Digital Personal Data Protection Act, 2023: Rights, Obligations, and the Road to Data Privacy in India

Introduction: The Digital Data Challenge

Every time an individual opens a banking application, books a flight, fills out an online form, or scrolls through a social media feed, personal information changes hands. Details such as Aadhaar numbers, PAN data, mobile contacts, geolocation, browsing patterns, and financial credentials are continuously harvested, stored, and processed by a vast array of entities, often without the individual fully understanding the extent of that collection.

Recognising the urgent need to regulate this data ecosystem, the Government of India enacted the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the DPDP Act). This legislation represents a foundational shift in India's approach to digital governance and individual privacy rights. It lays down a structured, enforceable legal framework that governs every stage of personal data handling — from the moment data is collected to the point it is deleted.

The DPDP Act seeks to achieve a careful equilibrium between two competing imperatives:

  • Upholding the constitutional right to privacy of every individual in the digital space
  • Facilitating lawful, responsible data use for innovation, public administration, and economic development

This article provides a comprehensive breakdown of the DPDP Act — covering its applicability, key definitions, individual rights, legitimate use exceptions, penalties, and compliance obligations.


Core Definitions Under the DPDP Act

Before examining the substantive provisions, it is essential to understand the foundational terminology introduced by the legislation.

1. Data Principal

The Data Principal is the individual to whom the personal data relates. In practical terms, whenever an entity collects personal information, be it a name, address, biometric detail, or financial record, the person whose data is being collected is the Data Principal under the DPDP Act. Where that person is a child, the Act treats the parents or lawful guardian as the Data Principal; where the person has a disability, the lawful guardian acting on their behalf.

This definition is significant because the entire rights framework under the Act is constructed around protecting the interests of the Data Principal.

2. Data Fiduciary

A Data Fiduciary is any person, company, government authority, body, or organisation that determines the purpose and means of processing personal data. The term "fiduciary" reflects the trust-based responsibility that such entities carry in handling another person's information.

Entities that typically qualify as Data Fiduciaries include:

  • Commercial banks and non-banking financial companies
  • E-commerce and retail platforms
  • Healthcare providers and hospital networks
  • Social media and digital content platforms
  • Educational institutions and EdTech companies
  • Government departments collecting citizen data

3. Data Processor

A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary, rather than for its own independent purposes. Common examples include cloud infrastructure providers, third-party analytics firms, and outsourced payroll processing companies.

Note: The Data Processor does not determine the purpose of processing; that responsibility rests solely with the Data Fiduciary. The Act also keeps the Data Fiduciary responsible for compliance in respect of any processing carried out on its behalf by a Data Processor, irrespective of any agreement to the contrary, and permits a Data Fiduciary to engage a Data Processor only under a valid contract. Outsourcing the processing therefore does not outsource the liability.


Scope and Territorial Applicability

A. Processing Within Indian Territory

The DPDP Act applies to the processing of digital personal data within the territory of India, where that data is either collected in digital form, or collected in non-digital form (for example, on a paper form) and subsequently digitised. Data that remains purely offline is outside its scope.

B. Cross-Border Application