Introduction
1. What is the DPDP Act?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first cross-sectoral law specifically designed to protect personal data. It balances two competing needs:
- The right of individuals to protect their personal information.
- The need for businesses and the government to process that data for lawful purposes.
It applies to digital personal data that is:
- Collected in digital form (online).
- Collected in non-digital form (offline) and later digitized.
It also reaches processing carried out outside India when that processing is connected with offering goods or services to individuals within India. It does not apply to data processed by an individual for personal or domestic purposes, or to personal data that the individual has themselves made publicly available (or that is public under a legal obligation).
(A conceptual diagram illustrating the flow of data from the "Data Principal" to the "Data Fiduciary," with the "Data Protection Board" overseeing the process.)
2. The Key Players (Definitions)
To understand the Act, you must learn the vocabulary it introduces:
- Data Principal: The individual to whom the data relates (i.e., you, the user). For a child, this includes the parents or lawful guardian; for a person with a disability, the lawful guardian.
- Data Fiduciary: The entity (company/organization) that, alone or with others, decides why and how to process the data (e.g., Amazon, your bank, Google).
- Data Processor: An entity that processes data on behalf of the Fiduciary (e.g., a cloud storage provider or payroll company). The Fiduciary remains responsible for the processing even when it is outsourced.
- Significant Data Fiduciary (SDF): A Data Fiduciary notified as such by the Central Government, based on factors such as the volume and sensitivity of data it processes and the risk its processing poses to individuals and the State. SDFs face additional obligations (see section 5).
3. For Individuals: Your Rights & Duties
The Act gives citizens (Data Principals) specific rights, turning them from passive subjects into active owners of their data.
The Rights
- Right to Information: You can ask a Data Fiduciary for a summary of the personal data it is processing about you, what it is doing with it, and the identities of the other Fiduciaries and Processors it has shared the data with.
- Right to Correction & Erasure: You can demand that a Fiduciary correct or update inaccurate or incomplete data, and erase your data unless retaining it is necessary for the purpose you consented to or is required by law.
- Right to Grievance Redressal: Fiduciaries (and Consent Managers) must provide a readily available way to resolve your complaints. Only after exhausting that route can you approach the Data Protection Board (DPB).
- Right to Nominate: You can nominate another person to exercise your rights in the event of your death or incapacity.
The Duties
The Act also imposes duties on users. As a Data Principal, you must not:
- Register a false or frivolous complaint or grievance.
- Impersonate another person when providing personal data.
- Suppress material information when providing data for a document, identifier or proof of identity or address.
- Supply anything other than verifiably authentic information when exercising the right to correction or erasure.
Penalty: Breach of these duties can attract a fine of up to ₹10,000.
4. For Businesses: Obligations of Data Fiduciaries
If you run a business that collects customer data (names, emails, phone numbers), the DPDP Act imposes strict compliance requirements.
A. Consent is King
You may process personal data only for a lawful purpose, and only after obtaining consent (or under one of the "legitimate uses" in B below).
- Notice: You must give a clear notice before, or at the time of, asking for consent. It must state what personal data is being collected and for what purpose, how the user can exercise their rights and withdraw consent, and how to complain to the Board.
- Free & Specific: Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the data necessary for the stated purpose. It cannot be bundled: you cannot force a user to agree to marketing emails just to access a basic service, and any part of a consent that goes beyond what the Act allows is void.
- Withdrawal: Users must be able to withdraw consent with ease comparable to the ease with which they gave it. Once consent is withdrawn, processing must stop within a reasonable time and the data must be erased unless retention is required by law.
- Consent Managers: Users may give, manage, review and withdraw consent through a registered Consent Manager, an intermediary accountable to the Data Principal.
B. Legitimate Uses (Exceptions to Consent)
Consent is not required for the "legitimate uses" listed in the Act, such as:
- Data the individual voluntarily provides for a specified purpose without indicating that they object to its use for that purpose (e.g., handing over a business card).
- Processing for employment purposes, or to protect the employer from loss or liability.
- Responding to a medical emergency, an epidemic or other threat to public health, or a disaster.
- Complying with a legal obligation, or with a judgment or order of a court or tribunal.
- Processing by the State to provide subsidies, benefits, services, licences or permits.
C. Handling Children’s Data
This is a critical area. A child is anyone under 18. If you process a child's data:
- You must obtain verifiable consent from the parent or lawful guardian before processing. The same applies to a person with a disability who has a lawful guardian.
- You must not undertake processing that is likely to have a detrimental effect on the child's well-being.
- You must not track children, monitor their behaviour, or direct targeted advertising at them.
D. Data Security
Fiduciaries must implement reasonable security safeguards to prevent personal data breaches, including for processing carried out on their behalf by a Data Processor. If a breach occurs, you must intimate both the Data Protection Board and each affected user, in the form, manner and timeframe prescribed by the rules made under the Act. Fiduciaries must also erase personal data once the purpose is served or consent is withdrawn (and ensure their Processors do the same), unless a law requires retention.
5. Significant Data Fiduciaries (SDFs)
The Central Government may notify a Data Fiduciary, or a class of Data Fiduciaries, as an SDF based on the volume and sensitivity of personal data it processes, the risk to the rights of Data Principals, and the potential impact on India's sovereignty, security, public order and electoral democracy. Large social media platforms and large banks are commonly expected candidates, but the Act itself names no entity.
Extra Obligations for SDFs:
- Appoint a Data Protection Officer (DPO) based in India, who represents the SDF under the Act, is answerable to its board of directors, and serves as the point of contact for grievance redressal.
- Appoint an Independent Data Auditor to evaluate compliance.
- Conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits.
6. Cross-Border Data Transfer
Unlike earlier drafts that demanded "data localization" (storing data only in India), the 2023 Act is more liberal.
- General Rule: Personal data can be transferred to any country or territory outside India.
- The "Blacklist": The Central Government can restrict transfers to specific countries or territories by official notification. The Act sets no criteria for such notifications.
- Sectoral rules still apply: The Act does not override other laws that impose stricter restrictions on transfers, so sector-specific localization requirements (for example, those imposed by financial regulators) continue to bind the entities they cover.
7. Penalties: The Cost of Non-Compliance
The DPDP Act is civil, not criminal, so there is no jail time. The financial penalties, however, are substantial. The Data Protection Board decides the amount after an inquiry, taking into account the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, and the gain or loss it caused.

| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards to prevent a personal data breach | ₹250 crore |
| Failure to notify the Board and affected users of a personal data breach | ₹200 crore |
| Breach of the additional obligations regarding children's data | ₹200 crore |
| Breach of the additional obligations of an SDF | ₹150 crore |
| Breach of a Data Principal's duties | ₹10,000 |
| Breach of any other provision of the Act or its rules | ₹50 crore |
8. Exemptions
The Act provides exemptions, in whole or in part, for:
- Government Agencies: The Central Government may exempt notified State instrumentalities on grounds of sovereignty and integrity, security of the State, friendly relations with foreign states, or public order.
- Startups: The government may exempt notified startups and other classes of Fiduciaries from specific obligations, including the notice requirement, certain erasure and accuracy obligations, SDF obligations and the right to information, to foster innovation.
- Legal/Judicial: Processing needed to enforce a legal claim, processing by courts and tribunals in their judicial functions, and processing for preventing, detecting, investigating or prosecuting offences.
- Research and Statistics: Processing for research, archiving or statistical purposes that is not used to take decisions specific to an individual, subject to prescribed standards.
Conclusion: The Way Forward
The DPDP Act, 2023 is a game-changer. For individuals, it promises privacy and control. For businesses, it demands a shift from "collecting everything" to "collecting only what is necessary."
While the rules are still being operationalized, the message is clear: Data privacy is no longer a luxury; it is a legal necessity.
