The Digital Personal Data Protection Act, 2023 (“Act”) intends to balance the need to process personal data with the right of individuals to protect their personal data. This fundamental balance shapes every aspect of the Act, from how organisations collect data to how individuals can protect their data. But before we delve into the complexities of the Act, it is essential to understand who is “processing” personal data, why they are doing so, and what this means for the digital ecosystem.
Understanding the Basics: The Data Landscape
Any data about an individual who is identifiable by such data is personal data. Collecting, storing, sharing or performing any operation on personal data is considered processing. The Act is constrained within the contours of digital processing, so merely noting details on a paper is not governed by this Act.
In this framework, two key actors emerge. The person determining the means and purpose of processing personal data is termed the Data Fiduciary: essentially, the organisation that decides how and why data is used. The individual to whom this personal data belongs is the Data Principal. Where a Data Fiduciary engages a third party to process data on its behalf, that entity is called a Data Processor.
Consider a simple example: when an individual registers on a website, providing their name, age, mobile number, email address, or any data through which they can be identified, that data is processed by the website owner or organisation for various reasons, including marketing goods or services, delivering products, understanding user behaviour, and more. This processing enables them to provide goods or services effectively. The website owner may process this data directly or delegate it to a third party, i.e., a Data Processor.
Why We Needed a Regulatory Reset
Before the notification of the DPDP Act, organisations could process data with very limited restraints under the Information Technology Act, 2000. The digital landscape was characterised by opaque and vague data practices, opaque not just for Data Principals but also for Data Fiduciaries themselves. It had become common practice to hoard data and track behaviour without accountability, with little to no internal or customer-facing policy explaining how Data Principals could check if their data was being processed or how it was being used. For instance, if you provided your mobile number to a website for order delivery, the website owner could use that number to advertise products or even share it with third parties without any legal implication.
The DPDP Act changes this fundamentally. It covers nearly every form of individuals’ online presence and obligates organisations to redesign their data-driven technology ecosystems. The Act provides guard rails for Data Fiduciaries and rights to Data Principals to safeguard against breaches or misuse. The consequences of non-compliance are significant: breaches can lead to penalties of up to INR 250 crore. This is not merely about punishment; it is about creating a system where accountability is built into every data transaction.
Building a New Framework
Organisations have traditionally functioned on a “collect more” and “store more” mindset, leading to silent hoarding and unmanaged flows of data. The Act transforms this approach entirely. It gives Data Principals control over why, how, what, and by whom their data is being processed. Equally important, it requires Data Fiduciaries to conduct a thorough inventory of the data they collect, understand the purpose of collection, establish timelines for retention, and obtain proper consent from Data Principals. This is not just about compliance; it is an opportunity for organisations to build digital trust by demonstrating their commitment to protecting personal data.
The Role of Consent
At the heart of this new framework is consent, but not consent as a mere formality. The Act requires consent to be free, specific, informed, unconditional and unambiguous, obtained through a clear affirmative action. For fresh data collection, Data Fiduciaries must provide notice that is understandable independently of any other information and gives in clear and plain language a fair account of the details necessary to enable the Data Principal to give specific and informed consent. This notice must include an itemised description of personal data and the specified purpose.
For data collected before the Act's provisions come into effect, Data Fiduciaries must give notice to Data Principals informing them of the personal data and purpose for which it has been processed, the manner in which they may exercise their rights, and the manner in which they may make a complaint to the Board. Data Fiduciaries may continue processing until the Data Principal withdraws consent.
To facilitate this consent management, the Act introduces Consent Managers: persons registered with the Board who act as a single point of contact to enable Data Principals to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. Consent Managers must be companies incorporated in India with sufficient technical, operational and financial capacity, and a net worth of not less than two crore rupees. Their obligations include enabling Data Principals to give consent, ensuring that personal data is shared in a manner such that its contents are not readable by the Consent Manager, maintaining records, and avoiding conflicts of interest with Data Fiduciaries. This creates an intermediary layer that empowers Data Principals while simplifying compliance for Data Fiduciaries.
The Compliance Roadmap
Achieving compliance requires organisations to fundamentally rethink their data practices. This transformation begins with clarity: organisations must identify all touchpoints where they receive data and understand what kind of data they collect. They must then determine which data qualifies as personal data under the Act. Next comes comprehensive documentation. Organisations must maintain logs detailing why personal data is being collected (the purpose), who is collecting it (including third parties), what personal data is being processed, for what duration it will be retained, and whether it is being sent to third parties for processing. This level of granularity may seem burdensome, but it is essential for creating accountable systems.
Security and Breach Management
The Act mandates that Data Fiduciaries implement appropriate technical and organisational measures and take reasonable security safeguards to prevent personal data breaches. When a breach occurs, Data Fiduciaries must intimate each affected Data Principal without delay, in a concise, clear and plain manner, describing the breach, its consequences, the mitigation measures taken, the safety measures the Data Principal may take, and contact information. To the Data Protection Board of India, Data Fiduciaries must intimate without delay a description of the breach, and within seventy-two hours provide detailed information including an updated description, the facts, circumstances and reasons, mitigation measures, findings regarding who caused the breach, and remedial measures.
Data Retention
The Act introduces discipline around data retention, moving away from indefinite storage. For certain classes of Data Fiduciaries, specific timelines apply. E-commerce entities and social media intermediaries with not less than two crore registered users must erase data three years from the date on which the Data Principal last approached the Data Fiduciary or from the commencement of the Rules, whichever is latest, with exceptions for enabling Data Principals to access user accounts or virtual tokens. Additionally, Data Fiduciaries must retain personal data, associated traffic data, and logs of processing for a minimum period of one year from the date of processing.
Empowering Data Principals
The Act is not just about imposing obligations on Data Fiduciaries; it fundamentally empowers Data Principals with the right to obtain a summary of the personal data being processed and the identities of all other Data Fiduciaries and Data Processors with whom their personal data has been shared. They have the right to correction, completion, updating and erasure of their personal data, and the right to readily available means of grievance redressal.
Special Considerations: Children, Significant Data Fiduciaries, and Cross-Border Transfers
The Act recognises that certain categories require enhanced protection. For children's personal data, Data Fiduciaries must obtain verifiable consent of the parent or lawful guardian, following detailed procedures prescribed in the Rules. For entities processing large volumes of sensitive data, the Act provides for designation as Significant Data Fiduciaries. The Government will notify who qualifies based on factors including volume and sensitivity of personal data processed, risk to rights of Data Principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order. Significant Data Fiduciaries face additional obligations including appointing a Data Protection Officer based in India, appointing an independent data auditor, and undertaking periodic Data Protection Impact Assessments. For processing of personal data outside India, the Act provides that the Central Government may restrict transfer of personal data to certain countries or territories by notification. Any transfer must meet requirements specified by the Central Government in respect of making personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.
The Path Forward: Building Digital Trust
Incorporating these changes in existing systems will require financial investment, employee training, structural changes in data flows, revised contracts with Data Processors, and the establishment of grievance mechanisms. This is not a simple plug-in change. The transformation will be costly and time-consuming. However, this realignment leads to clean data practices and fundamentally changes historical practices of data processing. Individuals’ data privacy is not just a legal obligation but a business imperative. Organisations that embrace this transformation early will not only avoid penalties but will position themselves as leaders in the trust-first digital landscape.
This update has been contributed by Udit Mendiratta (Partner) and Apeksha Singh (Associate).