Law: The Digital Personal Data Protection Act, 2023 ('the Act')

Regulator: Data Protection Board of India established under the Act (website currently unavailable).

Summary: Data protection has been of growing concern in India since the Supreme Court of India declared privacy a fundamental right in the Puttaswamy case in 2017. Following the Supreme Court's decision, from 2018 to 2022 there were multiple legislative attempts to enact a comprehensive data privacy law.

The Indian legislator's efforts culminated with the enactment of the Act in August 2023. The Act regulates the processing of digital personal data and provides for a maximum penalty of INR 250 crore (approx. $31 million) for the breach of its provisions. Importantly, the entry into force of the Act is to be announced by the Indian Government via notification in the Official Gazette.

Notably, the Act only applies to digital personal data, imposes obligations on entities that qualify as 'data fiduciaries', establishes data subject rights for 'data principals', and generally allows outwards transfers of data from India. In line with international standards, the Act establishes lawful grounds for data processing and data subject rights, and introduces requirements including the appointment of a consent manager, vendor management, and data security.

The Act is accompanied by other legislation which provides personal data protections, namely the Information Technology Act, 2000 ('the IT Act'), as amended by the Act, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the SPDI Rules') issued thereunder.


In this Insight article, Mathew Chacko, Aadya Misra, and Ada Shaharbanu, from Spice Route Legal, delve into India's new data protection law, uncovering its hidden commercial implications and shedding light on the challenges and opportunities it presents for businesses operating in the country.

The EU's General Data Protection Regulation (GDPR) is often touted as the 'gold-standard' for personal data protection and has been in force for more than five years. In August 2023, India enacted the much-awaited Digital Personal Data Protection Act, 2023 (the DPDP Act). While the DPDP Act may not be as granular as the GDPR in many aspects, it signifies a crucial milestone in India's journey towards upholding digital data protection. Harsh Walia, Supratim Chakraborty, Shobhit Chandra, Sumantra Bose, Sanjuktha Yermal, Shramana Dwibedi, and Vanshika Lal, from Khaitan & Co., provide a comparison between the GDPR and the DPDP Act and their approaches to areas such as data processor obligations, children's data, and cross border data transfers.

The absence of a comprehensive data protection law has affected India's progress towards becoming a global leader in business, technology, and outsourcing. The enactment of the Digital Personal Data Protection Act, 2023 (the Act), brings with it a promise of enabling the processing of personal data in a way that respects both individual rights and the legitimate needs of businesses to process data for lawful purposes. But what are the key implications businesses need to be aware of? Since the Act is yet to take effect and will likely be rolled out in phases, readiness to comply will be paramount. 

In this Insight article, Harsh Walia, Partner at Khaitan & Co., explores the implications of the Act for businesses, offering guidance on how to navigate the new obligations. This proactive approach will not only ensure adherence to legal requirements but also cultivate a culture of responsible data practices in this digital age.

On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the Act) received the assent of the President of India and was published in the Official Gazette, representing a landmark in India's long journey towards the adoption of a comprehensive privacy framework. In particular, the Act aims to regulate the processing of digital personal data in a manner that balances the need to lawfully process data with the rights of individuals regarding the protection of their personal data.

In this Insight article, OneTrust DataGuidance Research provides an overview of the Act, highlighting its key requirements.

The Ministry of Electronics and Information Technology of the Government of India ('MeitY') published the draft Digital Personal Data Protection Bill, 2022 ('the Draft Bill') on 18 November 2022 for public consultation, which was open until 2 January 2023. Aaron Kamath and Varsha Rajesh, from Nishith Desai Associates, discuss the content of the draft Bill and its potential impact on businesses.  

After various legislative predecessors, on 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') issued the Digital Personal Data Protection Bill, 2022 ('the Bill') for public consultation.

In this Insight article, Supratim Chakraborty, Harsh Walia, Shobhit Chandra, Sumantra Bose, Tashi Gyanee, Sanjuktha Yermal, and Shramana Dwibedi, from Khaitan & Co., discuss key differences and similarities between the Bill and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

On 18 November 2022, the Ministry of Electronics and Information Technology ('MeitY') released a draft of the Digital Personal Data Protection Bill, 2022 ('the 2022 Bill'). The 2022 Bill is the fourth iteration of India's proposed personal data protection framework and is a considerably leaner version compared to the erstwhile versions, including its predecessor, the Data Protection Bill, 2021 ('the 2021 Bill'), introduced by the Joint Parliamentary Committee of the Indian Parliament.

Rachit Bahl, Rohan Bagai, and Archana Iyer, from AZB & Partners, draw comparisons between the 2022 Bill and the 2021 Bill, highlighting key similarities and differences and touching on issues surrounding consent, data transfers, data breach notifications, and the role of the supervisory authority, among others.

Following the withdrawal, in August 2022, of the Personal Data Protection Bill, 2019, the Ministry of Electronics and Information Technology ('MeitY') issued, on 18 November 2022, a new Digital Personal Data Protection Bill, 2022 ('the Bill'), marking a new landmark in India's journey towards the adoption of a comprehensive privacy framework.

OneTrust DataGuidance Research provides an overview of the newly presented Bill, which is open for public consultation until 17 December 2022.

The proliferation of digital lending platforms led the Reserve Bank of India ('RBI'), India's banking regulator, to appoint a Working Group on Digital Lending ('the Working Group') to make recommendations for its regulation, especially from the perspective of ensuring data security, privacy, confidentiality, and consumer protection. Pursuant to the submission of the report by the Working Group on 18 November 2021, the RBI announced, in a press release dated 10 August 2022, its acceptance of, and intention to implement, certain recommendations made by the Working Group, and consequently released the Guidelines on Digital Lending on 2 September 2022 ('the Guidelines'). Arun Prabhu, Partner at Cyril Amarchand Mangaldas, provides an introduction to the Guidelines, including their scope, applicability, and storage obligations.

In the age of digitisation and the internet, the importance of data has increased to a great extent. Consequently, the need for comprehensive data protection laws has been noted across several nations over the past few decades. Easy access to the global market and improved communication, both due to the borderless nature of the internet, play a major role in the Big Data economy. The free flow of data has resulted in closer integration of communities across the globe and in technological advancements in corporate entities. AMLEGALS Law Firm discusses the intricacies pertaining to cross-border data transfer in India and the best practices associated with such transfer of data across the globe.

The Indian Computer Emergency Response Team ('CERT-In'), the Government nodal agency that deals with cybersecurity threats in India, issued a direction relating to 'Information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet' ('the Direction') to impose stringent requirements for cybersecurity reporting and introduce broader compliance requirements. Subsequently, CERT-In released frequently asked questions ('the FAQs') to clarify certain aspects of the Direction. The Ministry for Electronics and Information Technology ('MeitY') has since held a meeting on 10 June 2022 with stakeholders to provide informal clarifications on certain aspects of the Direction and the FAQs. Aaron Kamath, Varsha Rajesh, and Aniruddha Majumdar, from Nishith Desai Associates, discuss the contents of the Direction, as well as its impact on the industry.