The Digital Personal Data
Protection Act, 2023

Foundational interpretative framework establishing statutory nomenclature.

Territorial and material scope with extraterritorial reach provisions.

Binary lawful basis: Consent or Legitimate Uses under Section 7.

Mandatory pre-consent notice in prescribed form and vernacular languages.

Architecture for valid consent with withdrawal mechanics.

Exhaustive enumeration of non-consent processing grounds.

Core fiduciary duties spanning accuracy, security, retention, and breach notification.

Enhanced protections with verifiable parental consent requirement.

Entitlement to summary of personal data and processing activities.

Correction of inaccurate/incomplete data and erasure rights.

Tiered redressal mechanism with prescribed timelines.

Succession planning for data rights through nomination.

Reciprocal obligations on data subjects—a novel feature.

Enhanced regime for high-risk data processors with DPIA and audit requirements.

Negative list approach to cross-border data flows.

Broad State and security exemptions with proportionality safeguards.

Constitution of the Data Protection Board of India as the primary regulatory authority.

Board composition with Chairperson and Members appointed by Central Government.

Fixed tenure provisions for Chairperson and Members.

Grounds and procedure for removal of Board members.

Core regulatory functions including inquiry, penalties, and directions.

Procedure for conducting inquiries into alleged violations.

Mechanism for resolution through voluntary commitments.

Mediation and other ADR mechanisms for dispute resolution.

Appellate mechanism to Appellate Tribunal.

Exclusion of civil court jurisdiction in favor of Board.

Mechanism for recovery of penalties as arrears of land revenue.

Monetary penalties up to ₹250 Crore with voluntary undertaking mechanism.

Power to block access to platforms persistently violating Act provisions.

Application of Act provisions to government instrumentalities.

Rule-making authority vested in Central Government.

Central Government power to issue orders for removing difficulties in implementation.

Repeal of IT Act privacy provisions and transitional arrangements.

Provisions for processing of data collected before commencement.

Consequential amendments to RTI Act and other legislation.

Regulatory framework for Consent Managers under the Act.

Provisions for staged commencement of Act sections.

Supplementary definitions extending Section 2 of the Act.

Detailed requirements for Section 5 notices including language and format.

Registration process and obligations for Consent Managers under Section 2(g).

Processing of personal data by State for subsidies, benefits, services.

Technical and organisational security measures under Section 8(5).

Intimation of personal data breach under Section 8(6).

Time period for specified purpose to be deemed no longer served.

Contact information of person to answer questions about processing.

Verifiable consent for processing personal data of child under Section 9.

Additional obligations for Significant Data Fiduciaries under Section 10.

Mechanisms for Data Principals to exercise rights under Sections 11-13.

Requirements for transfer of personal data outside India.