DPDP Act 2023 | UPSC CSE

Why in News: The Government of India has notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the full operationalisation of the DPDP Act, 2023.

Together, the Act and Rules create a citizen-centric, innovation-friendly data governance framework for responsible handling of digital personal data.

Key Highlights of the DPDP Rules, 2025

  • Introduce an 18-month phased compliance timeline to help organisations transition smoothly.
  • Require standalone, simple, purpose-specific consent notices from all Data Fiduciaries.
  • Mandate that Consent Managers must be Indian companies, ensuring domestic accountability.
  • Adopt the SARAL design (Simple, Accessible, Rational and Actionable), using plain language and illustrations to support user understanding.

Key Terms under the DPDP Act, 2023

1. Data Principal

  • The individual whose personal data is processed.
  • Rights include:
    • access to information on data processing
    • correction, updating or deletion
    • grievance redressal
    • nomination of another person in case of death or incapacity
  • For children (below 18 years), consent must be provided by a parent or legal guardian.

2. Data Fiduciary

  • Any entity or organisation that determines the purpose and means of processing personal data.
  • They collect, store, process or use personal data and carry primary responsibility for compliance.

3. Significant Data Fiduciary (SDF)

  • A subset of Data Fiduciaries designated by the Central Government based on:
    • volume and sensitivity of data
    • risk to individual rights
    • national security, sovereignty or public order concerns
  • Large digital platforms (social media, e-commerce, fintech, etc.) are the kind of entities expected to be designated in this category.

4. Consent Manager

  • An entity providing a transparent and interoperable platform through which individuals give, manage or withdraw consent.

5. Data Protection Board of India (DPBI)

  • A digital-first adjudicatory body established under the Act.
  • Functions:
    • monitor compliance
    • direct remedial measures and inquiries after a data breach
    • adjudicate grievances
    • impose monetary penalties
  • Appeals against DPBI orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

About the Digital Personal Data Protection Act, 2023

  • India’s first comprehensive data protection law, aimed at protecting individual privacy while enabling lawful and innovation-friendly data use.
  • Enacted nearly six years after the Supreme Court’s 2017 KS Puttaswamy judgment, which recognised privacy as a fundamental right under Article 21.

Applicability of the Act

  • Applies to digital personal data processed within India, whether directly collected or digitised later.
  • Applies to processing outside India if done for offering goods or services within India.
  • Does not apply to:
    • personal/domestic use of data
    • data made public by the Data Principal
    • data required to be public under law

Consent Framework Under the Act

  • Personal data may be processed only for a lawful purpose, and only with the Data Principal's free, specific, informed and unambiguous consent or for certain "legitimate uses" listed in the Act.
  • Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent.
  • Section 9 adds safeguards for children:
    • mandatory verifiable parental consent
    • prohibition of harmful processing
    • prohibition of targeted advertising at minors
  • Consent not required if processing relates to:
    • government services and functions
    • medical emergencies
    • legal obligations

Rights and Duties of Data Principals

Rights

  • ask how personal data is being processed
  • request correction, updating or deletion
  • seek grievance redressal
  • nominate another person to exercise these rights

Duties

  • avoid filing false or frivolous complaints
  • furnish accurate information
  • Violation may attract a fine up to ₹10,000.

Obligations of Data Fiduciaries

  • Ensure accuracy, security, and purpose limitation in data processing.
  • Implement safeguards to prevent breaches and notify both DPBI and affected individuals in case of breaches.
  • Erase personal data once its purpose is fulfilled and no law requires further retention.

Significant Data Fiduciaries (SDFs): Additional Duties

  • Appoint a Data Protection Officer (DPO).
  • Conduct independent data audits.
  • Undertake Data Protection Impact Assessments (DPIA).
  • Follow additional governmental requirements on high-risk or sensitive technologies.

Exemptions under the Act

Certain obligations of Data Fiduciaries and rights of Data Principals are relaxed (security safeguards generally still apply) in cases involving:

  • agencies notified for national security, sovereignty, public order
  • research, archiving, statistical processing
  • start-ups or specific notified fiduciaries
  • enforcement of legal rights and claims
  • prevention, detection, investigation of offences
  • judicial or regulatory functions
  • processing, by a person in India, of personal data of individuals outside India under a contract with a person outside India

Data Protection Board of India (DPBI)

  • Set up as a digital-first adjudicatory body.
  • Members appointed for two years, eligible for reappointment.
  • Functions include:
    • ensuring compliance
    • breach management
    • imposing penalties
    • grievance redressal
  • Appeals go to TDSAT.

Source: PIB
