
The Digital Personal Data Protection Act 2023: the substantive architecture

A practitioner's primer on the structural design of India's first comprehensive data-protection statute — lawful basis, data-fiduciary obligations, the Significant Data Fiduciary tier, data-principal rights, cross-border transfers, exemptions, the Data Protection Board, the Schedule's ₹250 crore penalty cap, and the staged repeal of Section 43A IT Act and the SPDI Rules 2011. Written as the foundational reference for any DPDP question.

Valkya Editorial · Legal Intelligence · 15 min read

The legislative arc

The DPDP Act arrived after a long incubation. The constitutional foundation was laid by the nine-judge bench in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1, which declared informational privacy a facet of the right to privacy under Article 21. The Srikrishna Committee report of July 2018 produced the first comprehensive draft, refined into the Personal Data Protection Bill 2019 and referred to a Joint Parliamentary Committee, which reported in December 2021. The 2019 Bill was withdrawn in August 2022 after sustained industry resistance to the categorical localisation regime and the breadth of state-instrumentality exemptions. A redrafted Digital Personal Data Protection Bill 2022 was released for public consultation in November 2022, refined into the Digital Personal Data Protection Bill 2023, and passed by both Houses in August 2023. The Act received Presidential assent on 11 August 2023 and was notified in the Gazette the same day as Act 22 of 2023.

The statute's design philosophy is distinct from its principal international comparators. The Act is structurally lighter than the EU General Data Protection Regulation: it deliberately avoids the GDPR's adequacy-based cross-border framework, its special-category (sensitive) data regime, and its enumeration of lawful bases beyond consent (contract, legitimate interests, vital interests, public task). The Act is more rights-centric than the US sectoral framework, with a uniform data-principal rights regime across the economy. The result is a framework that is operationally lighter at the level of legislative text but heavier at the level of delegated legislation: the DPDP Rules 2025, notified on 13 November 2025, supply the substantive operational architecture, and the Act commences in phases rather than on a single day.

Scope and definitions

Section 3 defines the territorial and personal scope of the Act. The Act applies to the processing of digital personal data — including data originally in non-digital form that is later digitised — within India where the data is collected in digital form or digitised. It applies extraterritorially where processing is carried out in connection with the offering of goods or services to data principals in India. The Act expressly excludes personal data processed by an individual for personal or domestic purposes and personal data made publicly available by the data principal or by another person under a legal obligation.

The architectural categories the Act establishes are foundational. The data principal is the individual to whom the personal data relates; in the case of a child, the parent or lawful guardian; in the case of a person with disability, the lawful guardian. The data fiduciary is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data — the analogue of the GDPR's controller. The data processor is any person who processes personal data on behalf of a data fiduciary. The Significant Data Fiduciary is a data fiduciary notified under Section 10 on the basis of volume, sensitivity, risk to electoral democracy or security of the state, and other factors specified by Central Government. Personal data is broadly defined as any data about an identified or identifiable individual; the Act does not separately categorise "sensitive" personal data, departing from the SPDI Rules 2011 taxonomy.

The omission of a sensitive-data subcategory is significant for operational design. The pre-DPDP framework under Section 43A of the IT Act and the SPDI Rules 2011 had treated sensitive personal data — financial information, health information, sexual orientation, biometric data — as a distinct class with elevated processing obligations. The DPDP architecture treats all personal data uniformly at the level of statute; sectoral regulators (RBI, IRDAI, SEBI) continue to operate sector-specific data-protection regimes that effectively reintroduce a sensitive-data layer for financial, insurance and securities information.

Sections 4 to 7 establish the lawful basis for processing. Section 4 sets out that personal data may be processed only for a lawful purpose for which the data principal has given consent or for certain legitimate uses specified in Section 7. Consent is the default and primary basis.

Section 5 requires the data fiduciary to give the data principal a notice before or at the time of seeking consent. The notice must contain the personal data being collected, the purpose of processing, the manner in which the data principal may exercise their rights, and the manner of grievance redressal. The notice must be available in English and in any of the languages specified in the Eighth Schedule of the Constitution at the option of the data principal — a substantive accessibility obligation that goes beyond the GDPR's plain-language standard.

Section 6 sets the consent standard. Consent must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action, and must signify agreement to the processing of personal data for the specified purpose and limited to such personal data as is necessary for that purpose. The provision codifies the Puttaswamy informational-self-determination principle in operational form. Under Section 6(4) consent may be withdrawn at any time, with the ease of withdrawal required to be comparable to the ease of giving it; Section 6(5) makes clear that withdrawal does not affect the legality of processing carried out before it, and Section 6(6) requires the fiduciary (and its processors) to cease processing within a reasonable time unless another lawful basis applies. The Consent Manager mechanism in Sections 6(7) to 6(9) lets a data principal give, manage, review and withdraw consent through an intermediary that is registered with the Data Protection Board, accountable to the data principal, and acts on the data principal's behalf across multiple data fiduciaries. Use of a Consent Manager is optional; the Rules set the registration conditions and the interoperability obligations that make the mechanism work in practice.

Section 7 enumerates the legitimate uses that operate as the alternative pathway to consent. The list is closed, and narrower than the GDPR's open-ended legitimate-interest ground. It covers: voluntary provision of personal data by the data principal for a specified purpose where the data principal has not indicated non-consent; provision by the State of subsidies, benefits, services, certificates, licences and permits; performance of any function under any law, and the sovereignty and integrity of India and the security of the State; disclosure obligations owed to the State under law; compliance with judgments, decrees and orders; response to medical emergencies; medical treatment during an epidemic, outbreak or other threat to public health; safety during a disaster or breakdown of public order; and employment-related processing. The closed character of the list is a substantive constraint: where neither consent nor a Section 7 ground is available, the processing is not lawful under the Act.

Data fiduciary obligations

Section 8 sets out the foundational obligations of every data fiduciary and is the operational core of the Act. Under Section 8(1) the fiduciary is responsible for compliance irrespective of any agreement to the contrary and irrespective of whether processing is carried out by a data processor on its behalf; Section 8(2) permits a processor to be engaged only under a valid contract. Responsibility therefore stays with the fiduciary however the processing is outsourced, which mirrors GDPR controller-processor doctrine. Under Section 8(3) the fiduciary must ensure the completeness, accuracy and consistency of personal data where the data is likely to be used to make a decision that affects the data principal or is likely to be disclosed to another data fiduciary.

Section 8(5) requires the fiduciary to implement reasonable security safeguards to prevent personal data breach. The standard is outcome-based rather than prescriptive at the level of the Act; the DPDP Rules 2025 supply the minimum safeguard categories, including encryption, obfuscation, masking or tokenisation of personal data, access control over the computer resources used for processing, logging and monitoring sufficient to detect and investigate unauthorised access, backups to maintain continued processing, and flow-down of the safeguards to processors by contract. Section 8(6) requires the fiduciary to notify the Data Protection Board and each affected data principal of any personal data breach in the form and manner prescribed by Rule. The Rules supply the timing and content discipline: affected data principals are to be informed without delay, and the Board is to receive an initial intimation without delay followed by a detailed intimation within seventy-two hours of the fiduciary becoming aware of the breach (or such longer period as the Board allows on request). Unlike the GDPR, there is no materiality threshold in the Act itself: every breach is notifiable.

Section 8(7) establishes the storage-limitation discipline: the fiduciary must erase personal data, and cause its processors to erase it, when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law in force. The provision operates as a statutory obligation on the fiduciary rather than only on data-principal request, a structural feature distinguishing the Indian framework from the GDPR's request-driven Article 17 right; the data principal's own right to erasure sits separately in Section 12.

Section 10 establishes the Significant Data Fiduciary tier. The Central Government may notify any data fiduciary or class of data fiduciaries as Significant on the basis of factors including the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Notified Significant Data Fiduciaries face elevated obligations: appointment of a Data Protection Officer who is based in India, is responsible to the fiduciary's board of directors or similar governing body, and is the point of contact for grievance redressal; appointment of an independent data auditor to evaluate compliance; periodic data protection impact assessment and periodic audit; and such other measures as may be prescribed by Rule.

Cross-border transfers

Section 16 establishes the cross-border transfer regime. The architecture is negative list: the Central Government may, by notification, restrict the transfer of personal data to such country or territory outside India as may be specified. Transfers to any country or territory not so restricted are permitted by default. The architecture is the structural opposite of the GDPR's adequacy regime, in which transfers are prohibited unless the destination is on a positive adequacy list or covered by an approved transfer mechanism.

The design choice has operational implications. For the multinational data fiduciary, the Indian regime is substantially lighter on cross-border transfers than the GDPR, until and unless a negative-list notification issues for a particular destination. The architecture is, however, layered: sectoral regulators retain their cross-border restrictions. The RBI circular on Storage of Payment System Data of 6 April 2018 continues to require payment-system data to be stored only in India; the IRDAI maintains sectoral restrictions on insurance data; the SEBI Cybersecurity and Cyber Resilience Framework maintains restrictions on securities-market data. Section 16(2) expressly preserves any law in force that provides a higher degree of protection for, or restriction on, the transfer of personal data.

The DPDP cross-border framework does not displace existing sectoral restrictions. It overlays them. For the practitioner advising on cross-border architecture, the analysis runs through the sectoral overlay first, the Section 16 negative list second, and the operational design of the data flow third. As of June 2026 no negative-list notification has issued under Section 16.

The Data Protection Board

Section 18 establishes the Data Protection Board of India as the first-instance adjudicatory body. Under Section 19 the Board comprises a Chairperson and such number of other Members as the Central Government may notify, appointed for special knowledge or practical experience in data governance, administration or implementation of laws relating to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation. Under Section 20 Members serve two-year terms and are eligible for reappointment. Under Section 21 the Chairperson exercises general superintendence over the Board's affairs.

The Board's powers and functions under Sections 27 and 28 are triggered by an intimation of personal data breach (on which it may direct urgent remedial or mitigation measures and inquire), by a complaint from a data principal, by a reference from the Central or State Government, or by a direction of a court. On concluding an inquiry it may issue directions, impose the financial penalties set out in the Schedule, and accept voluntary undertakings under Section 32. For the purpose of an inquiry the Board has the powers of a civil court, including summoning and enforcing attendance, receiving evidence on affidavit, requisitioning documents, and inspecting data, books and records. Section 28 requires proceedings to be conducted as a digital office, as far as practicable, with filing, hearing and decision in digital form.

Appeals from Board orders lie to the Telecom Disputes Settlement and Appellate Tribunal under Section 29, within 60 days of the order. Section 29 applies the TRAI Act 1997 machinery to the Appellate Tribunal, so the further appeal runs to the Supreme Court on a substantial question of law in the same way as other TDSAT matters; Section 30 makes Tribunal orders executable as decrees of a civil court. The architecture is consistent with the appellate framework for several other sectoral regulators and supplies operational continuity for practitioners familiar with the TDSAT machinery.

The Board's procedural autonomy is substantial. The DPDP Rules 2025 operationalise the Board's working: the constitution of inquiry benches, the procedure for voluntary undertaking, the form and content of notices, and the publication of orders. The institutional choice is the principal innovation of the Act: the Board is an adjudicator and not a regulator. It has no rule-making or guidance function, no power to notify Significant Data Fiduciaries or cross-border restrictions, and no advisory role; all of those stay with the Central Government. The European supervisory authorities combine enforcement with guidance and rule-level discretion; the Indian framework separates the two.

Penalties and the Schedule

The Schedule to the Act sets out the penalty structure. The headline figure is Rs. 250 crore as the maximum penalty for failure of a data fiduciary to take reasonable security safeguards to prevent personal data breach (Section 8(5)). The Schedule prescribes graded penalties: up to Rs. 200 crore for failure to notify the Board or affected data principals of a breach (Section 8(6)); up to Rs. 200 crore for failure to fulfil the children's-data obligations under Section 9; up to Rs. 150 crore for failure of Significant Data Fiduciaries to fulfil their additional obligations under Section 10; up to Rs. 10,000 for breach of the duties of data principals under Section 15; for breach of a voluntary undertaking accepted under Section 32, up to the penalty applicable to the breach in respect of which the proceedings were instituted; and a residual Rs. 50 crore for breach of any other provision of the Act or the Rules.

Each Schedule entry is a cap per breach, not an aggregate per fiduciary per year, and nothing in the Act aggregates penalties across breaches. The architectural significance is that a fiduciary facing multiple breach events, or a single event that engages several Schedule entries (an unprevented breach that is also notified late), faces cumulative exposure that may substantially exceed Rs. 250 crore. Section 33(1) permits a penalty only where the Board finds the breach significant, and the Section 33(2) factors guiding calibration are the nature, gravity and duration of the breach; the type and nature of the personal data affected; the repetitive nature of the breach; whether the person realised a gain or avoided a loss as a result of the breach; whether the person took action to mitigate the effects and consequences, and how timely and effective that action was; whether the penalty is proportionate and effective having regard to securing observance and deterrence; and the likely impact of the penalty on the person.

The penalty regime is operationally substantial. For the major data fiduciary with national-scale processing, the exposure runs into hundreds of crores per significant breach event. For the operational compliance team, the penalty architecture is the principal disciplinary input — the cost-of-non-compliance calculation that drives investment in safeguards, breach-response infrastructure and audit programmes.

Repeals and transitions

Section 44(2) of the DPDP Act omits Section 43A of the Information Technology Act 2000 (and, with it, clause (ob) of Section 87(2), the rule-making power under which the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, the SPDI Rules, were made), so the SPDI Rules fall away once the amendment takes effect. The omission is staged with the DPDP Rules 2025 commencement schedule: substantive data-fiduciary obligations take effect on 13 May 2027, at which point Section 43A and the SPDI Rules cease to apply prospectively.

The transitional architecture is significant for practitioners advising on pending matters. Section 43A compensation claims for breaches that occurred before the repeal commencement remain governed by Section 43A — the substantive law in force at the time of the breach continues to apply to pre-commencement events. The Vinod Kaushik v. Madhvika Joshi line of Section 43A adjudicating-officer jurisprudence remains operative for pre-2027 breach events and will continue to generate orders through the transitional window and beyond.

The repeal also has operational implications. The SPDI Rules 2011 sensitive-personal-data taxonomy — financial information, biometric data, sexual orientation, health information — does not carry across to the DPDP Act, which does not separately categorise sensitive personal data. Compliance programmes built around the SPDI taxonomy must be recast around the DPDP architecture. Sectoral regulators that had built their data-protection regimes by reference to the SPDI Rules — the RBI Account Aggregator framework, the IRDAI data-protection regulations, the SEBI cybersecurity framework — are reissuing or refreshing sectoral guidance to align with the DPDP Act.

Sections 69, 69A, 72, 72A and 79 of the IT Act 2000 are not touched by Section 44(2) and continue in force. The interception architecture under Section 69, the blocking-order architecture under Section 69A (the Shreya Singhal-disciplined regime), the criminal breach-of-confidentiality offence under Section 72, the Section 72A offence of disclosure in breach of lawful contract and the intermediary safe-harbour under Section 79 operate alongside the DPDP framework. The two regimes overlap on disclosure and security-of-personal-data questions but address distinct enforcement architectures: the IT Act provisions are criminal and administrative, the DPDP penalties are civil and adjudicated by the Board.

What the Act did not do

The DPDP Act did not codify a regulated category of sensitive personal data. The architectural choice to treat personal data uniformly leaves sectoral overlays to do the work; the result is operational unevenness across sectors. The Act did not establish a separate children's data regime beyond the Section 9 obligations (verifiable parental consent, no processing likely to cause detrimental effect on a child, and the prohibition on tracking, behavioural monitoring and targeted advertising directed at children); the deeper design of children's data, including the verification mechanism and the exemptions for particular classes of fiduciary, is delegated to Rule. The Act did not establish a journalism carve-out at the level of statute, although the Press Council and the journalism community had argued for one; the only route is the time-limited Section 17(3) power of the Central Government, exercisable within five years of commencement, to notify classes of data fiduciary to whom provisions of the Act do not apply. Research, archiving and statistical purposes fare better: Section 17(2)(b) exempts such processing where the data is not used to take a decision specific to a data principal and the prescribed standards are followed. The Act did not articulate a substantive automated-decision-making discipline; the GDPR's Article 22 analogue is absent.

The Act did not leave the Right to Information Act 2005 untouched, but it did not settle the interface either. Section 44(3) substitutes clause (j) of Section 8(1) of the RTI Act so that it exempts simply "information which relates to personal information", dropping the former larger-public-interest test and the proviso that information which could not be denied to Parliament could not be denied to a citizen. That amendment drew sustained criticism from transparency advocates, and the operational question of when personal information held by a public authority may still be disclosed on request has been left for case-specific adjudication. The Subhash Chandra Agrawal framework, (2020) 5 SCC 481, which reads Puttaswamy proportionality into Section 8(1)(j), supplies the transitional doctrinal architecture; the longer-term framework will accumulate through Information Commission orders, the courts, and Data Protection Board orders and TDSAT appeals where a disclosure is challenged under the DPDP Act.

The Act did not establish a comprehensive data-localisation requirement. The cross-border negative-list framework leaves the Central Government free to impose restrictions on specific destinations, but the architectural default is open, the opposite of the GDPR's adequacy regime. The choice is consequential for the design of multinational data flows: the practitioner advising on cross-border architecture works with substantial structural freedom unless and until a negative-list notification issues, subject always to the sectoral restrictions preserved by Section 16(2).

Sources

  1. MeitY — Digital Personal Data Protection Act 2023 (Act 22 of 2023), full text and Gazette notification of 11 August 2023.
  2. MeitY — Digital Personal Data Protection Rules 2025, G.S.R. 833(E) dated 13 November 2025.
  3. MeitY — Explanatory Memorandum to the Digital Personal Data Protection Bill 2023 and the Parliamentary Standing Committee report.
  4. SCC OnLine — K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 (constitutional foundation).
  5. LiveLaw — DPDP commentary archive and DPDP Rules notification coverage.
  6. BarandBench — DPDP Act and Rules coverage; tranche-implementation reportage.
