Understanding India's New Protection Law

By Kunal Yadav, Advocate | Amamri Lawyers, New Delhi

The Digital Personal Data Protection Act, 2023, provides for the protection and regulation of the personal data of individuals, serving the simultaneous purposes of protecting that data and permitting its processing by lawful means and for lawful purposes. It also addresses matters connected with or incidental to the processing of digital personal data.

Evolution of the Act

In the K.S. Puttaswamy judgment of 2017, the Hon’ble Supreme Court held that the ‘Right to Privacy’ shall be identified as a fundamental right of the citizens of India, which laid the stepping stone for legal protection of the data of individuals. To give effect to the Hon’ble Court’s precedent, the Central Government, in July 2017, formed a committee, chaired by Justice B.N. Srikrishna, to address data protection issues and to draft laws on the subject. In August 2023, the Central Government passed the DPDP Act and brought it into effect.

Applicability of the Act

Under Section 3, the Act applies to the processing of digital data, which may be collected by digital and non-digital means, within and outside the territory of India, with due prescription. The key stakeholders involved are:

  • Data Fiduciary: any person(s) that determine the purpose and means of personal data processing;
  • Data Principal: the individual to whom the personal data relates; where such individual is a child or a disabled person, the individual shall refer to the parent or legal guardian respectively;
  • Data Processor: any person who processes personal data on behalf of the Fiduciary;
  • Data Protection Officer: the individual appointed by the Fiduciary for the purpose of data protection.

Mandate of the Act

In principle, Chapter 2 of the Act mandates the consent of the Data Principal: every Data Fiduciary that wishes to collect or use such data, to its own or the Principal’s benefit, must make a request for consent before proceeding to obtain the data. The request must include the following:

  • the personal data and the purpose for which the same is proposed to be processed;
  • the manner in which an individual may exercise her rights in accordance with the Act;
  • the manner in which the Data Principal may make a complaint to the Data Protection Board of India in accordance with the subject Act.

Nature of Consent of the Mandate

Section 6 of the Act provides that the consent of the Data Principal shall be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and shall signify agreement to the conditional request made. The consent shall be such that the Principal may exercise their right to withdraw it of their own accord by way of a Consent Manager. The Fiduciary shall utilise the personal data of any individual in accordance with the legitimate means of use provided in the Act.

Rights and Duties of Data Principals

The Data Principal shall have the right:

  • to obtain any information in regard to their personal data, including its use, the information of the fiduciaries it is shared with, any related processing activities, etc.;
  • to correction, completion, updating and erasure of their personal data for the processing of which they have previously given consent;
  • to have readily available means of grievance redressal provided by the Fiduciary or Consent Manager in respect of any act or omission of such Fiduciary or Consent Manager;
  • to nominate any other individual who shall, in the event of death or incapacity of the Principal, exercise their rights in accordance with the Act.

However, the Data Principal is expected to comply with the duties provided in the Act, namely:

  • compliance with the provisions of the Act;
  • prevention of impersonation of any other individual in providing personal data;
  • prevention of concealment of any material fact in providing personal data;
  • providing verifiable and authentic information.

Obligations of Data Fiduciaries

  • to comply with, and be responsible for compliance of the use of the Principal’s data with, the provisions of this Act;
  • may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract;
  • ensure the completeness, accuracy and consistency of data and data processing of the Principal;
  • protect personal data in its possession or under its control, including in respect of any processing undertaken;
  • in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach;
  • may erase the personal data upon withdrawal of consent of the Principal and once it is assumed that the data may no longer serve further purpose.

Data Protection Board of India

The Data Protection Board of India (hereinafter referred to as the ‘Board’) is mandated to resolve disputes in which a breach of the Principal’s personal data has occurred, which may also be in observance by any Data Fiduciary or Consent Manager, or any other related dispute as covered in the Act. The directions of the Board, issued in compliance with the procedures the Act prescribes for the Board, shall be binding on such person.

Any appeal against a decision of the Board shall be made to the appellate tribunal within a period of sixty days from the date of receipt of the order or direction appealed against, subject to the provisions of the Act.

Penalties

While determining the amount of monetary penalty to be imposed, the Board shall have regard to the following matters:

  • the nature, gravity and duration of the breach;
  • the type and nature of the personal data affected by the breach;
  • the repetitive nature of the breach;
  • whether the person, as a result of the breach, has realized a gain or avoided any loss;
  • whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
  • whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
  • the likely impact of the imposition of the monetary penalty on the person.

The penalties that may be imposed by the Board under this Act vary between a sum of ten thousand rupees and two hundred fifty crores, as provided in Schedule 1 of the DPDP Act, 2023.
