India's Digital Personal Data Protection Act 2023 (DPDP Act) is the first comprehensive data protection legislation in India. Applicable to the processing of digital personal data of individuals (data principals), the Act creates significant obligations for businesses (data fiduciaries) with penalties up to Rs. 250 crore per violation.
Key Definitions
- Personal Data: Any data about an identifiable individual
- Data Principal: The individual whose personal data is processed (the person)
- Data Fiduciary: Entity that determines the purpose and means of processing data (the business)
- Data Processor: Entity processing data on behalf of a data fiduciary
Consent Requirements
- Processing of personal data requires freely given, specific, informed, unconditional, and unambiguous consent
- Consent must be for a specific purpose — cannot be bundled into general terms
- Consent requests must be in plain language and multilingual
- Consent can be withdrawn at any time — as easily as it was given
Grounds for Processing Without Consent (Legitimate Use)
- The State and its instrumentalities, for national security and law enforcement purposes
- Employment-related processing (employee data)
- Medical emergency processing
- Compliance with a judgment or court order
Rights of Data Principals
- Right to information about processing
- Right to correction and erasure
- Right to grievance redressal
- Right to nominate a person to exercise rights on death/incapacity
Obligations of Data Fiduciaries
- Purpose limitation: collect only what is needed for stated purpose
- Data minimisation: collect minimum necessary data
- Storage limitation: retain only as long as necessary
- Security safeguards: implement appropriate technical/organizational measures
- Data breach notification: notify Data Protection Board and affected individuals
- Significant Data Fiduciaries (large processors) must appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIA), and carry out data audits
Cross-Border Data Transfers
Personal data may be transferred outside India to countries approved by the Central Government. There is no data localisation requirement for most data (unlike some earlier drafts), but the Government can restrict transfers to specific countries or sectors.
Penalties
| Violation | Penalty |
|---|---|
| Breach of children's data obligations | Up to Rs. 200 crore |
| Failure to implement security safeguards | Up to Rs. 250 crore |
| Breach notification failure | Up to Rs. 200 crore |
| Other violations | Up to Rs. 50 crore |