What Is the Digital Personal Data Protection Act, and How Does It Impact Businesses in India?

Introduction


The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment in India's data protection landscape. Rooted in the principles of transparency, accountability, and individual autonomy, the Act introduces a structured framework for regulating the processing of personal data.


From defining data rights to establishing obligations for businesses, this law is set to reshape the compliance framework for Indian and multinational corporations. At the same time, its implications for legal practitioners, compliance officers, and corporate counsel are profound, demanding a deeper understanding of its provisions and enforcement mechanisms.


This article critically examines the key features of the Act, its scope of applicability, exemptions, and the broader legal discourse shaping India's evolving data protection jurisprudence.


Context and Background


The DPDP Act, 2023 is the culmination of India's efforts to establish a robust legal framework for personal data protection. Its origins can be traced to:

  • The Supreme Court’s landmark judgment in K.S. Puttaswamy v. Union of India (2017), which established the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution.

  • The global shift towards data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL).

  • The increasing frequency of data breaches and unauthorized data sharing, which underscored the urgent need for a statutory framework governing data processing in India.


Key Provisions of the DPDP Act


Definition of Personal Data


The Act defines personal data as "any data about an individual who is identifiable by or in relation to such data." This broad definition aligns with global standards but leaves interpretative flexibility, making case law pivotal in shaping its future scope.


Applicability and Exemptions


The Act applies to:

  • Any entity (Data Fiduciary) that collects, processes, or stores personal data within India.

  • Entities outside India processing the data of Indian residents.


Exemptions

The following are exempt from certain provisions of the Act:

  • Government entities for purposes of national security, law enforcement, and disaster management.

  • Startups and small businesses under a special category called Notified Data Fiduciaries (NDFs), which receive compliance relaxations.

  • Personal or household data processing, ensuring that non-commercial data processing remains outside regulatory purview.


Consent Framework


Consent is central to the Act’s compliance model. The law mandates that Data Fiduciaries obtain:

  • Explicit, informed, and affirmative consent before collecting personal data.

  • Clear disclosure of the purpose of data collection before obtaining consent.

  • Easy withdrawal mechanisms, allowing users to revoke consent at any time.


Deemed Consent – A Legal Grey Area?

A controversial provision under the Act is deemed consent, wherein personal data can be processed without explicit consent in cases involving:

  • Public health emergencies (e.g., pandemics).

  • Employment-related purposes.

  • Legal and judicial proceedings.


Legal scholars argue that this provision lacks safeguards, potentially allowing misuse by corporations and government entities. Its implementation and judicial scrutiny will determine its long-term impact on data privacy rights.


Rights of Data Principals (Individuals)


The Act grants Data Principals (users) several rights, including:

  • Right to Information – Users can request details about how their data is processed.

  • Right to Correction and Erasure – Users can request corrections or deletion of inaccurate data.

  • Right to Grievance Redressal – Individuals can escalate complaints to the Data Protection Board in case of non-compliance.

These rights mirror GDPR’s data subject rights, albeit with certain limitations, such as the lack of a clear data portability right.


Obligations of Data Fiduciaries


Entities processing personal data have strict statutory obligations, including:

  • Data Minimization: Only collecting data necessary for processing purposes.

  • Purpose Limitation: Prohibiting secondary usage of data beyond what was initially consented to.

  • Security Obligations: Implementing robust security measures to prevent data breaches.

A violation of these obligations can result in penalties of up to ₹250 crore (approximately US$30 million), making compliance a critical priority for businesses operating in India.


Cross-Border Data Transfers


Unlike the previous versions of the Bill, which recommended strict data localization, the DPDP Act permits cross-border data transfers. However, the government retains the power to restrict transfers to specific nations in the interest of:

  • National security

  • Public policy considerations

  • Diplomatic relations

Legal experts believe that sector-specific restrictions may be introduced in the future, especially for critical industries like banking and telecommunications.


Compliance Challenges


The implementation of the DPDP Act poses significant challenges for companies and legal professionals alike:

  1. Consent fatigue: Companies must design user-friendly consent mechanisms so that consumers are not overburdened with excessive notifications.

  2. Data retention and erasure policies: Legal teams must establish clear policies for data deletion and archival, taking into account overlapping compliance requirements under other Indian laws (e.g., the IT Act, 2000).

  3. Interpretation of the 'deemed consent' clause: Future litigation will shape how courts balance user rights against corporate and governmental interests.


Landmark Cases Influencing Data Protection Jurisprudence


Several judicial precedents have shaped India's privacy and data protection landscape:

K.S. Puttaswamy v. Union of India (2017)

  • Recognized the Right to Privacy as a fundamental right under Article 21.

  • Laid the foundation for India’s data protection framework.


Justice K.S. Puttaswamy v. Union of India (2018) – Aadhaar Case

  • Upheld Aadhaar’s constitutional validity but imposed restrictions on its mandatory use.

  • Emphasized the necessity of a robust data protection law.


Ram Suresh Yadav v. State of Uttar Pradesh (2017)

  • Highlighted the importance of data security in government databases.

  • Established judicial scrutiny over state surveillance activities.


The Road Ahead: Future Challenges & Potential Amendments


As the Act moves into its enforcement phase, key challenges include:

  • Balancing privacy rights with digital innovation (especially in AI and Big Data industries).

  • Clarifying ambiguities in the deemed consent provision.

  • Strengthening enforcement through an independent regulatory body.


While the DPDP Act is a progressive step, legal experts anticipate further amendments and clarifications in the coming years, especially in areas concerning:

  • Data localization requirements.

  • Sector-specific compliance obligations.

  • Interplay with other existing regulations (e.g., IT Act, 2000).


Conclusion


The Digital Personal Data Protection Act, 2023 represents a transformative shift in India's approach to data governance and privacy rights. While the Act introduces several progressive measures, its practical implementation, judicial interpretations, and regulatory developments will ultimately determine its effectiveness.
