Digital Personal Data Protection Act 2023: India's Data Privacy Framework
June 1, 2026 (7 min read)
The question reads: "Which of the following authorities is the designated regulator under the Digital Personal Data Protection Act, 2023?"
Most aspirants memorise the answer: the Data Protection Board of India (DPBI). But the UPSC question will not stop there. The trap lies in the nuances: What is "personal data"? What is "deemed consent"? What are the exemptions for the state? How does the DPDP Act interact with the Right to Privacy (Puttaswamy judgement, 2017)? And critically — which parts of the Act are in force and which are awaiting implementation?
[TOPIC CLASSIFICATION]
Topic type: Science & Technology (digital regulation, data governance) + Polity (Fundamental Rights — Article 21 privacy)
PYQ frequency: Medium-High (growing; new legislation attracts questions for 5-7 years post-enactment)
Primary GS paper: GS-2 (Governance — data protection framework)
[EXAMINER REASONING]
Primary trap. Candidates confuse "personal data" (DPDP Act) with "sensitive personal data" (earlier SPDI Rules under IT Act) and "non-personal data" (not covered by DPDP). The DPDP Act only regulates digital personal data — data about an identifiable individual that is processed in digital form. It does NOT cover: non-personal data (aggregated data, anonymised data), offline data (paper records), or data processed before the Act came into force. Statements that say "the DPDP Act covers all forms of data" are false by design.
Most confused. The concept of "deemed consent" under Section 8 of the Act. The Act allows data processing without explicit consent for "certain legitimate uses" — including: employment purposes (HR management), medical emergencies, public health, public order, and delivery of government benefits. Many aspirants interpret "deemed consent" as consent-free data processing — it is not. The data principal (the individual) can still withdraw deemed consent by notifying the data fiduciary (the organisation processing data). The burden shifts: the fiduciary must demonstrate that the processing falls within a legitimate use.
Key anchor. The Act is built around seven obligations of the data fiduciary: (1) obtain consent in clear and plain language, (2) give notice of purpose and manner of collection, (3) provide access to data and correction/erasure rights, (4) implement reasonable security safeguards, (5) notify the Data Protection Board of any breach, (6) appoint a Data Protection Officer (if significant fiduciary), (7) conduct Data Protection Impact Assessment (for significant fiduciaries). Together these form the "accountability" framework — the Act does not prescribe specific security measures but requires organisations to demonstrate compliance.
Current affairs hook. The DPDP Act received presidential assent in August 2023. However, as of June 2026, the rules under the Act are yet to be notified — this means the Act is in force at the framework level, but the specific compliance requirements (consent form formats, breach notification templates, data protection impact assessment standards) are not operational. The government has indicated that rules will be notified by late 2026. This creates a gap: companies must comply with the Act's principles but lack the procedural guidelines to do so.
Mains hinge. The central tension in the DPDP Act is between privacy rights and state power. The Act allows the central government to exempt any state instrumentality from compliance with the Act for reasons of "sovereignty, security, public order, friendly relations with foreign states, or prevention of offences." This is a broad exemption — critics argue it effectively exempts the entire state data apparatus from privacy obligations. The Puttaswamy judgement (2017) held that state surveillance must be "proportional, necessary, and by law" — the DPDP Act's blanket exemption may not satisfy this test. The matter is likely to be challenged in the Supreme Court.
Core Concept
Background and legislative journey:
India's data protection law was born from the Supreme Court's landmark Justice K.S. Puttaswamy vs Union of India (2017) judgement, which held that the Right to Privacy is a Fundamental Right under Article 21. The Court directed the government to enact a comprehensive data protection law. The law took six years to pass, going through:
| Year | Milestone |
| --- | --- |
| 2017 | Puttaswamy judgement: Right to Privacy is a FR under Article 21 |
| 2017 | Justice Srikrishna Committee constituted to draft data protection law |
| 2018 | Srikrishna Committee submits draft Personal Data Protection Bill |
| 2019 | Lok Sabha introduces PDP Bill 2019; referred to Joint Parliamentary Committee |
| 2021 | JPC submits report with 93 amendments |
| 2022 | Government withdraws PDP Bill 2019; introduces DPDP Bill 2022 |
| 2023 | DPDP Bill passed (August 2023); receives Presidential assent |
| 2024-26 | Draft rules circulated for public consultation; rules not yet notified |
Structure of the DPDP Act 2023:
The Act is divided into 6 Chapters and 2 Schedules, with 44 Sections. The key provisions:
| Aspect | Provision |
| --- | --- |
| Applicability | Digital personal data processed within India; also applies to processing outside India if related to offering goods/services in India |
| Personal data | Any data about an identifiable individual (name, Aadhaar, phone number, IP address, location data, health data, financial data, etc.) |
| Data Principal | The individual whose data is being processed (the rightsholder) |
| Data Fiduciary | The entity (person, company, government body) that determines the purpose and means of processing personal data |
| Consent | Must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action |
| Deemed consent | Legitimate uses — employment, medical emergency, public health, public order, state benefits |
| Data Protection Board of India (DPBI) | The regulator — adjudicates consent violations and imposes penalties |
| Penalties | Up to ₹250 crore per violation — for failure to implement security safeguards or breach of consent obligations |
| Cross-border data transfer | Allowed to all countries/territories (blanket liberalisation from the 2019 Bill's data localisation requirement) |
| Data audit | Mandatory for "significant data fiduciaries" — to be notified by the central government |
| Transition period | 7 years from enactment for existing data processing operations to achieve compliance |
| Exemptions | Government for sovereignty/security/public order purposes (Section 17); research, archiving, statistical purposes; start-ups (if notified) |
Rights of the Data Principal (the individual):
Right to information — know what data is being collected and why
Right to access — obtain a summary of data being processed
Right to correction and erasure — correct inaccurate data and request deletion (where no longer needed)
Right to grievance redressal — file complaints with the data fiduciary and appeal to the DPBI
Right to nominate — appoint a person to exercise these rights after death or incapacity
Obligations of the Data Fiduciary (the organisation processing data):
Obtain consent, accompanied by notice, before processing any personal data
Maintain purpose limitation — use data only for the purpose collected
Implement reasonable security safeguards — no prescribed standards, "reasonable" determined by context
Notify breaches — report to DPBI and affected data principals
Appoint a Data Protection Officer (if significant fiduciary)
Conduct Data Protection Impact Assessment (if significant fiduciary)
Erase data when purpose is served or consent is withdrawn
Appoint consent manager for managing consent (if operating at scale)
Significant Data Fiduciaries:
The central government will designate certain data fiduciaries as "significant" based on: volume of data processed, sensitivity of data, risk to rights, turnover of entity, or impact on national security. Significant fiduciaries have additional obligations: appointment of a DPO, independent data auditor, and DPIA. Social media platforms (with large user bases) and e-commerce companies are likely candidates for this classification.
Comparison with global frameworks:
| Feature | India DPDP Act 2023 | EU GDPR (2018) | US State Laws |
| --- | --- | --- | --- |
| Scope | Digital personal data only | All personal data (digital + analogue) | Varies by state |
| Consent | Required (explicit + deemed) | Required (explicit) | Varies |
| Right to erasure | Yes (with conditions) | Yes (broader) | Limited |
| Cross-border transfer | Free (no restrictions) | Adequacy decisions required | Free |
| Penalties | Up to ₹250 Cr (~$3M) | Up to €20M or 4% of global turnover | Varies |
| Regulator | Data Protection Board of India | EDPB + National DPAs | State AGs |
| Data localisation | Not required | Discouraged but permitted | Not required |
| Children's data | Prohibited from "harmful" processing; guardian consent required | Similar (16 years, lower in some states) | Varies |
Key criticism and concerns:
Broad government exemption (Section 17): The central government can exempt its agencies from the Act entirely if processing data for sovereignty, security, or public order purposes. This is criticised as a "blank cheque" — the government's own vast data infrastructure (Aadhaar, CoWIN, GSTN, Crime and Criminal Tracking Network) is effectively exempt from privacy obligations.
No right to data portability: Unlike GDPR, the DPDP Act does NOT give individuals the right to receive their data in a structured, commonly used format and transfer it to another service provider. This reduces competition (users cannot easily move from one platform to another with their data).
No data localisation: The 2019 Bill had mandatory data localisation (one copy of personal data stored in India). The DPDP Act 2023 drops this entirely — data can be freely transferred abroad. Critics argue this makes enforcement difficult (Indian authorities cannot access data stored abroad without mutual legal assistance treaties).
No "right to explanation" for algorithmic decisions: GDPR gives individuals the right to an explanation of automated decisions. The DPDP Act is silent on algorithmic accountability — relevant for AI-driven credit scoring, hiring, and targeting decisions.
Rules not yet notified: As of June 2026, the DPDP Rules (which will operationalise the Act — consent forms, breach timelines, audit templates) have not been published. The Act is a skeletal framework without implementing regulations.
Key Facts
DPDP Act passed: August 2023 (Rajya Sabha: August 7, Lok Sabha: August 9)
Presidential assent: August 11, 2023
Applicability: Digital personal data processed within India + extra-territorial if linked to offering goods/services in India
Regulator: Data Protection Board of India (DPBI) — to be established by central government
Consent manager: new institutional role to manage user consent
Penalties: up to ₹250 crore per instance
Cross-border transfer: permitted to all countries (no whitelist requirement)
Transition: 7 years from Act's commencement (not yet started — rules pending)
Government exemption: Section 17 — for sovereignty, security, public order
Children (under 18): harmful processing prohibited; data fiduciary must obtain "verifiable consent of parent/guardian"
Excluded: non-personal data, anonymised data, offline data, personal data processed before Act
Predecessor: IT Act 2000 (Section 43A) and SPDI Rules 2011 — both now superseded (for digital personal data)
Previous Year Questions
| Year | Stage | What was tested |
| --- | --- | --- |
| 2025 | Prelims | DPDP Act — consent requirements and exceptions |
| 2025 | Mains GS-2 | "The DPDP Act 2023 balances privacy rights with innovation needs but creates gaps in state accountability." Critically examine. |
| 2024 | Prelims | Data Protection Board of India — composition and powers |
| 2024 | Mains GS-2 | "India's data protection framework must address both privacy and data sovereignty concerns." Discuss with reference to the DPDP Act. |
| 2023 | Prelims | Puttaswamy judgement — Article under which privacy is protected |
| 2022 | Mains GS-2 | "The evolving data protection framework in India must reconcile individual privacy with the demands of the digital economy." Analyse. |
| 2021 | Prelims | Joint Parliamentary Committee on PDP Bill |
| 2020 | Mains GS-2 | "Right to privacy is a fundamental right but not absolute." Discuss in the context of data protection legislation. |
Statement Elimination Guide
"The Digital Personal Data Protection Act 2023 applies to both digital and offline personal data." False. The Act applies only to digital personal data (Section 2(a): "personal data processed in digital form"). Offline data (paper records, manual filing systems) is NOT covered. Non-personal data, anonymised data, and data processed before the Act's commencement are also excluded.
"The DPDP Act allows the transfer of personal data to all countries without restrictions." Correct. Unlike the 2019 Bill (which required data localisation), the DPDP Act 2023 permits cross-border data transfer to any country or territory — subject to notification of restrictions for specific countries by the central government. No such notification has been issued as of June 2026.
"The Data Protection Board of India has been established and is functional." False. The DPBI is a statutory body to be established under the Act. As of June 2026, the DPBI has not been constituted. The Rules (which would prescribe the process for establishing the Board) have not been notified. Currently, there is no operational data protection regulator in India.
"Under the DPDP Act, consent is not required for processing personal data for medical emergencies." Correct. This falls under "deemed consent" (Section 8) — for medical emergencies and public health purposes, the data fiduciary can process data without express consent. However, the data principal retains the right to withdraw consent after the emergency is addressed.
"The DPDP Act completely replaces the IT Act 2000 provisions on data protection." False. The DPDP Act replaces the data protection provisions of the IT Act (Section 43A and the SPDI Rules) for digital personal data. However, the IT Act continues to apply to: non-personal data, cyber crime provisions, intermediary liability, and electronic signatures. The two laws operate in parallel.
Current Affairs Hook
The DPDP Rules, expected to be notified in late 2026, are currently in draft form. Key proposed rules under consultation: (1) Consent Manager framework — entities that will act as intermediaries between users and companies, managing consent preferences across platforms; (2) Breach notification timeline — the draft rules propose notification to the DPBI within 72 hours of breach discovery (matching GDPR); (3) Children's data safeguards — requiring platforms to implement "verifiable parental consent" mechanisms; (4) Data Protection Impact Assessment templates for significant data fiduciaries.
The 2025 parliamentary committee on digital regulation noted that India's data protection framework remains incomplete without the DPDP Rules. The committee recommended that the government notify the rules within 6 months and establish the Data Protection Board of India as an independent, adequately funded regulator.
The interaction between the DPDP Act and the proposed Digital India Act (expected to replace IT Act 2000) is creating regulatory uncertainty. The DIA is expected to cover non-personal data, artificial intelligence regulation, and intermediary liability — areas where the DPDP Act is silent. Regulated entities face the prospect of compliance with two overlapping digital regulatory frameworks.
The Supreme Court is hearing a petition challenging Section 17 (government exemption) of the DPDP Act as violative of the Puttaswamy framework. The petitioners argue that exempting state agencies from privacy obligations, without an independent oversight mechanism, is not a "proportional" restriction on the right to privacy under Article 21. The government has argued that national security exceptions are standard in data protection laws globally (UK, Canada, Australia have similar provisions). The outcome of this case will determine the Act's constitutional validity.
Interlinkages
Polity: The DPDP Act operationalises the Puttaswamy judgement (2017, 9-judge bench) by creating a statutory framework for privacy protection. The Act's fate in the Supreme Court will define the scope of Article 21 in the digital age. The government exemption (Section 17) will test whether the proportionality framework (from Puttaswamy) applies to legislation or only to executive actions.
Economy: Data is the raw material of the digital economy. India's data centre industry is projected to grow from $4.5B (2023) to $12B by 2027 — driven partly by the assumption that data localisation would be mandated. The Act's liberal cross-border transfer policy affects these projections. The data economy — platforms, aggregators, analytics firms — must now build consent management infrastructure.
Science & Technology: AI training depends on large datasets. The DPDP Act's consent requirements affect how AI companies collect and use personal data for model training. The Act's silence on "right to explanation" for algorithmic decisions leaves a gap. The DPDP Rules are expected to address AI training data consent — or the Digital India Act may fill this gap.
Security: The Act's breach notification requirement (mandatory reporting to DPBI and affected individuals) creates transparency but also operational challenges. India lacks sufficient cyber forensics capacity to investigate 15.5 lakh annual data breach reports. The CERT-In cyber incident reporting (6-hour timeline) and DPDP Act breach reporting (proposed 72-hour timeline) are separate obligations requiring separate infrastructure.
International Relations: India's DPDP Act is being evaluated for "adequacy" by the European Commission under GDPR Article 45 — an adequacy decision would allow free data flow from EU to India. India's broad government exemption (Section 17) is a potential barrier to receiving adequacy status. The UK, Japan, South Korea, and Israel have received adequacy decisions; India is unlikely to be the first non-White country denied on government exemption grounds.
Common Mistakes
Thinking the DPDP Act applies retrospectively. The Act applies to personal data processed after the Act's commencement (which is yet to happen — the Act was passed in 2023 but not brought into force because Rules are pending). Data processed before commencement is excluded. The 7-year transition period is for pre-existing data processing operations to become compliant — but applies only to data processed post-commencement.
Confusing the Data Protection Board of India (DPBI — a quasi-judicial body) with the Data Security Council of India (DSCI — an industry body). The DPBI is a statutory regulator with adjudicatory powers. DSCI is an industry-led self-regulatory organisation (founded by NASSCOM). They are not related.
Assuming the DPDP Act is fully operational. Key components are not yet in place as of June 2026: DPBI not constituted, Rules not notified, consent manager framework not established, significant data fiduciary designation not made. The Act exists as a legal framework without operational machinery.
Believing the ₹250 crore penalty applies to all violations uniformly. The maximum penalty is ₹250 crore — actual penalties depend on the severity of the violation, the nature of the data affected, and the diligence of the fiduciary. Minor violations (failure to maintain a grievance officer) attract lower penalties. The DPBI will develop penalty guidelines.
Overlooking the "deemed consent" categories. The Act has broad deemed consent provisions — covering not just medical emergencies and state benefits but also "public order" and "security of the state." These are elastic terms that could be interpreted broadly by the government. The breadth of deemed consent may be subject to judicial review.
Revision Snapshot
DPDP Act 2023: India's first comprehensive data protection law. Applicable to digital personal data processed in India (not offline, non-personal, pre-Act data). Structure: Data Principal (individual rights — access, correction, erasure, grievance, nomination), Data Fiduciary (obligations — consent with notice, purpose limitation, security safeguards, breach notification), Data Protection Board of India (regulator — adjudication, penalties up to ₹250 crore). Key features: deemed consent (legitimate uses — employment, medical emergency, public health, state benefits), cross-border transfer (free to all countries), government exemption (Section 17 — sovereignty, security, public order), children's data (guardian consent required), 7-year transition. Status (June 2026): Act is law, but Rules not notified, DPBI not constituted, implementation pending. Preceded by: Puttaswamy judgement (2017, Article 21 Right to Privacy). Follow-up: Digital India Act (pending, expected to cover non-personal data, AI regulation).
Source Notes
DPDP Act 2023 (Act No. 22 of 2023) — Full text
Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1
Justice Srikrishna Committee Report: "A Free and Fair Digital Economy" (2018)
Joint Parliamentary Committee Report on PDP Bill 2019 (2021)
MeitY: DPDP Draft Rules (circulated 2024, not yet notified)
PRS India: DPDP Act Analysis (2023)
EU GDPR (2018) — Regulation (EU) 2016/679
ADAPT / DSCI: India Data Protection Compliance Brief (2025)
Parliamentary Standing Committee on Digital Regulation: Report (2025)
Supreme Court petition pending: Challenge to Section 17 exemption (2024)