{"id":75254,"date":"2025-11-26T18:12:26","date_gmt":"2025-11-26T12:42:26","guid":{"rendered":"https:\/\/vajiramandravi.com\/current-affairs\/?p=75254"},"modified":"2025-11-26T18:12:26","modified_gmt":"2025-11-26T12:42:26","slug":"dpdp-act-2023","status":"publish","type":"post","link":"https:\/\/vajiramandravi.com\/current-affairs\/dpdp-act-2023\/","title":{"rendered":"DPDP Act 2023, DPDP Rules 2025, Objectives, Provisions"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, completing the full operationalisation of the DPDP Act 2023. Together, the Act and the Rules establish a clear, citizen-centric framework for the responsible handling of digital personal data. They balance the protection of individual rights with the need for lawful and accountable data processing. The detailed article has been shared below.<\/span><\/p>\n<h2><b>Digital Personal Data Protection (DPDP) Act 2023<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The Digital Personal Data Protection (DPDP) Act 2023, enacted in August 2023, establishes India\u2019s legal framework for safeguarding digital personal data. It outlines the responsibilities of organisations that process such data and adopts the <\/span><b>SARAL<\/b><span style=\"font-weight: 400;\"> approach: <\/span><b>Simple, Accessible, Rational, and Actionable<\/b><span style=\"font-weight: 400;\">, to ensure the law remains easy to understand and implement. The framework also seeks to balance the individual <\/span><b><a href=\"https:\/\/vajiramandravi.com\/upsc-exam\/right-to-privacy\/\" target=\"_blank\">Right to Privacy<\/a> under Article 21 <\/b><span style=\"font-weight: 400;\">of the Indian Constitution with transparency by aligning its provisions with the <\/span><b>Right to Information (RTI) Act, 2005<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><b>DPDP Act 2023 Objectives<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The objective of the DPDP Act 2023 is to make sure that people\u2019s personal information is kept private and protected while, at the same time, allowing certain types of data to be processed (for example, legally, securely, and appropriately) by both government and business entities. The purpose of the DPDP Act 2023 has been shared below.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Safeguarding Individual Privacy: <\/b><span style=\"font-weight: 400;\">Provides a legal framework to protect personal data, prevent misuse, and limit unauthorised access or surveillance.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Ensuring Responsible Data Processing: <\/b><span style=\"font-weight: 400;\">Allows data processing only for lawful purposes with user consent, ensuring accuracy, security, and timely deletion.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Consent-Centric Data Governance: <\/b><span style=\"font-weight: 400;\">Requires clear, informed consent with the option to withdraw anytime; mandates parental consent for minors and persons with disabilities.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Balancing Privacy with Digital Innovation:<\/b><span style=\"font-weight: 400;\"> Reduces compliance burden for startups and small entities while imposing stricter obligations on major data processors.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Secure Cross-Border Data Flow: <\/b><span style=\"font-weight: 400;\">Permits international data transfers to government-approved countries, supporting global digital operations with safeguards.<\/span><\/li>\n<\/ul>\n<p><strong>Also Read: <a href=\"https:\/\/vajiramandravi.com\/current-affairs\/consumer-protection-act-1986\/\" target=\"_blank\">Consumer Protection Act 1986<\/a><\/strong><\/p>\n<h2><b>DPDP Act 2023 Features<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Establishes a consent-based system where personal data can be processed only with clear, informed, and revocable consent of the individual.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Introduces rights for individuals, including the right to access, correct, erase personal data, and the right to grievance redressal.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Provides special protections for children\u2019s data by requiring parental consent and prohibiting harmful data-processing practices.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Allows classification of certain entities as <\/span><b>Significant Data Fiduciaries<\/b><span style=\"font-weight: 400;\">, imposing stricter obligations like data audits and impact assessments.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Includes provisions for government-notified exemptions in the interest of national security, public order, and research.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Permits cross-border data transfers to approved countries while ensuring adequate protection safeguards.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Follows the SARAL principle to keep rules simple, clear, and easy to implement for individuals and organisations.<\/span><\/li>\n<\/ul>\n<h2><b>Justice BN Srikrishna Committee<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">\u00a0The Justice BN Srikrishna Committee was set up to study global data protection practices and recommend a comprehensive framework for India, which laid the groundwork for the initial draft of the DPDP Act.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The DPDP Act 2023 and subsequent DPDP Rules 2025 were finalised through public consultations and parliamentary enactment. The Ministry of Electronics and Information Technology carried forward the Committee\u2019s recommendations to create India\u2019s citizen-centric data protection framework.<\/span><\/p>\n<h2><b>DPDP Act 2023 Provisions<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The DPDP Act 2023 lays down a comprehensive legal framework for processing digital personal data in a lawful, transparent, and accountable manner. It outlines the rights of individuals, obligations of organisations, rules for consent, and a graded system of penalties for violations.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The Act permits cross-border transfer of personal data to countries approved by the government, ensuring controlled and secure data flow.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Personal data may be retained for up to three years from the last interaction, with mandatory 48-hour prior notice to the Data Principal before erasure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A digital-first <\/span><b>Data Protection Board of India (DPBI)<\/b><span style=\"font-weight: 400;\"> is established to handle consent, grievances, and enforcement through an online system for faster resolution.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Major digital platforms with large user bases, such as social media and e-commerce giants, are designated as Significant Data Fiduciaries with enhanced obligations.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The DPDP Act 2023 prescribes stringent monetary penalties for breaches by Data Fiduciaries. The maximum fine of <\/span><b>up to \u20b9250 crore<\/b><span style=\"font-weight: 400;\"> is imposed for failing to implement adequate security safeguards.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Penalties of <\/span><b>up to \u20b9200 crore<\/b><span style=\"font-weight: 400;\"> may apply for not reporting a data breach or violating obligations related to children\u2019s data. For all other forms of non-compliance with the Act or its Rules, fines can go <\/span><b>up to \u20b950 crore<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<h2><b>Data Protection Board of India<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A central pillar of the DPDP Act 2023 is the creation of the Data Protection Board of India, a dedicated authority to regulate compliance and address grievances.<\/span><\/p>\n<p><b>Structure and Appointment<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Members are appointed by the Central Government.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Tenure is two years, with eligibility for reappointment.<\/span><\/li>\n<\/ul>\n<p><b>Data Protection Board of India (DPBI) Functions<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enforcing compliance with the DPDP Act 2023.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Monitoring and responding to data breaches.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Investigating complaints and imposing penalties.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Coordinating with organisations during breach incidents.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Providing an online, digital-first grievance mechanism.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Facilitating appeals to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).<\/span><\/li>\n<\/ul>\n<h2><b>DPDP Rules 2025<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The DPDP Rules 2025 provide detailed procedures, compliance timelines, and mechanisms to implement the DPDP Act 2023 effectively. They ensure citizen rights, secure data handling, and transparent grievance redressal while guiding organisations on responsible digital data management.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">DPDP Rules 2025 strengthen citizen rights, ensure responsible data use by organisations and curb unauthorised use of personal data.\u00a0\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The Digital Personal Data Protection Rule reduces digital harms, supports innovation and helps build a secure, trusted digital economy for India.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The DPDP framework puts citizens at the centre of data protection, giving them clear control over how their personal data is used.<\/span><\/li>\n<\/ul>\n<p><strong>Also Read: <a href=\"https:\/\/vajiramandravi.com\/current-affairs\/protection-of-human-rights-act-1993\/\" target=\"_blank\">Protection of Human Rights Act 1993<\/a><\/strong><\/p>\n<h2><b>How the DPDP Rules 2025 Empower Individuals<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The DPDP framework strengthens citizen-centric privacy by giving individuals full control over how their personal data is collected, used, and protected. It ensures clear rights, transparent processes, and strict accountability for all Data Fiduciaries.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Give or Refuse Consent:<\/b><span style=\"font-weight: 400;\"> Individuals can allow, deny, or withdraw consent anytime, and it must always be clear and informed.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Know How Data Is Used:<\/b><span style=\"font-weight: 400;\"> Citizens may seek simple, clear information on what data is collected and why.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Access Personal Data:<\/b><span style=\"font-weight: 400;\"> Individuals can request a copy of their personal data held by any Data Fiduciary.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Correct or Update Data:<\/b><span style=\"font-weight: 400;\"> People may ask for corrections or updates when data is inaccurate or outdated.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Erasure:<\/b><span style=\"font-weight: 400;\"> Personal data can be requested for deletion, and the Data Fiduciary must act within the allowed timeframe.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Right to Nominate Another Person:<\/b><span style=\"font-weight: 400;\"> Individuals can appoint someone to exercise their data rights on their behalf.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Mandatory 90-Day Response:<\/b><span style=\"font-weight: 400;\"> All requests for access, correction, updating, or deletion must be resolved within 90 days.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Breach Notification:<\/b><span style=\"font-weight: 400;\"> Individuals must be informed promptly with clear details if their data is compromised.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Contact Point for Queries:<\/b><span style=\"font-weight: 400;\"> Every Data Fiduciary must provide an accessible officer or DPO for grievance and query handling.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Protection for Children:<\/b><span style=\"font-weight: 400;\"> Processing children\u2019s data requires verifiable parental\/guardian consent except for essential services.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Protection for Persons with Disabilities:<\/b><span style=\"font-weight: 400;\"> Consent must come from a verified lawful guardian when the individual cannot decide independently.<\/span><\/li>\n<\/ul>\n<h2><b>Challenges and Criticisms of the DPDP Act 2023<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The DPDP Act 2023 faces several concerns regarding its implementation, enforcement, and impact on individual privacy. Many experts argue that certain provisions may dilute accountability and grant excessive powers to the government.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The Act grants wide exemptions to government bodies, which can weaken transparency and reduce accountability in how citizens\u2019 data is handled.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It gives the government broad authority to access, process, or block data, creating concerns about potential overreach and surveillance.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The absence of a fully independent regulatory authority limits neutral oversight and may affect fair enforcement of data protection rules.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Some key terms remain loosely defined, leading to confusion among organizations about proper compliance and interpretation of obligations.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The Act places minimal restrictions on cross-border data transfers, raising questions about data security and exposure to foreign laws.<\/span><\/li>\n<\/ul>\n<h2><b>Way Forward<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Strengthen Independent Oversight: <\/b><span style=\"font-weight: 400;\">Establish a more autonomous regulatory body to enhance public trust. For example, creating an independent Privacy Commission similar to the UK\u2019s ICO can ensure impartial supervision.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Improve Citizen Awareness:<\/b><span style=\"font-weight: 400;\"> Launch large-scale digital literacy campaigns on consent, data rights, and grievance mechanisms. Like the RBI&#8217;s \u201cRBI Kehta Hai\u201d campaign, a nationwide \u201cData Suraksha\u201d campaign could educate citizens.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Streamline Compliance for Startups: <\/b><span style=\"font-weight: 400;\">Provide toolkits, model privacy policies, and simplified reporting formats for smaller firms. For instance, a government-issued \u201cStartup Compliance Sandbox\u201d could reduce operational burden.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Enhance Data Security Standards: <\/b><span style=\"font-weight: 400;\">Mandate periodic security audits and certifications for high-risk platforms. A system akin to ISO 27001 certification could be adapted as an Indian standard for digital platforms.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Promote Privacy-by-Design Innovation:<\/b><span style=\"font-weight: 400;\"> Encourage companies to embed privacy features in new technologies. For example, apps could use automatic data minimisation or end-to-end encryption by default.<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Digital Personal Data Protection DPDP Act 2023 and DPDP Rules 2025 explain India\u2019s data privacy rights, consent rules, penalties and citizen-centric digital data safeguards.<\/p>\n","protected":false},"author":27,"featured_media":74567,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[786],"tags":[3901],"class_list":{"0":"post-75254","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-general-studies","8":"tag-dpdp-act-2023","9":"no-featured-image-padding"},"acf":[],"_links":{"self":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts\/75254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/comments?post=75254"}],"version-history":[{"count":0,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/posts\/75254\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/media\/74567"}],"wp:attachment":[{"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/media?parent=75254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/categories?post=75254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vajiramandravi.com\/current-affairs\/wp-json\/wp\/v2\/tags?post=75254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}