Author’s note
“Now you can face penalties of up to Rs. 250 crores,” our faculty said while I was attending classes for the Diploma in Information Systems Audit; he added that if you are found guilty of leaking customers’ data, you are gone! So, what is it? Let’s discuss it in this article.
Introduction
This act focuses on privacy and data governance for individuals: it recognises the individual’s right to privacy while ensuring that organisations can process data for legitimate and lawful purposes.
In other words, the act’s main intent is to create new rights, impose significant obligations, and introduce penalties that can go up to Rs. 250 crores.
In this article I analyse the act, covering applicability, legal intent, compliance requirements, rights, exemptions, audits, enforcement, and long-term implications.
Applicability of the DPDP Act, 2023 (“the act”)
Under Section 3, the act applies to the processing of digital personal data, whether it is collected digitally through portals, apps, websites, customer relationship management tools, ERPs, email, or digital onboarding. It also applies if the data is collected offline but later digitised, for example paper forms that are later uploaded to systems, whether or not through a migration. If the data is processed outside India but the goods or services are offered to individuals within India, the act applies as well.
Non-applicability
The act does not apply if the data is used solely for personal or domestic purposes, such as personal contacts or home recordings. Similarly, suppose I post my phone number on social media: I have then made my personal data publicly available myself, and in that case the act does not apply to it.
Does STS Ventures, being a small firm, come within the purview of this act?
Yes. Even as a small consulting firm, it comes under the act because, for KYC purposes, it collects the names, phone numbers, Aadhaar, PAN, email IDs, and financial or professional data of its clients. Hence STS Ventures is a data fiduciary, and I, being the customer, am a data principal.
Objective and legal intent of the act
This act aims to strike a balance: it protects the individual’s privacy as a fundamental right by ensuring transparency, control over personal data, correction and erasure, grievance mechanisms, and protection against misuse.
At the same time, it allows businesses and government bodies to process data responsibly, so that economic activity continues without compromising rights, as it mandates adequate technical, organisational, and legal safeguards. The high penalties are introduced to ensure that compliance is taken seriously.
Remember how our data got leaked at RailYatri, or even AIIMS? The fact is that nobody was held accountable for it, which is why this act is the most important decision of the hour: it aims to bring discipline, transparency, and accountability into India’s digital ecosystem.
Grounds for processing
The first ground is the consent framework: consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. Withdrawing consent must be as easy as giving it.
The second ground is legitimate uses (Section 7): no consent is required when processing is for government benefits or subsidies, court orders, legal obligations, medical emergencies, public health crises, employment purposes, or disaster management.
Obligations of STS Ventures as per the example above
Section 8 sets out the obligations every organisation must follow. It remains accountable even if it outsources its data processing, and before collecting data it must inform the individual what data is being collected, why it is being collected, how rights can be exercised, and how to file a complaint.
STS Ventures must also implement reasonable cybersecurity measures, and every data breach must be reported to the Data Protection Board as well as to the affected individuals.
Data retention & erasure
Data must be erased when the purpose is fulfilled or consent is withdrawn, and storage is no longer legally required. A proper grievance mechanism is mandatory, and the contact details of a DPO or authorised officer must be displayed.
Special protection for children (Section 9)
Processing of children’s data (below 18 years) requires verifiable parental consent, with no behavioural monitoring, no targeted advertising, and no harmful or detrimental activities. This impacts schools, ed-tech platforms, gaming apps, and content platforms dealing with minors.
Significant data fiduciary (SDF) obligations
SDFs, such as banks, UIDAI, Zomato, PhonePe, LIC, etc., have more responsibilities: they must appoint a data protection officer located in India, appoint an independent data auditor, conduct data protection impact assessments, and carry out periodic audits.
Rights of STS Ventures as per the above example
The act grants comprehensive rights, such as the right to access a summary of the data processed, the processing activities, and the sharing details, as well as the right to correction, completion, and updating of data.
They also have the right to erasure, subject to legal retention requirements; for example, audit files must be retained for a minimum of 7 years, so retaining them is a legal requirement.
My duties as data principal in the above case
I must not impersonate anyone, must not file frivolous complaints, and must furnish authentic information.
Exemptions (Section 16 & 17)
Transfers to certain countries may be restricted: the Government may notify banned jurisdictions. Exemptions for state functions include law enforcement, courts, and sovereignty and security matters. There are also exemptions for research and statistics, provided the data is anonymised or unlinked from individuals, and certain compliance relaxations may be granted to startups.
Data Protection Board of India
The Board is established to conduct inquiries, issue directions, impose penalties, accept voluntary undertakings, and operate as a digital office (online filings, hearings, and orders). It functions with the powers of a civil court for summoning, inspecting documents, collecting evidence, etc.
Penalties
I personally feel they are very harsh penalties; let’s go through the schedule:

| Violation | Maximum penalty (in rupees) |
|---|---|
| Failure to prevent a data breach | 250 crores |
| Failure to notify a breach | 200 crores |
| Violation of children’s data obligations | 200 crores |
| Violations by Significant Data Fiduciaries | 150 crores |
| Breach of duties by individuals | 10,000 |
| Any other contravention | 50 crores |

These penalties apply per instance, making compliance essential even for small entities.
Power to block non-compliant platforms (Section 37)
If an organisation repeatedly violates the act, the Government may direct intermediaries to block public access to the platform within India. I feel this is one of the strongest powers in Indian cyber law.
Relation with other laws
The DPDP Act operates in addition to other laws such as the Income-tax Act, the Companies Act, and the RBI Act, and it prevails in case of conflict.
Amendment to the Income-tax Act
Earlier, the Income-tax Act, 1961 had Section 43A, which penalised companies for failure to protect data (mostly IT and outsourcing companies processing foreign data). The DPDP Act has now introduced a new and stronger penalty system for mishandling personal data across all sectors. So, to avoid two different penalty regimes running at the same time, the DPDP Act removed Section 43A, which means that “personal-data breach liability will now be governed by DPDP penalties, not by the old tax law.”
Amendment to the RTI Act
The Right to Information Act, 2005 allows citizens to request information from government bodies. However, RTI replies may sometimes contain someone’s personal data (such as a mobile number, address, medical information, or bank details). The DPDP amendment ensures that privacy is protected even more strongly, and government departments must be careful not to disclose personal data unless allowed by law.
Amendment to the TRAI Act
TDSAT gets jurisdiction: the TRAI Act, 1997 governs telecom disputes, which means the Telecom Disputes Settlement and Appellate Tribunal resolves disputes against telecom orders. The amendment clarifies that cases involving TRAI orders, data issues, or regulatory overlap in telecom can be appealed before TDSAT.
Conclusion
The Digital Personal Data Protection Act, 2023 is not just another compliance requirement; it is a structural shift in how organisations collect, process, store, and share personal data. It elevates privacy to the level of a protected legal right while ensuring that businesses can continue their operations responsibly.
***
Author can be contacted at [email protected]