 18 November 2022: The Ministry of Electronics and Information

Technology released the Digital Personal Data Protection Bill, 2022 for
public consultation.[4][5]
 5 July 2023: The cabinet approved the Digital Personal Data Protection
Bill, 2023 which was the revised version of the 2022 bill.[6]
 3 August 2023: Digital Personal Data Protection Bill, 2023 was introduced
in Lok Sabha, the lower house of the Parliament of India.[7]
 7 August 2023: Digital Personal Data Protection Bill, 2023 was passed
by Lok Sabha.[8]
 9 August 2023: Digital Personal Data Protection Bill, 2023 was introduced
and passed by Rajya Sabha, the upper house of the Parliament of India.[9]
 11 August 2023: President of India gave assent to the Digital Personal Data
Protection Bill, 2023 which made it the Digital Personal Data Protection
Act, 2023.[10][11]

Introduction to the Digital Personal Data Protection Act

Good morning, everyone. Today, I will be introducing the Digital Personal Data
Protection Act (DPDPA), 2023, a significant step in safeguarding personal data in the
digital landscape of India. With increasing reliance on digital platforms, protecting
personal data has become not only a necessity but a constitutional imperative to
balance individual rights and technological growth.
Historical Background
The path to the DPDPA began in 2012, when concerns about privacy and data
breaches were rising due to the rapid growth of internet usage. The need for a
comprehensive law was sparked by the Justice A.P. Shah Committee Report (2012),
which first introduced the concept of a privacy framework. The absence of robust
legal protections became more evident as data breaches and unauthorized data sharing
increased.
A major breakthrough occurred in 2017, with the landmark Supreme Court judgment
in the Puttaswamy v. Union of India case. The Court ruled that privacy is a
fundamental right under Article 21 of the Constitution, which guarantees the right
to life and personal liberty. This judgment created a direct constitutional need for the
government to legislate on data privacy.
Subsequently, the government set up the Justice B.N. Srikrishna Committee to draft
data protection legislation. The Committee submitted its report in 2018, leading to
multiple iterations of the bill. The final version, the Digital Personal Data Protection
Act, 2023, was passed by the Parliament in August 2023.
Constitutional Needs
The constitutional foundation for the DPDPA is deeply rooted in the right to privacy
under Article 21, as interpreted in the Puttaswamy case. The judgment emphasized
the need for safeguarding personal data from both state and non-state actors. It
recognized that in the digital age, individuals have a right to control their personal
information.
Moreover, the Act addresses concerns about balancing Fundamental Rights under
Part III of the Constitution, including freedom of speech and expression (Article
19) and the right to trade or practice any profession (Article 19(1)(g)). While ensuring
personal data protection, the DPDPA also provides for necessary restrictions in areas
like national security and public interest, consistent with Article 19(2), which allows
for reasonable restrictions on freedom of expression.
Key Provisions of the DPDPA
1. Personal Data and Consent: The Act defines personal data and emphasizes
the importance of obtaining consent from data principals before collecting or
processing their data. This is in line with the "informed consent" principle.
2. Data Fiduciaries: The Act introduces the concept of Data Fiduciaries, entities
that collect, store, and process data. They are held accountable for ensuring that
data is used lawfully and for the intended purpose.
 3. Data Protection Board: The Act establishes a Data Protection Board to
address grievances related to violations of the law.
4. Cross-border Data Transfers: It allows cross-border transfers of personal
data, subject to restrictions, but places emphasis on countries that offer
adequate data protection standards.
5. Exemptions for Government: Certain exemptions are provided to the
government for processing data in the interest of national security and public
order, but this has raised concerns about the potential for surveillance.
Landmark Cases Shaping the Law
1. Puttaswamy v. Union of India (2017): As mentioned earlier, this case is the
foundation of the right to privacy and forms the basis for data protection laws.
The Supreme Court's recognition of privacy as a fundamental right forced the
government to act swiftly in framing a legal structure to protect personal data.
2. K.S. Puttaswamy v. Union of India (Aadhaar Case): This case dealt with the
constitutionality of the Aadhaar Act. Though Aadhaar was upheld for its
benefits in welfare distribution, the Court imposed restrictions on private
companies accessing Aadhaar data, emphasizing the need for data protection
laws like the DPDPA.
3. Google LLC v. Competition Commission of India (2022): In this case, issues
related to data monopolies and the use of personal data by large tech companies
came to the forefront. It underscored the need for legislation to prevent misuse
of personal data and ensure fair competition.
Challenges and Criticisms
While the Digital Personal Data Protection Act, 2023 is a progressive law, it has its
share of challenges and criticisms. The primary concern is the broad exemptions
granted to the government, which critics argue could lead to state surveillance.
Moreover, the law places a significant compliance burden on small businesses,
raising concerns about its potential impact on innovation and startups.
Another criticism is the lack of a data localization requirement, which some argue
weakens India's data sovereignty. However, the law has been praised for its attempt to
balance individual privacy rights with the demands of a digital economy.
Conclusion
In conclusion, the Digital Personal Data Protection Act, 2023 is a landmark step in
the evolution of privacy laws in India. It is a direct response to the constitutional
mandate laid out in the Puttaswamy judgment and reflects the growing awareness of
personal data protection in the digital age. As India continues to grow as a digital
economy, the DPDPA provides the necessary legal framework to protect personal data
while fostering innovation and global cooperation.

The Digital Personal Data Protection Act, 2023 (DPDPA) and the European
Union's General Data Protection Regulation (GDPR) share similar principles but
differ in key aspects. The DPDPA-2023 applies only to digital personal data, while
GDPR covers all forms of personal data. [36] Unlike GDPR, DPDPA-2023 does not
distinguish between personal and sensitive personal data. [37] Both laws grant similar
rights to individuals but differ in their approach to legal bases for data processing.[36]

Rights and provisions

[edit]
 Right to access personal data[43][44]
 Right to correction and erasure of data[43][44]
 Right to revoke consent[43][44]
 Special provisions for the protection of data related minors (under 18 children)
[43][44]

 Minimum penalty for breach is 50 crore INR[43][44]

 The terms and conditions and information related to collection of data should
be made available in all the 22 languages in the 8th schedule of the Indian
constitution[43][44]
 Right to grievance redressal[43][44]
 Right to nominate a consent manager to manage their data related requests on
behalf of a data principal (The right to nominate a person to exercise rights in
case of death or incapacity)[43][44]
 The Act does not permit processing which is detrimental to well-being of
children or involves their tracking, behavioral monitoring or targeted
advertising[43][44]