Digital Personal Data Protection Act: Difference between revisions

Line 1:

{{Norm

| norm_title = Digital Personal Data Protection Act, 2023

| alternative_name = DPDP Act; DPDPA

| norm_type = Act

| issuing_body = Parliament of India

| scope_geo = National

| country = India

| norm_status = Active

| official_text = https://egazette.gov.in/WriteReadData/2023/247847.pdf

| related_norm = White Paper of the Committee of Experts on a Data Protection Framework for India (2017); A Free and Fair Digital Economy – Srikrishna Committee Report (2018); Personal Data Protection Bill, 2019; Information Technology Act, 2000 (SPDI Rules, 2011)

| parent_framework = Indian data protection legal framework

| norm_language = English

}}

'''Data Protection ~~framework for India~~'''

The '''Digital Personal Data Protection Act, 2023''' (DPDP Act) is India’s principal data-protection statute. It governs the processing of digital personal data (including data collected offline that is later digitized), defines obligations for data fiduciaries and rights/duties for data principals, provides for monetary penalties, and establishes the [[Data Protection Board of India]] as an adjudicatory body.<ref name="act">[https://egazette.gov.in/WriteReadData/2023/247847.pdf The Gazette of India: Digital Personal Data Protection Act] Retrieved August 1, 2025</ref>

~~Finally, the final draft of the Indian version of GDPR~~ is ~~out~~.

~~With~~ the ~~objective to 'ensure growth~~ of ~~the~~ digital ~~economy while keeping~~ personal data ~~of citizens secure and protected' Government of India has come up with a White Paper and is soliciting public comments on what shape a~~ data ~~protection law must take. The White Paper outlines the issues~~ that ~~a majority of the members of the Drafting Committee feel require incorporation in a law~~, ~~relevant experiences from other countries~~ and ~~concerns regarding their incorporation~~, ~~certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise~~, and ~~specific questions for~~ the ~~public~~. ~~On the basis~~ of ~~the responses received, the Committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject leading to~~ Data Protection ~~Bill.~~

==~~=Go to the following link for more information~~ and ~~add your comments=~~==

== Scope and applicability ==

[~~http~~://~~meity~~.~~gov.in~~/~~white~~-~~paper~~-data-protection-~~framework~~-~~india-public-comments-invited Public Comments~~: ~~white-paper-data-protection-framework-india-public-comments-invited~~]

The act applies to processing of digital personal data in India, and to processing outside India when offering goods or services in India.<ref name="prs">[https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 PRS Legislative Research: Digital Personal Data Protection Bill, 2023 – Summary] Retrieved August 1, 2025</ref>

[[~~Category~~:~~Frameworks~~]]

== Key concepts and rights ==

* Data principals: individuals have rights to access information, correction and erasure, grievance redress, and to nominate another person to act on their behalf in case of death or incapacity.<ref name="prs"></ref>

* Data fiduciaries: entities processing personal data must implement reasonable security safeguards, give notices and obtain valid consent, and observe purpose/collection limitations. Certain legitimate-use grounds are specified in the Act.<ref name="act"></ref>

* Consent managers: entities registered with the Board that enable individuals to give, manage, review, and withdraw consent through an interoperable platform.<ref name="consentmgr">[https://lakshmisri.com/insights/articles/consent-managers-under-digital-personal-data-protection-act/ Lakshmikumaran & Sridharan: Consent Managers under the DPDP Act] Retrieved August 1, 2025</ref>

== Cross-border transfers ==

Cross-border transfers are permitted by default, except to countries or territories that the Central Government may restrict by notification (“negative list” approach). The Act does not impose a [[General Data Protection Regulation|GDPR]]-style transfer mechanism by itself.<ref name="latham">[https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf Latham & Watkins: India’s DPDP Act vs. the GDPR – A Comparison] Retrieved August 1, 2025</ref><ref name="dsci">[https://www.dataguidance.com/sites/default/files/dcsi_privacy_across_borders-_guidance_on_cross-border_data_transfers_for_indian_organizations.pdf DSCI/DataGuidance: Privacy Across Borders – Guidance on Cross-Border Data Transfers] Retrieved August 1, 2025</ref>

== Institutional design ==

The Act provides for a Data Protection Board of India (Section 18) to adjudicate non-compliance, direct remedial measures (including on breach), and impose penalties.<ref name="act"></ref>

== Enforcement and penalties ==

The Schedule to the Act sets maximum penalties, including up to ₹250 crore for failure to implement reasonable security safeguards that lead to a personal-data breach, and up to ₹200 crore for failures such as breach notification or children’s-data obligations. A residual category covers “any other” contraventions up to ₹50 crore. A separate small penalty applies to data principals for specified misuse.<ref name="prs"></ref>

== Status and implementation ==

On '''January 3, 2025''', MeitY released the '''Draft Digital Personal Data Protection Rules, 2025''' for public consultation; as of mid-2025, substantive provisions of the Act were widely described as pending notification and phased rollout was expected following final Rules.<ref name="pibrules">[https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090048 PIB: MeitY releases Draft Digital Personal Data Protection Rules, 2025] Retrieved August 1, 2025</ref><ref name="iclg">[https://iclg.com/practice-areas/data-protection-laws-and-regulations/india ICLG 2025: Data Protection – India] Retrieved August 1, 2025</ref> MeitY reported receiving '''6,915''' submissions on the draft Rules on '''July 26, 2025'''.<ref name="pibinputs">[https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148944 PIB: Draft DPDP Rules, 2025 Receive 6,915 Inputs] Retrieved August 1, 2025</ref>

== History ==

* '''November 27, 2017''' – Committee of Experts (Justice B.N. Srikrishna, Chair) releases a White Paper to solicit public comments on a data-protection framework.<ref name="whitepaper">[https://prsindia.org/files/policy/policy_committee_reports/Report%20Summary-%20Data%20Protection%20Expert%20Committee%20White.pdf PRS: White Paper on Data Protection Framework for India (Summary)] Retrieved August 1, 2025</ref>

* '''July 27, 2018''' – Committee submits report '''''A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians''''' and a draft '''Personal Data Protection Bill, 2018''' to MeitY.<ref name="srikrishna2018">[https://prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill%2C%202018_0.pdf PRS: Committee Report on Draft Personal Data Protection Bill, 2018] Retrieved August 1, 2025</ref>

* '''December 11, 2019''' – Government introduces the '''Personal Data Protection Bill, 2019''' in Lok Sabha; referred to a Joint Parliamentary Committee (report: December 16, 2021).<ref name="pdp2019">[https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill%2C%202019.pdf PRS: Personal Data Protection Bill, 2019 (Text)] Retrieved August 1, 2025</ref><ref name="jpc">[https://eparlib.nic.in/handle/123456789/835465 Parliament of India: JPC Report on the PDP Bill, 2019] Retrieved August 1, 2025</ref>

* '''August 3, 2022''' – Government withdraws the 2019 Bill to reconsider the framework.<ref name="prsstatus">[https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 PRS: Status of the Personal Data Protection Bill, 2019] Retrieved August 1, 2025</ref>

* '''August 11, 2023''' – Parliament enacts the '''Digital Personal Data Protection Act, 2023'''.<ref name="act"></ref>

== References ==

@@ Line 1: / Line 1: @@
-{{Template:Articles needing attention}}
+{{Norm
+| norm_title = Digital Personal Data Protection Act, 2023
+| alternative_name = DPDP Act; DPDPA
+| norm_type = Act
+| issuing_body = Parliament of India
+| scope_geo = National
+| country = India
+| norm_status = Active
+| official_text = https://egazette.gov.in/WriteReadData/2023/247847.pdf
+| related_norm = White Paper of the Committee of Experts on a Data Protection Framework for India (2017); A Free and Fair Digital Economy – Srikrishna Committee Report (2018); Personal Data Protection Bill, 2019; Information Technology Act, 2000 (SPDI Rules, 2011)
+| parent_framework = Indian data protection legal framework
+| norm_language = English
+}}
-'''Data Protection framework for India'''
+The '''Digital Personal Data Protection Act, 2023''' (DPDP Act) is India’s principal data-protection statute. It governs the processing of digital personal data (including data collected offline that is later digitized), defines obligations for data fiduciaries and rights/duties for data principals, provides for monetary penalties, and establishes the [[Data Protection Board of India]] as an adjudicatory body.<ref name="act">[https://egazette.gov.in/WriteReadData/2023/247847.pdf The Gazette of India: Digital Personal Data Protection Act] Retrieved August 1, 2025</ref>
-Finally, the final draft of the Indian version of GDPR is out.
-With the objective to 'ensure growth of the digital economy while keeping personal data of citizens secure and protected' Government of India has come up with a White Paper and is soliciting public comments on what shape a data protection law must take. The White Paper outlines the issues that a majority of the members of the Drafting Committee feel require incorporation in a law, relevant experiences from other countries and concerns regarding their incorporation, certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise, and specific questions for the public. On the basis of the responses received, the Committee will conduct public consultations with citizens and stakeholders shortly to hear all voices that wish and need to be heard on this subject leading to Data Protection Bill.
-===Go to the following link for more information and add your comments===
+== Scope and applicability ==
-[http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited Public Comments: white-paper-data-protection-framework-india-public-comments-invited]
+The act applies to processing of digital personal data in India, and to processing outside India when offering goods or services in India.<ref name="prs">[https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 PRS Legislative Research: Digital Personal Data Protection Bill, 2023 – Summary] Retrieved August 1, 2025</ref>
-[[Category:Frameworks]]
+== Key concepts and rights ==
+* Data principals: individuals have rights to access information, correction and erasure, grievance redress, and to nominate another person to act on their behalf in case of death or incapacity.<ref name="prs"></ref>
+* Data fiduciaries: entities processing personal data must implement reasonable security safeguards, give notices and obtain valid consent, and observe purpose/collection limitations. Certain legitimate-use grounds are specified in the Act.<ref name="act"></ref>
+* Consent managers: entities registered with the Board that enable individuals to give, manage, review, and withdraw consent through an interoperable platform.<ref name="consentmgr">[https://lakshmisri.com/insights/articles/consent-managers-under-digital-personal-data-protection-act/ Lakshmikumaran & Sridharan: Consent Managers under the DPDP Act] Retrieved August 1, 2025</ref>
+== Cross-border transfers ==
+Cross-border transfers are permitted by default, except to countries or territories that the Central Government may restrict by notification (“negative list” approach). The Act does not impose a [[General Data Protection Regulation|GDPR]]-style transfer mechanism by itself.<ref name="latham">[https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf Latham & Watkins: India’s DPDP Act vs. the GDPR – A Comparison] Retrieved August 1, 2025</ref><ref name="dsci">[https://www.dataguidance.com/sites/default/files/dcsi_privacy_across_borders-_guidance_on_cross-border_data_transfers_for_indian_organizations.pdf DSCI/DataGuidance: Privacy Across Borders – Guidance on Cross-Border Data Transfers] Retrieved August 1, 2025</ref>
+== Institutional design ==
+The Act provides for a Data Protection Board of India (Section 18) to adjudicate non-compliance, direct remedial measures (including on breach), and impose penalties.<ref name="act"></ref>
+== Enforcement and penalties ==
+The Schedule to the Act sets maximum penalties, including up to ₹250 crore for failure to implement reasonable security safeguards that lead to a personal-data breach, and up to ₹200 crore for failures such as breach notification or children’s-data obligations. A residual category covers “any other” contraventions up to ₹50 crore. A separate small penalty applies to data principals for specified misuse.<ref name="prs"></ref>
+== Status and implementation ==
+On '''January 3, 2025''', MeitY released the '''Draft Digital Personal Data Protection Rules, 2025''' for public consultation; as of mid-2025, substantive provisions of the Act were widely described as pending notification and phased rollout was expected following final Rules.<ref name="pibrules">[https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090048 PIB: MeitY releases Draft Digital Personal Data Protection Rules, 2025] Retrieved August 1, 2025</ref><ref name="iclg">[https://iclg.com/practice-areas/data-protection-laws-and-regulations/india ICLG 2025: Data Protection – India] Retrieved August 1, 2025</ref> MeitY reported receiving '''6,915''' submissions on the draft Rules on '''July 26, 2025'''.<ref name="pibinputs">[https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148944 PIB: Draft DPDP Rules, 2025 Receive 6,915 Inputs] Retrieved August 1, 2025</ref>
+== History ==
+* '''November 27, 2017''' – Committee of Experts (Justice B.N. Srikrishna, Chair) releases a White Paper to solicit public comments on a data-protection framework.<ref name="whitepaper">[https://prsindia.org/files/policy/policy_committee_reports/Report%20Summary-%20Data%20Protection%20Expert%20Committee%20White.pdf PRS: White Paper on Data Protection Framework for India (Summary)] Retrieved August 1, 2025</ref>
+* '''July 27, 2018''' – Committee submits report '''''A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians''''' and a draft '''Personal Data Protection Bill, 2018''' to MeitY.<ref name="srikrishna2018">[https://prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill%2C%202018_0.pdf PRS: Committee Report on Draft Personal Data Protection Bill, 2018] Retrieved August 1, 2025</ref>
+* '''December 11, 2019''' – Government introduces the '''Personal Data Protection Bill, 2019''' in Lok Sabha; referred to a Joint Parliamentary Committee (report: December 16, 2021).<ref name="pdp2019">[https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill%2C%202019.pdf PRS: Personal Data Protection Bill, 2019 (Text)] Retrieved August 1, 2025</ref><ref name="jpc">[https://eparlib.nic.in/handle/123456789/835465 Parliament of India: JPC Report on the PDP Bill, 2019] Retrieved August 1, 2025</ref>
+* '''August 3, 2022''' – Government withdraws the 2019 Bill to reconsider the framework.<ref name="prsstatus">[https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 PRS: Status of the Personal Data Protection Bill, 2019] Retrieved August 1, 2025</ref>
+* '''August 11, 2023''' – Parliament enacts the '''Digital Personal Data Protection Act, 2023'''.<ref name="act"></ref>
+== References ==
+{{reflist}}