What is the Digital Personal Data Protection (DPDP) Act, 2023?

1 min read
What is the Digital Personal Data Protection (DPDP) Act, 2023? Blog Image


The Central Government recently said that companies/entities may be given around a year’s time, and even some more to smaller organisations or startups, to comply with norms of Digital Personal Data Protection (DPDP) Act, 2023.

About Digital Personal Data Protection (DPDP) Act, 2023

  • The DPDP Act is a legal framework introduced in India to safeguard the personal data of individuals and ensure that their data is shared only with their consent. 
  • It regulates the processing of digital personal data and outlines various provisions to protect individuals’ privacy in the digital age.
  • Applicability:
    • It applies to the processing of digital personal data within the territory of Indicollected online or collected offline and later digitized.
    • It is also applicable to processing digital personal data outside the territory of India, if it involves providing goods or services to the data principals within the territory of India
  • Evolution:
    • The conceptual basis of the DPDP Act is the report of the Expert Committee set up under the chairmanship of Justice BN Srikrishna, which led to the introduction of the Personal Data Protection Act in 2019. 
    • After several iterations and consultations, the Digital Personal Data Protection Act, 2023, was introduced and subsequently passed by both the Lok Sabha and the Rajya Sabha. 
  • Key Stakeholders:
    • Data Principal (DP): – the data owner.
      • DP could be individuals or entities whose data is to be protected.
      • The DP has to give written consent to generate and process the data indicating the specific purpose of its use.
      • DP can withdraw the consent at any time or can restrict its use. 
    • Data Fiduciary– A data collecting, storing, and sharing entity.
    • A data fiduciary also acts as a “Consent Manager” who enables a DP to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.
    • The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries, on the basis of an assessment of relevant factors when they turn out to be systemically significant. 
    • Data Processor–an entity processing the data on behalf of a data fiduciaryBoth Data fiduciary and data processor could also be the same in certain small entities. 
    • Data Protection Officer (DPO):  – could be any individual appointed as DPO by a Data Fiduciary under the provisions of this Act. 
  • Other Provisions:
    • Citizen’s Rights: Under data principal rights, individuals also have the right to information, right to correction and erasure, right to grievance redressal, and right to nominate any other person to exercise these rights in the event of the individual’s death or incapacity.
    • Establishment of a Data Protection Board of India (DPBI): 
      • It will function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between relevant parties.
      • As an independent regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s provisions and impose penalties accordingly. 
      • The appointment of the chief executive and board members of the Data Protection Board will be carried out by the central government.
      • An appeal against any order of the DPBI shall lie with the High Court. The High Court could take up any breach Suo moto. 
      • No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.  
    • Penalty for infringement: 
    • The Act does not impose criminal penalties for non-compliance.
    • The financial penalty could range from as high as Rs. 250 crores to a data fiduciary or data processor to as low as Rs.10000 to a data principal (the owner of data).
    • Conflict with existing laws: 
    • The provisions of the DPDP Act will be in addition to and not supersede any other law currently in effect. 
    • However, in case of any conflict between a provision of this Act and a provision of any other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.


Q1) What is an adjudicatory body?

An adjudicatory body is an organization, tribunal, or panel established to make legal judgments, decisions, or rulings on specific matters or disputes. These bodies are typically responsible for resolving disputes, interpreting and applying laws and regulations, and ensuring fair and impartial decision-making in various areas of law and governance. Adjudicatory bodies may have different names and functions depending on their jurisdiction and the specific issues they address. 

Source: Entities may be given a year’s time to comply with DPDP Act: Government