Chapter II of the Digital Personal Data Protection Act, 2023 (DPDPA) outlines the obligations of the Data Fiduciary. The Act first establishes the grounds on which personal data may be processed. According to these provisions, a data fiduciary may process personal data of a data principal only in accordance with the provisions of the Act and for a lawful purpose, meaning any purpose that is not expressly forbidden by law. The Act further prescribes specific compliance obligations that must be followed by data fiduciaries when processing personal data. Two central requirements under this framework are consent and notice.

Consent

Consent forms the foundation of lawful personal data processing under the Act. The DPDPA specifies several conditions that must be fulfilled for consent to be valid. First, the consent must be free, specific, informed, unconditional, and unambiguous, and it must involve a clear affirmative action by the data principal. Such consent signifies that the data principal agrees to the processing of their personal data only for the specified purpose. However, if the consent contradicts any provision of the Act or any other law currently in force in India, the consent will be invalid to the extent of such infringement.

The Act also requires that the request for consent be communicated in clear and plain language. The data principal must have the option to access the request in English or in any of the languages specified in the Eighth Schedule of the Constitution of India: Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Nepali, Oriya, Punjabi, Sanskrit, Sindhi, Tamil, Telugu, Urdu, Bodo, Santhali, Maithili, and Dogri. The consent request must also include the contact details of a Data Protection Officer or another authorised person designated by the data fiduciary to respond to queries or communications from data principals regarding the exercise of their rights under the Act.
A Data Protection Officer (DPO) is an individual who represents Significant Data Fiduciaries (SDFs). The DPO must be based in India and is responsible to the Board of Directors or a similar governing body. The officer acts as the point of contact for data principals in case they face any grievances.

The Act further requires data fiduciaries to ensure that data principals can easily withdraw their consent whenever they wish. Once consent is withdrawn, the data fiduciary must stop processing the personal data within a reasonable time. An exception exists where law permits continued processing of such data even after the withdrawal of consent. In such cases, the data fiduciary may continue the processing. It is also important to note that when consent is withdrawn, the data principal must bear any resulting consequences, and the withdrawal does not affect the legality of data processing that occurred before the withdrawal.

Notice

Another crucial compliance requirement under the Act is the notice provided to the data principal. The notice either accompanies or precedes the request for consent. Its purpose is to inform the data principal about important aspects of data processing. The notice must inform the data principal of:

- Which personal data is being accessed and the purpose for processing it
- The manner in which the data principal can exercise their rights
- The process through which a complaint can be made to the Data Protection Board of India

Further requirements relating to notice are specified in the DPDP Rules. According to these rules, the notice must be presented in an understandable form and independent of other information provided by the data fiduciary. It must provide clear and simple information enabling the data principal to give specific and informed consent for the processing of personal data.
The notice must include:

- A clear, item-by-item description of the personal data being collected
- The exact purpose for collecting such data, along with a clear explanation of the goods, services, or uses that the data will enable

Additionally, the notice must provide the specific link to the data fiduciary's website or application and explain other available methods through which the data principal can:

- Withdraw consent as easily as it was given
- Exercise their rights under the Act
- File a complaint with the Data Protection Board of India

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes structured compliance requirements governing how personal data may be processed and how data principals must be informed and empowered during the process.
Digital Personal Data Protection Act, 2023: Applicability of the Act to Companies and Organisations
The Digital Personal Data Protection Act, 2023 (DPDPA) adopts a broad and comprehensive approach while defining personal data. Personal data refers to any information that can be used to identify an individual, who is referred to under the Act as a Data Principal. This definition is intentionally wide in scope to ensure that various forms of personal information receive adequate legal protection. Personal data includes traditional identifiers such as names and addresses, as well as modern digital identifiers like IP addresses and browsing history. In addition to these, financial information, opinions, and even biometric data fall within the scope of the Act, provided that such information can be linked to a specific individual. By adopting this wide definition, the Act ensures that a broad range of personal information is covered and protected.

The applicability of the Act is addressed under Section 3 of the DPDPA. This provision specifies the situations in which the Act applies to the processing of personal data.

Firstly, the Act applies to the processing of digital personal data within India. This includes personal data that is collected directly in digital form. It also includes data that is originally collected in non-digital form but is subsequently digitised. Therefore, physical records that are later scanned, converted into digital format, or stored electronically fall within the scope of the Act. This provision ensures that personal data receives protection regardless of the form in which it was originally collected.

Secondly, the Act provides for extra-territorial jurisdiction. This means that the provisions of the Act may apply even to entities located outside India. If a foreign company, organisation, or entity processes personal data in connection with offering goods or services to individuals in India, it becomes subject to the provisions of the Act. This ensures that individuals in India remain protected even when their personal data is processed by organisations located outside the country.

Despite its broad applicability, the Act also provides certain specific exclusions. The provisions of the Act do not apply to personal data that is used by individuals for domestic purposes. Additionally, personal data that has been made publicly available by the Data Principal themselves, or personal data that has been made public because it was required by law, is also excluded from the scope of the Act.

The Act applies broadly to entities or persons that determine the purpose and means of processing personal data. Such entities are referred to as Data Fiduciaries under the Act. The term Data Fiduciary includes a wide range of entities such as individuals, Hindu Undivided Families, companies, firms, associations of persons, bodies of individuals (whether incorporated or not), the State, and every other artificial juristic person. These entities are responsible for ensuring that the processing of personal data complies with the obligations laid down under the Act.

Furthermore, the Act provides for the designation of certain entities as Significant Data Fiduciaries (SDFs). This designation is based on factors such as the volume and sensitivity of personal data processed, as well as the risk posed to the sovereignty and integrity of India, electoral democracy, or public order. Entities classified as Significant Data Fiduciaries are required to comply with additional obligations under the Act, reflecting the higher level of risk associated with large-scale or sensitive data processing.

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes a framework that determines the entities and circumstances to which the law applies, while also identifying situations where its provisions do not extend.
Digital Personal Data Protection Act, 2023: Implications and Consequences of Non-Compliance, including Relevant Penalties
The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a structured enforcement framework to ensure compliance with data protection obligations. One of the most significant mechanisms under the Act is the imposition of monetary penalties for violations. These penalties are administered by the Data Protection Board of India, which has the authority to investigate contraventions and impose financial sanctions where necessary. The power to impose penalties arises when a person, typically a data fiduciary, is found to have violated obligations prescribed under the Act or the rules framed under it. The penalties are not arbitrary but are determined according to the Schedule to Section 33 of the Act, which specifies maximum limits for different categories of violations.

Factors Considered by the Board While Imposing Penalties

Before determining the appropriate penalty, the Data Protection Board must take into account several important factors to assess the seriousness of the violation. These considerations ensure that the enforcement process remains balanced and proportionate. The Board evaluates:

- Nature, gravity, and duration of the breach
- Type and nature of personal data affected
- Whether the breach was repetitive in nature
- Whether the entity took steps to mitigate the breach
- Whether any financial gain was derived from the violation

These criteria help ensure that penalties reflect the severity of the violation and the conduct of the entity involved. Another important feature of the Act is that penalties collected are credited to the Consolidated Fund of India. The monetary penalties imposed by the Board are therefore regulatory in nature and do not directly compensate affected individuals.

Penalty Structure under Section 33 of the Act

The Act establishes a categorical penalty structure, where specific violations correspond to specific maximum penalty limits rather than a single uniform fine.
According to the official Schedule under Section 33(1), the following maximum penalties may be imposed:

- Failure to implement reasonable security safeguards (Section 8(5)): maximum penalty ₹250 crores
- Failure to notify the Board and affected data principals of a personal data breach (Section 8(6)): maximum penalty ₹200 crores
- Failure to fulfil additional obligations relating to children's data (Section 9): maximum penalty ₹200 crores
- Failure to fulfil additional obligations of a Significant Data Fiduciary (Section 10): maximum penalty ₹150 crores
- Breach of duties under Section 15 (this includes situations such as the filing of a false complaint by a data principal): maximum penalty ₹10,000
- Breach of any other provision of the Act or Rules: maximum penalty up to ₹50 crores
- Breach of a voluntary undertaking accepted by the Board (Section 32): the penalty applicable is the same as that prescribed for the original breach

This structured penalty framework ensures that violations are addressed in proportion to their nature and seriousness.

Enforcement and Compliance Mechanism

The Data Protection Board does not impose penalties automatically. It conducts an evaluation of the circumstances surrounding the violation. In particular, the Board examines:

- Whether the entity gained commercially from the violation
- Whether steps were taken to mitigate the breach
- Whether the processing activity was stopped promptly
- The overall impact of the breach on individuals and their data rights

This approach introduces an element of regulatory flexibility, allowing entities that take prompt remedial actions to potentially face reduced penalties. In addition to imposing penalties, the Board also has the authority to issue directions to ensure compliance. If a data fiduciary fails to follow such directions, the Board may impose additional penalties. In serious cases of non-compliance, these penalties may reach the highest tier permitted under the relevant category.
Conclusion

The penalty framework under the Digital Personal Data Protection Act, 2023 is designed to function as a strong deterrent against data protection violations. By specifying clear penalty limits and requiring the Board to consider contextual factors, the Act seeks to balance strict enforcement with procedural fairness. The system ultimately encourages organisations to adopt robust data protection practices and ensures accountability in the handling of personal data.
Digital Personal Data Protection Act, 2023: Legislative Evolution: Withdrawal of the 2019 Bill and Enactment of the DPDP Framework
Withdrawal of the Personal Data Protection Bill, 2019 (2022)

An important stage in the legislative journey towards the Digital Personal Data Protection Act, 2023 occurred on 3 August 2022, when the Government of India formally withdrew the Personal Data Protection Bill, 2019 from Parliament. This decision followed extensive parliamentary deliberations and the submission of the Joint Parliamentary Committee (JPC) report in December 2021. The withdrawal of the Bill did not signify the abandonment of India's data protection policy objectives. Rather, it reflected the Government's recognition that the existing Bill required substantial restructuring instead of incremental amendments.

Reasons for Withdrawal

Several factors led to the decision to withdraw the 2019 Bill:

- Need for comprehensive redrafting: The recommendations of the Joint Parliamentary Committee suggested extensive structural changes to the Bill. Implementing these recommendations would have required rewriting significant portions of the legislation, making piecemeal amendments impractical.
- Shift toward a simpler legislative framework: The Government indicated that a new approach would focus on creating a simpler and more streamlined legal structure that could be implemented efficiently and reduce regulatory complexity.
- Alignment with India's digital governance priorities: India's rapidly expanding digital ecosystem required a regulatory framework capable of supporting innovation, digital commerce, and governance initiatives. The Government therefore decided to draft a new law that would align more closely with evolving digital policy objectives.

Importantly, the withdrawal was largely procedural in nature. It was not a rejection of the need for data protection legislation but rather a strategic step toward developing a revised framework.
Digital Personal Data Protection Act, 2023: Enactment

Following the withdrawal of the earlier Bill, the Government introduced a new legislative proposal which ultimately led to the enactment of the Digital Personal Data Protection Act, 2023 in August 2023. This Act marked India's first dedicated statute governing the processing and protection of personal data in the digital environment.

Key Characteristics of the Act

The Digital Personal Data Protection Act, 2023 reflects a more focused and operational framework compared to the earlier legislative proposals.

- Applicability to digital personal data: The Act applies specifically to digital personal data, including data collected online as well as data collected offline that is subsequently digitised.
- Establishment of the Data Protection Board of India: Instead of the Data Protection Authority proposed in earlier drafts, the Act creates a Data Protection Board of India, responsible for adjudicating complaints and enforcing compliance.
- Penalty-based enforcement framework: The Act primarily relies on financial penalties and regulatory enforcement mechanisms rather than criminal liability. This approach aims to ensure compliance while maintaining regulatory efficiency.
- Cross-border data transfers: Unlike earlier localisation-heavy proposals, the Act permits cross-border transfer of personal data, except to countries specifically restricted by the Central Government.
- State exemption powers: The legislation retains provisions allowing the State to exempt certain agencies from its application on specified grounds, supported by statutory authority.

Overall, the Act represents a narrower but more implementable framework, designed to facilitate regulatory clarity and practical enforcement.

Rules and Implementation (2024–2025)

Following the enactment of the Act, the Government began working on its implementation through subordinate legislation and institutional mechanisms.
Between 2024 and 2025, the focus shifted toward operationalising the law through several measures:

- Drafting and notification of the Digital Personal Data Protection Rules
- Establishment and regulation of consent managers
- Development of enforcement and grievance redressal mechanisms
- Introduction of phased compliance timelines for organisations processing personal data

These steps marked the transition of the law from a purely legislative framework to a functional regulatory regime.

Concluding Analysis

The legislative development of India's data protection framework can be understood through distinct phases:

- 2018 Draft: Expert-driven and rights-oriented framework.
- 2019 Bill: Government-led proposal with broader regulatory ambition and state exemptions.
- JPC Phase: Parliamentary scrutiny leading to structural critique and expansionist recommendations.
- Withdrawal (2022): Recognition that the Bill required fundamental redesign.
- DPDP Act, 2023: A streamlined, digital-focused, and implementation-oriented statute.

This evolution illustrates India's effort to balance constitutional privacy protections, economic development, governmental interests, and the realities of technological governance in an increasingly digital society.
Digital Personal Data Protection Act, 2023: Legislative Evolution: The Personal Data Protection Bill, 2019 and the JPC Process
Introduction of the Personal Data Protection Bill, 2019

As part of India's broader journey culminating in the Digital Personal Data Protection Act, 2023, the Government introduced the Personal Data Protection Bill, 2019 in the Lok Sabha on 11 December 2019. The Bill was introduced by Ravi Shankar Prasad, then Union Minister for Electronics and Information Technology. The 2019 Bill was a revised version of the 2018 draft prepared by the Justice B.N. Srikrishna Committee. While it retained the foundational structure of rights and regulatory oversight, it incorporated several modifications reflecting the Government's policy approach.

Salient Features of the 2019 Bill

The 2019 Bill continued the rights-based framework established in the 2018 draft. It preserved:

- Rights of data principals
- Obligations of data fiduciaries
- Oversight by a Data Protection Authority

However, it introduced certain key features:

- Broad exemptions to the State: The Bill allowed the Central Government to exempt its agencies from certain provisions on grounds such as national security, sovereignty, public order, and integrity of India. These provisions became one of the most debated aspects of the Bill.
- Data localisation requirements: Sensitive personal data was required to be stored in India, although transfers abroad were permitted under specified conditions. This reflected concerns about data sovereignty and regulatory control.
- Establishment of the Data Protection Authority of India: The Bill proposed a statutory Data Protection Authority (DPA) to monitor compliance, issue regulations, and enforce penalties.

Despite maintaining the overall structure of the earlier draft, the 2019 Bill attracted significant criticism from industry stakeholders and civil society groups, particularly regarding government exemptions and compliance burdens.

Reference to the Joint Parliamentary Committee (JPC)

Immediately after its introduction, the Bill was referred to a Joint Parliamentary Committee (JPC).
The referral was prompted by:

- Significant public concern
- Industry opposition
- Civil society criticism regarding the scope of government exemptions

The decision to refer the Bill indicated Parliament's recognition of the need for deeper scrutiny and broader stakeholder engagement.

Joint Parliamentary Committee (2019–2021)

Constitution and Functioning of the JPC

The JPC comprised members from both Houses of Parliament.

- Initial Chairperson: Meenakshi Lekhi
- Final Chairperson (at the time of tabling the report): P. P. Chaudhary

The Committee conducted extensive stakeholder consultations, heard expert testimonies, and examined comparative global data protection frameworks. Its deliberations spanned nearly two years, reflecting the complexity and importance of the subject.

JPC Report (December 2021)

On 16 December 2021, the JPC submitted its report recommending substantial structural changes. The Committee concluded that the 2019 Bill required fundamental restructuring rather than minor amendments.

Major Recommendations of the JPC

- Expansion of scope: The Committee recommended that the law regulate both personal and non-personal data and suggested renaming it the "Data Protection Act" to reflect a broader mandate.
- Stronger definition of harm: "Harm" was expanded to include psychological manipulation and behavioural profiling, acknowledging emerging digital risks.
- Mandatory data breach reporting: All data breaches were to be reported to the authority within 72 hours, without discretionary exemptions.
- Regulation of government exemptions: State exemptions were recommended to be subject to standards of legality, necessity, and proportionality, along with stronger procedural safeguards.
- Institutional reforms: The appointment process of the Data Protection Authority was recommended to include independent experts to strengthen institutional autonomy.
- Children's data protection: Stricter rules were proposed for processing children's data, particularly concerning profiling and targeted advertising.
- Implementation timelines: Clear timelines were recommended for operationalising the authority and enforcing compliance obligations.
The Digital Personal Data Protection (DPDP) Act, 2023: Constitutional Roots and Legislative Evolution
I. Constitutional and Policy Background (Pre-2018)

Justice K.S. Puttaswamy v. Union of India

India's journey toward a comprehensive data protection law began with a constitutional milestone. In 2017, a nine-judge Constitution Bench of the Supreme Court in Justice K.S. Puttaswamy v. Union of India unanimously declared that the right to privacy is a fundamental right under Articles 14, 19, and 21 of the Constitution. The Court held that privacy is intrinsic to life and personal liberty, and extends to informational self-determination. In doing so, it emphasized that any restriction on privacy must satisfy the tests of legality, necessity, and proportionality, along with procedural safeguards.

This judgment came at a time when India was undergoing rapid digital transformation:

- Expansion of Aadhaar-linked welfare schemes
- Growth of digital governance platforms
- Rapid penetration of smartphones and internet usage
- Rise of e-commerce, fintech, and data-driven private enterprises

The absence of a dedicated data protection framework created legal uncertainty. While the Information Technology Act, 2000 and related rules addressed certain aspects of data security, they lacked a rights-based architecture. Post-Puttaswamy, it became constitutionally imperative for the State to enact a comprehensive data protection regime that balanced innovation with civil liberties.

II. Expert Committee and Draft Bill, 2018

Constitution of the Srikrishna Committee (2017)

In response to the Supreme Court's mandate, the Government of India constituted an Expert Committee in 2017 under the chairmanship of Justice B. N. Srikrishna. The Committee included senior policymakers, technologists, academics, and legal experts such as Aruna Sundararajan, Dr. Ajay Bhushan Pandey, Dr. Gulshan Rai, Prof. Rishikesha Krishnan, Prof. Rajat Moona, Arghya Sengupta, and Rama Vedashree.
The Committee's objective was to examine data protection issues and recommend a robust legislative framework suitable for India's socio-economic realities.

Draft Personal Data Protection Bill, 2018

In July 2018, the Committee submitted:

- Its landmark report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians"
- The Draft Personal Data Protection Bill, 2018

The report emphasized that data protection is not merely a regulatory issue, but a constitutional necessity rooted in dignity and autonomy.

Key Features of the 2018 Draft

- Data principals' rights: Individuals (termed "data principals") were granted rights such as the right to confirmation and access, the right to correction and erasure, the right to data portability, and the right to be forgotten. This marked a shift toward a rights-centric framework.
- Data fiduciaries and data processors: Borrowing conceptually from global frameworks like the EU GDPR, the Bill introduced Data Fiduciaries (entities determining the purpose and means of processing) and Data Processors (entities processing data on behalf of fiduciaries). The fiduciary relationship underscored a duty of care toward individuals.
- Data Protection Authority (DPA): The Bill proposed an independent regulator, the Data Protection Authority, with investigative, corrective, and adjudicatory powers.
- Sensitive personal data classification: The Bill categorized certain data (health, biometric, financial, etc.) as "sensitive personal data," requiring higher compliance standards.
- Cross-border data transfer restrictions: It introduced localization mandates for sensitive personal data, reflecting concerns over sovereignty and enforcement.
- Emphasis on consent and purpose limitation: Processing was required to be lawful, fair and reasonable, based on informed consent, and limited to specified purposes.

Conclusion

The 2018 Draft Bill laid the intellectual and structural foundation for India's modern data protection regime.
While the legislative journey witnessed multiple revisions and debates, the constitutional anchor remained constant: privacy as a fundamental right. Ultimately, this evolutionary process culminated in the enactment of the Digital Personal Data Protection Act, 2023, reflecting India’s attempt to harmonize digital innovation, state interests, and individual rights in a rapidly transforming technological landscape.