by Konika Gayen Keshervani | June 2026 | 10 Minutes Read
Summary: The DPDP Act 2023 is India’s first comprehensive data protection law. It gives citizens rights to access, correct, and erase their personal data, mandates consent before processing, and imposes penalties up to ₹250 crore for violations. Full compliance kicks in by May 2027, though government exemptions remain a concern.
Every time you download an app, sign up for a service, or share your phone number with a website, your personal data is collected. For decades, India had no clear law telling companies what they could or could not do with that data.That changed in August 2023.
The Digital Personal Data Protection Act, 2023 ” commonly called the DPDP Act” is India’s first comprehensive law specifically designed to protect the personal data of its citizens in the digital world. It was passed by Lok Sabha on 7 August 2023, by Rajya Sabha on 9 August 2023, and received Presidential assent on 11 August 2023. The implementing rules ” the DPDP Rules, 2025 ” were
notified on 13 November 2025, setting the law in motion.
With this Act, India joined the 19th G20 nation to have a comprehensive data protection law ” and signalled to the world that it is serious about governing the digital economy on its own terms.
This article explains everything you need to know: what the law does, what your rights are, who it applies to, what the penalties are, and what the current status of implementation is as of June 2026.
BACKGROUND: WHY WAS THIS LAW NEEDED?
Before the DPDP Act, data protection in India was governed by a patchwork of provisions ” primarily the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly known as the SPDI Rules.
The SPDI Rules were narrow and outdated. They applied only to certain types of sensitive data, did not cover most everyday processing by apps and companies, and had weak enforcement. As India’s digital economy exploded ” with hundreds of millions of Indians coming online, using apps, making digital payments, and sharing personal information across platforms — the need for a modern, comprehensive data law became urgent.
The process of drafting such a law began formally with the Justice BN Srikrishna Committee, set up to study global data protection frameworks and recommend a framework for India. Its report, published in 2018, laid the groundwork for what eventually became the DPDP Act.
After several draft bills and rounds of public consultation across 2018, 2019, and 2022, the government introduced the final version of the bill in Parliament in August 2023. It was passed with remarkable speed and received Presidential assent within days.
Notably, this is the first Act of Parliament in India where “she/her” pronouns were used throughout, rather than the conventional “he/him” a deliberate and historic drafting choice.
WHO DOES THE DPDP ACT APPLY TO?
The DPDP Act has a broad scope, far broader than many people realise. It applies to:
1. The processing of digital personal data within India ” whether collected online or collected offline and later digitised.
2. Processing of digital personal data outside India, if it involves offering goods or services to individuals located in India.
This extraterritorial reach is significant. A company based in the United
States, Europe, or anywhere else in the world that has Indian users or customers and processes their data is covered by this law — regardless of where the company is physically located or where its servers are.
This mirrors the approach taken by the European Union’s GDPR (General Data Protection Regulation), which similarly applies to any organisation handling data of EU residents, wherever that organisation is based.
KEY TERMS YOU NEED TO KNOW
The DPDP Act introduces a specific vocabulary. Understanding these terms is essential to understanding your rights.
1.DATA PRINCIPAL
This is you the individual whose personal data is being collected or
processed. Under the Act, a Data Principal can also be a child (anyone under 18 years of age), in which case their parents or guardians exercise rights on their behalf.
2.DATA FIDUCIARY
This is the organisation of a company, an app, a government body that determines the purpose and means of processing your personal data. A Data Fiduciary is responsible for how your data is used, protected, and shared.
The term “fiduciary” is deliberate: it implies a duty of trust and
responsibility toward the individual whose data they hold.
3.DATA PROCESSOR
A third party that processes personal data on behalf of a Data Fiduciary. For example, a cloud storage company that stores data for an app would be a Data Processor. Compliance responsibility rests with the Data Fiduciary, even where processing is carried out by a Processor.
4.CONSENT MANAGER
A new type of intermediary created by the Act. Consent Managers are
registered entities that help individuals manage their consents across
multiple platforms and Data Fiduciaries. They act as a central hub through which you can give, track, and withdraw your consents.
5.SIGNIFICANT DATA FIDUCIARY (SDF)
Certain large or high-risk Data Fiduciaries can be designated by the Central Government as Significant Data Fiduciaries, based on the volume and sensitivity of data they handle, their potential national security implications, and the risk of harm to Data Principals. SDFs face
additional obligations beyond ordinary Data Fiduciaries. As of June 2026, the government has not yet published the official list of SDFs.
6. DATA PROTECTION BOARD OF INDIA (DPBI)
The regulator established by the Act. The DPBI receives complaints, conducts investigations, and imposes penalties for non-compliance.
7.PERSONAL DATA
Any data about an individual who is identifiable by or in relation to
such data. This is intentionally broad and covers names, phone numbers, email addresses, location data, biometric data, financial data, and much more.
THE CORE PRINCIPLES OF THE ACT
The DPDP Act follows the SARAL principle — Simple, Accessible, Rational, and Actionable. It adopts a consent-centric, principle-based approach rather than highly prescriptive rules. This gives organisations flexibility in how they implement compliance, while holding them accountable for outcomes.
The core principles underlying the Act are:
LAWFUL PURPOSE
Personal data may only be processed for a lawful purpose, one for which the individual has given consent, or for which the law permits processing without consent (such as certain government functions).
CONSENT
Where processing is based on consent, that consent must be free, specific, informed, unconditional, and unambiguous. It must be as easy to withdraw consent as it was to give it.
DATA MINIMISATION
Only the data necessary for the stated purpose should be collected. Companies cannot collect data “just in case” it might be useful.
PURPOSE LIMITATION
Data collected for one purpose cannot be used for an entirely different
purpose without fresh consent.
STORAGE LIMITATION
Personal data should not be retained for longer than is necessary for the purpose for which it was collected.
ACCURACY
Data Fiduciaries must take reasonable steps to ensure personal data is
accurate and up to date.
SECURITY
Appropriate technical and organisational measures must be in place to protect personal data from breaches, loss, or unauthorised access.
ACCOUNTABILITY
Data Fiduciaries are accountable for compliance with the Act and must be able to demonstrate that compliance.
YOUR RIGHTS AS A DATA PRINCIPAL (CITIZEN)
The DPDP Act grants every Indian citizen a set of enforceable rights over their personal data. These are not aspirational they are legal rights you can exercise and, if violated, seek redress for.
RIGHT TO INFORMATION
You have the right to know what personal data a Data Fiduciary holds about you, what it is being used for, who it has been shared with, and any other information specified by the rules.
RIGHT OF ACCESS
You can request a summary of the personal data being processed about you and the processing activities being undertaken.
RIGHT TO CORRECTION AND ERASURE
You have the right to correct inaccurate or misleading personal data. You also have the right to request erasure of personal data that is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent.
RIGHT TO WITHDRAW CONSENT
Where processing is based on your consent, you can withdraw that consent at any time. The Act requires that withdrawing consent be as easy as giving it. Once you withdraw consent, the Data Fiduciary must stop processing your data (subject to certain exceptions).
RIGHT TO GRIEVANCE REDRESSAL
You have the right to have your complaints addressed by the Data Fiduciary within a specified time. If unsatisfied, you can escalate to the Data Protection Board of India.
RIGHT TO NOMINATE
You can nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
HOW TO EXERCISE THESE RIGHTS
In practice, you exercise most of these rights by contacting the Data
Fiduciary directly through their designated grievance officer or data
protection officer. If the Data Fiduciary does not respond adequately, you can file a complaint with the Data Protection Board of India through its digital portal.
Consent is the heart of the DPDP Act. Most data processing by private
organisations requires your consent. Here is how the consent framework works.
GIVING CONSENT
Before collecting your data, a Data Fiduciary must give you a notice in
clear, plain language explaining what data is being collected, why it is
being collected, and who it may be shared with. The notice must be available in English and also in any of the 22 languages listed in the Eighth Schedule of the Constitution, upon request.
Consent must be given through a clear affirmative action, not through
pre-ticked boxes, silence, or inactivity.
LAYERED CONSENT
The Act allows for granular consent, meaning you can consent to some types of processing but not others. You do not have to give blanket consent to everything a Data Fiduciary wants to do with your data.
WITHDRAWING CONSENT
You can withdraw your consent for any or all processing at any time. Once withdrawn, the Data Fiduciary must stop processing your data for the relevant purpose. They must also ensure that any third parties (Data Processors) who received your data also stop processing it.
PROCESSING WITHOUT CONSENT -LEGITIMATE USES
The Act also permits processing without consent for certain “legitimate uses”, including:
– Processing by the State for welfare or public interest purposes
– Processing for compliance with any law or court order
– Processing for responding to a medical emergency
– Processing for employment-related purposes under specific conditions
– Processing for certain research, archiving, or statistical purposes
These legitimate uses are meant to be narrow exceptions, not loopholes.
CHILDREN’S DATA -THE STRICTEST RULES
The DPDP Act’s most stringent provisions concern data relating to children defined as anyone under 18 years of age.
VERIFIABLE PARENTAL CONSENT
Before processing a child’s personal data, a Data Fiduciary must obtain
verifiable parental or guardian consent. This is a higher standard than
ordinary consent, the fiduciary must take active steps to verify that
consent is genuinely coming from a parent or guardian, not from the child themselves.
NO BEHAVIOURAL MONITORING OR TARGETED ADVERTISING
Data Fiduciaries are prohibited from engaging in behavioural monitoring of children or directing targeted advertising at children. This is a significant restriction that directly limits how social media platforms, gaming apps, and e-commerce companies can operate when their users include minors.
NO PROCESSING HARMFUL TO CHILDREN
Any processing that could be detrimental to the wellbeing of a child is
prohibited.
EXEMPTIONS FROM PARENTAL CONSENT
The DPDP Rules 2025 carve out limited exemptions from the parental consent requirement including processing by:
– Healthcare providers for emergency treatment
– Educational institutions for student administration
– Government bodies for child welfare services
These exemptions are narrow and purpose-limited.
SIGNIFICANT DATA FIDUCIARIES – EXTRA OBLIGATIONS FOR BIG PLAYERS
The Central Government can designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on:
– The volume of personal data processed
– The sensitivity of the data
– The risk of harm to Data Principals
– Potential impact on national security or sovereignty
– Risk to electoral democracy
SDFs face additional obligations beyond those required of ordinary Data Fiduciaries, including:
– Appointment of a Data Protection Officer based in India
– Appointment of an independent Data Auditor
– Periodic Data Protection Impact Assessments
– Additional safeguards as prescribed by the government
As of June 2026, the government has not yet published the official list of SDFs. This is an important gap large platforms like Meta, Google, Amazon, and major Indian tech companies are widely expected to be designated as SDFs, but the absence of a formal list means these enhanced obligations remain in limbo.
CROSS-BORDER DATA TRANSFERS
The DPDP Act takes a permissive approach to cross-border data transfers which have been both praised and criticised. Under the Act, personal data can be transferred to countries or territories outside India that the Central Government notifies as permissible destinations.
The government may restrict transfers to certain countries based on factors it deems relevant.
This is different from the GDPR model, which requires the destination country to have an “adequate” level of data protection before transfers are permitted. The DPDP Act gives the Indian government broader discretion.
As of June 2026, the government has not yet notified the list of permissible destination countries. This creates uncertainty for organisations that regularly transfer data internationally.
THE DATA PROTECTION BOARD OF INDIA -THE REGULATOR
The DPDP Act establishes the Data Protection Board of India (DPBI) as the primary enforcement authority.
FUNCTIONS OF THE DPBI
Once fully constituted, the DPBI is empowered to:
– Receive and inquire into complaints from Data Principals about data breaches or violations of their rights.
– Issue directions to Data Fiduciaries to implement remedial measures.
– Conduct inquiries into non-compliance.
– Impose financial penalties under Schedule 1 of the Act.
– Publish details of violations, creating reputational consequences beyond financial penalties.
APPEALS
Decisions of the Data Protection Board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
CURRENT STATUS- JUNE 2026
Phase 1 of the Act’s implementation (November 2025) formally established the DPBI and launched its digital complaint portal and mobile application.However, the government constituted a search-cum-selection committee in late 2025 to appoint the Board’s Chairperson and Members. As of May 2026,applications for these positions were still under evaluation and formal appointments had not yet been publicly announced.
This means the DPBI, while formally established on paper, is not yet fully operational in practice. Its full enforcement capacity depends on the completion of the appointment process a delay that has drawn criticism from privacy advocates.
PENALTIES FOR VIOLATION
The DPDP Act establishes a tiered penalty structure with significant financial consequences for non-compliance. All penalties are imposed by the Data Protection Board after an inquiry.
VIOLATION . MAXIMUM PENALTY
———————————————————————–
Failure to implement adequate security safeguards Rs. 250 crore
Failure to notify data breaches to DPBI . Rs. 200 crore
Breach of obligations relating to children’s data Rs. 200 crore
Processing data without valid consent Rs. 200 crore
Failure to enable Data Principal rights Rs. 200 crore
Breach of duty by Data Principal . Rs. 10,000
Important notes on penalties:
– Multiple violations result in separate, compounding penalties.
– Rs. 250 crore is approximately USD 30 million.
– The Board determines actual penalty amounts based on the nature, gravity, and duration of the breach; the type of data affected; and the fiduciary’s compliance history.
– Penalties will apply once the Act is fully in force (from May 2027)
THE GOVERNMENT EXEMPTION — THE BIG CONCERN
One of the most significant criticisms of the DPDP Act concerns the broad exemptions granted to the government. Section 17 of the Act grants the Central Government authority to exempt its own instrumentalities -government departments, agencies, and bodies from
most provisions of the Act when processing is deemed necessary for:
– The sovereignty and integrity of India
– The security of the State
– Friendly relations with foreign states
– Public order
– Preventing incitement to cognisable offences
Privacy advocates and civil society organisations have argued that these exemptions are dangerously broad. The language is vague enough that virtually any government data processing activity could be characterised as falling within one of these categories.
This creates what critics describe as a two-tier system: Indian citizens enjoy privacy rights against private companies, but have significantly weaker protections against the state itself the entity with the greatest capacity for surveillance and data misuse.
The absence of a dedicated surveillance law in India compounds this problem. There is no comprehensive legal framework governing mass surveillance, facial recognition deployment, or intelligence agency data collection and the DPDP Act’s government exemption does nothing to fill that gap.
WHAT THE DPDP ACT MEANS FOR ORGANISATIONS
For companies and organisations that handle personal data, the DPDP Act is a significant operational reality , particularly once full compliance kicks in by May 2027.
Key obligations for organisations include:
1. CONSENT ARCHITECTURE
Every consent mechanism must be redesigned to meet the Act’s requirements:
clear notice, specific purpose, easy withdrawal. Pre-ticked boxes and
bundled consents are out.
2. DATA MAPPING
Organisations must know exactly what personal data they hold, where it came from, what it is used for, who it is shared with, and where it is stored. This requires comprehensive data mapping exercises.
3. GRIEVANCE MECHANISM
Every Data Fiduciary must have a functional grievance redressal mechanism to handle Data Principal complaints within the prescribed timeline.
4. BREACH NOTIFICATION
Data breaches must be reported to the Data Protection Board and to
affected Data Principals. The Act mandates notification failure to
notify carries penalties of up to Rs. 200 crore.
5. PROCESSOR AGREEMENTS
Where data processing is outsourced to third parties, written contracts must include appropriate data protection provisions.
6. RETROSPECTIVE NOTICES
The DPDP Rules require Data Fiduciaries to issue retrospective notices for personal data processed before the Act and Rules came into effect. This is a significant and unusual requirement it means organisations cannot simply ignore their existing data stocks.
7. CHILDREN’S DATA PROTOCOLS
Any organisation whose services are accessible to children must implement age verification and parental consent mechanisms.
WHAT THIS MEANS FOR YOU -PRACTICAL STEPS FOR CITIZENS
The DPDP Act gives you real, enforceable rights. Here is how to exercise them
in practice.
STEP 1: KNOW WHAT DATA IS BEING COLLECTED
When any app or service asks for your data, you now have the right to a clear notice in plain language. Read it. If it is not clear, that is itself a
potential violation.
STEP 2: GIVE SPECIFIC CONSENT ,NOT BLANKET CONSENT
Do not consent to everything if you do not want everything. The Act allows granular consent. Consent only to what is necessary for the service you want.
STEP 3: WITHDRAW CONSENT WHEN YOU WANT TO
If you no longer want a company to use your data, you can withdraw your consent. The process for withdrawal must be as simple as giving consent. Look for “data settings,” “privacy settings,” or “consent management” in apps and websites.
STEP 4: REQUEST YOUR DATA OR CORRECTIONS
You can write to the Data Fiduciary’s grievance officer and ask what data they hold about you, or ask them to correct inaccurate information. They are legally required to respond.
STEP 5: REQUEST ERASURE
If you have withdrawn consent or the data is no longer needed for its
original purpose, you can request erasure. The Data Fiduciary must comply subject to any legal retention requirements.
STEP 6: FILE A COMPLAINT
If a Data Fiduciary ignores your requests or violates your rights, file a
complaint with the Data Protection Board of India through its digital portal. From Phase 3 onwards (May 2027), financial penalties will apply to non-compliant organisations.
CRITICISMS AND CONCERNS
No law is perfect, and the DPDP Act has attracted substantive criticism from privacy experts, civil society, and technologists. A balanced assessment requires acknowledging these concerns.
1. OVERBROAD GOVERNMENT EXEMPTIONS
As discussed, Section 17’s exemptions for government processing are vague and potentially unlimited. This is the most significant structural weakness of the Act.
2. REGULATORY INDEPENDENCE
The Data Protection Board’s members are appointed by the Central Government.This raises concerns about whether the regulator can effectively hold the government itself accountable as a fundamental tension in any self-regulatory arrangement.
3. NO SURVEILLANCE FRAMEWORK
The Act does nothing to regulate state surveillance. Phone interceptions,facial recognition, intelligence agency databases — these remain governed by old, inadequate provisions.
4. DELAYED APPOINTMENTS
The DPBI’s Chairperson and Members had not been appointed as of June 2026 nearly seven months after Phase 1 was supposed to activate enforcement. This delay undermines the credibility of the framework.
5. LIST OF SDFS NOT PUBLISHED
The government had not published the list of Significant Data Fiduciaries by June 2026, leaving the most important enhanced obligations in uncertainty.
6. CROSS-BORDER TRANSFER COUNTRIES NOT NOTIFIED
The permitted countries for cross-border transfers had not been announced, creating compliance uncertainty for international data flows.These are not merely academic concerns they affect whether the Act’s protections are real or merely theoretical for most Indians.
The Digital Personal Data Protection Act, 2023 is a landmark step for India. For the first time, Indian citizens have a clear, comprehensive legal framework governing what companies and organisations can do with their personal data.
The rights it creates to know, to access, to correct, to erase, to withdraw
consent are real rights, backed by significant financial penalties. The
Consent Manager framework, once operational in November 2026, will make it easier for individuals to control their data across multiple platforms. The Data Protection Board, once fully constituted, will provide a dedicated forum for enforcing these rights.
But a law is only as strong as its implementation. The delays in appointing Board members, the absence of the SDF list, the unnotified transfer countries, and above all the broad government exemptions these are not technical details.They go to the heart of whether the Act will deliver meaningful privacy protection to ordinary Indians, or whether it will remain a framework that looks strong on paper but falls short in practice.
The full compliance deadline is May 2027. That gives India its government, its regulators, its companies, and its citizens roughly a year to get ready.The groundwork laid in that period will determine the Act’s legacy.
For now, the most important thing any Indian citizen can do is the same as it has always been: know your rights. You now have more of them than ever before.
DISCLAIMER
This article is for educational and informational purposes only. It does not constitute legal advice. For specific legal queries, please consult a qualified advocate or data protection professional.
Share Your Opinion
Watch Video :Youtube Video
Read More….
- Can a Doctor Lose Their License for What They Say at a Comedy Show?
- Rights of Content Creators in India: What the Law Protects — and What It Doesn’t
- DIGITAL PERSONAL DATA PROTECTION ACT, 2023
- RIGHT TO PRIVACY IN INDIA
- Stop Eating Newspaper-Wrapped Food: FSSAI Issues Fresh Warning After Mumbai Vada Pav Incident






