Digital Personal Data Protection Act

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s principal data-protection statute. It governs the processing of digital personal data (including data collected offline that is later digitized), defines obligations for data fiduciaries and rights/duties for data principals, provides for monetary penalties, and establishes the Data Protection Board of India as an adjudicatory body.^[1]

Scope and applicability

The act applies to processing of digital personal data in India, and to processing outside India when offering goods or services in India.^[2]

Key concepts and rights

• Data principals: individuals have rights to access information, correction and erasure, grievance redress, and to nominate another person to act on their behalf in case of death or incapacity.^[2]
• Data fiduciaries: entities processing personal data must implement reasonable security safeguards, give notices and obtain valid consent, and observe purpose/collection limitations. Certain legitimate-use grounds are specified in the Act.^[1]
• Consent managers: entities registered with the Board that enable individuals to give, manage, review, and withdraw consent through an interoperable platform.^[3]

Cross-border transfers

Cross-border transfers are permitted by default, except to countries or territories that the Central Government may restrict by notification (“negative list” approach). The Act does not impose a GDPR-style transfer mechanism by itself.^[4][5]

Institutional design

The Act provides for a Data Protection Board of India (Section 18) to adjudicate non-compliance, direct remedial measures (including on breach), and impose penalties.^[1]

Enforcement and penalties

The Schedule to the Act sets maximum penalties, including up to ₹250 crore for failure to implement reasonable security safeguards that lead to a personal-data breach, and up to ₹200 crore for failures such as breach notification or children’s-data obligations. A residual category covers “any other” contraventions up to ₹50 crore. A separate small penalty applies to data principals for specified misuse.^[2]

Status and implementation

On January 3, 2025, MeitY released the Draft Digital Personal Data Protection Rules, 2025 for public consultation; as of mid-2025, substantive provisions of the Act were widely described as pending notification and phased rollout was expected following final Rules.^[6][7] MeitY reported receiving 6,915 submissions on the draft Rules on July 26, 2025.^[8]

History

• November 27, 2017 – Committee of Experts (Justice B.N. Srikrishna, Chair) releases a White Paper to solicit public comments on a data-protection framework.^[9]
• July 27, 2018 – Committee submits report A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians and a draft Personal Data Protection Bill, 2018 to MeitY.^[10]
• December 11, 2019 – Government introduces the Personal Data Protection Bill, 2019 in Lok Sabha; referred to a Joint Parliamentary Committee (report: December 16, 2021).^[11][12]
• August 3, 2022 – Government withdraws the 2019 Bill to reconsider the framework.^[13]
• August 11, 2023 – Parliament enacts the Digital Personal Data Protection Act, 2023.^[1]

References