AN OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT AND RULES

Articles / By Kurian K Jose

The legal landscape of digital personal data protection in India is governed by The Digital Personal Data Protection Act, 2023 (“Act”) and the recently enacted Digital Personal Data Protection Rules, 2025 (“Rules”). The Act and Rules try to balance the rights of individuals to protect their digital personal data while recognising the need to process such personal data for lawful purposes. Two key terms that one needs to understand before delving into the provisions of the Act and Rules are PERSONAL DATA and PROCESSING OF DATA.


WHAT IS PERSONAL DATA?  

According to Sec. 2(t) of the Act, personal data means any data about an individual who is identifiable by or in relation to such data. In other words, personal data means (i) any data about an individual who is identifiable by such data and (ii) any data about an individual who is identifiable in relation to such data. The first part is fairly straightforward: any data about an individual who is identifiable by such data means that the data itself is sufficient to single out the person. E.g.- name and residential address; official IDs such as an Aadhaar Card, Passport, PAN Card, Voter ID Card or Employee ID. The second part, any data about an individual who is identifiable in relation to such data, means data which, when used in relation to other data, allows an individual to be identified. In other words, the data, when combined with other data held by the entity or with publicly available data, allows a person to be identified. This is a very broad scope, designed to protect against various methods of tracking or profiling. E.g.- location data, IP address, device ID, date of birth, gender, marital status, photograph, bank account details, credit card details or medical records. Such data alone are not enough to identify an individual, but when combined with other data a person could be identified. To sum up, the scope of personal data under the Act is very wide: it includes any data which by itself, or when combined with other data, is capable of identifying a person.


WHAT IS MEANT BY PROCESSING OF DATA?

According to Sec. 2(x) of the Act, “processing” in relation to personal data means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. This definition is extremely broad and is intended to cover every single action that can be performed on digital personal data, from the moment it is collected until it is finally destroyed. Accordingly, mere collection or storage of digital personal data by itself falls within the definition of processing under the Act.


APPLICABILITY OF THE ACT

As per section 3 of the Act, it applies to the processing of digital personal data within India, and also to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering goods or services to individuals in India.

Exemptions- However, the Act shall not apply to:

i) personal data processed by an individual for any personal or domestic purpose (E.g.- a personal contact list, emailing friends, or taking family photos);

ii) personal data that is made or caused to be made publicly available by the individual himself (E.g.- data posted publicly on social media) or by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available;

iii) processing for research, archiving or statistical purposes, if it is carried on in accordance with the standards specified in the Second Schedule of the Rules (Rule 16 of the Rules); and

iv) partly, the State and its instrumentalities, for certain purposes.


OBLIGATIONS OF DATA FIDUCIARY

Before going further, the following terms should be understood:

Data Fiduciary- A Data Fiduciary is the one who determines the purposes and means of processing personal data. In other words, the Data Fiduciary decides the how and why of a data processing operation (Sec. 2(i) of the Act). A Data Fiduciary can be any legal person: an individual, a company, a firm, an association of persons or the State. The Data Fiduciary makes the material decisions relating to the processing of personal data, such as determining the purposes for which personal data is collected, stored, used, altered and disclosed.


Data Principal- means the individual to whom the personal data relates and, where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian acting on her behalf (Sec. 2(j) of the Act).


Data Processor- means any person who processes personal data on behalf of a Data Fiduciary (Sec. 2(k) of the Act). A Data Processor is the individual or the legal person (company or firm) that carries out processing activities on behalf of, and in accordance with the instructions of, the Data Fiduciary. In other words, the Data Fiduciary can provide personal data to the Data Processor to carry out such processing activities on its behalf. A Data Fiduciary does not need the consent of Data Principals to engage a processor. Arrangements between the Data Fiduciary and Data Processor are governed by a legal agreement. Any queries an individual may have regarding the role of the processor ought to be directed back to the Data Fiduciary who engaged the processor in the first place. (E.g.- When a business (Data Fiduciary) outsources the calculation and disbursement of employee salaries, taxes and benefits to a specialised IT company, that company is a Data Processor; when a bank (Data Fiduciary) contracts a third-party IT company to manage, maintain or update its customer database and core systems, that IT company is a Data Processor.)


  • Data to be processed in accordance with the provisions of the Act and for a lawful purpose- Personal data shall be processed by a person only in accordance with the provisions of the Act and only for a lawful purpose (Sec. 4 of the Act).
  • Requirement of consent of Data Principal- Personal data shall be processed only if the Data Principal has given his/her consent for such use (Sec. 4(1)(a) of the Act). However, the consent of the Data Principal is not necessary for certain legitimate uses provided under section 7 of the Act, such as a specified purpose for which the Data Principal voluntarily provided her personal data, various purposes of the State, compliance with a judgment or decree of a court, responding to a medical emergency, purposes of employment, etc.

In order to obtain such consent, the Data Fiduciary must make a request to the Data Principal. The request shall mention the personal data and the purpose for which it is to be processed (Sec. 5 of the Act & Rule 3 of the Rules).

  • The consent shall be limited to such personal data as is necessary for the specified purpose- The consent given by the Data Principal shall be limited to such personal data as is necessary for such specified purpose (Sec. 6(1) of the Act).

Illustration- X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since the phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

  • Data Principal shall have the right to withdraw consent- Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw his/her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given (Sec. 6(4) of the Act). Once the Data Principal withdraws consent, the Data Fiduciary shall, within a reasonable time, cease processing the personal data of such Data Principal (Sec. 6(6) of the Act).
  • Consent Managers- The Consent Manager is a unique concept introduced by the Act. It means a registered person (entity) who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform (Sec. 2(g) of the Act). The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. The Consent Manager shall be accountable to the Data Principal and shall act on her behalf. Every Consent Manager shall be registered with the Board constituted under Sec. 18 of the Act (Sec. 6(7), (8) and (9) of the Act).
  • Data Fiduciary to protect personal data by taking reasonable security safeguards- A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach (Sec. 8(5) of the Act). As per Rule 6 of the Rules, the reasonable security safeguards include at minimum the following:

(i) appropriate data security measures, such as securing of personal data through encryption, obfuscation, masking or the use of virtual tokens mapped to that personal data;

(ii) appropriate measures to control access to the computer, computer system, computer network, data, computer data base or software, used by such Data Fiduciary or such a Data Processor, wherever applicable; 

(iii) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence; 

(iv) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, such as by way of data-backups; 

(v) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise; 

(vi) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor, wherever applicable, for taking reasonable security safeguards; and

(vii) appropriate technical and organisational measures to ensure effective observance of security safeguards.
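The safeguards in items (i), (iii) and (v) above are the ones a data security engineer actually builds: tokenisation or masking of the stored data, an access log that can be reviewed for unauthorised access, and a retention window for that log. The following added example (written for this article; not code from the Act, the Rules or any regulator) sketches those three together in Python. The Data Principal record, the actors, the purposes and the key are constructed for illustration, and treating "one year" as the point after which log entries are discarded is an assumption; the Rule states the period that logs must be kept, and other laws may require longer.

```python
"""Added illustration of DPDP Rule 6(i), (iii) and (v) safeguards.
Not the text of the Rules and not any regulator's reference code.
All records, actors and keys below are constructed for the example."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Rule 6(v): keep access logs for one year (assumption: discard afterwards).
RETENTION = timedelta(days=365)


def mask_email(email: str) -> str:
    """Rule 6(i) masking: keep only the first character of the local part
    and the domain, so the stored value no longer identifies the person."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


class TokenVault:
    """Rule 6(i) 'virtual tokens mapped to personal data': business systems
    carry an opaque token; the mapping back to the raw value lives only here,
    and every de-tokenisation is recorded with an integrity tag (Rule 6(iii))."""

    def __init__(self, log_key: bytes) -> None:
        self._store: dict[str, str] = {}
        self._log: list[dict] = []
        self._log_key = log_key

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, not derived from value
        self._store[token] = value
        return token

    def _tag(self, entry: dict) -> str:
        body = repr(sorted((k, v) for k, v in entry.items() if k != "mac"))
        return hmac.new(self._log_key, body.encode(), hashlib.sha256).hexdigest()

    def detokenize(self, token: str, actor: str, purpose: str,
                   now: datetime | None = None) -> str | None:
        """Return the raw value (or None for an unknown token) and log the access."""
        now = now or datetime.now(timezone.utc)
        value = self._store.get(token)
        entry = {"ts": now.isoformat(), "actor": actor, "purpose": purpose,
                 "token": token, "result": "ok" if value else "unknown-token"}
        entry["mac"] = self._tag(entry)
        self._log.append(entry)
        return value

    def verify_log(self) -> bool:
        """Rule 6(iii) review support: detect entries altered after the fact."""
        return all(hmac.compare_digest(e["mac"], self._tag(e)) for e in self._log)

    def review(self, authorised_actors: Iterable[str]) -> list[dict]:
        """Flag de-tokenisations by actors outside the allow-list or without a
        stated purpose; these are the entries an investigation would start from."""
        allowed = set(authorised_actors)
        return [e for e in self._log if e["actor"] not in allowed or not e["purpose"]]

    def prune_logs(self, now: datetime) -> int:
        """Drop entries older than RETENTION; returns how many were removed."""
        keep = [e for e in self._log
                if now - datetime.fromisoformat(e["ts"]) <= RETENTION]
        removed = len(self._log) - len(keep)
        self._log = keep
        return removed


def demo() -> tuple[dict, list[dict], int, bool]:
    """Walk one constructed employee record through the three safeguards."""
    vault = TokenVault(log_key=b"constructed-demo-key-not-for-production")
    # Constructed sample Data Principal record; the PAN is a placeholder.
    record = {"name": "A. Sample", "email": "a.sample@example.com", "pan": "ABCDE1234F"}
    stored = {"name": record["name"],
              "email_masked": mask_email(record["email"]),
              "pan_token": vault.tokenize(record["pan"])}
    t0 = datetime(2025, 11, 14, tzinfo=timezone.utc)
    # Legitimate access by the payroll service, then a suspicious one.
    vault.detokenize(stored["pan_token"], "payroll-svc", "salary-tds-filing", now=t0)
    vault.detokenize(stored["pan_token"], "intern-laptop", "", now=t0 + timedelta(days=1))
    flagged = vault.review({"payroll-svc"})
    intact = vault.verify_log()
    # 366 days later the first entry falls outside the window, the second does not.
    removed = vault.prune_logs(now=t0 + timedelta(days=366))
    return stored, flagged, removed, intact


if __name__ == "__main__":
    s, f, r, ok = demo()
    print(s, [e["actor"] for e in f], r, ok)
```

The point of the design is that the raw PAN never leaves the vault: downstream systems keep only `tok_…` and a masked e-mail, so a leak of the business database alone does not expose the identifiers, while the HMAC-tagged log is what the Rule 6(iii) "monitoring and review" step reads.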

  • Intimation in the event of personal data breach- In the event of a personal data breach, the Data Fiduciary shall give intimation of the breach to the Board constituted under Sec. 18 of the Act and to each affected Data Principal. The intimation to the Board shall be given within seventy-two hours of becoming aware of the breach, or within such longer period as the Board may allow on a request made in writing in this behalf (Rule 7 of the Rules).
  • Deletion of data- A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force, erase personal data upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and shall cause its Data Processor to erase any personal data that was made available by the Data Fiduciary to such Data Processor for processing (Sec. 8(7) of the Act).
  • Appointment of contact person- A Data Fiduciary shall prominently publish, on its website or app, the business contact information of a person who is able to answer, on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data (Sec. 8(9) of the Act and Rule 9 of the Rules).
  • Grievance redressal- A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals (Sec. 8(10) of the Act).
  • Significant Data Fiduciary- This is a critical category under the Act which imposes enhanced and stricter compliance obligations on high-risk or large-scale data processing entities. The Central Government has the authority to notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary based on several factors. Being classified under this category triggers a set of mandatory additional duties, such as the appointment of a Data Protection Officer, and other obligations that go beyond the baseline obligations required of a regular Data Fiduciary.


RIGHTS OF DATA PRINCIPAL

  • Right to access information about personal data- The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent: (a) a summary of the personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed (Sec. 11 of the Act).
  • Right to correction and erasure of personal data- A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent (Sec. 12 of the Act).
  • Right of grievance redressal- A Data Principal shall have the right to readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of the Act and the Rules. The Data Principal shall exhaust this opportunity of redressing her grievance before approaching the Board constituted under Sec. 18 of the Act (Sec. 13 of the Act).


DATA PROTECTION BOARD OF INDIA

The Data Protection Board of India (“Board”) is the authority to be established by the Central Government for the implementation and enforcement of the Act. The Board is empowered to adjudicate disputes and non-compliance issues between individuals and the entities (Data Fiduciaries) that process personal data. Adjudication proceedings may be initiated upon receiving a complaint from an affected Data Principal, a reference from the Central Government, or suo motu. The Board can impose significant monetary penalties for non-compliance, as specified in the Schedule to the Act. The Board also has the power to issue binding directions to the concerned person (Data Fiduciary or Data Processor) to ensure compliance with the provisions of the Act. The Board shall, as far as practicable, function as a digital office, handling complaint filings, inquiries, hearings and decision-making through digital means. The Board also has the power to advise the Central Government to block the website, app, etc. of a Data Fiduciary who repeatedly breaches the provisions of the Act.


PENALTIES UNDER THE ACT

As aforesaid, the Data Protection Board can impose significant penalties for breach of the provisions of the Act. The following are the penalties that may be imposed under the Act:

Sl No | Provisions Breached | Penalty
1 | Failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach. | Up to Rs. 250 Crore
2 | Failure to notify the Data Protection Board and affected Data Principals in the case of a personal data breach. | Up to Rs. 200 Crore
3 | Breach of obligations in relation to children's data. | Up to Rs. 200 Crore
4 | Breach of additional obligations by a Significant Data Fiduciary. | Up to Rs. 150 Crore
5 | Breach of duties by a Data Principal. | Up to Rs. 10,000/-
6 | Breach of any term of a voluntary undertaking accepted by the Board under section 32. | Up to the extent applicable for the breach in respect of which the proceedings were instituted.
7 | Breach of any other provision of the Act or the Rules. | Up to Rs. 50 Crore


Although the Act provides for significant monetary penalties, the amounts so imposed go to the Government of India. There is no provision in the Act which grants compensation to the Data Principal in the event of a personal data breach.


IMPLEMENTATION TIMELINE

The provisions of the Rules are being implemented in a phased manner. The Rules relating to the short title, definitions and constitution of the Data Protection Board came into force on November 14th, 2025. The Rules relating to the registration and obligations of Consent Managers shall come into force after November 14th, 2026. The Rules shall fully come into force after May 14th, 2027.