Data PrivacyThe Digital Personal Data Protection Act,2023

August 13, 20230

The Digital Personal Data Protection Act,2023 of India

The Data privacy framework is finally in place with the Digital Personal Data Protection Act, 2023(“PDPDA,2023”) getting enacted with the assent of the President of India on 11th August, 2023.

The date of implementation of different provisions shall be notified, in a stage wise manner, from time to time.


There are over 80 crore Internet users in India. India is amongst the highest consumers and producers of data per capita amongst the countries. It has become clear over the last few years that while the Internet and technology are a force for good and connectivity, Internet is also a place where user harm and misuse can exist if rules and laws are not prescribed.

That is why laws and rule-making for the Internet has to be around the basic foundational principles and expectations of the citizens of openness, safety and trust and accountability.

Further, the Supreme Court in the Puttaswamy case in 2017, has declared the right to privacy as protected as part of the fundamental rights guaranteed by the Constitution of India. Therefore, it has become imperative that digitised personal data of the citizens of India be protected .

To sum up, while digitisation using personal data of Data Principals has transformed delivery of services to them enhancing ease of living, Data Principals are also increasingly at risk of harm from misuse of their personal data.


An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.


The entire enactment has thrusted upon three aspects as under;

A.Lawful Usage

Personal data should be used by organizations in a manner that is lawful, fair to the individuals concerned, and transparent to individuals.Only those items of personal data that are required for attaining a specific purpose must be collected.

B.Accuracy of Personal Data

Reasonable effort should be made to ensure that the data of an individual is accurate and kept up to date.

C.Data processing

The following would constitute the basis of data processing under the Bill:
(a) Processing may be done only in accordance with the provisions of the Bill and the rules made thereunder;
(b) It may be done only for lawful purposes; and
(c) It may be done on consent, or for certain legitimate uses specified in the Bill.

D.Reasonable safeguards

Reasonable safeguards are to be taken to ensure that there is no un-authorized collection or processing of personal data. This is intended to prevent personal data breaches.

The person who decides the purpose and means of processing personal data should be accountable for such processing.


There are seven principles on which this enactment has been formulated. For the ease of understanding, it is being covered under a separate write up.


Before requesting consent, the Data Fiduciary must give a written notice specifying the purpose for which data will be processed, with the option to access it in any of the Indian languages listed in the 8th Schedule to the Constitution.

Consent given shall be limited to personal data necessary for such purpose, and the giving of consent for personal data not necessary for the purpose may not be made a condition for processing. It shall be withdrawable at any time.

G.Data Control Board of India

The complaints related to contravention of the provisions of DPDPA,2023 has to be filed with the Data Control Board of India.


In terms of Section 38 of the PDPDA,2023, this enactment shall be considered to be a law in addition to and not in derogation of any other law for the time being in force.

In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.

To know more about the issues discussed above, You may please connect with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.