Digital Personal Data Protection Act
Norm | |
---|---|
Norm title | Digital Personal Data Protection Act, 2023 |
Type of norm | Act |
Issuing body | Parliament of India |
Geographic scope | National |
Country |
|
Status | Active |
Official text | https://egazette.gov.in/WriteReadData/2023/247847.pdf |
Related Norms |
|
Parent legal framework | Indian data protection legal framework |
Language | English |
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s principal data-protection statute. It governs the processing of digital personal data (including data collected offline that is later digitized), defines obligations for data fiduciaries and rights/duties for data principals, provides for monetary penalties, and establishes the Data Protection Board of India as an adjudicatory body.[1]
Scope and applicability
The act applies to processing of digital personal data in India, and to processing outside India when offering goods or services in India.[2]
Key concepts and rights
- Data principals: individuals have rights to access information, correction and erasure, grievance redress, and to nominate another person to act on their behalf in case of death or incapacity.[2]
- Data fiduciaries: entities processing personal data must implement reasonable security safeguards, give notices and obtain valid consent, and observe purpose/collection limitations. Certain legitimate-use grounds are specified in the Act.[1]
- Consent managers: entities registered with the Board that enable individuals to give, manage, review, and withdraw consent through an interoperable platform.[3]
Cross-border transfers
Cross-border transfers are permitted by default, except to countries or territories that the Central Government may restrict by notification (“negative list” approach). The Act does not impose a GDPR-style transfer mechanism by itself.[4][5]
Institutional design
The Act provides for a Data Protection Board of India (Section 18) to adjudicate non-compliance, direct remedial measures (including on breach), and impose penalties.[1]
Enforcement and penalties
The Schedule to the Act sets maximum penalties, including up to ₹250 crore for failure to implement reasonable security safeguards that lead to a personal-data breach, and up to ₹200 crore for failures such as breach notification or children’s-data obligations. A residual category covers “any other” contraventions up to ₹50 crore. A separate small penalty applies to data principals for specified misuse.[2]
Status and implementation
On January 3, 2025, MeitY released the Draft Digital Personal Data Protection Rules, 2025 for public consultation; as of mid-2025, substantive provisions of the Act were widely described as pending notification and phased rollout was expected following final Rules.[6][7] MeitY reported receiving 6,915 submissions on the draft Rules on July 26, 2025.[8]
History
- November 27, 2017 – Committee of Experts (Justice B.N. Srikrishna, Chair) releases a White Paper to solicit public comments on a data-protection framework.[9]
- July 27, 2018 – Committee submits report A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians and a draft Personal Data Protection Bill, 2018 to MeitY.[10]
- December 11, 2019 – Government introduces the Personal Data Protection Bill, 2019 in Lok Sabha; referred to a Joint Parliamentary Committee (report: December 16, 2021).[11][12]
- August 3, 2022 – Government withdraws the 2019 Bill to reconsider the framework.[13]
- August 11, 2023 – Parliament enacts the Digital Personal Data Protection Act, 2023.[1]
References
- ↑ 1.0 1.1 1.2 1.3 The Gazette of India: Digital Personal Data Protection Act Retrieved August 1, 2025
- ↑ 2.0 2.1 2.2 PRS Legislative Research: Digital Personal Data Protection Bill, 2023 – Summary Retrieved August 1, 2025
- ↑ Lakshmikumaran & Sridharan: Consent Managers under the DPDP Act Retrieved August 1, 2025
- ↑ Latham & Watkins: India’s DPDP Act vs. the GDPR – A Comparison Retrieved August 1, 2025
- ↑ DSCI/DataGuidance: Privacy Across Borders – Guidance on Cross-Border Data Transfers Retrieved August 1, 2025
- ↑ PIB: MeitY releases Draft Digital Personal Data Protection Rules, 2025 Retrieved August 1, 2025
- ↑ ICLG 2025: Data Protection – India Retrieved August 1, 2025
- ↑ PIB: Draft DPDP Rules, 2025 Receive 6,915 Inputs Retrieved August 1, 2025
- ↑ PRS: White Paper on Data Protection Framework for India (Summary) Retrieved August 1, 2025
- ↑ PRS: Committee Report on Draft Personal Data Protection Bill, 2018 Retrieved August 1, 2025
- ↑ PRS: Personal Data Protection Bill, 2019 (Text) Retrieved August 1, 2025
- ↑ Parliament of India: JPC Report on the PDP Bill, 2019 Retrieved August 1, 2025
- ↑ PRS: Status of the Personal Data Protection Bill, 2019 Retrieved August 1, 2025
ICANNWiki resources: Content Guide | Documentation | Development || Maintenance: Articles needing attention | Candidates for deletion || Projects: Internet & Digital Governance Library