An Overview of India's Digital Personal Data Protection Act (DPDPA) of 2023

The Digital Personal Data Protection Act (DPDPA) 2023 got enacted after more than a decade of effort to adopt a comprehensive data protection regime for India. It became a law on August 11, 2023, following assent by the President of India and publication in official gazette after clearing the Parliamentary hurdle the same week. The law is meant to provide for the processing of digital personal data in a manner that safeguards the right of individuals and ensures that the processing is done for lawful purposes. The enormous rise in use of digital platforms and services over the past few years and lack of adequate legal and regulatory measures had necessitated the enactment of a data protection bill. Prior to the DPDPA, India did not have a standalone law on data protection, and processing of personal data was largely regulated under the Information Technology (IT) Act, 2000.

The DPDPA didn’t appear out of a vacuum. The Supreme Court’s 2017 Puttaswamy judgment recognized Privacy as a fundamental right and recommended the prompt enactment of a robust Data Protection (DP) law. Over the last six years, there have been multiple iterations and versions of the data protection bill. The Justice Srikrishna committee of experts produced a whitepaper and a draft bill for the government’s consideration. It was refined by Ministry of Electronics and Information Technology (MeitY) that produced the 'Personal Data Protection Bill, 2019'. The bill was referred to the ‘Joint Parliamentary Committee (JCP) on Data Protection’ that produced a substantive revised framework and presented the 'The Data Protection Bill, 2021’.

MeitY further updated the JPC version to 'Digital Personal Data Protection Bill, 2022,’ which had significant departures from the approach previous drafts of the bill had seen. Following public consultation, the DPDPA, which is now the law of the land, was conceived. This bill is a manifestation of India’s digital journey, economic, national security and data protection concerns with an attempt to balance theory and pragmatism along with changing global developments and the outlook for the future.

The bill is yet to be made enforceable. MeitY will issue a notification detailing the timelines for enforcement of various provisions. Thus far, it has indicated that the sunshine period will not be as elaborate as GDPR, which allowed 24 months, and some provisions could provide as short as six months for businesses to become compliant. The DPDPA applies to personal data that is collected in digital form or in non-digital form but digitized subsequently. The Bill does not apply to: (i) non-digital data (personal data in registers or papers) (ii) data processed for personal or domestic purposes; and (iii) data made publicly available by a data principal herself or any other person under a legal obligation. DPDPA applies to personal data processing within Indian territory. It also extends its scope outside India if such processing is in connection with offering of goods and services to data principals within India. The 2022 Bill also applied outside India if the processing was in connection to ‘profiling’ of Indian data principals.

To learn more about DPDPA and the details of its scope by downloading the Exterro briefing paper on The Digital Personal Data Protection Act 2023.