On 13 November 2025, India's Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025 (the Rules), following a 10-month wait since the draft Rules were released on 3 January 2025. These Rules operationalize the Digital Personal Data Protection Act 2023 (DPDPA), India's first comprehensive data protection law. The DPDPA was enacted by the Parliament of India in August 2023, but its application was clarified only after the publication of the draft Rules in January 2025, following an extensive drafting and consultation process.

The DPDPA replaces the previous Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000. However, the old regime will remain in force until the end of the phased implementation of the DPDPA, as outlined below.

Companies operating in India must meet the DPDPA's core compliance requirements within a phased 12–18-month timeline. Compliance obligations include appointing consent managers and data protection officers, implementing systems for express user permission, and reporting data breaches within 72 hours.

The Rules will become effective in a phased manner, as detailed further below.
Phased Implementation of the DPDPA
| Effective date | Provision | Details of provisions |
|---|---|---|
| Effective immediately | Rules 1, 2, and 17 | Extent and application of the Act; defined terms in the Act; establishment of the Data Protection Board (the Board); Board powers and functions; meetings and adjudications; appeals to the Appellate Tribunal |
| 13 November 2026 | Rule 4 | Notice, consent and processing of data; reasonable security safeguards; intimation of breaches and data retention; certificate from DPO on data retention; voluntary information of DPO; obligations of Significant Data Fiduciaries; data principal rights management; cross-border transfer |
| 13 May 2027 | Rules 3, 5–16, 22 and 23 | DPO appointment; grievance redressal; data principal rights; data fiduciary obligations; data retention; data breach notification; Significant Data Fiduciary obligations; DPO obligations; DPO certification; DPO audit; DPO registration |
Scope of the DPDPA
The DPDPA applies exclusively to digital personal data. It does not cover non-digital formats unless those records are subsequently digitized. This narrower scope distinguishes it from international data protection laws such as the General Data Protection Regulation (GDPR), which apply to both digital and physical records.
Like the GDPR, the DPDPA does not apply to individuals processing data for personal or household purposes. Drawing a parallel with Singapore’s Personal Data Protection Act of 2012, the DPDPA introduces a broad exemption for personal data that has been publicly disclosed.
Key purposes of exemptions:
- Research and Statistics: Data processing for research or statistical analysis is broadly exempt. However, if the results are used to make decisions about identifiable individuals, the Act’s provisions still apply.
- Government and National Interest: The Act grants wide exemptions to government bodies and for activities related to national security, public order, foreign relations, and crime prevention. These uses must be formally notified to the government.
The specific exemption scenarios under the Rules and the DPDPA are discussed in more detail below.
Key provisions of the DPDPA
Key definitions:
- Personal data: Any data about an individual who is identifiable by or in relation to such data. Notably and in contrast to other international data protection frameworks, the DPDPA treats all personal data uniformly, without imposing heightened obligations for sensitive personal data.
- Data fiduciary: Any person who, alone or with others, determines the purpose and means of processing personal data. This concept is directly borrowed from the GDPR.
- Data principal: The individual to whom personal data relates. For children, this includes their parent or lawful guardian; for persons with disabilities, their lawful guardian.
- Data processor: Any person who processes personal data on behalf of a data fiduciary. Unlike the GDPR, the Act does not impose obligations directly on data processors; instead, it expects data fiduciaries to ensure compliance by the processors they engage, typically through data processing agreements.
1. Notice & consent requirements
- The DPDPA hinges on consent as the primary ground for processing personal data, although additional, narrowly defined lawful grounds are also available. These are defined as "certain legitimate uses" under Section 7, including: specified purposes for which the data principal has voluntarily provided their personal data and has not objected; fulfillment of legal/judicial obligations; medical emergencies and health services; breakdown of public order; and employment. Notably, the Act does not include "contractual necessity" and "legitimate interests," which appear in the GDPR and other mature data protection laws as legal grounds for data processing.
- Data fiduciaries must provide clear, independent privacy notices specifying what personal data is collected, the purposes of processing, and the goods or services enabled. These notices must:
  - Include an itemized description of the personal data to be processed;
  - Provide the specified purpose(s) of processing;
  - Offer a specific description of the goods, services, or uses that the processing enables;
  - Be presented independently of other information, in clear and plain language; and
  - Include links or other clear means to withdraw consent, exercise rights, and complain to the Data Protection Board.
- Like the GDPR, Section 6 of the DPDPA requires that consent for processing personal data must be "free, specific, informed, unambiguous, and unconditional with a clear affirmative action." Consent should be limited to such personal data as is necessary for the specified purpose. In practice, this may mean that data fiduciaries cannot rely on "bundled consent."
- Data principals have a right to withdraw their consent at any time, and data fiduciaries are required to ensure that withdrawal mechanisms are as simple as the original consent process and enable the data principal to exercise their rights under the DPDPA. Once consent is withdrawn, personal data must be deleted unless a legal obligation to retain data applies.
2. Personal data breach notification
- Immediate Notification to the Board: Data Fiduciaries must inform the Data Protection Board without delay upon discovering a personal data breach, detailing its nature, extent, timing, location, causes, consequences, and mitigation steps.
- 72-Hour Follow-Up: Within 72 hours, Data Fiduciaries must submit an updated report that includes remedial actions, findings on the breach’s origin, and proof of notifications sent to affected individuals. Extensions may be granted upon written request.
- Informing Data Principals: Affected individuals (referred to as Data Principals) must be notified promptly via their registered communication channels. No fixed timeline is prescribed for this notification.
3. Data Principal rights
- Data Fiduciaries must publish procedures for Data Principals to exercise their rights, including allowing nominees to act on behalf of incapacitated or deceased individuals.
4. Security safeguards
- The Rules specify reasonable security safeguards, including encryption, obfuscation, masking, use of virtual tokens, access controls, monitoring, data backups, detection of unauthorized access, and contractual security measures.
5. International data transfers
- Rule 15 allows data fiduciaries to transfer personal data outside India. However, such transfers must comply with any conditions imposed by the Central Government through general or special orders. These conditions may focus on whether the transferred data could be accessed by foreign states or their agencies. While this rule remains largely unchanged from the draft version of the Rules, its full scope is still undefined. Future restrictions could range from outright bans on transfers to certain blacklisted countries to more flexible mechanisms like adequacy frameworks, binding corporate rules, or standard contractual clauses.
- Rule 13 gives the government authority to restrict cross-border data transfers, especially for Significant Data Fiduciaries. Based on recommendations from a government-appointed committee, the government may designate specific categories of personal and traffic data that cannot be transferred outside India. This opens the door for future limitations tied to foreign government access, despite the DPDP Act’s generally permissive approach to international transfers.
6. Data of vulnerable persons
- Under Rule 10, data fiduciaries must adopt appropriate technical and organizational measures to ensure that parental consent is obtained before processing any personal data of a child. Fiduciaries must conduct due diligence to confirm that the individual identifying themselves as the parent or lawful guardian is, in fact, an adult. The Rules outline three pathways for this verification: using reliable information the fiduciary already holds, relying on identity or age details voluntarily provided by the parent, or using a token or credential issued by the government or an authorized entity.
- The Rules exempt only specific classes of entities and tightly defined purposes from the requirement to obtain parental consent and the restriction on tracking, monitoring, and targeted advertising (Fourth Schedule). These apply mainly to clinical and healthcare establishments, allied health professionals, educational institutions, and certain childcare and caregiving settings, and only when processing is for the listed purposes (such as delivering health services, education, or essential caregiving functions). Notably, there are two new permitted purposes:
  - determining a child’s real-time location for specified child-focused services; and
  - tracking and monitoring where necessary to ensure that a service or advertisement is not likely to have a detrimental effect on the child’s well-being.
These are narrow, purpose-specific carve-outs rather than a broad relaxation: entities must still check both that they fall within an exempt class and that a particular processing activity fits one of the enumerated purposes.
7. Significant Data Fiduciaries (SDFs)
- Definition: SDFs are entities that process large volumes of sensitive personal data or pose significant risks to individuals’ rights or national interests.
- Designation: The Central Government can designate an entity as an SDF based on the volume and sensitivity of data processed, risks to data principals, impact on national security or public order, and threats to electoral democracy.
- Stricter Compliance: SDFs are subject to higher accountability and oversight than ordinary data fiduciaries.
- Key Obligations:
  - Data Protection Officer (DPO): Must appoint a DPO based in India to oversee compliance and act as the main point of contact for data protection matters. This is in contrast to the GDPR, which by default requires all public bodies, and all entities whose core activities involve large-scale processing of sensitive data or systematic monitoring of individuals, to appoint a data protection officer.
  - Independent Data Auditor: Must engage an independent auditor to review compliance and maintain clear records of processing activities.
  - Annual Assessments: Required to conduct annual Data Protection Impact Assessments (DPIAs) and audits, with findings reported to the Data Protection Board.
  - Algorithmic Due Diligence: Must ensure that technical and algorithmic systems do not harm data principals’ rights or cause unfair outcomes.
  - Data Localization: For certain categories of personal data specified by the government, SDFs must ensure such data is not transferred outside India unless explicitly permitted, keeping sensitive data within Indian jurisdiction.
8. Data retention
- Specific Rules for Large Platforms: Certain data fiduciaries operating large platforms, such as e-commerce, social media, and gaming platforms, must not retain personal data for more than three years after the last user interaction. The three-year retention period starts from the later of the data principal’s last request (for the specified purpose or to exercise their rights) or the commencement of the Rules. Data fiduciaries must provide prior notice to users before deleting their personal data.
- New One-Year Minimum Retention for All Data Fiduciaries: All data fiduciaries must retain personal data, associated traffic data, and certain logs for at least one year for specified purposes (such as responding to lawful requests or supporting investigations), after which such data must be erased unless another law requires longer retention.
9. Consent managers
- Under the DPDPA, consent managers are independent entities entrusted to manage data principals’ consent for sharing data through an interoperable, secure and transparent platform. They serve as a single point of contact for users to give, manage, review, and withdraw consent for personal data processing.
- Consent managers must be registered with the Data Protection Board of India and comply with technical, operational, and financial requirements set by the Board. They must be incorporated in India, meet minimum net-worth and governance requirements, and operate independently, avoiding conflicts of interest with data fiduciaries whose consents they manage.
- Consent must be free, specific, informed, unconditional, and unambiguous, and limited to what is necessary for the specified purpose.
- Under the Act, consent managers are responsible to data principals, likely to mitigate potential conflicts of interest, such as financial reliance on data fiduciaries. They are required to act in the best interests of users, promoting transparency and empowering individuals with control over their personal data.
- Additional responsibilities for consent managers may be introduced through future regulatory updates.
10. Government access
- Rule 23 preserves the Central Government’s power to require data fiduciaries or intermediaries to provide personal data for reasons related to India’s sovereignty, integrity, security, or to fulfill legal functions.
- The government may also direct that an entity must not disclose that it has furnished information, where such disclosure could prejudice interests like sovereignty and security.
Exemptions to the DPDPA
- The Rules provide exemptions from restrictions under the DPDPA for certain processing in education, healthcare, and child services, including behavioral monitoring or tracking of children for specific purposes.
- The Rules also exempt personal data processing for research, archiving, or statistical purposes, provided certain conditions are met. Key safeguards include ensuring processing is lawful and not used to make decisions about specific individuals, and implementing governance and security measures appropriate to the research context.
- These are in addition to the exemption in Section 17 of the DPDPA, which outlines circumstances in which certain requirements under the Act may be relaxed or waived for data fiduciaries and data processors:
  - Section 17 of the Act provides certain exemptions to data fiduciaries from the consent and notice requirements in specific cases, including processing personal data by courts or tribunals, enforcing legal rights, and processing non-Indian residents’ data within India.
  - Section 17(1) outlines specific scenarios where key provisions of the Act, particularly those in Chapter II, Chapter III, and Section 16, do not apply. These exemptions are designed to ensure flexibility in contexts where strict compliance may hinder legal, regulatory, or commercial operations.
Such exemptions acknowledge that enforcing all privacy safeguards universally may not be feasible or beneficial in every context, aiming to strike a balance between protecting individual privacy and advancing broader societal goals such as national security, law enforcement, scientific research, and public interest journalism.
Exemption scenarios under Section 17 of the DPDPA
- For enforcing legal rights or claims.
- By courts, tribunals, or regulatory bodies performing judicial or supervisory functions.
- For law enforcement purposes: prevention, detection, investigation, or prosecution of offences.
- If an Indian entity processes personal data of individuals located outside India, and this is done under a contract with a foreign party, the Act's core obligations do not apply.
- For company mergers, demergers, or restructuring approved by competent authorities.
- For assessing financial details of loan defaulters, in line with other applicable laws.
Clause 17(1)(d) is particularly significant for outsourcing, IT services, and cross-border data processing, as it ensures Indian companies can operate under foreign contracts without duplicative compliance burdens for non-resident data subjects. This exemption facilitates international business operations, allowing Indian service providers to handle foreign personal data without being bound by domestic privacy rules, provided the data subjects are not within Indian territory. Notably, such an exemption for the processing of foreign data does not exist under the GDPR.
Key departures from global data protection frameworks
- The DPDPA does not introduce extra requirements for entities handling sensitive or critical personal data, unlike earlier drafts of the legislation.
- It also does not recognize special categories of personal data, such as racial or ethnic origin, political beliefs, or sexual orientation, that receive enhanced protection under the GDPR.
- Crucially, however, organizations must assess whether they qualify as a Significant Data Fiduciary, as this classification carries stricter compliance obligations. This designation is based on factors such as the volume and sensitivity of personal data processed, along with other criteria outlined in the Rules.
Next steps for organizations
- Redesign Age-Verification Flows: Platforms, especially those targeting minors (such as social media and apps), should update user flows to implement robust age-verification and parental consent mechanisms.
- Ensure Breach Readiness: Update incident response plans to ensure notification “without delay” to the Data Protection Board upon discovering a breach, with a detailed follow-up report within 72 hours. Prepare systems to notify affected individuals quickly and maintain documentation of all notifications sent.
- Align Retention and Deletion Workflows: Review and update data retention and deletion policies to comply with the minimum one-year log retention and the three-year cap for certain classes of data fiduciaries.
- Assess SDF Status and Prepare for Compliance: Monitor user numbers and the sensitivity of data processed to determine if your organization qualifies as a Significant Data Fiduciary (SDF). If so, plan for annual Data Protection Impact Assessments, independent audits, and algorithmic impact reviews.
- Monitor Regulatory Updates: Stay alert for further government notifications, particularly regarding international data transfer restrictions and the classification of Significant Data Fiduciaries, as these may affect compliance obligations.
Conclusion
The Digital Personal Data Protection Act and its Rules establish a landmark framework for privacy, user rights, and accountability in India. As phased implementation progresses, organizations must proactively update their data practices to meet core obligations such as breach reporting, retention limits, and age verification.

Businesses now need to move from “issue-spotting” to implementation: mapping data flows, updating notices and contracts, planning for breach reporting and retention, re-examining children's data handling, and assessing the risk of being classified as an SDF.

Further government notifications are anticipated, particularly around international data transfer restrictions and the formal designation of Significant Data Fiduciaries.
For any assistance in understanding the impact of this update, feel free to reach out to the authors or your usual Hogan Lovells contact.
Authored by Charmian Aw and Ciara O'Leary.