The Ministry of Electronics and Information Technology regulates the framework of data protection. Personal data refers to any information that can identify an individual, either directly or indirectly. Both business and government entities process personal data to deliver goods and services. This processing enables an understanding of individual preferences, facilitating customization, targeted advertising, and the development of recommendations. Additionally, processing personal data can support law enforcement activities. However, unchecked processing can negatively impact individuals’ privacy, a fundamental right, potentially leading to financial loss and reputational damage.
Now, India has a separate data protection law, as such personal data is governed by the Information Technology Act of 2000. In 2017, the central government established a Committee of Experts on Data Protection, led by Justice B.N. Srikrishna, to examine data protection issues in the country.
The Committee’s report was submitted in July 2018. Following the Committee’s recommendations, the Personal Data Protection Bill 2019 was introduced in the Lok Sabha in December 2019. This Bill was then referred to a Joint Parliamentary Committee, which submitted its report in December 2021. The Bill was withdrawn from Parliament in August 2022, and a draft bill was released for public consultation in November 2022. Finally, the Digital Personal Data Protection Bill, 2023, was introduced in Parliament in August 2023.
The Digital Personal Data Protection (DPDP) Bill is comprehensive legislation aimed at protecting individuals’ personal data in India. It’s India’s first comprehensive personal data protection law after several years. It defines personal data as information that can identify an individual, such as their name, address, phone number, email address, and financial details.
The Bill establishes several rules for collecting, using, and sharing personal data. For instance, it requires data controllers to obtain individuals’ consent before collecting their personal data and prohibits the sale or transfer of personal data to third parties without the individual’s consent.
The DPDP Bill creates a Data Protection Authority (DPA) to ensure compliance with the law. The DPA will have the authority to investigate complaints, impose fines and take other enforcement actions against data controllers who violate the law.
The DPDP Bill represents a significant advancement in data protection in India. It aims to safeguard individuals’ privacy and give them greater control over their personal data. The bill highlights potential issues for consumers, businesses, and the state while also considering recent developments and future regulatory factors.
The Digital Personal Data Protection Bill, 2023 regulates the processing of digital personal data, including various other areas related to personal data such as:
The key features of the Digital Personal Data Protection Bill 2023 that protect digital personal data and guard against breaches of individuals’ privacy are as follows:
The Digital Personal Data Protection Bill governs the processing of digital personal data within India, including data collected online or offline digitally. It also applies to processing personal data outside India if it involves offering goods or services or profiling individuals in India.
Personal data may only be processed for lawful purposes with the individual’s consent. A notice must be provided before seeking consent, detailing the data to be collected and the purpose of processing. Consent can be withdrawn at any time.
The individuals whose data is processed, i.e., data principals, have the right to obtain information about processing, request correction and erasure of personal data, nominate someone to exercise their rights if they die, and seek grievance redressal. Individuals must not provide false information, suppress material facts, or impersonate others; violations lead to penalties.
Entities determining the purpose and means of processing (data fiduciaries) must ensure data accuracy and completeness, implement security safeguards to prevent data breaches, inform the Data Protection Board of India and affected individuals when a breach occurs, and cease retaining personal data once its purpose is fulfilled.
The central government will notify countries where data fiduciaries can transfer personal data, subject to specified terms and conditions.
The rights of data principals and obligations of data fiduciaries do not apply in cases involving the prevention and investigation of offences or the enforcement of legal rights or claims. The central government may also exempt certain activities from the Bill’s provisions, including processing by government entities for state security and public order.
The central government will establish the Data Protection Board of India to monitor compliance across data-related situations, areas and laws (such as technology and e-commerce law), impose penalties, direct necessary measures in case of data breaches, and hear grievances from affected individuals.
The Digital Personal Data Protection Bill outlines penalties for various offences, including up to Rs 150 crore for data non-compliance and up to Rs 250 crore for failing to implement security measures to prevent data breaches.
Some of the key provisions of the Digital Personal Data Protection Bill 2023 are stated below:
Data controllers are required to collect personal data solely for specific, lawful, and legitimate purposes. As per the new bill, they are not allowed to use or share the data for other purposes without the individual’s consent.
The data controller must obtain individuals’ consent before collecting, using or sharing their personal data. This consent must be freely given, specific, and informed.
Data controllers must only collect the personal data necessary for the intended purpose, avoiding collecting excessive or irrelevant information.
Data controllers must ensure that personal data is accurate and up-to-date, taking reasonable steps to correct any inaccuracies or incomplete information.
Data controllers should not store personal data longer than necessary for the intended purpose.
Data controllers must protect personal data from unauthorized access, use, disclosure, or destruction.
Data controllers are responsible for compliance with the DPDP Bill and must implement appropriate technical and organizational measures to safeguard personal data.
If data controllers manage data for more than 10,000 data subjects, they must appoint a Data Protection Officer to ensure compliance with the Digital Personal Data Protection Act.
In the event of a data breach, the data controller must notify the Data Protection Authority and the affected individuals within 72 hours of becoming aware of the data breach.
Data controllers may transfer personal data to a third country only if that country provides adequate protection for personal data. The bill provides that the central government may restrict the transfer of personal data to certain countries through a notification.
The Digital Personal Data Protection Bill safeguards digital personal data, which identifies individuals and businesses, through several measures. The roles of the Digital Personal Data Protection Bill are:
A glimpse of the proposed changes in the Digital Personal Data Protection Bill, 2023 is stated below in brief:
The additional provisions introduced in the Digital Personal Data Protection Bill include a special provision for the data of children, defined as individuals under 18. Processing of children’s data requires verifiable consent from the parent or guardian and is restricted from activities detrimental to their well-being, such as behaviour monitoring and targeted advertising.
The bill mandates that data fiduciaries obtain verifiable consent from a child’s legal guardian before processing their personal data. To comply, data fiduciaries would need to verify the age of all users to determine if they are children and obtain parental consent accordingly. This measure could help prevent children from providing false declarations, but it may also reduce secrecy in the digital space and prohibit the negative effect on a child’s well-being.
The Digital Personal Data Protection Bill 2023 is the result of over five years of debate and deliberation and marks the beginning of statutory personal data protection regulation in India. The effectiveness of personal data privacy protection will depend on the regulatory development and institutional arrangements that emerge in the coming years. The new law provides a framework that is necessary and sufficient to ensure data privacy.
The DPDP Act of 2023 was introduced to establish comprehensive regulations safeguarding digital data in response to increasing privacy and data security concerns.
The bill received the President’s assent, followed by an official gazette notification, making it law on 11th August 2023.
The Digital India Act of 2023 is founded on the principles of the Digital India Goals 2026, which aim to position India as a key participant in global value chains and prioritize safety and trustworthiness.
The scope of the DPDP Act, 2023, extends to safeguarding personal data within India and encompasses the processing of personal data belonging to individuals worldwide.
The new IT Act involves the creation of a fact-checking mechanism under the IT Amendment Rules 2023, which is empowered to determine the validity of information and decide on its presence digitally.