🏛️ Overview of DPDPA 2023

The Digital Personal Data Protection Act, 2023 received Presidential assent on August 11, 2023. It establishes a comprehensive framework for processing digital personal data in India, balancing individual privacy rights with legitimate data processing needs.

Applicability (Section 3)

DPDPA applies to processing of digital personal data within India where:

  • Data is collected online, OR
  • Data is collected offline and subsequently digitized

It also applies to processing outside India if related to offering goods/services or profiling individuals in India.

📖 Key Definitions (Section 2)

  • Data Principal (Section 2(j)): The individual to whom the personal data relates. In the case of a child, this includes the parent or lawful guardian.
  • Data Fiduciary (Section 2(i)): Any person who alone or with others determines the purpose and means of processing personal data.
  • Data Processor (Section 2(k)): Any person who processes personal data on behalf of a Data Fiduciary.
  • Personal Data (Section 2(t)): Any data about an individual who is identifiable by or in relation to such data.
  • Consent (Section 6): A free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes through clear affirmative action.
  • Significant Data Fiduciary (Section 10): A Data Fiduciary notified by the Government based on the volume and sensitivity of data processed, risk to sovereignty, etc.

✅ Consent Framework (Section 6-7)

Consent is the cornerstone of DPDPA. Processing is lawful only with valid consent or under specified legitimate uses.

Notice Requirements (Section 5)

Before or at the time of collecting data, the Data Fiduciary must provide notice containing:

  • Personal data being collected and purpose of processing
  • How Data Principal can exercise their rights
  • How to make complaints to the Data Protection Board

Legitimate Uses Without Consent (Section 7)

Ground              Description
Specified Purpose   Data Principal voluntarily provides data for a specific purpose
State Functions     Permits, licenses, benefits, or services provided by the State
Legal Obligation    Compliance with law, court order, or judgment
Medical Emergency   Threat to life or health of the Data Principal or others
Employment          Purposes of employment (safeguards apply)
Public Interest     Specified purposes such as credit scoring and debt recovery

👤 Rights of Data Principals (Section 11-14)

📄 Right to Access (Section 11)
Obtain a summary of personal data being processed and the processing activities

✏️ Right to Correction (Section 12)
Correct inaccurate, incomplete, or misleading personal data

🗑️ Right to Erasure (Section 12)
Erase personal data no longer necessary for the purpose for which it was collected

👁️ Right to Grievance Redressal (Section 13)
Seek redressal from the Data Fiduciary and the Board

👤 Right to Nominate (Section 14)
Nominate another person to exercise these rights in case of death or incapacity

💡 Example: Exercising Right to Erasure

Scenario: Priya signed up for an e-commerce platform but deleted her account 2 years ago. She discovers the platform still holds her data.

Action: Priya can exercise her Right to Erasure under Section 12. The platform must erase her data unless retention is required by law or for a legitimate purpose (which must be specified).

🏢 Obligations of Data Fiduciaries (Section 8-10)

General Obligations (Section 8)

  • Purpose Limitation: Process only for specified purpose
  • Data Minimization: Collect only necessary data
  • Accuracy: Ensure data is accurate and complete
  • Storage Limitation: Retain only as long as necessary
  • Security Safeguards: Implement reasonable security measures
  • Breach Notification: Notify Board and Data Principals of breaches
  • Erasure: Erase data when purpose fulfilled or consent withdrawn

Significant Data Fiduciary Obligations (Section 10)

SDFs have additional obligations:

  • Appoint Data Protection Officer (based in India)
  • Appoint Independent Data Auditor
  • Conduct Data Protection Impact Assessment
  • Periodic audits and compliance reporting

💰 Penalties Under DPDPA (Schedule)

⚠️ Penalty Framework

Violation                                          Maximum Penalty
Failure to take security safeguards (breach)       ₹250 Crore
Failure to notify breach to Board and Principal    ₹200 Crore
Non-compliance with children's data provisions     ₹200 Crore
Non-compliance with additional SDF obligations     ₹150 Crore
Breach of other provisions                         ₹50 Crore
Breach by Data Principal (false complaint, etc.)   ₹10,000

🏛️ Data Protection Board of India (Section 18-26)

DPDPA establishes the Data Protection Board of India as the adjudicating body:

  • Receives complaints from Data Principals
  • Inquires into alleged violations
  • Imposes penalties
  • Can direct Data Fiduciaries to take corrective measures
  • Appeals against Board orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT)

✅ Key Point: No Private Right of Action

Unlike GDPR, DPDPA does not provide for direct private lawsuits. Data Principals must file complaints with the Data Protection Board. This is a significant limitation for individual remedies.

📝 Part 12.1 Quiz

Q1: DPDPA received Presidential assent in:

Q2: Maximum penalty under DPDPA is:

Q3: "Data Fiduciary" is defined in Section:

Q4: Consent under DPDPA must be:

Q5: Significant Data Fiduciary must appoint:

Q6: Appeals against Data Protection Board go to:

Q7: DPDPA allows private right of action:

Q8: Which is NOT a legitimate use without consent?

Q9: Penalty for breach of children's data provisions:

Q10: Data Principal can nominate another person under: