Digital Personal Data Protection Act (DPDPA 2023): A Comprehensive Analysis
India, the world’s largest democracy, has achieved a milestone with the enactment of the Digital Personal Data Protection Act (DPDPA), 2023. This landmark legislation was introduced to protect the fundamental right to data privacy of Indian citizens, making sure that both physical and digital spaces are safe.
Imagine a time when there was no online shopping, no apps to order food, and no cab services at your fingertips. Every small task used to require stepping out—the shop for buying, bank for transferring money, and even a travel agency for tickets. Today, it feels almost unthinkable. Over the years, globalization, liberalization, and technological advancement have shifted these activities to virtual platforms. Now, everything from groceries to gadgets arrives at your doorstep with just a click.
However, the convenience of technology always comes with a catch: your personal data. Every app and service collects bits of your data under “terms and conditions” or “cookies.” These documents are so lengthy and full of jargon that nobody bothers to read through them; most just hit the “Accept” button. This data, while essential for services, also poses a significant risk if mishandled. Whether it is shopping online, booking a cab, or streaming a show, every transaction reveals something about you: your habits, preferences, or even sensitive financial information. Misuse of such data not only threatens individual privacy but could have far-reaching implications on national security.
Before DPDPA: The Struggle to Protect Privacy
India’s approach to data protection was long defined by fragmented laws that struggled to keep pace with the digital era. The Information Technology Act, 2000, was the country’s first legislative attempt to address cybersecurity concerns. However, it fell short of adequately safeguarding personal data privacy. To tackle these challenges, the IT Rules, 2011 were introduced to provide specific protections for sensitive personal data.
These rules offered a more targeted approach but were still limited in scope. Recognizing the growing need for comprehensive regulation, the IT Rules, 2021 further expanded oversight, bringing online platforms under greater scrutiny and reinforcing the need for robust data privacy protections in the digital era. Despite these efforts, the lack of a unified, comprehensive framework left significant gaps, which were eventually addressed by the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA).
However, these measures failed to keep pace with the changing digital landscape. The landmark case of Justice K.S. Puttaswamy vs. Union of India in 2017 highlighted the need for protecting the privacy of individuals along with holistic data protection. The Supreme Court’s declaration of privacy as a fundamental right under Article 21 of the Constitution paved the way for more stringent legislation. In response, the B.N. Srikrishna Committee drafted the Personal Data Protection Bill, 2018, which started national debates on accountability, individual rights, and data usage. These efforts brought to the fore the need for a unified framework, which eventually led to the Digital Personal Data Protection Act, 2023 (DPDPA).
After years of consultation, deliberation, and feedback, the government went ahead to pass the Digital Personal Data Protection Act, 2023 (DPDPA).
The DPDPA marks new thinking in how personal data is handled and processed within India. It is a landmark law that defines the responsibilities of data handlers and the rights of individuals while ensuring transparency around data collection, storage, and use for the betterment of Indians. The DPDPA represents a fair balance between advancing technological development, business growth, and the fundamental right to privacy.
After DPDPA: A New Era of Accountability
With the enactment of the DPDPA, individuals are now empowered to take control of their personal data. Companies, in turn, must adhere to strict regulations, ensuring data is collected only when necessary and used responsibly. The Act also introduces penalties for data breaches and non-compliance, making accountability the cornerstone of India’s digital transformation.
Compliance with the provisions of the Act is crucial to avoid penalties (which can extend up to Rs. 250 crore) as well as loss of trust.
Journey of Data Protection Law in India
The journey of India’s data protection law began in 2018 with the first draft of the Personal Data Protection Bill, submitted by the Justice Srikrishna Committee. The bill was presented in Parliament in December 2019 and was referred to the Joint Parliamentary Committee (JPC), which submitted its report in December 2021. A revised Data Protection Bill, 2021 was later withdrawn in August 2022, and a new draft was introduced by the Ministry of Electronics and IT. The Digital Personal Data Protection Bill, 2023, was introduced in Parliament on 3 August 2023, passed by the Lok Sabha on 7 August, and by the Rajya Sabha on 9 August. Following presidential assent on 11 August 2023, it became the Digital Personal Data Protection Act, 2023.
| Timeline | Event | Bill/Act Name |
|---|---|---|
| 2018 | First draft submitted by the committee chaired by Justice Srikrishna | Personal Data Protection Bill, 2018 (PDP Act) |
| December 2019 | PDP Bill introduced in Parliament and referred to Joint Parliamentary Committee (JPC) | Personal Data Protection Bill, 2019 |
| December 2021 | JPC submitted its report | Personal Data Protection Bill, 2019 |
| December 2021 | Revised version introduced as Data Protection Bill, 2021 | The Data Protection Bill, 2021 |
| August 2022 | Draft of the 2021 Bill withdrawn and replaced by a new draft by Ministry of Electronics & IT | Draft of the Data Protection Bill, 2022 |
| 3 August 2023 | Digital Personal Data Protection Bill, 2023 tabled in Parliament | DPDP Bill, 2023 |
| 7 August 2023 | DPDP Bill, 2023 passed by the Lower House (Lok Sabha) | DPDP Bill, 2023 |
| 9 August 2023 | DPDP Bill, 2023 passed by the Upper House (Rajya Sabha) | DPDP Bill, 2023 |
| 11 August 2023 | DPDP Bill received presidential assent and became law | Digital Personal Data Protection Act, 2023 |
Key objectives of DPDPA
The key objectives of the Digital Personal Data Protection Act are to:
- Promote transparency in data management by organizations
- Establish standards for handling and processing data
- Limit tracking and targeted advertising
- Establish a legal framework
- Define the rights and responsibilities of individuals and organizations
Key Significance of the DPDP Act
For Individuals
- The Act gives individuals complete authority over their personal data, allowing them to determine how their personal information is used.
- It protects privacy as a fundamental right and protects citizens from data misuse in this advanced digital world.
For Businesses
- By providing clear compliance guidelines, the Act reduces ambiguity, helping businesses manage data responsibly and avoid legal risks.
- It helps establish trust with consumers, leading to deeper relationships and business growth in a secure digital space.
For Government
- The Act strengthens regulatory oversight, ensuring fair and transparent enforcement of data protection laws.
- It balances privacy with national security and public welfare, enabling responsible data use for critical governance purposes.
For Global Stakeholders
- The Act would represent the commitment of India towards data protection, aligning with international benchmarks like GDPR for easier international business.
- It would ensure secure cross-border data transfers and help India gain credibility as a trusted global digital partner.
Conclusion
The Digital Personal Data Protection Act (DPDPA) is a significant step in India’s efforts to protect personal data, bringing it in line with global data protection standards like GDPR in Europe and CCPA in California. It empowers people to have more control over their personal data, creates clear rules for businesses on handling data, and holds entities accountable with penalties for non-compliance.
While GDPR has a very elaborate framework for data protection in the EU and CCPA specifically focuses on consumer rights in California, the DPDPA adapts to India’s unique needs. It ensures transparency in handling data, sets guidelines for transferring data across borders, and contains specific rules for the protection of children’s data.
For businesses like GoTrust, the DPDPA is especially crucial. Developed with the help of AppVin Technologies, GoTrust focuses specifically on strong authentication and user consent management, in line with the new law’s principles regarding protecting users’ privacy. The solution has separate modules for businesses for effective DSR management, policy management, and data mapping, which includes ROPA and other assessments. GoTrust has an effective universal and cookie consent management solution which ensures that consent collected from the users is explicit, informed, unambiguous and unconditional.