What is the Digital Personal Data Protection Act?
The Digital Personal Data Protection (DPDP) Act, 2023 is India's first standalone, comprehensive legislation on the protection of digital personal data. It received presidential assent on 11 August 2023. The Act builds on the Supreme Court's nine-judge verdict in K.S. Puttaswamy v. Union of India (2017), which held that the right to privacy is intrinsic to the right to life and personal liberty under Article 21. It regulates how "personal data" in digital form is collected, stored, and processed, balancing an individual's right to protect their data against the lawful need to process it.
The Bill was passed by the Lok Sabha on 7 August 2023 and the Rajya Sabha on 9 August 2023. Its operational rules — the DPDP Rules, 2025 — were notified by the Ministry of Electronics and Information Technology (MeitY) on 13-14 November 2025, drawing on 6,915 public inputs received during the draft consultation (January-February 2025).
Key Features
The Act adopts a "SARAL" design philosophy (Simple, Accessible, Rational, Actionable) and rests on principles such as consent, purpose limitation, data minimisation, accuracy, storage limitation, and accountability.

| Element | Provision |
|---|---|
| Data Principal | The individual whose personal data is processed |
| Data Fiduciary | The entity determining the purpose and means of processing |
| Significant Data Fiduciary (SDF) | Higher-risk fiduciaries notified by the Centre, with extra duties (DPO, audits, DPIA) |
| Children's data | Verifiable parental consent required for anyone under 18; behavioural tracking and targeted advertising to children prohibited |
| Maximum penalty | Up to ₹250 crore per instance (e.g., failure to prevent a data breach) |

The Data Protection Board of India — established in the National Capital Region with four members — is a "born digital" body that monitors compliance, hears grievances, and imposes penalties through an online portal and app.
Significance and Current Status
The Act gives citizens enforceable rights to access, correct, and erase their data, and to grievance redressal. As of the November 2025 notification, provisions are being enforced in phases, with the substantive obligations expected to take full effect around 14 May 2027.
A key controversy is Section 44(3), which amends Section 8(1)(j) of the RTI Act, 2005 to broaden the exemption for "personal information," prompting opposition demands for its repeal over concerns it weakens transparency.
UPSC Angle
This is a foundational topic for GS3 (technology, cyber-security, digital economy) with a GS2 dimension (rights, RTI, governance). Aspirants should master the core terminology, the Data Protection Board's role, the ₹250 crore penalty cap, the under-18 consent rule, and the privacy-versus-transparency debate sharpened by the RTI amendment.
BharatNotes