The Digital Personal Data Protection Act, 2023 is India’s primary data protection legislation governing the collection, storage, use, sharing, and processing of digital personal data. The Act applies to personal data collected in digital form or offline data subsequently digitized, and seeks to protect privacy while enabling lawful processing for legitimate purposes.
The Act establishes obligations for Data Fiduciaries (organizations or entities processing personal data), including obtaining valid consent, ensuring data accuracy where necessary, implementing reasonable security safeguards, deleting data when no longer required, and notifying authorities and affected individuals in the event of breaches. Additional obligations apply to entities classified as Significant Data Fiduciaries, which may be subject to stricter governance and audit requirements.
Individuals (Data Principals) are granted rights of access to information about processing, correction and erasure of personal data, grievance redressal, and nomination. The Act also includes provisions for children’s data protection, government exemptions in specified circumstances, cross-border data transfer controls, and duties for individuals when exercising their rights.
To enforce compliance, the Act establishes the Data Protection Board of India, empowered to investigate non-compliance, adjudicate matters, and impose significant financial penalties for violations. Overall, the legislation creates a comprehensive privacy and accountability framework intended to strengthen trust in India’s digital economy and regulate responsible use of personal data.