





Digital Personal Data Protection Act 2023 with Draft Rules

An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as follows:—
Short title and commencement.
1. (1) This Act may be called the Digital Personal Data Protection Act, 2023.
(2) It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.
1.1 What is the new Digital Personal Data Protection Act, 2023 all about?
The Digital Personal Data Protection Act, 2023 (‘DPDP Act’) provides for the processing of digital personal data in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. The DPDP Act protects digital personal data [that is, the data by which a person (individual) may be identified] by providing for the following:
(a) The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
(b) The rights and duties of Data Principals (that is, the person to whom the data relates); and
(c) Financial penalties for breach of rights, duties and obligations.
The DPDP Act also seeks to achieve the following:
(a) Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
(b) Enhance the Ease of Living and the Ease of Doing Business; and
(c) Enable India’s digital economy and its innovation ecosystem.
1.2 When does the DPDP Act come into force?
The DPDP Bill received the assent of the President of India on 11-08-2023. However, section 1(2) of the DPDP Act provides as follows regarding the coming into force of the Act: It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.
1.3 What is the conceptual basis of the DPDP Act?
The conceptual basis of the DPDP Act is the report of the Expert Committee, set up under the Chairmanship of Justice BN Srikrishna, titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”.
1.4 What are the principles on which the DPDP Act is based?
The DPDP Act is based on the following seven principles:
(a) The principle of consented, lawful and transparent use of personal data;
(b) The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
(c) The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
(d) The principle of data accuracy (ensuring data is correct and updated);
(e) The principle of storage limitation (storing data only till it is needed for the specified purpose);
(f) The principle of reasonable security safeguards; and
(g) The principle of accountability (through adjudication of data breaches and breaches of the provisions of the DPDP Act and imposition of penalties for the breaches).
1.5 Where can one find an elaboration of the above 7 principles which are the basis for the DPDP Act?
One can find an elaboration of the above 7 principles in the report of the Expert Committee set up under the Chairmanship of Justice BN Srikrishna titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”. These principles are discussed at relevant places in this book.
1.6 What is the rationale for enacting the DPDP Act?
The report of the Committee of Experts notes the admission by Facebook that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica through a third-party application that extracted personal data of Facebook users who had downloaded the application as well as their friends. The Report notes that this admission by Facebook is demonstrative of several such harms: users did not have effective control over data. Further, they had little knowledge that their activity on Facebook would be shared with third parties for targeted advertisements around the US elections. The incident, unfortunately, is neither singular nor exceptional. Data gathering practices are usually opaque, mired in complex privacy forms that are unintelligible, thus leading to practices that users have little control over. Inadequate information on data flows and consequent spam or, worse still, more tangible harms are an unfortunate reality. The Report notes that “Currently, the law does little to protect individuals against such harms in India”. To fill this vacuum and protect individuals against such harms, a new law was necessary. Hence, the DPDP Act was enacted with the objective of “keeping citizens’ personal data protected while unlocking the digital economy.”
1.7 What are the aims and objects of the DPDP Act?
In Justice K.S. Puttaswamy (Retd.) v. Union of India, the Hon’ble Supreme Court held that the right to privacy is a fundamental right under Article 21 of the Constitution of India. To make this right meaningful, it was necessary to put in place a data protection framework which, while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good. The data protection framework could not focus on right to privacy alone. There had to be a balancing of right to privacy with other considerations and values. In Puttaswamy (supra), the Supreme Court observed that “Formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State.”
Thus, the DPDP Act aims to provide for the processing of digital personal data in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes (the needs of the digital economy).
1.8 Are there no existing legal provisions protecting digital personal data of individuals from unauthorised use until the DPDP Act comes into force?
No. That is not the case. Until the DPDP Act comes into force, the existing legal provisions to protect digital personal data of individuals are contained in section 43A of the Information Technology Act, 2000, which provides for Compensation for failure to protect data.
Section 43A of the IT Act, 2000 provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation in section 43A defines the terms “body corporate”, “reasonable security practices and procedures” and “sensitive personal data or information” for the purposes of section 43A as under:
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the SPDI Rules) were notified by Central Government to define “sensitive personal data or information” and specify “reasonable security practices and procedures”. The SPDI Rules were notified by the Central Government under powers conferred on it by sections 43A and 87(2)(ob) of the IT Act, 2000.
1.9 Will the existing protection to individuals under section 43A of the IT Act and the SPDI Rules continue to be available once the DPDP Act comes into force?
Section 44(2) of the DPDP Act provides for omission of Section 43A of the IT Act, 2000 and of the rule-making powers in clause (ob) of sub-section (2) of Section 87 of the IT Act, 2000. Therefore, sections 43A and 87(2)(ob) of the IT Act and the SPDI Rules will stand repealed from the date notified by the Central Government under Section 1(2) of the DPDP Act for the coming into force of Section 44(2) of the DPDP Act.
1.10 Does the DPDP Act provide for compensation to affected individuals in case of a personal data breach, like section 43A of the IT Act?
No. There are no provisions for compensation in the DPDP Act along the lines of section 43A.
1.11 What protections are available to individuals under existing provisions of section 43A of the IT Act and the SPDI Rules against unauthorised use/breach of privacy of their personal data?
Rule 2(1)(i) of the SPDI Rules defines “Personal Information” to mean “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
Rule 3 of the SPDI Rules defines the term “Sensitive personal data or information” to mean such personal information which consists of information relating to:—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Proviso to Rule 3 clarifies that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Rule 4 of the SPDI Rules requires a body corporate to provide a policy for privacy and disclosure of information, as under:
(a) The body corporate or any person who on behalf of the body corporate collects, receives, possesses, stores, deals in or handles information of a provider of information shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information, and ensure that the same is available for view by such providers of information who have provided such information under lawful contract.
(b) Such policy shall be published on website of body corporate or any person on its behalf and shall provide for— clear and easily accessible statements of its practices and policies; type of personal or sensitive personal data or information collected under rule 3; purpose of collection and usage of such information; disclosure of information including sensitive personal data or information as provided in rule 6; reasonable security practices and procedures as provided under rule 8.
Rule 5 of SPDI Rules provides for Collection of information (SPDI) as under:
(1) Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —
(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered necessary for that purpose.
(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of —
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
(4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
(5) The information collected shall be used for the purpose for which it has been collected.
(6) Body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible.
(7) A body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.
(8) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise, also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of the provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.
(9) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.
(10) Body corporate shall address any discrepancies and grievances of the provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the provider of information expeditiously but within one month from the date of receipt of the grievance.
To safeguard against unauthorised use or disclosure to third party of SPDI of any individual, Rule 6 provides for the following conditions for Disclosure of information:
(1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.
(2) The information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.
(3) Notwithstanding anything contained in (1) above, any sensitive personal data or information shall be disclosed to any third party by an order under the law for the time being in force.
(4) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.
(5) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under (1) above shall not disclose it further.
Rule 7 contains provisions regarding Transfer of information as under:
(1) A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules.
(2) The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.
Rule 8 provides for Reasonable Security Practices and Procedures as under:
(1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
(2) In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
(3) The International Standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System - Requirements” is one such standard referred to in (1) above.
(4) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per (1) above, shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(5) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under (4) above shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited regularly by entities through independent auditor, duly approved by the Central Government.
(6) The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.
1.12 What shortcomings of section 43A and the SPDI Rules necessitated the enactment of the DPDP Act?
While the SPDI Rules were a novel attempt at data protection at the time they were introduced (in 2011), the pace of development of the digital economy has made it inevitable that some shortcomings have become apparent over time. For instance, the definition of sensitive personal data is unduly narrow, leaving out several categories of personal data from its protective remit; its obligations do not apply to the government and may, on a strict reading of Section 43A of the IT Act, be overridden by contract.
It was felt that protection was needed for all personal data of an individual and not merely sensitive personal data or information. The DPDP Act is a vast improvement over the SPDI Rules in that it protects all personal data of an individual and not merely sensitive personal data or information of the individual as is the case with the existing regime under section 43A and the SPDI Rules. The DPDP Act casts a fiduciary obligation over Data Fiduciaries (that is, persons, companies and government entities who process data) which is over and above and irrespective of the contractual relations. Recognising the asymmetry of bargaining power between the individual to whom the data relates (Data Principal) who needs services and the provider of services who uses individual’s data, the latter is designated a fiduciary for the former. Hence, on the recommendation of the Report of the Expert Committee, the term “Data Fiduciary” has been advisedly used in DPDP Act for provider of services who uses personal data of the individual providing the services. The service provider entity using personal data of individual for providing the services is put in a position of trust with onus to use personal data fairly and in line with authorisation of individual to whom the personal data relates. This fiduciary relationship cannot be overridden by terms of contract between Data Principal and Data Fiduciary.
Further, the existing regime under Section 43A and the SPDI Rules applies only to bodies corporate (private sector entities). It has no application to the Government and instrumentalities of the Government when they are service providers using personal data. In the DPDP Act, the term “person” has been defined to include the State, thereby extending the obligations under the DPDP Act to the Government also when it processes personal data of individuals.
AUTHOR : TAXMANN’S EDITORIAL BOARD
PUBLISHER : TAXMANN
DATE OF PUBLICATION : MAY 2025
EDITION : 2ND EDITION 2025
ISBN NO : 9789364553773
NO. OF PAGES : 104
BINDING TYPE : PAPERBACK
Digital Personal Data Protection Act 2023 with Draft Rules [Bare Act with Section Notes] by Taxmann provides a holistic legal framework for processing digital personal data in India. It details the rights and responsibilities of Data Principals and Data Fiduciaries, includes expert Section Notes clarifying legal intentions and usage, and incorporates the Draft Digital Personal Data Protection Rules 2025, plus FAQs that address frequently asked queries.
• Legal Professionals & Practitioners
• Corporate Counsels & Compliance Officers
• Judicial Officers & Regulators
• Academicians & Students
• IT and Data Security Experts
The Present Publication is the 2025 Edition, covering the amended and updated text of the Digital Personal Data Protection Act [Act No. 22 of 2023] and Draft Rules, with the following noteworthy features:
• [Complete Text of the Act & Draft Rules] Presents the unabridged legislative material for a comprehensive understanding
• [Section Notes & Commentary] Clarifies each section’s legislative rationale, practical implications, and relevant contexts
• [FAQs on the DPDP Act] Answers commonly asked questions and highlights core principles such as consent and exemptions
• [Illustrations & Examples] Demonstrates how provisions apply in practical scenarios, facilitating easier comprehension
• [Recent Amendments & Updates] Includes changes to major laws (TRAI Act, IT Act, RTI Act), offering a unified legal snapshot
• [User-friendly Layout] Logical chapter-wise arrangement, helpful indexes, and cross-referencing for quick navigation