What Is the Digital Personal Data Protection Act, 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law — enacted in August 2023 after more than five years of legislative iteration. The Act governs the processing of digital personal data within India and the processing of digital personal data outside India when such processing is in connection with offering goods or services to data principals (the Act's term for data subjects) in India. DPDP Act is built around a simple rights/obligations framework: data principals have six rights (access, correction, erasure, nomination, grievance redressal, and withdrawal of consent); data fiduciaries (controllers) have corresponding obligations centered on notice, consent, data minimization, purpose limitation, and breach notification. The Act designates certain 'Significant Data Fiduciaries' based on volume and sensitivity for heightened obligations including mandatory Data Protection Officers and annual audits. The Data Protection Board of India — a statutory body under MeitY — is the exclusive enforcement authority, with power to issue directions and impose financial penalties up to ₹250 crore (approximately USD 30 million) per contravention. The Board became operational in phases during 2025 with rules notified under Section 40.
At a glance
- Full name: Digital Personal Data Protection Act, 2023
- Short code: DPDP Act
- Jurisdiction: India
- Enacted: 2023
- Last major update: Rules notified in phases from 2025; Data Protection Board operational
- Regulator: Data Protection Board of India
- Private right of action: No
- Statutory citation: Act No. 22 of 2023
Scope — who DPDP Act covers
Protected data
Data subject rights
Right to obtain information about processing (Section 11) — summary of personal data processed and with whom shared
Right to correction, completion, updating, and erasure (Section 12)
Right of grievance redressal (Section 13) — readily available means to register grievances
Right to nominate (Section 14) — designate an individual to exercise rights on death or incapacity
Right to withdraw consent (Section 6)
Right to not be subject to processing without lawful basis
Notable features
DPDP Act is notably concise (a single law, ~20 pages) compared to GDPR or LGPD, and relies heavily on delegated rulemaking by the Central Government. It uniquely introduces the 'nomination' right (Section 14) allowing data principals to name someone to exercise their rights on death or incapacity — an innovation not found in GDPR/LGPD. The Act also exempts the State and certain processing in the interest of national security, public order, or prevention of offences, which has been contested on constitutional grounds.
Enforcement & penalties
Regulator: Data Protection Board of India
Penalties: Schedule to the Act sets maximum penalties per contravention: up to ₹250 crore (approximately USD 30 million) for failing to take reasonable security safeguards; ₹200 crore for failing to notify breaches; ₹150 crore for violations relating to children's data; ₹250 crore for violations by Significant Data Fiduciaries. The Data Protection Board determines penalties case-by-case based on nature, gravity, duration, and impact.
Private right of action: DPDP Act does not grant a private right of action. Enforcement runs exclusively through the Data Protection Board of India. Data principals can file complaints with the Board, which may impose financial penalties (remitted to the Consolidated Fund of India). Individual damages typically require parallel civil/tort claims under general Indian law.
Relevance to data brokers
DPDP Act applies extraterritorially to any data fiduciary that offers goods or services to data principals in India. Given India's ~800 million internet users, DPDP compliance is now a baseline for any global data-broker business. Indian residents can file complaints with the Data Protection Board. The ₹250 crore per-contravention cap combined with the Board's enforcement mandate creates meaningful enforcement risk for non-compliant brokers.
FAQ
Does DPDP Act replace the Information Technology Rules (SPDI Rules 2011)?
Yes — once Section 44(3) of DPDP Act is fully in force, it repeals Section 43A of the IT Act 2000 (the basis for the 2011 Sensitive Personal Data or Information Rules). Until rules are fully notified and in force, the SPDI Rules continue to apply for sensitive data categories they covered.
How do I file a complaint under DPDP Act?
Under Section 13, you must first approach the data fiduciary's grievance officer. If the data fiduciary fails to resolve the complaint within a prescribed period, you can escalate to the Data Protection Board of India. The Board's process for accepting complaints has been established via notification under Section 28.
What is a Significant Data Fiduciary?
A data fiduciary notified by the Central Government as 'Significant' based on volume and sensitivity of personal data processed, risk of harm to data principals, public order implications, and security of the state. Significant Data Fiduciaries have additional obligations under Section 10 including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and undertaking periodic audits.
Does DPDP Act apply to foreign data brokers?
Yes. Section 3(b) extends the Act to processing outside India that is in connection with offering goods or services to data principals in India. A foreign data broker selling profiles on Indian residents falls within scope.
Official sources & citations
Other international privacy regimes
DPDP Act sits in a global ecosystem of data-protection laws. Compare with other jurisdictions that shape cross-border data flows: