DPDPA 2023: Structure & Scope
2.1 Legislative Architecture of DPDPA 2023
The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) received Presidential assent on 11th August 2023 and was published in the Gazette of India. Understanding its architecture is fundamental for any data protection practitioner—think of it as knowing the anatomy before performing surgery.
Act Number: 22 of 2023
Date of Assent: 11th August 2023
Chapters: 8
Sections: 44
Schedule: 1 (Penalties)
Commencement: Section 1(2) - Different dates for different provisions as notified by Central Government
As Aristotle observed, "The whole is greater than the sum of its parts." The DPDPA's structure reflects a deliberate design philosophy: it places obligations on fiduciaries before rights of principals (Chapter II before Chapter III), signaling that duty precedes entitlement. This mirrors the Indian constitutional tradition where duties (Article 51A) complement rights (Part III).
Structural Overview: The Eight Chapters
| Chapter | Title | Sections | Core Purpose |
|---|---|---|---|
| I | Preliminary | §1-3 | Title, definitions, applicability |
| II | Obligations of Data Fiduciary | §4-10 | Processing grounds, consent, notice, obligations |
| III | Rights and Duties of Data Principal | §11-15 | Access, correction, erasure, grievance, duties |
| IV | Special Provisions | §16-17 | Cross-border transfer, exemptions |
| V | Data Protection Board of India | §18-26 | Establishment, composition, powers |
| VI | Penalties and Adjudication | §27-32 | Board directions, inquiry procedure, penalties |
| VII | Appeal | §29 | Appeal to TDSAT |
| VIII | Miscellaneous | §33-44 | Penalties schedule, rules, amendments |
2.2 Preamble Analysis
The Preamble of DPDPA 2023 serves as the interpretive compass. Unlike many statutes, DPDPA's Preamble explicitly acknowledges the dual imperative: protecting personal data and enabling lawful processing.
"An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto."
When arguing before the Data Protection Board or courts, always invoke the Preamble's balancing mandate. Neither absolute protection nor unrestricted processing is the Act's intent—it's the golden mean that matters. In Cellular Operators Association v. TRAI (2016) 7 SCC 703, the Supreme Court held that preambles are legitimate aids to interpretation when the language is ambiguous.
Key Interpretive Principles from the Preamble
Rights-Based Approach
- "Right of individuals to protect"
- Individual as central stakeholder
- Data Principal empowerment
- Constitutional backing (Article 21)
Purpose-Based Processing
- "Lawful purposes" as foundation
- Not prohibitive, but regulatory
- Business interests recognized
- Innovation-friendly interpretation
Digital Focus
- "Digital personal data" specificity
- Non-digital data excluded
- Technology-neutral principles
- Future-ready framework
2.3 Chapter I: Preliminary (§1-3)
Short Title & Commencement
§1(1)-(2)
The Act is called "Digital Personal Data Protection Act, 2023." Critically, §1(2) allows staggered commencement—different provisions may come into force on different dates as notified. This enables phased implementation.
Definitions
§2(a)-(zb) — 28 Definitions
The definitional section contains 28 definitions from (a) "Appellate Tribunal" to (zb) "State". Key definitions include Data Principal, Data Fiduciary, Personal Data, Processing, Consent Manager, and Significant Data Fiduciary.
Application of Act
§3(a)-(c)
Establishes territorial scope: applies to digital personal data processed within India (collected digitally or digitised subsequently), and to processing outside India if connected to offering goods/services to Data Principals in India.
Positive Applicability (§3(a)-(b)): Data collected in digital form within India; data collected non-digitally and later digitised; processing outside India for offering goods/services to Indian Data Principals.
Negative Applicability (§3(c)): Does NOT apply to personal/domestic processing by individuals; data made publicly available by the Data Principal herself; data made publicly available pursuant to legal obligation.
Section 3(c)(ii)(B) creates a significant carve-out: if data is made publicly available under a legal mandate (e.g., company director details on MCA portal), DPDPA doesn't apply. However, this doesn't mean unlimited processing—purpose limitation principles from contract law and tort law may still apply.
2.4 Chapter II: Obligations of Data Fiduciary (§4-10)
Chapter II is the operational heart of DPDPA, containing 7 sections that establish the complete framework of fiduciary duties. Think of it as the "Ten Commandments" for data processors (though mercifully only seven).
Chapter II: Flow of Obligations
| Section | Title | Key Requirements |
|---|---|---|
| §4 | Grounds for Processing | Only consent OR legitimate uses; lawful purpose requirement |
| §5 | Notice | Pre-consent notice; itemised personal data; specified purpose; complaint mechanism |
| §6 | Consent | Free, specific, informed, unambiguous; withdrawal rights; granular consent |
| §7 | Certain Legitimate Uses | Employment, voluntary data, State functions, legal compliance, emergencies |
| §8 | General Obligations | Data quality, security safeguards, breach notification, retention limits |
| §9 | Processing of Children's Data | Parental consent; no tracking/behavioural monitoring; no targeted advertising |
| §10 | Significant Data Fiduciary | DPO appointment; Data Protection Impact Assessment; periodic audits |
Section 8(5) mandates "reasonable security safeguards." In litigation, argue by analogy to Yahoo! Inc. Data Breach Litigation (N.D. Cal. 2017) where "reasonableness" was assessed against industry standards. Reference CERT-In guidelines, ISO 27001, and RBI's Cybersecurity Framework to establish the benchmark. The burden shifts to the fiduciary to prove safeguards were reasonable.
2.5 Chapter III: Rights & Duties of Data Principal (§11-15)
Chapter III enshrines the rights of Data Principals while uniquely imposing duties—a feature distinguishing DPDPA from GDPR. This reflects the Indian constitutional philosophy where rights and duties are two sides of the same coin (Article 51A).
Right to Access
§11(1)-(2)
Right to obtain summary of personal data being processed, processing activities, identities of other Data Fiduciaries/Processors with whom data was shared. Exception for law enforcement sharing under §11(2).
Right to Correction & Erasure
§12(1)-(3)
Right to correct inaccurate/misleading data, complete incomplete data, update outdated data, and erase personal data. Erasure subject to specified purpose necessity and legal compliance requirements.
Right to Grievance Redressal
§13(1)-(3)
Right to readily available grievance mechanism. Response within prescribed period. Mandatory exhaustion before approaching the Board—§13(3) creates this as a jurisdictional prerequisite.
Right to Nominate
§14(1)-(2)
Right to nominate another individual to exercise rights in event of death or incapacity. "Incapacity" defined as unsoundness of mind or infirmity of body. A digital estate planning provision.
Duties of Data Principal
§15(a)-(d)
Unique to DPDPA: duties to comply with laws when exercising rights; not furnish false/misleading information; not impersonate; not suppress material information. Breach attracts ₹10,000 penalty.
Section 15 is a double-edged sword. While meant to prevent misuse, it can be weaponised by fiduciaries to resist legitimate requests. If a Data Principal's subject access request is denied citing "false information," challenge by demanding specifics—the burden to prove falsehood is on the fiduciary. Analogize to Central Bureau of Investigation v. V.C. Shukla (1998) 3 SCC 410 where the Court held that procedural requirements can't defeat substantive rights.
2.6 Chapter IV: Special Provisions (§16-17)
Chapter IV contains only two sections but addresses two of the most consequential aspects: cross-border transfers and exemptions. These are the provisions that will likely generate the most litigation and regulatory guidance.
§16: Transfer Outside India
- Central Government may restrict transfers to specified countries
- Negative list approach (restrict, not permit)
- Existing laws with higher protection prevail
- Sectoral regulations continue to apply
- RBI data localization rules unaffected
§17: Exemptions
- §17(1): Exempts from Chapters II & III
  - Legal proceedings (§17(1)(a))
  - Judicial functions (§17(1)(b))
  - Crime investigation (§17(1)(c))
  - Offshore processing (§17(1)(d))
- §17(2): State security exemptions
Section 17 creates a tiered exemption framework:
§17(1): Exempts from Chapter II (except §8(1) and §8(5)) and Chapter III and §16. These are "partial exemptions" preserving basic security obligations.
§17(2): Central Government may exempt processing in interest of sovereignty, security of State, public order, or friendly relations with foreign States. This is "total exemption" by notification.
§17(3): Research, archiving, statistical purposes exemption with conditions.
§17(4)-(5): Startup and small business exemptions subject to notification.
Section 17(2) exemptions must satisfy the Puttaswamy proportionality test. In Modern Dental College v. State of MP (2016) 7 SCC 353, the Supreme Court held that even executive discretion must have judicially manageable standards. When challenging blanket §17(2) notifications, argue: (1) no rational nexus to stated purpose, (2) overbroad scope, (3) lack of procedural safeguards, (4) disproportionate to legitimate aim.
2.7 Chapter V: Data Protection Board of India (§18-26)
Chapter V establishes the Data Protection Board of India (DPB)—the regulatory authority tasked with enforcement. Understanding its structure is essential for anyone appearing before it.
| Section | Subject | Key Provisions |
|---|---|---|
| §18 | Establishment | Central Government to establish DPB; body corporate with perpetual succession |
| §19 | Composition | Chairperson + Members (number to be prescribed); qualifications to be prescribed |
| §20 | Terms & Conditions | Salary, allowances, tenure, removal—all as prescribed |
| §21 | Resignation & Removal | Resignation to Central Government; removal for incapacity, misbehaviour, etc. |
| §22 | Filling Vacancies | Procedure for filling casual vacancies |
| §23 | Powers of Chairperson | Distribution of work; authentication of orders |
| §24 | Officers & Employees | Board may appoint officers/employees; terms as prescribed |
| §25 | Grants | Central Government grants to the Board |
| §26 | Accounts & Audit | Proper accounts; CAG audit; annual report to Central Government |
Nature: Body corporate with perpetual succession and common seal (§18(2))
Independence: §28(1) mandates DPB to function as an "independent body"
Digital Office: §28(1) requires DPB to function as a "digital office" with online proceedings
Jurisdiction: §39 bars civil court jurisdiction for matters within DPB's purview
Powers: Not a court, but exercises quasi-judicial functions
The Srikrishna Committee had recommended a truly independent Data Protection Authority with members having security of tenure and selection by a collegium including CJI. The final DPDPA model gives significant discretion to the Central Government. As Montesquieu warned in The Spirit of Laws: "There is no liberty, if the judiciary power be not separated from the legislative and executive." The independence of DPB remains a potential constitutional question.
2.8 Chapter VI: Penalties & Adjudication (§27-32)
Chapter VI contains the enforcement machinery—the Board's powers to investigate, direct, and penalize. For practitioners, this chapter defines the battlefield.
Directions by Board
Board may issue directions for urgent remedial/mitigation measures, blocking access to services, monetary penalties. Directions binding on Data Fiduciaries.
Powers & Functions
Board functions independently as digital office. May conduct inquiry into complaints, references, breaches. Techno-legal measures as prescribed.
Alternate Dispute Resolution
Board may accept voluntary undertakings. Mediation and settlement encouraged. Reduces litigation load.
Penalty
Penalties as per Schedule. Maximum ₹250 crore for breach notification failure. Board to consider factors including breach nature, gravity, duration, fiduciary conduct.
When representing fiduciaries facing penalties, focus on mitigating factors in §33(2): (a) nature and gravity of breach, (b) duration, (c) type of data, (d) repetitive nature, (e) remedial action taken, (f) voluntary actions, (g) circumstances in which breach occurred. Build a narrative of good faith compliance efforts. Reference Lafarge Aggregates v. Competition Commission (2016) where the Supreme Court reduced penalties considering cooperation and remedial measures.
2.9 Chapter VII: Appeal (§29)
Chapter VII contains a single section establishing the appellate mechanism before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Forum: TDSAT (established under TRAI Act, 1997)
Limitation: 60 days from date of receipt of order
Condonation: Additional 60 days if sufficient cause shown
Fee: As prescribed (Rule to be notified)
Further Appeal: §29(8) allows appeal to Supreme Court on substantial question of law
Timeline: TDSAT to decide within 6 months "as far as practicable"
TDSAT was originally created for telecom disputes. Its expertise is in competition and licensing matters. Data protection involves fundamentally different legal questions—privacy, consent validity, proportionality. Practitioners should build arguments that educate the tribunal on data protection principles. Reference international data protection jurisprudence (UK ICO decisions, Irish DPC decisions) as persuasive authority.
2.10 Chapter VIII: Miscellaneous (§33-44)
Chapter VIII contains the standard miscellaneous provisions found in Indian statutes, but some provisions deserve close attention from practitioners.
| Section | Subject | Practical Significance |
|---|---|---|
| §33 | Penalty | Core penalty provision; factors for quantum determination |
| §34 | No Double Penalty | Protection against multiple penalties for same breach |
| §35 | Offences by Companies | Director liability; "in charge" and "consent/connivance" tests |
| §36 | Cognizance | Only on Board complaint; 2-year limitation |
| §38 | Act Not in Derogation | DPDPA additional to, not replacing, other laws; prevails in conflict |
| §39 | Civil Court Bar | No civil court jurisdiction for DPB matters; no injunctions against Board |
| §40 | Rule-Making Power | Central Government's delegated legislation authority |
| §42 | Amendment of Schedule | Can increase penalties up to 2x original; notification method |
| §44 | Amendments to Other Acts | Consequential amendments to TRAI Act, IT Act |
Section 35 imposes liability on persons "in charge of" and "responsible for" conduct of company business. This mirrors §141 of Negotiable Instruments Act. Use the defence framework from Aneeta Hada v. Godfather Travels (2012) 5 SCC 661: liability requires specific averments, not generic allegations. Challenge notices that don't specify the director's actual role in the alleged violation.
2.11 The Schedule: Penalty Framework
The Schedule to DPDPA 2023 prescribes penalties for various breaches. Understanding the penalty tiers is crucial for risk assessment and client advisory.
| S.No. | Breach Description | Maximum Penalty |
|---|---|---|
| 1 | Breach of §8(5) (Security safeguards) resulting in personal data breach | ₹250 Crore |
| 2 | Breach of §8(6) (Breach notification to Board and Data Principals) | ₹200 Crore |
| 3 | Breach of §10 (Additional obligations of Significant Data Fiduciary) | ₹150 Crore |
| 4 | Breach of §9 (Processing of children's data) | ₹200 Crore |
| 5 | Breach of §15 (Duties of Data Principal) | ₹10,000 |
| 6 | Breach of any other provision | ₹50 Crore |
Highest (₹250 Cr): Security breach—reflects priority on prevention
High (₹200 Cr): Breach notification failure; children's data—transparency and vulnerability protection
Moderate (₹150 Cr): SDF compliance—systematic governance
Residual (₹50 Cr): All other breaches—catch-all
Lowest (₹10,000): Data Principal duties—individual accountability
Section 42 empowers the Central Government to double penalties by notification. This means the ₹250 crore ceiling could become ₹500 crore. Monitor Government notifications carefully. Advise clients to build compliance buffers assuming potential escalation.
2.12 DPDP Rules 2025: Delegated Legislation
The Digital Personal Data Protection Rules, 2025 (Draft) were published on 3rd January 2025 for public consultation. These rules operationalize DPDPA provisions and are essential for compliance implementation.
Key Rules Overview
Notice Requirements
Notice must be standalone, in clear language, and must contain an itemised description of the personal data, the specified purpose, the consent withdrawal mechanism, and information on how to exercise rights.
Consent Manager Registration
Requirements for registration as Consent Manager, technical standards, interoperability requirements, audit obligations.
Security Safeguards
Encryption standards, access controls, security protocols, incident response requirements, audit trail maintenance.
Grievance Redressal
Timeline for response (to be specified), escalation mechanism, documentation requirements, Data Principal communication standards.
The Rules contain specific operational requirements that exceed what the parent Act mandates. Build compliance programs now based on Draft Rules—even if final rules differ, the direction is clear. Organizations that wait for final notification will face rushed implementation and higher breach risk.