4.1 — Digital Personal Data Protection Act 2023 (DPDP Act)
The DPDP Act 2023 received Presidential assent in August 2023. It establishes a comprehensive framework for processing digital personal data in India, based on the principles of consent, purpose limitation, data minimization, accuracy, storage limitation, and accountability.
Key roles defined by the Act:
- Data Fiduciary: determines the purpose and means of processing (equivalent to the GDPR 'controller').
- Data Processor: processes personal data on behalf of a Data Fiduciary.
- Data Principal: the individual whose data is processed (equivalent to the GDPR 'data subject').
Consent requirements: Processing requires free, specific, informed, unconditional, and unambiguous consent with clear affirmative action. Consent must be as easy to withdraw as to give. 'Legitimate uses' allow processing without consent in specific cases (government services, medical emergencies, employment).
Rights of the Data Principal:
- Obtain information about what personal data is being processed and how.
- Request correction of inaccurate data or erasure of data no longer needed.
- File complaints with the Data Fiduciary, and escalate to the Data Protection Board of India (DPBI).
- Nominate another person to exercise rights on behalf of the Data Principal (e.g., in case of death or incapacity).
Significant Data Fiduciaries (SDFs) are designated by the government based on the volume and sensitivity of the data they process. SDFs must: (1) appoint a Data Protection Officer (DPO) based in India, (2) conduct periodic Data Protection Impact Assessments (DPIAs), and (3) undergo independent audits. Know the three SDF obligations for the exam.
| Violation | Maximum Penalty |
|---|---|
| Non-compliance with general obligations | Up to ₹50 crore (~$6M) |
| Failure to protect against data breach | Up to ₹250 crore (~$30M) |
| Violation of children's data provisions | Up to ₹200 crore (~$24M) |
| Non-compliance by Data Processor | Up to ₹50 crore (~$6M) |
| Violation of additional SDF obligations | Up to ₹150 crore (~$18M) |
| Data Principal breach of duties | Up to ₹10,000 |