Digital Data Protection Act 2023 Explained
What Is the Digital Personal Data Protection Act, 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law aimed at safeguarding digital personal data—information you share online or that businesses collect and process digitally.
This law seeks to strike a balance: giving individuals control over their data, while allowing lawful processing by companies.
Important note: It has not yet fully come into force—various provisions will be activated gradually via government notifications.
Key Provisions
| Feature | What It Means |
|---|---|
| Consent & Notice | Data must be collected only with clear, informed consent. Companies must tell you why they collect your data, what they will do with it. |
| Rights Over Data | You can ask to access, correct, or erase your data. |
| Duty to Protect Data | Organizations (data fiduciaries) must use security measures and report data breaches to the Data Protection Board and affected users. |
| Cross-Border Transfers | Transfer outside India is allowed only if the country is approved by the government. |
| Significant Data Fiduciaries (SDFs) | Entities processing large volumes or sensitive data will have extra obligations (e.g. appointing a Data Protection Officer, audits). |
| Data Protection Board | A regulatory body (adjudicatory) to hear complaints, enforce rules, and impose penalties. |
| Extraterritorial Scope | Even if a company is abroad, if it processes data of people in India, the Act can apply. |
| Penalties | For violations, fines can go up to ₹250 crore (when severe). |
FAQs
-
1. Can a website share my phone number without permission?
-
No. Sharing personal data without your consent is prohibited under the Act.
-
2. Can I ask a website to delete my account and data?
-
Yes, you have the right to erasure (delete your data).
-
3. If a company misuses my Aadhaar, what can I do?
-
File a complaint with the Data Protection Board once active—they can penalize the company.
-
4. Why do I get marketing calls after using an app? Is it legal?
-
Only if you consented. Otherwise, it's a violation of your data rights.
-
5. Can I see all the data a company has collected about me?
-
Yes, you can request access to your personal data.
-
6. The privacy policy is full of legal jargon—I can't understand it. What now?
-
The Act requires it to be in clear, understandable language. If not, you can complain.
-
7. My data was leaked by a service. Can I take action immediately?
-
Yes. The company is obligated to report the breach and you can lodge a complaint.
-
8. Are my private chats protected under this Act (like WhatsApp messages)?
-
The Act deals with digital personal data processed by services (e.g., metadata, profile info), not private encrypted chats.
-
9. Can companies store my data abroad?
-
Yes, but only in approved jurisdictions that the Indian government permits.
-
10. I gave consent once—can they use my data forever?
-
No. Consent must be specific, and you can withdraw it anytime.
-
11. Who enforces this law and handles complaints?
-
The Data Protection Board of India will act as the adjudicating body.
-
12. What types of data are protected?
-
Name, address, phone, email, health info, financial data—anything that identifies you digitally.
-
13. Can schools or colleges freely use student data?
-
Only for limited educational purposes and with necessary safeguards.
-
14. Is this law already effective?
-
No. Though passed, many parts await official notification and rule-making.
-
15. What if the violation is small (e.g. minor misuse)?
-
The Board may impose lower penalties for lesser offences, depending on the nature and harm.
Add new comment