The Digital Personal Data Protection Act, 2023 has introduced a legal framework that places Data Fiduciaries, the entities that determine the purpose and means of processing personal data, at the centre of India's data protection regime. For Data Fiduciaries operating in Delhi, whether as technology companies, financial institutions, hospitals, educational institutions, or retail businesses, understanding the precise nature of their legal obligations under the Act is critical. This blog offers legal insights for Data Fiduciaries navigating the DPDP compliance landscape in Delhi, with a focus on consent governance, rights management, security obligations, and enforcement risks.

Understanding the Role and Responsibilities of a Data Fiduciary

Under the DPDP Act, a Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This definition covers a wide range of entities, from large corporations to sole proprietorships, provided they process personal data in digital form (including data collected offline and later digitised). In Delhi, this includes businesses across virtually every sector, from banking and insurance to e-commerce and hospitality.

A Data Fiduciary's primary obligations include giving Data Principals notice of the personal data to be processed and the purpose of processing, obtaining valid consent or establishing another lawful basis for processing, implementing reasonable security safeguards, enabling Data Principals to exercise their rights, and, in the event of a personal data breach, notifying both the Data Protection Board and each affected Data Principal. The Fiduciary remains responsible for compliance even where it engages a Data Processor to carry out processing on its behalf. The cumulative weight of these obligations demands a dedicated governance infrastructure.

Consent as a Legal Instrument: Requirements and Limitations

Consent is the default lawful basis for processing personal data under the DPDP Act. However, the Act permits processing without consent for specified "legitimate uses", such as where the Data Principal has voluntarily provided the data for a specified purpose, for the performance of a function of the State, to comply with a legal obligation or court order, to respond to a medical emergency, or for purposes related to employment. Data Fiduciaries must carefully assess which basis applies to each category of processing they undertake, and should not assume that an implied or bundled consent will hold: where a question arises as to whether consent was given, the Act places the burden of proof on the Data Fiduciary.

Where consent is relied upon, it must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and preceded by a notice in plain language that states what personal data will be processed and for what purpose, how the Data Principal may exercise their rights, and how a complaint may be made to the Data Protection Board. The notice must also tell the Data Principal that consent can be withdrawn at any time, and withdrawing consent must be as easy as giving it was. Organisations should audit their privacy notices and consent flows to identify gaps and update them before the Act's provisions take full effect.

Enabling Data Principal Rights: Practical Challenges and Solutions

The DPDP Act grants Data Principals a suite of rights: the right to obtain information about the processing of their personal data, the right to correction and erasure, the right to nominate a person to exercise their rights in the event of death or incapacity, and the right to grievance redressal. For Data Fiduciaries, operationalising these rights at scale, particularly for organisations with millions of customers, presents practical challenges. Businesses in Delhi should invest in digital tools and workflows that let customers submit requests easily, track their progress, and receive responses within the prescribed timelines. Internal processes must be able to locate, correct, or delete a given individual's personal data across disparate systems and databases, which presupposes that the organisation already knows where that data lives. For organisations with complex data ecosystems, this may necessitate investment in data management platforms that support request handling and audit logging.

Enforcement, Penalties, and the Risk of Non-Compliance

The DPDP Act's enforcement regime is anchored by the Data Protection Board, which has the authority to conduct inquiries, summon persons and require the production of evidence, and impose significant financial penalties. Under Section 33 read with the Schedule to the Act, the penalties are substantial: up to INR 250 crore for failure to take reasonable security safeguards to prevent a personal data breach, up to INR 200 crore for failure to notify the Board or affected Data Principals of a breach, up to INR 200 crore for breach of the additional obligations relating to children, up to INR 150 crore for breach of the additional obligations of a Significant Data Fiduciary, and up to INR 50 crore for breach of any other provision of the Act, which is the head under which a failure to act on a Data Principal's grievance would fall. (The INR 10,000 figure in the Schedule is the cap on penalties against a Data Principal who breaches their own duties under the Act, for example by lodging a false or frivolous grievance; it is not a Fiduciary-side penalty.) Beyond financial penalties, non-compliance exposes Data Fiduciaries to reputational damage, loss of customer trust, and potential litigation. In Delhi's competitive business environment, a data breach or regulatory action can have lasting consequences. Proactive compliance, including regular audits, staff training, and engagement with legal counsel, is the most effective risk mitigation strategy.

Conclusion

For Data Fiduciaries operating in Delhi, the DPDP Act represents a significant legal development that demands genuine organisational commitment. Navigating its requirements, from consent governance and rights management to security safeguards and enforcement preparedness, requires a multi-disciplinary approach that brings together legal, technical, and operational expertise. Organisations that treat DPDP compliance as a governance priority rather than a checkbox exercise will be better equipped to protect their customers' data, avoid regulatory penalties, and operate with confidence in India's evolving digital economy.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

#DPDPActForBusinessesInDelhi #UnderstandingDPDPRegulatoryFramework #BusinessResponsibilitiesUnderDPDPAct #DelhiDataProtectionComplianceGuide #CrossBorderDataTransfersIndia #DataProcessingAgreementsCompliance #DataGovernanceUnderDPDPAct #ConsentAndPrivacyComplianceIndia #DataProtectionOfficerRequirements #DataProtectionImpactAssessmentIndia
DPDP Compliance Service in Delhi: Regulatory Framework and Business Responsibilities
India's Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive regulatory framework for the governance of personal data in the digital economy. For businesses based in or operating from Delhi, one of India's primary commercial hubs, understanding the architecture of this framework and the specific responsibilities it imposes is essential. The Act not only sets out obligations for organisations that process personal data but also creates institutional structures, most notably the Data Protection Board of India, to enforce compliance. This blog examines the regulatory structure under the DPDP Act and the corresponding responsibilities of businesses.

The Regulatory Architecture Under the DPDP Act

The DPDP Act establishes the Data Protection Board of India (DPBI) as the principal adjudicatory authority. The Board is empowered to receive complaints from Data Principals, direct urgent remedial or mitigation measures on being intimated of a personal data breach, conduct inquiries into alleged violations, and impose monetary penalties on persons found to be in breach of their obligations. Orders of the Board may be appealed to the Appellate Tribunal, which under the Act is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT); a further appeal from the Tribunal lies to the Supreme Court.

The Act also vests significant rule-making and notification powers in the Central Government. Rules made under the Act specify matters such as the form and manner of consent notices, the form and timing of breach intimation, the periods within which Data Principal requests and grievances must be answered, and the countries or territories to which transfer of personal data is restricted; Significant Data Fiduciaries are likewise designated by notification. Businesses in Delhi must monitor both the primary legislation and the evolving subordinate legislation to maintain compliance.

Defining Business Responsibilities Under the Act

The DPDP Act distinguishes Data Fiduciaries, organisations that determine the purpose and means of processing personal data, from Data Processors, entities that process data on behalf of a Data Fiduciary. Their legal positions differ. The Data Fiduciary is responsible for ensuring that personal data is processed lawfully, that notice and consent obligations are met, that reasonable security safeguards are in place, and that Data Principals can exercise their rights. That responsibility extends to processing carried out by a Data Processor on the Fiduciary's behalf: a Fiduciary may engage a Processor only under a valid contract, and remains answerable for the security of personal data in the Processor's hands. Processors are therefore bound principally through contract rather than directly by the Act, which makes the data processing agreement the key instrument of DPDP compliance. Businesses in Delhi should ensure their agreements are updated to require processing only on the Fiduciary's documented instructions, appropriate security measures, prompt notification of any breach to the Fiduciary, assistance with Data Principal requests, and erasure or return of the data when the engagement ends or the Fiduciary's own erasure duty is triggered.

Significant Data Fiduciaries: Enhanced Obligations

Businesses designated as Significant Data Fiduciaries (SDFs) by the Central Government face a heightened set of obligations under the DPDP Act. These include appointing a Data Protection Officer based in India who is the point of contact for grievance redressal, undertaking periodic Data Protection Impact Assessments to identify and mitigate risks arising from their processing activities, engaging an independent data auditor to assess their compliance, and such other measures as may be prescribed. The designation as an SDF is based on factors including the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the security of the State and public order, and the risk to electoral democracy. Large technology companies, e-commerce platforms, financial institutions, and health-tech organisations in Delhi should assess whether they may fall within the SDF category and take preparatory steps accordingly.

Cross-Border Data Transfers and Localisation

The DPDP Act takes a permissive approach to cross-border transfers: personal data may be transferred outside India for processing except to countries or territories that the Central Government has, by notification, restricted. This "negative list" model is a departure from earlier legislative proposals that envisaged blanket data localisation requirements. Two caveats apply. First, the Act does not itself create a category of sensitive personal data, but it expressly preserves any other law in force that provides a higher degree of protection for, or restriction on, the transfer of personal data outside India, so banking, payments, insurance or health data may still be subject to localisation or transfer conditions imposed by the relevant sectoral regulator. Second, a notification restricting transfers to a particular jurisdiction can change the position at short notice, so transfer mechanisms should be documented and kept under review. For Delhi-based multinationals and companies with international operations, maintaining a clear record of where personal data is sent and why, and ensuring through contract and technical controls that overseas recipients uphold equivalent protections, will be a critical component of the DPDP compliance programme.

Conclusion

The regulatory framework established by the DPDP Act, 2023 places significant responsibilities on businesses operating in Delhi. From obtaining lawful consent and enabling Data Principal rights to implementing security safeguards and managing cross-border data flows, the scope of compliance is both broad and substantive. The penalties prescribed under Section 33 of the Act, with fines of up to INR 250 crore for certain violations, further underscore the importance of building robust, institutionalised data governance practices that evolve alongside the regulatory landscape.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

#DPDPAct #DPDPCompliance #DataProtectionIndia #PrivacyLawIndia #DataGovernanceIndia #RegulatoryCompliance #DataFiduciaryObligations #TechnologyLaw #DelhiBusinesses #DataProtectionBoardIndia
A Practical Guide to DPDP Compliance Service in Delhi for Organizations
The Digital Personal Data Protection Act, 2023 has fundamentally altered the obligations of organisations that handle personal data in India. For businesses in Delhi, spanning sectors such as banking, healthcare, retail, legal services, and information technology, transitioning to a DPDP-compliant operating model requires a structured, step-by-step approach. Compliance is not a one-time exercise but an ongoing governance commitment that touches legal, technical, operational, and human resource functions across the organisation. This practical guide outlines the key steps organisations in Delhi should consider as they build or strengthen their DPDP compliance frameworks.

Step 1: Conduct a Data Mapping and Inventory Exercise

The first and most foundational step in any DPDP compliance programme is understanding what personal data the organisation collects, from whom, for what purpose, on what lawful basis, where it is stored, how long it is kept, and with whom it is shared. This process, commonly known as data mapping or data inventory, provides the baseline upon which all subsequent compliance activities are built: a consent notice cannot be accurate, an erasure request cannot be honoured, and a breach cannot be scoped unless the organisation knows where each category of data lives. For Delhi-based organisations, the exercise should cover all business units, digital platforms, third-party integrations, and legacy systems. Two categories deserve particular attention. The Act itself imposes additional obligations in respect of the personal data of children and of persons with disabilities who have a lawful guardian, including verifiable parental or guardian consent and a bar on tracking, behavioural monitoring and targeted advertising directed at children. Beyond that, the Act does not create a separate class of "sensitive" personal data, but financial, health, and identity-related information may attract processing restrictions under sectoral regulations, so the inventory should flag it.

Step 2: Review and Update Consent Mechanisms

The DPDP Act imposes strict requirements on how consent is sought and managed. Organisations must review all existing consent collection mechanisms, including website privacy policies, mobile application permissions, paper-based consent forms, and customer onboarding processes, to ensure they meet the Act's standard: consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Pre-ticked boxes, consent bundled with unrelated terms, and consent inferred from continued use do not meet this standard. Verifiability matters for a concrete reason: where a question arises as to whether consent was given, the Act places the burden of proof on the Data Fiduciary, so each consent should be recorded together with the notice shown, the purposes covered, and the time it was given. Consent notices must be in clear and plain language, with the Data Principal able to access them in English or any language specified in the Eighth Schedule to the Constitution, and organisations must build the technical capability to receive, record, and honour consent withdrawals, which the Act requires to be as easy as giving consent. Consent management platforms or in-house consent registries may be required, particularly for organisations with large or diverse customer bases.

Step 3: Establish a Grievance Redressal Mechanism

Every Data Fiduciary is required to establish an effective mechanism for Data Principals to exercise their rights under the Act, including the rights to access information, correction and erasure, and grievance redressal, and to publish the business contact details of a person able to answer questions about its processing. Organisations in Delhi should designate a responsible officer or team to handle Data Principal requests, establish response timelines consistent with those prescribed under the Rules, and maintain records of requests and outcomes. For Significant Data Fiduciaries, the appointment of a Data Protection Officer (DPO) based in India is mandatory, and the DPO is the point of contact for the grievance mechanism. Even for non-SDF organisations, appointing a privacy lead or data governance champion is considered best practice, as it signals accountability and facilitates faster response to regulatory enquiries or data breach incidents.

Step 4: Strengthen Data Security and Incident Response

Implementing reasonable security safeguards is both a legal obligation under the DPDP Act and a practical necessity given the growing prevalence of data breaches. Organisations should conduct regular security risk assessments, implement access controls and data encryption, and establish clear protocols for detecting, containing, and reporting data breaches. A documented incident response plan that includes procedures for notifying the Data Protection Board and each affected Data Principal in the prescribed form and within the prescribed time is essential; since failure to notify is penalised separately from the failure to prevent the breach, the plan should be rehearsed before it is needed. Organisations should also review and update their contracts with Data Processors, including cloud service providers, marketing agencies, and IT vendors, to ensure that security and breach notification obligations are appropriately flowed down.

Conclusion

Building DPDP compliance in Delhi is a structured undertaking that demands cross-functional commitment from legal, IT, operations, and leadership teams. By conducting a thorough data inventory, updating consent mechanisms, establishing robust grievance redressal channels, and strengthening data security practices, organisations can position themselves for compliance with the DPDP Act's requirements. Given the financial penalties prescribed under Section 33 of the Act, which can reach up to INR 250 crore for certain violations, a proactive, documented compliance programme is not only legally prudent but also a sound business strategy.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

#Step-by-step DPDP Act compliance guide for businesses in Delhi #How organisations in Delhi can build DPDP compliance frameworks #DPDP Act compliance checklist for Delhi businesses #Data mapping and consent management under DPDP Act 2023 #Practical guide to DPDP compliance for Indian organisations #How to implement DPDP Act requirements in Delhi businesses #Data security and grievance redressal compliance under DPDP Act #DPDP Act compliance steps for Data Fiduciaries in India #Building a data protection compliance programme under DPDP Act #Legal and operational roadmap for DPDP compliance in Delhi
DPDP Compliance Service in Delhi: Key Legal Obligations Under the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) has introduced a comprehensive legal framework governing the processing of personal data in India. For organisations headquartered or operating in Delhi, one of India's foremost commercial and administrative centres, understanding the specific legal obligations imposed by this legislation is critical. The DPDP Act establishes a tiered system of duties applicable to Data Fiduciaries, Significant Data Fiduciaries, and Consent Managers, each carrying distinct compliance requirements. This blog provides an analytical overview of the key legal obligations under the Act that businesses in Delhi must navigate.

The Obligation to Provide Notice and Obtain Consent

One of the foundational pillars of the DPDP Act is the requirement for informed consent. Before or at the time of requesting consent, a Data Fiduciary must give the Data Principal a clear notice in plain language that describes the personal data to be processed and the purpose of processing, the manner in which the Data Principal may withdraw consent and exercise their rights, and the manner of making a complaint to the Data Protection Board. Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action by the Data Principal, and it extends only to the personal data necessary for the specified purpose. Critically, consent may be withdrawn at any time, the ease of withdrawal must be comparable to the ease with which consent was given, and withdrawal does not affect the lawfulness of processing already carried out. Where a question arises as to whether consent was given, the burden of proof lies on the Data Fiduciary (or the Consent Manager), so each consent must be recorded in a form that can be produced later. Organisations in Delhi must audit their existing data collection mechanisms to ensure they meet these standards, particularly for digital platforms that process large volumes of user data.

Data Retention and Erasure Obligations

The DPDP Act mandates that personal data not be retained beyond the period for which the purpose of processing is served. Once the Data Principal withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, the Data Fiduciary must erase the personal data and cause any Data Processor to erase it as well, unless retention is necessary for compliance with a law in force. The Act also allows the period of inactivity after which the purpose is deemed no longer served to be prescribed for specified classes of Data Fiduciaries. This principle of storage limitation requires organisations to implement automated or procedural data lifecycle management: every record needs a purpose, a lawful basis, a retention trigger, and an erasure path that reaches backups and Processors. The Act also makes the Fiduciary responsible for processing carried out by Data Processors, third parties engaged to process data on its behalf, which it may engage only under a valid contract. Data Processing Agreements must therefore be reviewed and updated to reflect the requirements of the DPDP Act, including obligations relating to data security, erasure on instruction, and breach notification.

Security Safeguards and Breach Notification

Every Data Fiduciary is required to take reasonable security safeguards to prevent personal data breaches, in respect of data in its own possession and data processed on its behalf by a Data Processor. While the Act delegates the specification of detailed technical standards to subordinate rules, the overarching expectation is that organisations adopt measures commensurate with the nature and volume of data they process. This may include access controls, encryption, pseudonymisation, audit logging, and periodic security assessments. In the event of a personal data breach, the Data Fiduciary must intimate the Data Protection Board as well as each affected Data Principal in such form and within such time as may be prescribed. Failure to report a breach is itself a ground for penalty under the Act, separate from and in addition to the penalty for inadequate safeguards, making robust incident response planning an indispensable component of DPDP compliance.

Obligations of Significant Data Fiduciaries

The DPDP Act introduces a heightened compliance tier for Significant Data Fiduciaries (SDFs), designated by the Central Government on the basis of factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the security of the State, public order, and electoral democracy. SDFs are required to appoint a Data Protection Officer (DPO) based in India who is the point of contact for grievance redressal, conduct periodic Data Protection Impact Assessments (DPIAs), and engage an independent data auditor to evaluate their compliance posture. For large technology companies and data-intensive businesses operating in Delhi, the possibility of being designated an SDF necessitates a proactive assessment of current data governance frameworks. Establishing a dedicated DPO function and instituting a DPIA process should be prioritised as organisations prepare for the Act's full operationalisation.

Conclusion

The DPDP Act, 2023 represents a significant shift in how organisations must approach the collection and processing of personal data. For businesses in Delhi, compliance is a multi-dimensional exercise spanning consent management, data lifecycle governance, security infrastructure, breach response protocols, and, for some entities, the enhanced obligations of Significant Data Fiduciaries. Understanding these obligations in detail is the first step toward building a legally sound and operationally resilient data protection programme.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

#DPDP Act, #Digital Personal Data Protection Act 2023, #Data Privacy Law India, #Delhi DPDP Compliance, #Data Fiduciary Obligations, #Significant Data Fiduciary, #DPO India, #DPIA Compliance, #Data Breach Notification, #Consent Management
Understanding DPDP Compliance Service in Delhi: A Legal Perspective for Businesses
India's digital economy has witnessed rapid growth over the past decade, with Delhi emerging as one of the country's most active commercial and technology hubs. As organisations across sectors increasingly rely on the collection, processing, and storage of personal data, the legal landscape governing such activities has undergone a fundamental transformation. The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment in India's data governance framework, establishing clear obligations for entities that handle personal data and setting out enforceable rights for individuals. Understanding what DPDP compliance entails, and why it matters for businesses operating in Delhi, is now an essential legal and operational priority.

Background and Legislative Intent of the DPDP Act

The DPDP Act, 2023 was enacted by the Parliament of India to provide a dedicated framework for the protection of digital personal data. It replaces the narrow regime that previously applied under Section 43A of the Information Technology Act, 2000 and the rules made under it (the DPDP Act omits Section 43A) with a comprehensive, purpose-driven law governing how the personal data of individuals in India is collected, stored, processed, and transferred. The law draws conceptual inspiration from global frameworks such as the EU General Data Protection Regulation (GDPR) while being tailored to India's socio-economic context; it is considerably shorter than the GDPR, leaves much detail to rules, and does not define separate categories of sensitive personal data. At its core, the Act recognises the right of individuals, referred to as Data Principals, to the protection of their personal data (a facet of the right to privacy the Supreme Court held to be fundamental in Puttaswamy), while acknowledging the legitimate need of organisations, referred to as Data Fiduciaries, to process such data for lawful purposes. The Act establishes the Data Protection Board of India as the primary adjudicatory authority responsible for handling complaints, conducting inquiries, and imposing penalties for violations.

Who Does the DPDP Act Apply To?

The DPDP Act applies to the processing of digital personal data within India, whether the data was collected in digital form or collected offline and subsequently digitised, as well as to processing outside India if it is in connection with any activity related to offering goods or services to Data Principals within India. For businesses operating in Delhi, this has significant implications: any organisation that collects, stores, or uses personal data of individuals, whether customers, employees, or users, must evaluate its data handling practices against the requirements of the Act. The Act distinguishes general Data Fiduciaries, subject to the standard compliance obligations, from Significant Data Fiduciaries (SDFs), which the Central Government notifies on the basis of factors such as the volume and sensitivity of personal data processed and the risk to the rights of Data Principals, to the security of the State and to public order. SDFs attract additional obligations, including the appointment of a Data Protection Officer based in India, the conduct of Data Protection Impact Assessments, and the engagement of an independent data auditor.

Key Obligations for Data Fiduciaries

Under the DPDP Act, Data Fiduciaries operating in Delhi are required to fulfil several critical obligations. First, they must obtain free, specific, informed, unconditional and unambiguous consent from Data Principals before processing their personal data, except where processing falls within one of the Act's "legitimate uses", such as data the Data Principal has voluntarily provided for a specified purpose, compliance with a legal obligation or court order, a medical emergency, or purposes of employment. The Act does not recognise "performance of a contract" as a stand-alone basis, so commercial processing will ordinarily rest on consent or on voluntary provision for a specified purpose. Consent must be sought through a clear, plain-language notice explaining the personal data to be processed and the purpose of processing. Second, Data Fiduciaries must take reasonable security safeguards to prevent personal data breaches, covering data in their own possession and data processed on their behalf. In the event of a personal data breach, organisations are required to intimate the Data Protection Board and each affected Data Principal in the prescribed form and within the prescribed time. Third, because consent extends only to the personal data necessary for the specified purpose, Data Fiduciaries must collect no more than that purpose requires and must erase the data once the purpose is no longer served or consent is withdrawn, unless retention is required by law.

Rights of Data Principals and Redressal Mechanisms

The DPDP Act confers several important rights upon Data Principals, the individuals whose data is being processed. These include the right to obtain information about the personal data processed and the processing activities undertaken, the right to correction, completion, updating and erasure of personal data, the right to grievance redressal, and the right to nominate a person to exercise these rights in the event of death or incapacity. Businesses in Delhi must establish accessible mechanisms to receive and respond to such requests within the prescribed timelines. Non-compliance with these obligations can attract significant financial penalties under Section 33 of the DPDP Act: up to INR 250 crore for failure to take reasonable security safeguards, up to INR 200 crore for failure to notify a data breach, and up to INR 50 crore for breach of any other provision. These figures underscore the financial and reputational risks associated with non-compliance.

Conclusion

The DPDP Act, 2023 represents a new era of data accountability in India. For businesses in Delhi, operating across sectors ranging from finance and healthcare to e-commerce and information technology, understanding and implementing DPDP compliance is not merely a regulatory obligation but a strategic imperative. Organisations that proactively align their data governance practices with the Act's requirements will be better positioned to build trust with customers, mitigate regulatory risk, and operate with greater legal certainty in an increasingly data-driven economy.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

Keywords: #DPDP Act compliance services Delhi #compliance lawyer in Delhi #Digital Personal Data Protection Act compliance India #DPDP Act legal consultancy Delhi #Data protection compliance services India #DPDP Act advisory for businesses #Data privacy lawyer Delhi NCR #DPDP compliance consultant India
DPDP Compliance Service in Delhi: An Informational Overview of Legal Requirements
The Digital Personal Data Protection (DPDP) Act, 2023 is a landmark legislation shaping the landscape of data privacy in India. As digital interaction grows across sectors, compliance with the Act's legal requirements has become imperative for organisations that collect, process, or otherwise handle personal data. A DPDP Compliance Service thus plays a critical role in guiding entities through a complex and still-evolving regulatory environment to ensure lawful and ethical data practices. This overview provides a synopsis of the DPDP Act's key legal requirements, the rationale behind them, and practical considerations for compliance services.

Understanding the DPDP Act: The Legal Mandate

Following the Supreme Court's recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017), Parliament enacted the DPDP Act in August 2023 to regulate the processing of digital personal data. Its stated objective is to protect the personal data of individuals, the "digital nagriks" participating in India's digital economy, by imposing rules on personal data handling while balancing interests such as national security and governance. The Act requires consent (or a recognised legitimate use) for processing, purpose limitation, collection limited to what the specified purpose needs, transparency through notice, reasonable security safeguards, and avenues for grievance redressal. It also grants the State exemptions for certain purposes, such as sovereignty, security and the prevention of offences, while creating the Data Protection Board of India as the adjudicating body.

Core Legal Requirements for DPDP Compliance

Consent-Driven Data Processing

At the heart of the DPDP compliance framework is the principle of informed consent. Organisations must obtain free, specific, informed, unconditional and unambiguous consent from Data Principals for defined purposes, signified by a clear affirmative action. Processing for a purpose the consent does not cover requires fresh consent or a separate legitimate use recognised by the Act. This preserves individual autonomy over personal data and aligns with global norms such as the GDPR.

Data Minimisation and Purpose Limitation

Consent under the Act extends only to the personal data necessary for the specified purpose, so collecting more than that purpose needs is not covered by it. Data must not be processed in a manner incompatible with the purpose for which it was collected, and must be erased once that purpose is no longer served unless another law requires retention. This prevents unrestricted data hoarding and unauthorised profiling, supporting privacy preservation and shrinking the blast radius of any breach.

Data Security and Risk Management

Data Fiduciaries are obligated to take reasonable security safeguards to prevent personal data breaches, and remain responsible for data processed on their behalf by Data Processors. This includes embedding privacy-by-design and privacy-by-default approaches in system architecture and operational policies. Key technologies supporting compliance include encryption, pseudonymisation and anonymisation, and secure access controls. These privacy-enhancing technologies (PETs) bridge legal mandates with engineering practice, underpinning trustworthy data handling.

Transparency and Accountability

Organisations must give Data Principals a clear notice of what personal data is collected and for what purpose, how they can exercise their rights and withdraw consent, and how to complain to the Board; a good privacy notice will also explain retention periods and third-party sharing. Beyond communication, internal accountability mechanisms such as audits and documentation are critical to demonstrate compliance, particularly because the burden of proving that consent was obtained lies on the Data Fiduciary.

Rights of Data Principals

The Act empowers individuals with rights to information about the processing of their personal data, to correction, completion, updating and erasure, to grievance redressal, to nominate a person to exercise their rights in the event of death or incapacity, and to withdraw consent at any time. The Act does not provide a data portability right, and its erasure right is narrower than a general "right to be forgotten": data may be retained where another law in force requires it. Compliance services must facilitate procedures and infrastructure for the timely and efficient exercise of these rights.

State Exemptions and Oversight

While private and commercial entities are subject to the full weight of the Act's obligations, the State retains exemptions for purposes such as national security, public order, and the prevention and investigation of offences. The Data Protection Board of India oversees enforcement but has been criticised for limited independence from the Central Government, which appoints its members, so compliance services should prepare for evolving regulatory scrutiny.

Challenges in Operationalising DPDP Compliance

Translating legal texts into actionable system requirements is a non-trivial challenge. Laws are written in legal language that is sometimes ambiguous and open to interpretation, and the DPDP Act in particular leaves many specifics to rules. This necessitates methodical requirements engineering to decompose legal obligations into clear technical and organisational controls that can be implemented robustly. For example, the consent requirement calls for both a user interface that clearly communicates purposes and backend mechanisms that tag stored data with the purposes it was collected for, record each grant and withdrawal of consent, and check that record before any processing workflow runs. Similarly, maintaining data minimisation demands data audits and governance policies that prevent excessive collection or retention.

Technological Integration and Automation in Compliance

Emerging technological solutions greatly assist compliance. Privacy-enhancing technologies (PETs) such as encryption and anonymisation are central to technical compliance, ensuring the confidentiality and integrity of data in storage and in transit. Automated compliance tools use formal policy languages to bind data to its processing rules, enabling automatic enforcement and real-time auditing. For instance, "Data Capsule" is a paradigm that associates data with its privacy policy so that downstream processing conforms to the policy automatically, reducing human error and scaling with data volume. Moreover, techniques such as data provenance tracking and audit logs provide verifiable evidence that data flows and processing activities comply with declared policies and regulations, supporting accountability and facilitating regulatory inspections.
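The backend side of this, tagging data with purposes, recording consent and its withdrawal, checking the record before processing, erasing what no basis still covers, and keeping an audit trail, is the same machinery the practical guide above calls a consent registry (Step 2) and the obligations post calls storage limitation (erasure on withdrawal unless another law requires retention). The Python below is an added example written for this page; it is not the Act's text, not a Consent Manager product, and not code from the authors. The purpose names (order_fulfilment, marketing, statutory_retention), the field-to-purpose tagging, the API names (add_basis, withdraw_consent, process, apply_storage_limitation) and the assumed "legal_obligation" retention basis are all illustrative choices:

```python
# Added illustration for this article (not statutory text or any product); purpose names and the assumed "legal_obligation" retention basis are assumptions made for the example.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

class ProcessingDenied(Exception): """No lawful basis covers the requested purpose."""

@dataclass
class Basis:
    purpose: str
    kind: str                               # "consent" or a legitimate use such as "legal_obligation"
    valid_from: datetime
    valid_until: Optional[datetime] = None  # exclusive; None means open until withdrawn
    def covers(self, at: datetime) -> bool:
        return self.valid_from <= at and (self.valid_until is None or at < self.valid_until)

class ConsentRegistry:
    def __init__(self) -> None:
        self._bases: Dict[str, List[Basis]] = {}
        self._data: Dict[str, Tuple[Dict[str, str], Dict[str, List[str]]]] = {}  # values, field->purposes
        self.audit: List[dict] = []  # entries are appended, never edited

    def _log(self, event: str, pid: str, at: datetime, **detail) -> None:
        self.audit.append({"event": event, "principal": pid, "at": at.isoformat(), **detail})

    def add_basis(self, pid: str, purpose: str, kind: str, at: datetime, until: Optional[datetime] = None) -> None:
        self._bases.setdefault(pid, []).append(Basis(purpose, kind, at, until))
        self._log("basis_recorded", pid, at, purpose=purpose, kind=kind)

    def has_basis(self, pid: str, purpose: str, at: datetime) -> bool:
        return any(b.purpose == purpose and b.covers(at) for b in self._bases.get(pid, []))

    def withdraw_consent(self, pid: str, purpose: str, at: datetime) -> List[str]:
        for b in self._bases.get(pid, []):  # close every open consent for this purpose
            if b.purpose == purpose and b.kind == "consent" and b.valid_until is None:
                b.valid_until = at
        self._log("consent_withdrawn", pid, at, purpose=purpose)
        return self.apply_storage_limitation(pid, at)  # erase whatever that leaves without a basis

    def store(self, pid: str, values: Dict[str, str], purposes: Dict[str, List[str]], at: datetime) -> None:
        """Collect a field only if at least one purpose it is tagged with has a current basis."""
        for name, ps in purposes.items():
            if not any(self.has_basis(pid, p, at) for p in ps):
                raise ProcessingDenied(f"no lawful basis to collect {name!r}")
        self._data[pid] = (dict(values), {n: list(ps) for n, ps in purposes.items()})
        self._log("stored", pid, at, fields=sorted(purposes))

    def process(self, pid: str, purpose: str, at: datetime) -> Dict[str, str]:
        if pid not in self._data or not self.has_basis(pid, purpose, at):  # fail closed
            self._log("processing_denied", pid, at, purpose=purpose)
            raise ProcessingDenied(f"no lawful basis for {purpose!r}")
        values, purposes = self._data[pid]
        allowed = {n: v for n, v in values.items() if purpose in purposes[n]}  # only fields tagged for it
        self._log("processed", pid, at, purpose=purpose, fields=sorted(allowed))
        return allowed

    def apply_storage_limitation(self, pid: str, at: datetime) -> List[str]:
        """Erase every field none of whose purposes still has a lawful basis at 'at'."""
        if pid not in self._data:
            return []
        values, purposes = self._data[pid]
        erased = [n for n, ps in purposes.items() if not any(self.has_basis(pid, p, at) for p in ps)]
        for n in erased:
            del values[n], purposes[n]
        if erased:
            self._log("erased", pid, at, fields=erased)
        if not values:
            del self._data[pid]
            self._log("record_deleted", pid, at)
        return erased

def denied(reg: ConsentRegistry, pid: str, purpose: str, at: datetime) -> bool:
    try:
        reg.process(pid, purpose, at)
    except ProcessingDenied:
        return True
    return False

def demo() -> dict:
    """Constructed walk-through (not real data): one customer, two consents, one assumed retention duty."""
    def day(d: int) -> datetime: return datetime(2025, 1, d)
    reg = ConsentRegistry()
    reg.add_basis("dp-1", "order_fulfilment", "consent", day(1))
    reg.add_basis("dp-1", "marketing", "consent", day(1))
    reg.add_basis("dp-1", "statutory_retention", "legal_obligation", day(1), until=day(11))
    reg.store("dp-1", {"email": "a@example.com", "address": "Delhi", "phone": "+91..."},
              {"email": ["order_fulfilment", "marketing", "statutory_retention"],
               "address": ["order_fulfilment"], "phone": ["marketing"]}, day(2))
    out = {"marketing_view": sorted(reg.process("dp-1", "marketing", day(3)))}
    out["analytics_denied"] = denied(reg, "dp-1", "analytics", day(3))        # never consented to
    out["erased_on_marketing_withdrawal"] = reg.withdraw_consent("dp-1", "marketing", day(4))
    out["marketing_denied_after"] = denied(reg, "dp-1", "marketing", day(5))  # withdrawal honoured
    out["order_view_after"] = sorted(reg.process("dp-1", "order_fulfilment", day(5)))
    out["erased_on_order_withdrawal"] = reg.withdraw_consent("dp-1", "order_fulfilment", day(6))
    out["erased_after_retention_expiry"] = reg.apply_storage_limitation("dp-1", day(11))
    out["record_deleted"] = denied(reg, "dp-1", "statutory_retention", day(10))  # basis valid, record gone
    out["audit_events"] = [e["event"] for e in reg.audit]
    return out
```

The design point worth noticing is that the lawful basis is evaluated at the moment of processing, against the purpose being pursued, rather than once at collection. Withdrawing marketing consent erases the phone number immediately because nothing else justifies holding it, but leaves the e-mail address in place while the order-fulfilment consent, and later only the assumed statutory retention period, still covers it; once that period lapses the last field goes and the record is deleted. Every grant, withdrawal, denial and erasure lands in the audit list in order, which is the evidence a Fiduciary needs when the burden of proving consent falls on it. A production registry would persist the ledger, hash-chain or sign the audit log, reach backups and Processors on erasure, and key its timelines to the Rules; the example leaves those out.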
Practical Steps for Organizations Engaging DPDP Compliance Services
Gap Analysis and Compliance Mapping: Assess current data practices against DPDP requirements, identifying gaps in consent management, data minimization, security controls, and transparency.
Policy Development and Communication: Draft privacy policies aligned with legal mandates and ensure clear communication to data principals through user-centric interfaces.
Technical Safeguards Implementation: Integrate PETs (encryption, anonymization), access controls, and policy enforcement tools such as automated compliance checking agents into IT infrastructure.
Data Subject Rights Mechanisms: Establish streamlined processes and responsive systems for data access, correction, erasure, and consent withdrawal requests.
Continuous Auditing and Monitoring: Deploy systems for ongoing compliance verification via audit trails, data provenance technologies, and periodic internal reviews.
Training and Awareness: Educate staff and leadership about DPDP obligations, data privacy values, and practical compliance measures.
Engagement with Regulators: Prepare for interaction with the Data Protection Board by maintaining transparent documentation and proactive compliance reporting.

Conclusion
DPDP compliance is an evolving, multifaceted endeavor that balances legal obligations with technological, operational, and ethical considerations. Compliance services serve as indispensable partners in this landscape, translating statutory requirements into clear policies and actionable controls. In a digital era marked by rapid data proliferation and rising privacy expectations, adherence to the DPDP Act is not merely a legal imperative but a strategic differentiator for organizations aiming to safeguard user trust and foster long-term sustainability.
By leveraging robust privacy-by-design principles and cutting-edge compliance technologies, entities can effectively navigate this complex regulatory environment while championing the rights and interests of India's digital citizens.
Digital Personal Data Protection Act, 2023: Key Compliance Requirements under the Legal Framework
Chapter II of the Digital Personal Data Protection Act, 2023 (DPDPA) outlines the obligations of the Data Fiduciary. The Act first establishes the grounds on which personal data may be processed. According to these provisions, a data fiduciary may process personal data of a data principal only in accordance with the provisions of the Act and for a lawful purpose, meaning any purpose that is not expressly forbidden by law. The Act further prescribes specific compliance obligations that must be followed by data fiduciaries when processing personal data. Two central requirements under this framework are consent and notice.

Consent
Consent forms the foundation of lawful personal data processing under the Act. The DPDPA specifies several conditions that must be fulfilled for consent to be valid. First, the consent must be free, specific, informed, unconditional, and unambiguous, and it must involve a clear affirmative action by the data principal. Such consent signifies that the data principal agrees to the processing of their personal data only for the specified purpose. However, if the consent contradicts any provision of the Act or any other law currently in force in India, the consent will be invalid to the extent of such infringement.

The Act also requires that the request for consent must be communicated in clear and plain language. The data principal must have the option to access the request in English or in any of the languages specified in the Eighth Schedule of the Constitution of India. These languages are Assamese, Bengali, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Nepali, Odia (Oriya), Punjabi, Sanskrit, Sindhi, Tamil, Telugu, Urdu, Bodo, Santhali, Maithili, and Dogri. The consent request must also include contact details of a Data Protection Officer or another authorised person designated by the data fiduciary to respond to queries or communications from data principals regarding the exercise of their rights under the Act.
A Data Protection Officer (DPO) is an individual who represents a Significant Data Fiduciary (SDF). The DPO must be based in India and is responsible to the Board of Directors or a similar governing body. The officer acts as the point of contact for data principals in case they face any grievances.

The Act further requires data fiduciaries to ensure that data principals can easily withdraw their consent whenever they wish. Once consent is withdrawn, the data fiduciary must stop processing the personal data within a reasonable time. An exception exists where law permits continued processing of such data even after the withdrawal of consent; in such cases, the data fiduciary may continue the processing. It is also important to note that when consent is withdrawn, the data principal must bear any resulting consequences, and the withdrawal does not affect the legality of data processing that occurred before the withdrawal.

Notice
Another crucial compliance requirement under the Act is the notice provided to the data principal. The notice either accompanies or precedes the request for consent. Its purpose is to inform the data principal about important aspects of data processing. The notice must inform the data principal of:
Which personal data is being accessed and the purpose for processing it
The manner in which the data principal can exercise their rights
The process through which a complaint can be made to the Data Protection Board of India

Further requirements relating to notice are specified in the DPDP Rules. According to these rules, the notice must be presented in an understandable form and independent of other information provided by the data fiduciary. It must provide clear and simple information enabling the data principal to give specific and informed consent for the processing of personal data.
The notice must include:
A clear, item-by-item description of the personal data being collected
The exact purpose for collecting such data, along with a clear explanation of the goods, services, or uses that the data will enable

Additionally, the notice must provide the specific link to the data fiduciary's website or application and explain other available methods through which the data principal can:
Withdraw consent as easily as it was given
Exercise their rights under the Act
File a complaint with the Data Protection Board of India

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes structured compliance requirements governing how personal data may be processed and how data principals must be informed and empowered during the process.
Digital Personal Data Protection Act, 2023: Applicability of the Act to Companies and Organisations
The Digital Personal Data Protection Act, 2023 (DPDPA) adopts a broad and comprehensive approach while defining personal data. Personal data refers to any data about an individual who is identifiable by or in relation to that data; the individual is referred to under the Act as a Data Principal. This definition is intentionally wide in scope to ensure that various forms of personal information receive adequate legal protection. Personal data includes traditional identifiers such as names and addresses, as well as modern digital identifiers like IP addresses and browsing history. In addition to these, financial information, opinions, and even biometric data fall within the scope of the Act, provided that such information can be linked to a specific individual. By adopting this wide definition, the Act ensures that a broad range of personal information is covered and protected.

The applicability of the Act is addressed under Section 3 of the DPDPA. This provision specifies the situations in which the Act applies to the processing of personal data.

Firstly, the Act applies to the processing of digital personal data within India. This includes personal data that is collected directly in digital form. It also includes data that is originally collected in non-digital form but is subsequently digitised. Therefore, physical records that are later scanned, converted into digital format, or stored electronically fall within the scope of the Act. This provision ensures that personal data receives protection regardless of the form in which it was originally collected.

Secondly, the Act provides for extra-territorial jurisdiction. This means that the provisions of the Act may apply even to entities located outside India. If a foreign company, organisation, or entity processes personal data in connection with offering goods or services to individuals in India, it becomes subject to the provisions of the Act.
This ensures that individuals in India remain protected even when their personal data is processed by organisations located outside the country.

Despite its broad applicability, the Act also provides certain specific exclusions. The provisions of the Act do not apply to personal data that is processed by an individual for personal or domestic purposes. Additionally, personal data that has been made publicly available by the Data Principal themselves, or personal data that has been made public by a person under a legal obligation to do so, is also excluded from the scope of the Act.

The Act applies broadly to entities or persons that determine the purpose and means of processing personal data. Such entities are referred to as Data Fiduciaries under the Act. The term Data Fiduciary includes a wide range of entities such as individuals, Hindu Undivided Families, companies, firms, associations of persons, bodies of individuals (whether incorporated or not), the State, and every other artificial juristic person. These entities are responsible for ensuring that the processing of personal data complies with the obligations laid down under the Act.

Furthermore, the Act provides for the designation of certain entities as Significant Data Fiduciaries (SDFs). This designation is based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State, or public order. Entities classified as Significant Data Fiduciaries are required to comply with additional obligations under the Act, reflecting the higher level of risk associated with large-scale or sensitive data processing.

Through these provisions, the Digital Personal Data Protection Act, 2023 establishes a framework that determines the entities and circumstances to which the law applies, while also identifying situations where its provisions do not extend.
Digital Personal Data Protection Act, 2023: Implications and Consequences of Non-Compliance, including Relevant Penalties
The Digital Personal Data Protection Act, 2023 (DPDPA) establishes a structured enforcement framework to ensure compliance with data protection obligations. One of the most significant mechanisms under the Act is the imposition of monetary penalties for violations. These penalties are administered by the Data Protection Board of India, which has the authority to investigate contraventions and impose financial sanctions where necessary. The power to impose penalties arises when a person, typically a data fiduciary, is found to have violated obligations prescribed under the Act or the rules framed under it. The penalties are not arbitrary but are determined according to the Schedule referred to in Section 33 of the Act, which specifies maximum limits for different categories of violations.

Factors Considered by the Board While Imposing Penalties
Before determining the appropriate penalty, the Data Protection Board must take into account several important factors to assess the seriousness of the violation. These considerations ensure that the enforcement process remains balanced and proportionate. The Board evaluates:
Nature, gravity, and duration of the breach
Type and nature of personal data affected
Whether the breach was repetitive in nature
Whether the entity took steps to mitigate the breach
Whether any financial gain was derived, or loss avoided, as a result of the violation
These criteria help ensure that penalties reflect the severity of the violation and the conduct of the entity involved.

Another important feature of the Act is that penalties collected are credited to the Consolidated Fund of India. The monetary penalties imposed by the Board are therefore regulatory in nature and do not directly compensate affected individuals.

Penalty Structure under Section 33 of the Act
The Act establishes a categorical penalty structure, where specific violations correspond to specific maximum penalty limits rather than a single uniform fine.
According to the Schedule referred to in Section 33(1), the following maximum penalties may be imposed:
Failure to implement reasonable security safeguards (Section 8(5)): up to ₹250 crore
Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)): up to ₹200 crore
Failure to fulfil additional obligations relating to children's data (Section 9): up to ₹200 crore
Failure to fulfil additional obligations of a Significant Data Fiduciary (Section 10): up to ₹150 crore
Breach of the duties of a Data Principal under Section 15 (for example, filing a false or frivolous complaint): up to ₹10,000
Breach of a voluntary undertaking accepted by the Board (Section 32): up to the amount applicable to the breach in respect of which the proceedings were instituted
Breach of any other provision of the Act or the Rules: up to ₹50 crore
This structured penalty framework ensures that violations are addressed in proportion to their nature and seriousness.

Enforcement and Compliance Mechanism
The Data Protection Board does not impose penalties automatically. It conducts an evaluation of the circumstances surrounding the violation. In particular, the Board examines:
Whether the entity gained commercially from the violation
Whether steps were taken to mitigate the breach
Whether the processing activity was stopped promptly
The overall impact of the breach on individuals and their data rights
This approach introduces an element of regulatory flexibility, allowing entities that take prompt remedial action to potentially face reduced penalties. In addition to imposing penalties, the Board also has the authority to issue directions to ensure compliance. If a data fiduciary fails to follow such directions, the Board may impose additional penalties. In serious cases of non-compliance, these penalties may reach the highest tier permitted under the relevant category.
Conclusion The penalty framework under the Digital Personal Data Protection Act, 2023 is designed to function as a strong deterrent against data protection violations. By specifying clear penalty limits and requiring the Board to consider contextual factors, the Act seeks to balance strict enforcement with procedural fairness. The system ultimately encourages organisations to adopt robust data protection practices and ensures accountability in the handling of personal data.
Digital Personal Data Protection Act, 2023: Legislative Evolution, Withdrawal of the 2019 Bill and Enactment of the DPDP Framework
Withdrawal of the Personal Data Protection Bill, 2019 (2022)
An important stage in the legislative journey towards the Digital Personal Data Protection Act, 2023 occurred on 3 August 2022, when the Government of India formally withdrew the Personal Data Protection Bill, 2019 from Parliament. This decision followed extensive parliamentary deliberations and the submission of the Joint Parliamentary Committee (JPC) report in December 2021. The withdrawal of the Bill did not signify the abandonment of India's data protection policy objectives. Rather, it reflected the Government's recognition that the existing Bill required substantial restructuring instead of incremental amendments.

Reasons for Withdrawal
Several factors led to the decision to withdraw the 2019 Bill:
Need for Comprehensive Redrafting: The recommendations of the Joint Parliamentary Committee suggested extensive structural changes to the Bill. Implementing these recommendations would have required rewriting significant portions of the legislation, making piecemeal amendments impractical.
Shift Toward a Simpler Legislative Framework: The Government indicated that a new approach would focus on creating a simpler and more streamlined legal structure that could be implemented efficiently and reduce regulatory complexity.
Alignment with India's Digital Governance Priorities: India's rapidly expanding digital ecosystem required a regulatory framework capable of supporting innovation, digital commerce, and governance initiatives. The Government therefore decided to draft a new law that would align more closely with evolving digital policy objectives.
Importantly, the withdrawal was largely procedural in nature. It was not a rejection of the need for data protection legislation but rather a strategic step toward developing a revised framework.
Digital Personal Data Protection Act, 2023: Enactment
Following the withdrawal of the earlier Bill, the Government introduced a new legislative proposal which ultimately led to the enactment of the Digital Personal Data Protection Act, 2023 in August 2023. This Act marked India's first dedicated statute governing the processing and protection of personal data in the digital environment.

Key Characteristics of the Act
The Digital Personal Data Protection Act, 2023 reflects a more focused and operational framework compared to the earlier legislative proposals.
Applicability to Digital Personal Data: The Act applies specifically to digital personal data, including data collected online as well as data collected offline that is subsequently digitised.
Establishment of the Data Protection Board of India: Instead of the Data Protection Authority proposed in earlier drafts, the Act creates a Data Protection Board of India, responsible for adjudicating complaints and enforcing compliance.
Penalty-Based Enforcement Framework: The Act primarily relies on financial penalties and regulatory enforcement mechanisms rather than criminal liability. This approach aims to ensure compliance while maintaining regulatory efficiency.
Cross-Border Data Transfers: Unlike earlier localisation-heavy proposals, the Act permits cross-border transfer of personal data, except to countries specifically restricted by the Central Government by notification.
State Exemption Powers: The legislation retains provisions allowing the State to exempt certain agencies from its application on specified grounds, supported by statutory authority.
Overall, the Act represents a narrower but more implementable framework, designed to facilitate regulatory clarity and practical enforcement.

Rules and Implementation (2024–2025)
Following the enactment of the Act, the Government began working on its implementation through subordinate legislation and institutional mechanisms.
Between 2024 and 2025, the focus shifted toward operationalising the law through several measures:
Drafting and notification of the Digital Personal Data Protection Rules
Establishment and regulation of consent managers
Development of enforcement and grievance redressal mechanisms
Introduction of phased compliance timelines for organizations processing personal data
These steps marked the transition of the law from a purely legislative framework to a functional regulatory regime.

Concluding Analysis
The legislative development of India's data protection framework can be understood through distinct phases:
2018 Draft: Expert-driven and rights-oriented framework.
2019 Bill: Government-led proposal with broader regulatory ambition and state exemptions.
JPC Phase: Parliamentary scrutiny leading to structural critique and expansionist recommendations.
Withdrawal (2022): Recognition that the Bill required fundamental redesign.
DPDP Act, 2023: A streamlined, digital-focused, and implementation-oriented statute.
This evolution illustrates India's effort to balance constitutional privacy protections, economic development, governmental interests, and the realities of technological governance in an increasingly digital society.