The digital lives of Indian citizens, from social interactions on platforms like Instagram and Snapchat to financial transactions via UPI and Paytm, are now governed by a historic piece of legislation: India's Digital Personal Data Protection (DPDP) Act, 2023.
The DPDP Act, coupled with the recently notified rules, marks a historic shift, finally giving citizens enforceable control over their digital lives.
India is the world's largest data market, and this law forces global tech giants, e-commerce platforms, and social media companies to overhaul their operations. This is what every Indian user needs to know about the new privacy regime.
Your New Rights and Control as a User (Data Principal)
1. Right to Privacy is a Fundamental Right
The entire foundation of the DPDP Act rests on the recognition of the Right to Privacy. This right was affirmed as a fundamental right under Article 21 of the Constitution of India in 2017, following the landmark K.S. Puttaswamy versus Union of India judgment. This means that individuals are entitled to a private digital life, much like they are entitled to an offline private life.
2. You Have the Right to be Forgotten (Erasure)
The law reinforces your right to seek the erasure or correction of your personal data. Companies must delete your data once the original purpose for its collection has been served (storage limitation). Furthermore, the company must notify you at least 48 hours before the time period for erasure is completed, giving you a chance to exercise your rights.
3. Consent Must be “Clear Affirmative Action”
The days of confusing, pre-ticked boxes and blanket consent for everything are over. Your consent must now be free, specific, informed, unconditional, and unambiguous, requiring a clear affirmative action (i.e., you actively click a non-pre-ticked box). Withdrawal of consent must be as easy as giving it. To ensure accessibility, any official notice provided to users regarding privacy issues, policy, or terms of use must be available in English as well as 22 official constitutional languages listed under the 8th Schedule of the Constitution of India.
4. The Rise of the Consent Manager
The Act introduces a new entity: the Consent Manager. This entity must be an Indian company. A Consent Manager must be registered with the Data Protection Board and acts as a Single Point of Contact (SPOC). Its function is to enable the Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. This makes managing your data permissions across multiple apps much simpler.
Strict New Obligations for Online Platforms
5. Total Ban on Targeted Ads for Minors
This is perhaps the biggest change for social media and online gaming. The Act mandates that companies obtain verifiable parental consent before processing the personal data of a child (defined as under 18). Crucially, the law prohibits behavioural tracking, profiling, and targeted advertising directed at children.
6. Mandatory Data Minimisation by Data Fiduciaries
The term ‘data fiduciaries’ refers to any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. Companies, known as Data Fiduciaries, are obligated to collect only the personal data that is necessary for a specific, lawful purpose (purpose limitation).
They must implement reasonable security safeguards, such as encryption and masking, to protect the data. They are also held accountable for the actions of any third-party Data Processors they hire.
The Data Fiduciary must perform a Data Protection Impact Assessment (DPIA) and an independent audit of its systems every 12 months to verify compliance with security measures, policies, and technical safeguards.
7. 72-Hour Breach Notification is Mandatory
In the event of a personal data breach, companies must notify the newly established Data Protection Board of India (DPBI) within 72 hours of becoming aware of the breach. They must also inform the affected users promptly and in plain language, explaining the nature of the breach and the steps taken to address it.
Enforcement and Accountability
8. Penalties Up to ₹250 Crore and Transfer Restrictions
Non-compliance with the Act, such as failure to take security measures or the misuse of data, can result in monetary fines imposed by the Data Protection Board. Penalties for certain offences can go up to ₹250 crore. Furthermore, the Centre (Central Government) retains the ultimate power to restrict the transfer of personal data to any country or territory outside India by notification, if deemed necessary. These penalties are meant to be a significant deterrent for large platforms like Meta, Google, and others.
9. The Digital-First Data Protection Board of India (DPBI)
The DPBI is the regulatory body established by the Central Government to oversee compliance, address grievances, and impose penalties. The Board has the power to direct urgent remedial or mitigation measures upon receiving intimation of a personal data breach. Importantly, civil courts are generally barred from hearing suits or proceedings for any matter over which the Board has jurisdiction, ensuring a specialized and speedy dispute resolution mechanism.
Notably, the board is designed to function as an entirely digital institution, allowing citizens to file and track their complaints online through a dedicated platform or mobile app.
10. Global Scope (“Extraterritorial Applicability”)
The DPDP Act is not limited to companies operating solely within India. It has extraterritorial applicability, meaning it applies to the processing of personal data outside India if that processing is done for the purpose of offering goods or services to individuals in India.
This ensures that global social media and e-commerce giants serving the Indian market must comply, regardless of where their servers are located. Furthermore, the Act covers personal data whether it was collected in digital form or in physical form (online or offline).
When Does India's DPDP Act Become Effective?
Not all of the law takes effect immediately. While the rules have been notified, the Central Government has provided a phased implementation timeline, giving companies 12 to 18 months to fully comply with the administrative guidelines and transition their backend systems.
However, the Data Protection Board (DPBI) has been established and is operational immediately.
Key Takeaways
- Right to Privacy: Now a fundamental right in the digital space.
- Consent: Must be explicit, informed, and easily withdrawn.
- Data Minimization: Companies must collect only necessary data.
- Breach Notification: Mandatory 72-hour notification for data breaches.
- Extraterritorial Applicability: Applies to global companies serving Indian users.