India’s Digital Personal Data Protection Act (DPDP), 2023 has finally come into force, two years after Parliament cleared it. The law marks a major step toward protecting citizens’ digital privacy, in line with the Supreme Court’s 2017 Right to Privacy judgment.
Features of the DPDP Act
- Scope: Applies to digital personal data processed in India. Covers both private companies and government entities, unless exempted.
- Role of Data Fiduciaries: Entities that collect or use personal data are called data fiduciaries. They must ensure consent-based processing, transparency, and data security.
- Rights of Individuals (Data Principals): Right to access personal data. Right to correction and deletion of data. Right to grievance redressal.Right to nominate another person in case of death/incapacity.
- Duties of Individuals: Provide authentic information and not file false complaints.
Important Provisions of the Act
- Consent must be clear and specific, with easy withdrawal.
- Significant data fiduciaries (large organisations) must appoint a Data Protection Officer.
- Mandatory reporting of data breaches.
- Penalties up to ₹250 crore per violation for non-compliance.
- Data Protection Board of India (DPBI) established for enforcement.
- Exemptions for the State, especially for national security, investigations, and public order.
- Rules allow cross-border data transfer to trusted nations.
Issues & Concerns
- The Act weakens RTI, since government agencies can deny data citing privacy.
- Wide exemptions may allow state surveillance.
- Civil society groups say the Act lacks strong checks on government’s data use.
- Transparency activists fear the law gives the State “backdoor access” to personal data.
Way Forward
- Reduce broad government exemptions and ensure judicial oversight.
- Strengthen independent functioning of DPBI.
- Improve public awareness on data rights and responsibilities.
- Align rules with global standards like GDPR for better digital trade compatibility.
- Ensure robust cybersecurity infrastructure to prevent large-scale breaches.
Conclusion
The DPDP Act is a major milestone in India’s digital governance journey, but its effectiveness depends on transparent, accountable implementation. Strengthened oversight and balanced exemptions are essential for building public trust in the country’s data protection regime.
This topic is available in detail on our main website.
