Digital Personal Data Protection (DPDP) Act, 2023

  • Context:

  • The Union government notified large parts of the Digital Personal Data Protection (DPDP) Act, 2023, a significant step toward enforcing the K.S. Puttaswamy v. Union of India (2017) judgment, which affirmed the right to privacy as a fundamental right under Article 21 of the Indian Constitution.

  • The law addresses the need to protect the data privacy of Indian citizens.

  • The Act and its Provisions:

  • The DPDP Act, 2023, marks a landmark step in data privacy legislation in India, making it the country's first comprehensive privacy law.

  • Aims:

  • to safeguard the digital privacy of citizens,

  • to enforce transparency in data processing practices, and

  • to create a framework for both individual rights and data fiduciaries' obligations.

  • The Act requires data fiduciaries (firms that collect and use personal data) to safeguard the digital data of Indian citizens and prescribes penalties for breaches.

  • It provides exemptions for the State and its instrumentalities from its provisions.

  • Rights and Obligations for Data Principals and Fiduciaries:

  • Data Principals (individuals) have the right to access, correct, update, or erase personal data.

  • They have clear timelines for the response from data fiduciaries (90 days maximum).

  • Data Fiduciaries (entities) have obligations to issue clear and simple consent notices.

  • They have to maintain a designated Data Protection Officer.

  • Data Protection Board of India (DPBI):

  • It will function as a digital-first institution, handling complaints and issuing penalties for non-compliance.

  • The board, with four members appointed by MeitY, can hold inquiries and impose penalties for data breaches.

  • Large tech firms, designated as significant data fiduciaries, will face additional compliance requirements.

  • Implementation Timeline:

  • Data fiduciaries have until November 2026 to comply with provisions (such as appointing a Data Protection Officer).

  • The Consent Manager framework, which allows firms to manage data removal and amendment rights for users (data principals), will also come into force in November 2026.

  • It may take until May 2027 for large tech firms to be subject to the full force of the Act.

  • Concerns Raised:

  • Transparency activists claim the law weakens the Right to Information (RTI) Act, 2005, by removing the obligation to provide personal information.