Taxmann's FAQs on Digital Personal Data Protection Act 2023



1 Introduction

1. What is the new Digital Personal Data Protection Act, 2023 all about?

The Digital Personal Data Protection Act, 2023 (‘DPDP Act’) provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The DPDP Act protects digital personal data [that is, the data by which a person (individual) may be identified] by providing for the following:

(a) The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);

(b) The rights and duties of Data Principals (that is, the person to whom the data relates); and

(c) Financial penalties for breach of rights, duties and obligations.

The DPDP Act also seeks to achieve the following:

(a) Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;

(b) Enhance the Ease of Living and the Ease of Doing Business; and

(c) Enable India’s digital economy and its innovation ecosystem.

2. Whether DPDP Act applies to data in non-digital form?

The DPDP Act applies to digital personal data i.e. personal data in digital form. Therefore, DPDP Act will not apply to data in non-digital form.

However, in terms of clause (a) of section 3 of DPDP Act, DPDP Act shall apply to personal data in non-digital form which is digitised subsequently.

3. When does the DPDP Act come into force?

The DPDP Bill received the assent of the President of India on 11.08.2023. However, the DPDP Act does not provide for coming into force of the provisions with effect from the date of the President’s assent. As regards coming into force of the Act, section 1(2) of the DPDP Act provides as under:

It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.

In exercise of its powers under section 1(2), the Central Government has, vide Notification G.S.R. 843 (E), dated 13.11.2025, appointed the dates of coming into force of various provisions of the DPDP Act as per the Table below:

Provisions | Date of coming into force
---------- | -------------------------
Sub-section (2) of section 1, section 2, sections 18 to 26, sections 35, 38, 39, 40, 41, 42, 43, and sub-sections (1) and (3) of section 44 | The date of publication of Notification G.S.R. 843(E) in the Official Gazette (13.11.2025) [Clause (a) of the Notification]
Sub-section (9) of section 6 and clause (d) of sub-section (1) of section 27 | One year from the date of publication of the Notification in the Official Gazette (13.11.2026) [Clause (b) of the Notification read with sections 3(66) and 9 of the General Clauses Act, 1897]
Sections 3 to 5, sub-sections (1) to (8) and (10) of section 6, sections 7 to 10, sections 11 to 17, section 27 except clause (d) of sub-section (1) of the said section, sections 28 to 34, 36, 37 and sub-section (2) of section 44 | 18 months from the date of publication of the Notification in the Official Gazette (13.05.2027) [Clause (c) of the Notification read with sections 3(35) and 9 of the General Clauses Act, 1897]

The date of coming into force is 13.11.2025 for the following provisions:

sub-section (2) of section 1,

section 2,

sections 18 to 26,

sections 35, 38, 39, 40, 41, 42, 43, and

sub-sections (1) and (3) of section 44.

“Year” is to be reckoned according to the calendar year as per the British calendar in terms of section 3(66) of the General Clauses Act, 1897. “Month”, according to section 3(35) of the General Clauses Act, 1897, means a month reckoned according to the British calendar. In terms of section 9(1) of the General Clauses Act, 1897, the word “from” is used to exclude the first in a series of days or any other period of time. In view of the above provisions of the General Clauses Act, the following position emerges:

“One year from the date of publication” of the Notification in the Official Gazette is to be reckoned from 13.11.2025 after excluding 13.11.2025. That is to say, one year is to be reckoned as calendar year 14.11.2025 to 13.11.2026. Therefore, 13.11.2026 is the date of coming into force for sub-section (9) of section 6 and clause (d) of sub-section (1) of section 27.

18 months from the date of publication of the Notification is 18 calendar months reckoned as 14.11.2025 to 13.05.2027. Therefore, 13.05.2027 is the date of coming into force for:

sections 3 to 5,

sub-sections (1) to (8) and (10) of section 6,

sections 7 to 10,

sections 11 to 17,

section 27 except clause (d) of sub-section (1) of the said section,

sections 28 to 34, 36, 37 and sub-section (2) of section 44.

See Resume of DPDP Act provisions given at the start of this book along with relevant provisions of the Digital Personal Data Protection Rules, 2025 (referred to hereinafter as ‘the DPDP Rules, 2025’ or ‘the DPDP Rules’).

Act?

Yes, the Digital Personal Data Protection Rules, 2025, have been notified on 14.11.2025.

See Resume of DPDP Rules provisions given at the start of this book along with relevant provisions of the DPDP Act.

5. What is the conceptual basis of the DPDP Act?

The conceptual basis of the DPDP Act is the report of the Expert Committee set up under the Chairmanship of Justice BN Srikrishna titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”.

6. What are the principles on which the DPDP Act is based?

The DPDP Act is based on the following seven principles:

(a) The principle of consented, lawful and transparent use of personal data;

(b) The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);

(c) The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);

(d) The principle of data accuracy (ensuring data is correct and updated);

(e) The principle of storage limitation (storing data only till it is needed for the specified purpose);

(f) The principle of reasonable security safeguards; and

(g) The principle of accountability (through adjudication of data breaches and breaches of the provisions of the DPDP Act and imposition of penalties for the breaches).

The DPDP Act is guided by seven core principles of consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. [PIB Press Release, dated 14-11-2025]

The law rests on seven core principles. These include consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability. These principles guide every stage of data processing. They also ensure that personal data is used only for lawful and specific purposes. [PIB Press Release, dated 17-11-2025]

are the basis for the DPDP Act?

One can find elaboration of the above seven principles in the report of the Expert Committee set up under the Chairmanship of Justice BN Srikrishna titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”. These principles are discussed at relevant places in this book.

8. What is the rationale for enacting the DPDP Act?

The report of the Committee of Experts notes the admission by Facebook that the data of 87 million users, including 5 lakh Indian users, was shared with Cambridge Analytica through a third-party application that extracted personal data of Facebook users who had downloaded the application as well as their friends. The Report notes that this admission by Facebook is demonstrative of several such harms: users did not have effective control over their data. Further, they had little knowledge that their activity on Facebook would be shared with third parties for targeted advertisements around the US elections. The incident, unfortunately, is neither singular nor exceptional. Data gathering practices are usually opaque, mired in complex privacy forms that are unintelligible, thus leading to practices that users have little control over. Inadequate information on data flows and consequent spam or, worse still, more tangible harms, are an unfortunate reality. The Report notes that “Currently, the law does little to protect individuals against such harms in India”. To fill in the vacuum and protect individuals against such harms, a new law was necessary. Hence, the DPDP Act was enacted with the objective of “keeping citizens’ personal data protected while unlocking the digital economy.”

9. What are the aims and objects of the DPDP Act?

In Justice K.S. Puttaswamy (Retd.) v. Union of India, the Hon’ble Supreme Court held that the right to privacy is a fundamental right under Article 21 of the Constitution of India. To make this right meaningful, it was necessary to put in place a data protection framework which, while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good. The data protection framework could not focus on right to privacy alone. There had to be a balancing of right to privacy with other considerations and values.

In Puttaswamy (supra), the Supreme Court observed that “Formulation of a regime for data protection is a complex exercise which needs to be undertaken by the State after a careful balancing of the requirements of privacy coupled with other values which the protection of data sub-serves together with the legitimate concerns of the State.”

Thus, the DPDP Act aims to provide for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes (needs of the digital economy).

Central Government, are there no existing legal provisions protecting digital personal data of individuals from unauthorised use?

No. That is not the case. Till the date the DPDP Act comes into force, the existing legal provisions to protect digital personal data of individuals are contained in section 43A of the Information Technology Act, 2000, which provides for compensation for failure to protect data.

Section 43A of the IT Act, 2000 provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation in section 43A defines the terms “body corporate”, “reasonable security practices and procedures” and “sensitive personal data or information” for the purposes of section 43A as under:

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as the SPDI Rules) were notified by the Central Government to define “sensitive personal data or information” and specify “reasonable security practices and procedures”. The SPDI Rules were notified by the Central Government under powers conferred on it by sections 43A and 87(2)(ob) of the IT Act, 2000.

11. Whether the existing protection to individuals under section 43A of IT Act and SPDI Rules will continue to be available once the DPDP Act comes into force?

In terms of section 44(2) of the DPDP Act, sections 43A and 87(2)(ob) of the IT Act, 2000 and the SPDI Rules shall stand repealed from the date notified by the Central Government under section 1(2) of the DPDP Act for coming into force of section 44(2) of the DPDP Act. Sub-section (2) of section 44 has been notified to come into force with effect from 13.05.2027. Therefore, sections 43A and 87(2)(ob) of the IT Act and the SPDI Rules shall stand omitted with effect from 13.05.2027.

12. Whether the DPDP Act provides for compensation to affected individuals in case of personal data breach like section 43A of IT Act?

No. There are no provisions for compensation in the DPDP Act along the lines of section 43A.

However, see Chapter 11.

13. What protections are available to individuals under existing provisions of section 43A of IT Act and SPDI Rules against un-

Rule 2(1)(i) of the SPDI Rules defines “Personal Information” to mean “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

Rule 3 of the SPDI Rules defines the term “Sensitive personal data or information” to mean such personal information which consists of information relating to:—

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Proviso to Rule 3 clarifies that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Rule 4 of the SPDI Rules requires a body corporate to provide a policy for privacy and disclosure of information as under:

(a) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract.

(b) Such policy shall be published on website of body corporate or any person on its behalf and shall provide for—

Clear and easily accessible statements of its practices and policies;

Type of personal or sensitive personal data or information collected under rule 3;

Purpose of collection and usage of such information;

Disclosure of information including sensitive personal data or information as provided in rule 6;

Reasonable security practices and procedures as provided under rule 8.

Rule 5 of the SPDI Rules provides for collection of information as under:

(1) Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.

(2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless —

(a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and

(b) the collection of the sensitive personal data or information is considered necessary for that purpose.

FAQS ON DIGITAL PERSONAL DATA PROTECTION ACT 2023

PUBLISHER : TAXMANN

DATE OF PUBLICATION : NOVEMBER 2025

EDITION : 2026 EDITION

ISBN NO : 9789371268233

NO. OF PAGES : 204

BINDING TYPE : PAPERBACK

DESCRIPTION

FAQs on Digital Personal Data Protection Act 2023 is Taxmann’s compact yet authoritative handbook to India’s new privacy framework. Built around 150 well-structured FAQs, statutory resumes, government clarifications, and Expert Committee insights, this Edition provides a clear, practical understanding of the DPDP Act and the DPDP Rules 2025. Beyond answering questions, it offers:

• A complete resume of all sections of the DPDP Act, with commencement dates

• A rule-wise resume of the DPDP Rules 2025 with enforcement timelines

• A 13-chapter thematic framework covering definitions, applicability, fiduciary obligations, cross-border processing, rights, penalties, and appeals

• A dedicated chapter on the DPDP–RTI interplay, clarifying disclosure limits and privacy safeguards

• Integrated PIB clarifications and policy reasoning throughout

This book is designed for a wide range of legal, compliance, and technology professionals, including:

• Data Protection Officers, Privacy Professionals, and Compliance Teams

• Legal Practitioners, In-house Counsel, and Policy Advisors

• IT & Security Teams, including CIOs, CISOs

• Digital Businesses, Data Fiduciaries, Start-ups, and Consent Manager Platforms

• Students, Researchers, and Academicians

• Public Authorities, Government Departments, and RTI Officers

The Present Publication is the 2026 Edition, updated till 23rd November 2025. This book, authored by Taxmann’s Editorial Board, has the following noteworthy features:

• [150 FAQs] explaining the complete DPDP ecosystem with cross-references to statutory provisions

• [Statutory Resumes] of the DPDP Act and DPDP Rules with precise commencement dates

• [Expert Committee Reasoning] incorporated into explanations on identifiability, purpose limitation, and processing standards

• [Government Clarifications from PIB] integrated with relevant topics

• [Comprehensive RTI Interplay Analysis] covering disclosure permissions, privacy overrides, and harm-test considerations

• [Transitional Framework Guidance], including continued applicability of SPDI Rules till 12th May 2027 and phased commencement of key provisions

• [Practical Compliance Guidance] on notices, consent, rights, grievance redressal, Board procedures, and appeals

• [User-friendly Structure] enabling quick navigation from statute → FAQ → practical interpretation
