Understanding India's Digital Personal Data Protection Act 2023
India's DPDP Act took over six years and four drafts to become law — here's what it actually says, who it hits hardest, and why most people I've talked to still don't know their rights under it.

Rs 250 crore. That's the maximum fine a company can face for mishandling your personal data under India's Digital Personal Data Protection Act, 2023. To put that in perspective, that's roughly $30 million — enough to wipe out the annual profit of plenty of mid-size Indian tech firms. And yet, when I bring up the DPDP Act in conversations with friends, family, even people working in IT, most of them give me a blank stare. Some have vaguely heard of it. Almost nobody has read it.
I find that strange. Not in a judgmental way — privacy law isn't exactly weekend reading material. But this particular piece of legislation affects every single person in India who uses a phone, opens an app, or fills out a form online. That's somewhere around 850 million people right now. Probably more by the time you're reading this.
So I want to walk through it. Not like a textbook, not like a government summary sheet. Just... what this law actually does, who should be worried, who should be relieved, and where the whole thing still feels incomplete. I've been tracking this legislation since the Justice B.N. Srikrishna Committee first released its draft back in 2018, and honestly, the version we got in August 2023 looks nothing like what that committee originally imagined.
Six Years, Four Drafts, and a Lot of Compromises
Most people don't realize how long this law took to arrive. The Supreme Court declared privacy a fundamental right in the Puttaswamy judgment of 2017. That was supposed to be the starting gun. Justice Srikrishna's committee delivered a draft Personal Data Protection Bill in 2018. Parliament got a version in 2019. Then a Joint Parliamentary Committee rewrote chunks of it by 2021. Then the government withdrew the whole thing in 2022, said they'd start fresh, and finally passed the DPDP Act in August 2023.
Six years. Four major drafts. And along the way, some things got dropped that privacy advocates had fought hard for. The right to data portability — gone. A fully independent Data Protection Authority — reworked into a government-appointed Board. Regulation of non-personal data — punted to some future legislation that nobody seems to be working on.
I think that history matters because it tells you something about the priorities behind this law. It isn't a radical privacy charter. It's a middle-ground document that tries to give citizens some control over their data while not scaring away businesses or restricting government too much. Whether that balance is right probably depends on who you ask.
My NLU Delhi classmates who work in corporate law? They think it's reasonable. My friends in digital rights activism? They think it's been gutted. I'm somewhere in between, which is maybe the most honest place to be.
But let's get into what the law actually says.
The DPDP Act applies to personal data — meaning any data that can identify you or that relates to an identifiable person — when it's processed digitally within India. It also covers data processed outside India if it's connected to offering goods or services to people in India. So a fintech startup in Bangalore and an e-commerce platform headquartered in Singapore that ships to Mumbai are both caught by this.
Offline data that later gets digitized? Covered too. Your handwritten form at a hospital that gets entered into their database falls under the Act. That surprised a few people I spoke with in the healthcare sector.
The law introduces two main roles. A Data Fiduciary is any person or organization that decides why and how personal data gets processed — your bank, your telecom provider, the IRCTC app, that random gaming app your kid downloaded. A Data Principal is you. The person whose data it is. Indian residents, basically, though the Act doesn't use the word "citizen" — it says "individual."
There's a third category too: Data Processors. These are entities that process data on behalf of a Fiduciary. Think cloud hosting providers, analytics firms, third-party payment gateways. They're governed indirectly — the Fiduciary remains responsible for what the Processor does with your data, which means the Fiduciary had better have a solid contract in place.
Consent sits at the center of the whole framework. Before a Data Fiduciary collects your data, they need to give you a notice — in clear, plain language — explaining what data they want, why they want it, and how you can complain to the Data Protection Board if something goes wrong. Your consent has to be "free, specific, informed, unconditional and unambiguous," with a "clear affirmative action." No more pre-ticked boxes. No more burying consent in a 47-page terms-of-service document that nobody reads.
And here's what I think is one of the more powerful provisions: you can withdraw consent at any time. Just as easily as you gave it. If an app makes you jump through 12 screens to revoke a permission you granted with one tap, that's probably a violation. The withdrawal won't affect anything already done with your data legally, but going forward, they have to stop.
Now, the Act does carve out some situations where consent isn't needed. These are called "legitimate uses," and they include things like: data needed by the State for benefits and services (your Aadhaar-linked subsidies, for example), medical emergencies, compliance with court orders, employment-related processing, and publicly available data. That government exemption is broad — I'll come back to that because it's probably the single most debated part of this whole law.
Your rights as a Data Principal are spelled out in sections 11 through 14. You can ask any Data Fiduciary to confirm whether they're processing your data and get a summary of what they hold. You can request corrections and updates — if your address changed after you moved from Pune to Hyderabad, you shouldn't be stuck with the old one in every database. You can demand erasure of data that's no longer needed for its original purpose. And you can nominate someone to exercise these rights on your behalf in case of death or incapacity, which is a thoughtful addition that I haven't seen in many other countries' privacy laws.
There's also a grievance redressal mechanism. Every Data Fiduciary must have someone you can contact with complaints. If they don't resolve it satisfactorily, you go to the Data Protection Board.
But rights come with duties. Section 15 says Data Principals must not file frivolous or false complaints, must not suppress material information, and must not impersonate someone else while exercising these rights. If you violate these duties, you can be fined up to Rs 10,000. It's a small amount, but the principle is there — the law doesn't want people weaponizing privacy rights.
What Businesses Are Actually Dealing With — and the Government Exemption Nobody Wants to Talk About
I've spoken to compliance officers at three mid-size Indian startups since the rules started getting clearer, and honestly, the mood ranges from mildly panicked to resigned. Not because the requirements are unreasonable — most of them aren't — but because the specifics are still being figured out through the rule-making process, and running a business on "we'll tell you later" isn't fun.
Here's what Fiduciaries have to do. They must process data only for the purpose they stated when collecting consent. They need to keep data accurate and up to date. They must implement "reasonable security safeguards" — the Act doesn't define what "reasonable" means precisely, which has left a lot of room for interpretation and a lot of lawyers billing a lot of hours. They can't retain data beyond the period needed for the stated purpose, and once that period ends or the Data Principal withdraws consent, they have to delete it. Not archive it, not anonymize it — delete it. Along with any data shared with Processors.
Breach notification is mandatory. If there's a personal data breach, the Fiduciary must inform both the Data Protection Board and each affected Data Principal. The Act doesn't specify a time window the way GDPR gives you 72 hours — it says "in such form and manner as may be prescribed." So we're waiting on the rules for that. From what I've heard through the grapevine, it might end up being something like 72 hours as well, but nobody's confirmed it officially.
Then there's the Significant Data Fiduciary designation. The government can tag certain entities based on the volume and sensitivity of data they handle, the risk to Data Principals, and potential impact on India's sovereignty and security. If you're designated as one, you get a heavier compliance load: mandatory Data Protection Officer based in India, independent data audits, Data Protection Impact Assessments, and periodic reporting to the Board.
Who'll get tagged? Nobody's been officially named yet, but I'd guess the usual suspects — Reliance Jio, Flipkart, Paytm, Zomato, large banks, insurance companies. Probably some government entities too, though that's where things get politically interesting.
Because here's the part that keeps coming up in every panel discussion and every privacy law seminar I've attended in the last year: Section 17. It gives the Central Government the power to exempt any government agency from the entire Act — or specific provisions of it — on grounds including sovereignty, security, public order, or prevention of offenses. The exemption is broad. Critics say it essentially means the government can surveil you without the constraints that apply to private companies.
And they're not wrong to be concerned. If a private company collects your data without consent, you can complain to the Board and they can be fined. If a government agency does the same thing but has a Section 17 exemption, you might have no recourse at all under this Act. You'd have to go through other legal channels — possibly a writ petition under Article 226 or a Puttaswamy-based fundamental rights argument. That's expensive, slow, and uncertain.
I think this exemption is the single biggest weakness of the DPDP Act. It's not unique to India — most countries have national security carve-outs in their data protection laws. But the breadth of discretion here, combined with the fact that the Board members are all government-appointed, makes some people uncomfortable. Myself included, if I'm being honest.
The penalties structure is tiered. At the top, Rs 250 crore for failing to take reasonable security measures that leads to a breach. Rs 200 crore for not notifying the Board and affected individuals about a breach. Rs 150 crore for non-compliance by a Significant Data Fiduciary with its additional obligations. Rs 50 crore for other violations by Data Fiduciaries. And that Rs 10,000 fine for Data Principals who breach their duties.
These are caps, not fixed amounts. The Board has discretion to set the actual penalty based on factors like the nature of the violation, the number of people affected, and whether the Fiduciary tried to mitigate the damage. I suspect early enforcement will involve relatively modest fines as the Board establishes itself, with bigger penalties coming later once everyone's had a chance to comply. That's how it usually works with new regulatory bodies.
Cross-border data transfers got a lighter treatment than many expected. The earlier drafts required data localization — keeping Indian data on Indian servers. The final Act doesn't mandate that. Instead, it allows transfers to any country unless the government specifically blacklists it. So data can flow to AWS servers in Virginia or a Google Cloud region in Frankfurt unless the government says otherwise. This was a big win for tech companies who'd been dreading the infrastructure costs of mandatory localization.
Children's data gets extra protection under Section 9. Fiduciaries can't process a child's personal data without verifiable consent from a parent or guardian. "Child" means anyone under 18, which seems high — plenty of 16- and 17-year-olds manage their own digital lives. The Act also bans tracking and behavioral monitoring of children, and prohibits targeted advertising directed at them. For platforms like YouTube, Instagram, and gaming apps with massive under-18 user bases in India, this is going to require real product changes. Age verification alone is a headache that nobody's solved well globally, and I doubt Indian companies will crack it either.
The Data Protection Board itself is structured as a digital-first body. Complaints and hearings are meant to happen electronically. Board members are appointed by the Central Government based on recommendations from a selection committee. Each member serves a two-year term, renewable. The Board's decisions can be appealed to the Telecom Disputes Settlement Appellate Tribunal (TDSAT), which is interesting — it means privacy disputes end up in a telecom tribunal rather than a dedicated privacy court.
One practical question I keep getting from readers: does this affect my WhatsApp chats, my Google searches, my UPI transaction history? Yes. All of it. If a service processes your personal data digitally in India, the DPDP Act applies. WhatsApp needs consent to collect your metadata. Google needs a lawful basis for your search history. PhonePe and Google Pay need to tell you exactly what they're doing with your transaction data. Whether these companies will actually change their behavior depends entirely on how strictly the Data Protection Board enforces the law once it's fully operational.
And right now, in early 2026, the Board is still getting its feet under it. Rules are being drafted. Some have been published for public comment. The full enforcement machinery probably won't be running at full speed until late 2026 or even 2027. Companies know this, which is why many are taking a wait-and-watch approach rather than scrambling to overhaul everything immediately. Smart ones are starting early — conducting data audits, updating privacy policies, training their teams. Others are gambling that enforcement won't be aggressive. That gamble might pay off in the short term. In the long term? Probably not.
I want to end on something practical. If you're reading this as an ordinary person — someone who uses mAadhaar, pays with UPI, books trains on IRCTC, stores documents on DigiLocker — here's what I'd suggest. Start reading privacy policies. I know, I know, nobody does. But just skim them. Look for what data they collect, how long they keep it, and whether they share it with third parties. If an app asks for permissions that seem unrelated to what it does — like a flashlight app wanting access to your contacts — that's a red flag.
Exercise your rights when something feels off. Write to the company's grievance officer. It's probably an email address buried in their privacy policy, but it's there. Ask what data they hold on you. Request deletion of stuff you don't want them to have. Most companies won't fight you on this because the cost of non-compliance is too high.
And keep an eye on how the government uses its own exemptions under this Act. Democracies work best when citizens pay attention. The DPDP Act gave us a framework — flawed in parts, genuinely useful in others. Whether it actually protects 1.4 billion people's privacy or becomes a paper tiger depends a lot on what happens over the next two years. And it depends, more than people realize, on whether enough of us bother to use the rights we've been given.
Written by Priya Sharma, Senior Privacy Analyst
Priya Sharma specializes in India's Digital Personal Data Protection Act (DPDPA) and helps organizations comply with data protection regulations. She holds a law degree from NLU Delhi and has published extensively on digital rights in India.