Digital Personal Data Protection (DPDP) Act

Context

Recently, the Supreme Court of India issued a formal notice to the Union Government in response to a petition challenging the constitutional validity of certain provisions of the Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, 2025. The court is specifically examining whether the Act’s broad exemptions for state agencies and the amendment to Section 8(1)(j) of the Right to Information (RTI) Act create a “compensation vacuum” for citizens and unconstitutionally restrict the public’s right to know.

1. Applicability and Scope

  • Digital Focus: The Act applies to the processing of personal data that is collected in digital form or collected offline and later digitized.
  • Territorial Jurisdiction: It applies to data processing within India. It also has extraterritorial jurisdiction if the processing is in connection with offering goods or services to Data Principals in India.
  • Exclusions: It does not apply to personal data processed by an individual for personal or domestic purposes or data made publicly available by the Data Principal themselves.

2. Key Definitions

  • Data Principal: The individual to whom the personal data relates. For children (under 18) or persons with disabilities, this includes their parents or lawful guardians.
  • Data Fiduciary: The entity (individual, company, or State) that determines the purpose and means of data processing.
  • Data Processor: Any entity that processes data on behalf of a Data Fiduciary.
  • Consent Manager: A registered entity that provides a single, interoperable platform for individuals to manage, review, and withdraw their consent.

3. Seven Core Principles of DPDP Act

The Act is built on a “SARAL” (Simple, Accessible, Rational & Actionable Law) framework based on:

  1. Consented & Lawful Use: Personal data may be processed only for a lawful purpose, either with the Data Principal's consent (which must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action) or for the "certain legitimate uses" the Act itself enumerates (for example, data voluntarily provided for a specified purpose, compliance with a court order, or a medical emergency).
  2. Purpose Limitation: Use of data is restricted only to the purpose specified at the time of consent.
  3. Data Minimization: Only the minimum necessary data should be collected.
  4. Accuracy: Ensuring data is correct and updated.
  5. Storage Limitation: Personal data must be erased once the Data Principal withdraws consent or once it is reasonable to assume the specified purpose is no longer being served, unless retention is required by law.
  6. Security Safeguards: Reasonable measures to prevent data breaches.
  7. Accountability: Fiduciaries are responsible for compliance.

4. Significant Data Fiduciaries (SDF)

The Central Government can notify certain fiduciaries as SDFs based on factors such as the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, and the potential impact on India's sovereignty and integrity, the security of the State, or public order. SDFs have additional obligations:

  • Appointing a Data Protection Officer (DPO) based in India.
  • Appointing an independent data auditor.
  • Conducting Data Protection Impact Assessments (DPIA).

5. Rights and Duties of Data Principals

  • Rights: Right to access information, right to correction/erasure, right to grievance redressal, and the Right to Nominate (to exercise rights in case of death or incapacity).
  • Duties: Data Principals must not furnish false information, suppress material facts, or file frivolous complaints. Violation of duties can lead to a penalty of up to Rs 10,000.

6. The Data Protection Board of India (DPBI)

  • Nature: A quasi-judicial, digital-first body established to adjudicate breaches and complaints.
  • Powers: It can summon witnesses, inspect documents, and impose financial penalties.
  • Appeals: Decisions of the DPBI can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

7. Penalties and Exemptions

  • Penalties: Up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach. The Act prescribes no imprisonment; all penalties are monetary.
  • State Exemptions: The Government can exempt its instrumentalities from the Act in the interest of sovereignty, security of the state, or public order.
  • RTI Amendment: The Act amends Section 8(1)(j) of the RTI Act to exempt all "personal information" from disclosure, dropping the clause's earlier test under which such information could be disclosed where the larger public interest justified it.

Q. With reference to the Digital Personal Data Protection (DPDP) Act, 2023, consider the following statements:

1. The Act applies to both digital personal data and non-digital data that remains in physical paper-based records.

2. Under the Act, a Data Principal has the right to nominate any individual to exercise their data rights in the event of their death or incapacity.

3. The Data Protection Board of India is empowered to provide compensation to individuals whose data privacy has been violated by a Data Fiduciary.

4. The Act removes the "public interest" override previously available under the RTI Act for disclosing personal information of public officials.

How many of the above statements are correct?
(a) Only one
(b) Only two
(c) Only three
(d) All four

Solution: Answer: (b)

• STATEMENT 1 IS INCORRECT: The Act applies specifically to digital personal data (collected online or digitized later). It does not apply to non-digital data that remains in physical/analog form.
• STATEMENT 2 IS CORRECT: The Act introduces the Right to Nominate, allowing a Data Principal to name someone to manage their data rights in case of death or incapacity.
• STATEMENT 3 IS INCORRECT: While the Board can impose heavy penalties (up to Rs 250 crore), these fines are credited to the Consolidated Fund of India. The Act does not provide a mechanism for direct compensation or restitution to the individual victim.
• STATEMENT 4 IS CORRECT: The DPDP Act amended Section 8(1)(j) of the RTI Act to create a blanket exemption for personal information, removing the clause's earlier test under which such information could be disclosed if the larger public interest justified it.
