8.3 India's DPDP Act

Module 8: Privacy Laws in Asia-Pacific & Africa

Covers India's Digital Personal Data Protection Act (2023): consent model, data principals' rights, data fiduciary obligations, the Data Protection Board, significant data fiduciary rules, cross-border transfers, and the status of implementing rules.

India's DPDP Act: A New Privacy Framework for 1.4 Billion People

In August 2023, India enacted the Digital Personal Data Protection Act (DPDP Act) — the country's first comprehensive national data privacy law, applicable to the digital processing of personal data. With over 1.4 billion people and one of the world's fastest-growing digital economies, India's privacy framework will have enormous global significance.

Scope

The DPDP Act applies to the digital processing of personal data within India, and to processing outside India if it involves the personal data of individuals in India (extraterritorial scope). 'Personal data' is information that identifies or is capable of identifying an individual. The Act does not regulate non-digital (offline) processing.

The consent model

Consent is the primary — and default — legal basis for processing. Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous. It must be signified through a clear affirmative action. The notice and consent model requires that before processing, data fiduciaries provide a notice explaining what data is collected, how it will be used, and the individual's rights — in clear and plain language, and in languages listed in the Eighth Schedule of the Indian Constitution.

Other lawful bases — called legitimate uses — exist for specific scenarios: employment-related processing, medical emergencies, safety and public order, legal proceedings, and state functions. These are more narrowly defined than GDPR's equivalents.

Rights of data principals

The DPDP Act grants individuals (called data principals) the following rights:

  • Right to access: to receive a summary of personal data held and processing activities.
  • Right to correction and erasure: to have inaccurate or no-longer-needed data corrected or deleted.
  • Right to grievance redressal: to have complaints addressed by the data fiduciary within a defined timeframe.
  • Right of nomination: uniquely, individuals can nominate another person to exercise their rights in the event of death or incapacity — a provision reflecting India's specific social and cultural context.

Data fiduciary obligations

Organisations processing personal data — called data fiduciaries — must: limit collection to what is necessary (data minimisation); retain data only as long as needed; implement reasonable security safeguards; notify the Data Protection Board and affected individuals in the event of a data breach; and not process children's data without verifiable parental consent.

Significant Data Fiduciaries

The government may notify certain organisations as Significant Data Fiduciaries (SDFs) based on the volume of data processed, sensitivity, risk to national security, or impact on democracy. SDFs face additional obligations: appointment of a Data Protection Officer, periodic data protection impact assessments, and algorithmic audits.

The Data Protection Board of India

The Data Protection Board of India is the adjudicatory body — not a traditional regulator. It hears complaints, imposes penalties (up to INR 250 crore per violation for certain breaches), and can order remedies. Critics have raised concerns about the Board's independence, as its members are appointed by the central government.

Cross-border data transfers

The DPDP Act permits cross-border transfers of personal data, subject to the central government notifying which countries or territories are restricted. This is a permissive default with a government-controlled blacklist, rather than an allowlist or adequacy-based model.

Status as of 2024

The DPDP Act was signed into law in August 2023 but its substantive provisions are not yet fully in force — implementing rules (data rules) are still being developed. Organisations should monitor the rulemaking process closely.

Your takeaway

The DPDP Act represents a major moment in global privacy law — bringing the world's most populous democracy into the regulatory mainstream. Once fully operational, it will reshape data flows, compliance programmes, and digital product design for any organisation engaged with India's digital market.
