An Overview of India's Digital Personal Data Protection Act (DPDPA) of 2023

Read this blog post for a high-level overview of the Digital Personal Data Protection Act (DPDPA) of 2023, the new privacy law in India.

The Digital Personal Data Protection Act (DPDPA) 2023 was enacted after more than a decade of effort to adopt a comprehensive data protection regime for India. It became law on August 11, 2023, following assent by the President of India and publication in the official gazette, having cleared Parliament the same week.

The law is meant to provide for the processing of digital personal data in a manner that safeguards the rights of individuals and ensures that the processing is done for lawful purposes. The enormous rise in the use of digital platforms and services over the past few years, together with a lack of adequate legal and regulatory measures, had necessitated the enactment of a data protection bill. Prior to the DPDPA, India did not have a standalone law on data protection, and the processing of personal data was largely regulated under the Information Technology (IT) Act, 2000.

The Evolution of India's Data Privacy Regime

The DPDPA didn’t appear out of a vacuum. Its trajectory highlights a shifting focus toward balancing economic interests with fundamental human rights:

  • 2017 (The Puttaswamy Judgment): The Supreme Court of India recognized privacy as a fundamental right under the Constitution and recommended the prompt enactment of a robust Data Protection (DP) law.
  • The Justice Srikrishna Committee: A committee of experts produced a foundational whitepaper and an initial draft bill for the government’s consideration.
  • The Personal Data Protection Bill, 2019: Refined by the Ministry of Electronics and Information Technology (MeitY).
  • The Data Protection Bill, 2021: A substantive framework revised and presented by the Joint Parliamentary Committee (JPC) on Data Protection.
  • The Digital Personal Data Protection Bill, 2022: MeitY updated the JPC version, introducing significant departures from the approach seen in previous drafts. Following extensive public consultation, the text was finalized into the current law.

This Act is a manifestation of India’s digital journey, balancing economic, national security, and data protection concerns while blending regulatory theory with pragmatism to match changing global developments.

Scope and Applicability

The DPDPA applies to personal data that is collected in digital form or collected in non-digital form but digitized subsequently.

Where the Act Applies:

  • Personal data processing within Indian territory.
  • Processing outside India if it is in connection with offering goods or services to data principals (individuals) within India.

What the Act Excludes:

  1. Non-digital data: Personal data that remains completely offline in physical registers or papers.
  2. Personal/Domestic use: Data processed by an individual for purely personal or domestic purposes.
  3. Publicly available data: Data made publicly available by the data principal themselves, or by any other person under a legal obligation.

Enforcement and Compliance Timelines

MeitY is responsible for issuing official notifications detailing the specific timelines for the enforcement of various provisions. It has indicated that the "sunshine period" (the transition window for compliance) will not be as elaborate as the EU's GDPR—which allowed 24 months. Instead, businesses may be given compliance windows as short as six months for certain provisions.

To learn more about the DPDPA and the detailed limits of its scope, download the Exterro briefing paper on The Digital Personal Data Protection Act 2023.