The Digital Personal Data Protection Act, 2023 (DPDP Act) is an Act of the Parliament of India, cited as Act No. 22 of 2023, which governs the processing of digital personal data. Its purpose is to balance the individual's right to protect their personal data with the necessity of processing such data for lawful purposes.
The Act's origin lies in the Supreme Court's landmark 2017 judgment in Justice K.S. Puttaswamy v. Union of India, which affirmed the right to privacy as a fundamental right. This judicial pronouncement spurred the government to form the Justice B.N. Srikrishna Committee in 2017, leading to the eventual introduction of the DPDP Bill, 2023, which received the President's assent on August 11, 2023. The Act replaced the limited data protection framework previously contained in Section 43A of the Information Technology Act, 2000, and the associated Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Act works by establishing obligations for the Data Fiduciary (the entity processing the data) and rights for the Data Principal (the individual to whom the data relates). A Data Fiduciary must process digital personal data only for a lawful purpose, primarily after obtaining the Data Principal's clear consent. Key rights of the Data Principal include the right to access, correction, and erasure of their personal data. For children (under 18), the Act mandates verifiable parental consent and prohibits targeted advertising. The Act establishes the Data Protection Board of India (DPBI) under Section 18 to adjudicate non-compliance, with penalties for breaches reaching up to ₹250 crore. The DPDP Act connects to the broader governance of the digital economy and is expected to be complemented by the forthcoming Digital India Act. Unlike the previous rules, the DPDP Act treats all personal data uniformly, without distinguishing between personal and sensitive personal data.