Introduction to DPDPA 2023
The Digital Personal Data Protection Act, 2023 (DPDPA) was enacted on August 11, 2023, marking India's first comprehensive data protection legislation. This law has significant implications for cyber crime investigators, both in terms of investigating data breaches and ensuring their own compliance during investigations.
By the end of this part, you will be able to:
- Understand the DPDPA 2023 framework and key definitions
- Identify data fiduciary obligations relevant to investigations
- Apply breach notification and investigation requirements
- Understand the role of the Data Protection Board
- Navigate the penalty framework under DPDPA
As of early 2026, the DPDPA 2023 is being brought into force in phases. The Central Government makes rules under Section 40 to operationalize its provisions, including the form, manner and timelines of breach notification, which the Act itself leaves to be prescribed. Investigators should check the rules and notifications in force at the time of the conduct under investigation before assessing compliance.
Key Definitions Under DPDPA 2023
Understanding the key terms is essential for applying DPDPA in cyber crime investigations.
Digital Personal Data (Section 2(n))
Personal data that is in digital form. This includes data collected in digital form or data collected in non-digital form and later digitized.
Personal Data (Section 2(t))
Any data about an individual who is identifiable by or in relation to such data. Example: Name, email address, phone number, Aadhaar number, IP address, biometric data, etc.
Data Principal (Section 2(j))
The individual to whom the personal data relates. In the case of a child (a person under 18 years of age), this includes the parents or lawful guardian; in the case of a person with disability, it includes the lawful guardian acting on their behalf.
Data Fiduciary (Section 2(i))
Any person who alone or in conjunction with others determines the purpose and means of processing personal data. Examples: Companies, government departments, hospitals, e-commerce platforms.
Data Processor (Section 2(k))
Any person who processes personal data on behalf of a Data Fiduciary. Examples: Cloud service providers, payroll processors, IT service companies.
Significant Data Fiduciary (Section 2(x))
A Data Fiduciary, or class of Data Fiduciaries, notified as such by the Central Government under Section 10 on the basis of factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, security of the State and public order, and other factors the Government considers relevant. The status follows from notification, not from self-assessment.
Personal Data Breach (Section 2(u))
Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data that compromises confidentiality, integrity, or availability.
Obligations of Data Fiduciaries
Data Fiduciaries have several obligations under DPDPA 2023 that are relevant to cyber crime investigations.
General Obligations (Sections 4 to 8)
- Lawful Purpose (Section 4): Process personal data only for a lawful purpose, either with the Data Principal's consent or for one of the "certain legitimate uses" listed in Section 7
- Notice (Section 5): Give the Data Principal notice of the personal data to be processed, the purpose, and how to withdraw consent and raise a grievance
- Consent (Section 6): Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action
- Data Accuracy (Section 8(3)): Ensure completeness, accuracy and consistency of personal data that is used to make a decision affecting the Data Principal or disclosed to another Data Fiduciary
- Data Retention (Section 8(7)): Erase personal data when consent is withdrawn or the specified purpose is no longer served, unless retention is required by law
- Security Safeguards (Section 8(4) and 8(5)): Implement appropriate technical and organizational measures, and reasonable security safeguards, to prevent a personal data breach
Obligations of Significant Data Fiduciaries (Section 10)
Additional obligations for Data Fiduciaries that the Central Government has notified as Significant Data Fiduciaries:
- Appoint a Data Protection Officer (DPO) based in India
- Appoint an Independent Data Auditor
- Conduct periodic Data Protection Impact Assessment (DPIA)
- Conduct periodic audits
- Additional compliance requirements as notified
When investigating a data breach at a company:
- Check if the company is a Data Fiduciary under DPDPA
- Verify if it is a Significant Data Fiduciary (SDF)
- Review their compliance with security safeguards obligation
- Check if they have DPO and audit records (if SDF)
- Examine breach notification compliance
Data Breach Investigation Requirements
DPDPA 2023 mandates specific actions when a personal data breach occurs.
Breach Notification Obligations (Section 8(6))
In the event of a personal data breach, the Data Fiduciary must:
- Intimate the Data Protection Board of India (DPBI) about the breach
- Intimate each affected Data Principal about the breach
- Notification must be in the form and manner, and within the timelines, prescribed by rules made by the Central Government; the Act itself does not fix a deadline, so check the rules in force on the date of the breach
Data Breach Response Flow (summarized from the obligations above): breach detected or reported to the Data Fiduciary, then intimation to the DPBI and to each affected Data Principal in the prescribed manner, then DPBI inquiry and, where warranted, remedial directions, penalty, or referral of criminal aspects to law enforcement.
What Investigators Should Examine
When investigating a data breach under DPDPA:
- Breach notification compliance: Were the DPBI and the affected Data Principals notified? When, and in the prescribed form?
- Security measures: What safeguards were in place? Were they reasonable?
- Breach cause: Was it a cyber attack, insider threat, accidental disclosure, or negligence?
- Scope of breach: What data was compromised? How many individuals affected?
- Prior compliance: Were there past breaches? What corrective actions were taken?
- DPIA records: For SDFs, was a Data Protection Impact Assessment conducted?
Data Protection Board of India
The Data Protection Board of India (DPBI) is the regulatory authority established under DPDPA 2023.
Composition and Nature (Sections 18 to 28)
- Independent body established by the Central Government
- Chairperson and Members appointed by Central Government
- Functions as a digital office - proceedings to be conducted digitally
- Not a court, but has the powers of a civil court for certain purposes, such as summoning and enforcing attendance of persons, receiving evidence on affidavit, and requiring production of documents and data
Functions and Powers
- Receive complaints from Data Principals about violations
- Inquire into complaints and breaches
- Impose penalties for violations of DPDPA
- Direct Data Fiduciaries to take remedial measures
- Accept voluntary undertakings from Data Fiduciaries
- Refer matters involving criminal liability to other authorities
The DPBI handles administrative/civil violations of DPDPA 2023. If a data breach involves criminal activity (hacking, data theft, etc.), the matter should be:
- Reported to police under the IT Act (Section 66 and its related offences, such as 66C and 66D) and applicable BNS provisions; note that IT Act Section 43A is a civil compensation provision, not a police-reportable offence
- DPBI may refer criminal aspects to law enforcement
- Run as parallel proceedings: DPBI for compliance violations, police and courts for criminal offences
Penalty Framework
DPDPA 2023 prescribes significant monetary penalties for various violations. The Schedule to the Act specifies the maximum penalty for each category; the Board decides the actual amount after an inquiry, taking into account factors such as the nature, gravity and duration of the breach, the type of personal data affected, and whether the breach was repeated.
⚖ Failure to Take Security Safeguards (Personal Data Breach): up to Rs. 250 crore
For failure to implement reasonable security safeguards to prevent personal data breaches, as required under Section 8(5).
⚖ Failure to Notify Breach: up to Rs. 200 crore
For failure to notify the Data Protection Board and affected Data Principals about a personal data breach under Section 8(6).
⚖ Non-Compliance in Processing Children's Data: up to Rs. 200 crore
For processing children's personal data in violation of the Act's provisions (Section 9).
⚖ Significant Data Fiduciary Obligations: up to Rs. 150 crore
For failure to comply with the additional obligations of an SDF - DPO appointment, independent audits, DPIA (Section 10).
⚖ General Non-Compliance: up to Rs. 50 crore
For other violations of DPDPA provisions not specifically covered above. (The Schedule also provides a penalty of up to Rs. 10,000 for a Data Principal who breaches the duties in Section 15, for example by filing a false or frivolous complaint.)
DPDPA penalties are administrative/civil in nature and are imposed on the Data Fiduciary, not on the attacker. A data breach may also attract liability under other laws:
- IT Act Section 43A: Compensation for failure to protect sensitive personal data (civil). DPDPA Section 44 provides for Section 43A to be omitted from the IT Act; check whether that amendment has been brought into force for the period under investigation
- IT Act Section 72: Breach of confidentiality and privacy (criminal - up to 2 years)
- IT Act Section 72A: Disclosure of information in breach of a lawful contract (criminal - up to 3 years)
- BNS provisions: For associated offences such as cheating, criminal breach of trust, and extortion
Exemptions Relevant to Law Enforcement
DPDPA 2023 provides certain exemptions that are relevant to law enforcement and investigations.
Section 17: Exemptions
Section 17(1) exempts the following processing from most of the Act's requirements (specifically Chapter II other than Sections 8(1) and 8(5), Chapter III, and Section 16):
- Prevention, detection, investigation, or prosecution of offences
- Enforcement of legal rights or claims
- Performance of judicial or quasi-judicial functions by courts and tribunals
Section 17(2) allows the Central Government to exempt, by notification, processing by a State instrumentality in the interest of:
- Sovereignty and integrity of India
- Security of the State
- Friendly relations with foreign States
- Maintenance of public order, or preventing incitement to a cognizable offence relating to any of these
Separately, Section 3 excludes processing by an individual for personal or domestic purposes from the Act altogether.
What this means for investigators:
- Law enforcement processing personal data for the investigation of an offence is exempt from the DPDPA consent, notice and Data Principal rights requirements
- This includes collecting suspect data, accessing victim information, etc.
- The exemption is not total: Sections 8(1) and 8(5) continue to apply, so an agency holding personal data obtained during an investigation must still keep reasonable security safeguards over it
- This does NOT mean unlimited power - other laws (IT Act, CrPC/BNSS, constitutional provisions including the right to privacy) still apply
- Evidence must still be collected following proper legal procedures
DPDPA and Cyber Crime: Practical Scenarios
Scenario 1: Investigating a Data Breach at a Company
- Determine if the company is a Data Fiduciary (likely yes)
- Check if it's a Significant Data Fiduciary (check Central Government notifications under Section 10)
- Verify breach notification compliance - did they notify DPBI and affected persons?
- Examine security measures that were in place
- Determine cause - was it cyber attack (apply IT Act 66, etc.) or negligence?
- Document evidence for both DPBI proceedings and criminal prosecution if applicable
Scenario 2: Accessing Personal Data During Investigation
- DPDPA exempts law enforcement processing for crime investigation
- However, still need proper legal authority (warrant, Section 91 CrPC/BNSS 94)
- For interception/monitoring, follow IT Act Section 69 procedure
- Document the legal basis for accessing data
- Minimize data collection to what's necessary for investigation
Scenario 3: Third-Party Data Processor Involvement
- If the breach originated at a Data Processor (e.g., a cloud provider), the Data Fiduciary remains responsible under Section 8(1) for compliance in respect of processing done on its behalf, irrespective of any agreement to the contrary
- The processor's obligations to the fiduciary are governed by their contract (Section 8(2)); the fiduciary may recover from the processor contractually, but that does not shift DPDPA liability
- The processor's systems may need to be investigated as well, since the breach cause, scope and timeline evidence will sit there
- Cross-border issues arise if the processor is outside India: Section 16 permits transfer of personal data abroad except to countries the Central Government restricts by notification, and evidence collection from a foreign processor will require mutual legal assistance or the processor's cooperation
Key Takeaways
- DPDPA 2023 is India's first comprehensive data protection law, enacted August 2023
- Data Fiduciaries must implement security safeguards and notify breaches to DPBI and affected individuals
- Significant Data Fiduciaries have additional obligations including DPO appointment and audits
- Penalties are substantial - up to Rs. 250 Crores for security failures
- Data Protection Board handles administrative violations; criminal matters go to police/courts
- Law enforcement is exempt from consent requirements when investigating crimes
- Exemption doesn't mean unlimited power - proper legal procedures must still be followed
- Data breaches may involve both DPDPA violations and IT Act criminal offenses