A reasonable legislation – Digital Personal Data Protection Act 2023 | 1 September 2023 | UPSC Daily Editorial Analysis

Please Share with maximum friends to support the Initiative.

What's the article about?

  • It talks about the recently enacted Digital Personal Data Protection Act, 2023 (DPDP Act).


  • GS2: Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation.
  • GS3: Basics of Cyber Security
  • Prelims


  • India has enacted the Digital Personal Data Protection Act 2023 (DPDP Act) after a long wait. This law will impact all entities, businesses, or commercial enterprises that process any personal data, and, most significantly, the data principals in India. This article analyzes the DPDP Act and its implications.

Digital Personal Data Protection Act, 2023 (DPDP Act):

  • The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first data protection act, which aims to regulate the processing of digital personal data and respect individuals' right to protect their data while recognizing the need for innovation and growth in the digital economy.
  • The key provisions of the DPDP Act are as follows:
    • Applicability: The DPDP Act applies to the processing of digital personal data, which is broadly defined as data in digital form (whether stored locally or in the cloud) that relates to a natural person who can be identified from that data or from other information in the possession of the data fiduciary[.
    • Data Fiduciary: The DPDP Act defines a data fiduciary as any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
    • Data Protection Authority: The DPDP Act establishes a Data Protection Authority (DPA) to oversee and enforce the provisions of the Act. The DPA will have the power to investigate and impose penalties for non-compliance with the Act.
    • Cross-border data transfers: The DPDP Act allows for cross-border transfers to all countries, unless specifically restricted by the Indian Government.
    • Data localization: The DPDP Act requires certain categories of personal data to be stored only in India. The categories of data will be notified by the Central Government.
    • Consent: The DPDP Act requires data fiduciaries to obtain explicit and informed consent from data principals (individuals whose data is being processed) for the processing of their personal data.
    • Data breach notification: The DPDP Act requires data fiduciaries to notify the DPA and affected data principals of any data breaches that are likely to cause harm to the data principals.
    • Penalties: The DPDP Act imposes penalties for non-compliance with the Act, including fines of up to 4% of the data fiduciary's global turnover or INR 150 crores (whichever is higher).


  • Impact on India's Economy and Trade Negotiations:
    • The DPDP Act will be an important milestone in India's journey to become a $3-trillion economy.
    • It will also impact the various multilateral trade negotiations that are underway and the G20 presidency that India shoulders this year.
    • Having a framework that allows for free cross-border data flows as the default mechanism will enable India to consolidate its position as the emerging leader for technological innovation.
  • Meaningful Rights for Data Principals:
    • The DPDP Act provides for meaningful rights for data principals. It will foster accountability and transparency.
    • Having a dedicated adjudicatory mechanism in the Data Protection Board will ensure that institutional knowledge is built, leading to consistency in pronouncements and enforcement action.
    • Doing away with criminal prosecution aligns it with the government's overall intent to decriminalize economic offences.
    • Providing for voluntary undertakings in the course of a proceeding before the Board will foster self-compliance.
  • India's Unique Approach to Setting Up a Data Protection Regime:
    • While India has adopted an approach that allows for free flow of data across borders, the government has retained the ability to blacklist countries or jurisdictions to which data transfers may be restricted.
    • Some of the powers that the government has retained for itself, such as the power to block access to information in certain cases or seek information without due safeguards, is unprecedented.
    • It remains to be seen how these powers are ultimately exercised, especially given that there is a distinct lack of due process prescribed.
  • Challenges and Grey Areas:
    • There are still more elements of how the DPDP Act will be operationalized that are yet to be defined through subordinate legislation.
    • There are also significant exemptions available to the government. By mere notification, the government (parts or all of it) can be exempt from the applicability of the entire law.
    • There are also grey areas that will require privacy and legal professionals to apply their expertise and experience to decipher.

Way Forward:

  • The DPDP Act is a reasonable legislation that focuses on enabling principles. Given that it is horizontally applicable, sector-neutral, and extraterritorially applicable, the impact across the economy within and outside India will be high.
  • There will be undoubtedly an impact on compliance cost and business models, and so a transition period will be given to allow entities to align themselves with this new law.

Please Share with maximum friends to support the Initiative.

Download the Samajho App

Join 5 lakh+ students in downloading PDF Notes for 2000+ Topics relevant for UPSC Civil Services Exam. &nbsp Samajho Android App: https://bit.ly/3H9hva1 Samajho iOS App: https://apple.co/3H8ZJE2 &nbsp Samajho IAS Youtube Channel (300K+ Subscribers): https://www.youtube.com/@SamajhoIAS