Digital Personal Data Protection Act

Norm
Norm title: Digital Personal Data Protection Act, 2023
Type of norm: Act
Issuing body: Parliament of India
Geographic scope: National
Country: India
Status: Active
Official text: https://egazette.gov.in/WriteReadData/2023/247847.pdf
Related Norms:
  • White Paper of the Committee of Experts on a Data Protection Framework for India (2017)
  • A Free and Fair Digital Economy – Srikrishna Committee Report (2018)
  • Personal Data Protection Bill, 2019
  • Information Technology Act, 2000 (SPDI Rules, 2011)
Parent legal framework: Indian data protection legal framework
Language: English

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s principal data-protection statute. It governs the processing of digital personal data (including data collected offline that is later digitized), defines obligations for data fiduciaries and rights/duties for data principals, provides for monetary penalties, and establishes the Data Protection Board of India as an adjudicatory body.[1]

Scope and applicability

The Act applies to processing of digital personal data in India, and to processing outside India when offering goods or services in India.[2]

Key concepts and rights

  • Data principals: individuals have the right to access information, to correction and erasure, to grievance redress, and to nominate another person to act on their behalf in case of death or incapacity.[2]
  • Data fiduciaries: entities processing personal data must implement reasonable security safeguards, give notices and obtain valid consent, and observe purpose/collection limitations. Certain legitimate-use grounds are specified in the Act.[1]
  • Consent managers: entities registered with the Board that enable individuals to give, manage, review, and withdraw consent through an interoperable platform.[3]

Cross-border transfers

Cross-border transfers are permitted by default, except to countries or territories that the Central Government may restrict by notification (“negative list” approach). The Act does not impose a GDPR-style transfer mechanism by itself.[4][5]

Institutional design

The Act provides for a Data Protection Board of India (Section 18) to adjudicate non-compliance, direct remedial measures (including on breach), and impose penalties.[1]

Enforcement and penalties

The Schedule to the Act sets maximum penalties, including up to ₹250 crore for failure to implement reasonable security safeguards that lead to a personal-data breach, and up to ₹200 crore for failures such as breach notification or children’s-data obligations. A residual category covers “any other” contraventions up to ₹50 crore. A separate small penalty applies to data principals for specified misuse.[2]

Status and implementation

On January 3, 2025, MeitY released the Draft Digital Personal Data Protection Rules, 2025 for public consultation; as of mid-2025, substantive provisions of the Act were widely described as pending notification, and a phased rollout was expected following final Rules.[6][7] MeitY reported receiving 6,915 submissions on the draft Rules on July 26, 2025.[8]

History

  • November 27, 2017 – Committee of Experts (Justice B.N. Srikrishna, Chair) releases a White Paper to solicit public comments on a data-protection framework.[9]
  • July 27, 2018 – Committee submits report A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians and a draft Personal Data Protection Bill, 2018 to MeitY.[10]
  • December 11, 2019 – Government introduces the Personal Data Protection Bill, 2019 in Lok Sabha; referred to a Joint Parliamentary Committee (report: December 16, 2021).[11][12]
  • August 3, 2022 – Government withdraws the 2019 Bill to reconsider the framework.[13]
  • August 11, 2023 – Parliament enacts the Digital Personal Data Protection Act, 2023.[1]

References
