India Digital Personal Data Protection Act Assent

On 11 August 2023 the Digital Personal Data Protection Act 2023 received Presidential assent, establishing India first full data protection legislation. The Act creates a principles-based framework for personal data processing that applies to organizations handling data of Indian residents, with significant penalties for non-compliance and a new Data Protection Board to oversee enforcement.

Scope and Application

The DPDP Act applies to processing of digital personal data within India and to processing outside India where goods or services are offered to individuals in India. This extraterritorial scope captures multinational organizations with Indian operations or customers.

• Digital personal data. The Act covers personal data collected in digital form or digitized from offline collection. This includes data collected through websites, mobile applications, digital services, and digitized paper records.
• Data fiduciary obligations. Organizations processing personal data as data fiduciaries bear primary compliance responsibility including lawful processing, purpose limitation, storage limitation, and data accuracy obligations.
• Data processor requirements. Processors acting on behalf of data fiduciaries must comply with contractual obligations and applicable Act provisions, though primary accountability remains with the fiduciary.

Lawful Processing and Consent Requirements

The Act establishes consent as the primary basis for lawful personal data processing, with specific requirements for obtaining and managing consent that differ from some other data protection frameworks.

• Consent requirements. Consent must be free, specific, informed, unconditional, and unambiguous. Data fiduciaries must provide clear notice of processing purposes before obtaining consent.
• Deemed consent. The Act recognizes deemed consent for certain purposes including legal obligations, emergency situations, employment contexts, and public interest activities, reducing reliance on explicit consent in appropriate circumstances.
• Consent withdrawal. Individuals can withdraw consent at any time, and data fiduciaries must make withdrawal mechanisms easily accessible. Processing must cease upon withdrawal unless another lawful basis applies.

Data Principal Rights

The Act establishes rights for data principals that is individuals whose data is processed, including access, correction, erasure, and grievance redress rights. Organizations must implement processes to receive and respond to rights requests.

• Right to access. Data principals can request summary information about their personal data being processed and the processing activities performed.
• Right to correction and erasure. Individuals can request correction of inaccurate data and erasure of data no longer necessary for the purpose for which it was collected.
• Right to grievance redress. Data fiduciaries must establish grievance redress mechanisms and respond to complaints within specified timeframes.
• Right to nominate. Data principals can nominate individuals to exercise their rights in case of death or incapacity.

Significant Data Fiduciary Obligations

The Act designates certain organizations as Significant Data Fiduciaries based on data volume, sensitivity, or risk to data principals. These organizations face additional obligations including data protection officer appointment, periodic audits, and data protection impact assessments.

Penalties and Enforcement

The Act establishes significant penalties for non-compliance, with maximum fines of 250 crore rupees approximately 30 million USD for individual violations. The Data Protection Board will adjudicate complaints, conduct inquiries, and impose penalties. If you are affected, focus on compliance given the significant financial exposure from potential violations.

Timeline overview

The Act provisions will come into force on dates notified by the Central Government, with implementing rules to be issued providing detailed compliance requirements. If you are affected, begin compliance preparations while monitoring government notifications for effective dates and rule publication.

Similar analysis

Additional analysis covering similar themes.

Data Strategy · Credibility 40/100 · October 22, 2021

G7 Digital Trade Principles

G7 Trade Ministers adopted the Digital Trade Principles on 22 October 2021, setting commitments on open digital markets, cross-border data flows with trust, and safeguards on personal data and cybersecurity that shape…

Data Strategy · Credibility 91/100 · January 1, 2023

California Privacy Rights Act Effective Date

California Privacy Rights Act (CPRA) became effective January 1, 2023, amending CCPA with stricter requirements. New rights, a dedicated enforcement agency (CPPA), and expanded business obligations. If you have…

Data Strategy · Credibility 86/100 · October 1, 2022

Japan APPI Cross-Border Transfer Rules Enforced

Japan enforced the amended Act on the Protection of Personal Information on 1 October 2022, requiring fuller disclosure and monitoring for cross-border transfers plus mandatory breach notification to the PPC.

Data Strategy · Credibility 40/100 · September 1, 2022

China Cross-Border Data Security Assessments Effective

China's Cyberspace Administration began enforcing mandatory security assessments for certain cross-border data transfers on 1 September 2022, requiring exporters to file assessments or adopt standard contracts before…

Data Strategy · Credibility 40/100 · August 3, 2022

India Withdraws Personal Data Protection Bill

India withdrew its long-debated Personal Data Protection Bill on 3 August 2022, resetting the legislative process and signaling that a broader Digital Personal Data Protection Bill would follow, affecting localization…

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

August 11, 2023

Coverage pillar

Data Strategy

Source credibility

40/100 — low confidence

Topics

India · Privacy · Cross-border data · Compliance · Governance

Sources cited

3 sources (prsindia.org, pib.gov.in, iso.org)

Reading time

5 min

Further reading

1. Digital Personal Data Protection Act, 2023
2. Press Information Bureau release on DPDP assent
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization