Digital Personal Data Protection Act, 2024 (DPDP Act)

The Digital Personal Data Protection Act, 2024 (DPDP Act) is a landmark law aimed at safeguarding personal data in India’s rapidly growing digital economy. It strengthens user privacy and regulates Big Tech while maintaining a balance between data protection and innovation. The Act builds on the Digital Personal Data Protection Act, 2023, and the Draft Digital Personal Data Protection Rules, 2025, which provide an implementation framework.

Background & Need for the Act

  • Rise of Digital Economy – India has over 800 million internet users, making personal data protection crucial.
  • Big Tech Concerns – Companies like Google, Facebook, and Amazon collect vast amounts of user data. Without regulation, this can lead to privacy violations and misuse of personal data.
  • Past Efforts – The first draft of the Personal Data Protection Bill (PDP Bill) was introduced in 2019, but it was withdrawn in 2022 due to concerns over its stringent rules and their impact on businesses.
  • Global Trends – The EU’s General Data Protection Regulation (GDPR) is a benchmark for data protection worldwide. India’s DPDP Act is inspired by GDPR but tailored to India’s needs.

Key Features of DPDP Act, 2024

  1. Empowering Citizens (Data Principals)
    • Data Principal – The individual whose personal data is being collected (e.g., a user of a social media platform).
    • Citizens have the right to control their data, including:
      • Right to Information – Know how and why their data is being used.
      • Right to Correction & Erasure – Request correction or deletion of data.
      • Right to Grievance Redressal – File complaints in case of data misuse.
      • Right to Nominate – Appoint someone to manage data in case of death or incapacity.
  2. Regulating Data Fiduciaries (Companies & Govt. Bodies)
    • Data Fiduciary – Any entity (company, govt. body, organization) that collects and processes personal data.
    • Key obligations of Data Fiduciaries:
      • Obtain Informed Consent before collecting data.
      • Provide Clear Privacy Notices explaining how data is processed.
      • Ensure Data Security to prevent breaches.
      • Notify Users & Authorities in case of a data breach.
    • Significant Data Fiduciaries (SDFs) – Large companies with vast data must follow higher compliance requirements, such as:
      • Annual Data Protection Impact Assessments
      • Appointment of a Data Protection Officer
  3. Digital-First Approach
    • "Born Digital" Governance – The Data Protection Board (DPB) will handle grievances digitally, allowing users to file complaints online without visiting an office physically.
    • Faster Resolutions – AI-driven systems will help process complaints efficiently.
  4. Child Data Protection
    • Parental Consent Required – Companies cannot collect data of children (below 18 years) without explicit parental consent.
    • No Targeted Ads or Behavioral Monitoring – Businesses cannot track children’s online behavior for advertising purposes.
  5. Cybersecurity & Data Breach Notification
    • Mandatory Security Measures – Companies must implement "reasonable security safeguards" to prevent cyberattacks and data leaks.
    • Breach Notification – If a data breach occurs, companies must inform users and the Data Protection Board immediately.
  6. Financial Penalties for Violations
    • Strict penalties for companies failing to protect user data.
    • Fines range from ₹50 crore to ₹250 crore, depending on:
      • Severity of the violation
      • Whether the company made efforts to reduce harm
  7. Lower Compliance Burden for Small Businesses
    • Startups & MSMEs (Micro, Small & Medium Enterprises) have less strict regulations than large tech companies.
    • Helps encourage innovation while still protecting user privacy.

Digital Personal Data Protection Rules, 2025 (Implementation Framework)

  • The Draft Digital Personal Data Protection Rules, 2025, provide guidelines for implementation:
    • How companies should inform users about data collection
    • Registration & obligations of Consent Managers
    • Setting up & functioning of the Data Protection Board
    • Rules for government data processing for subsidies & benefits

Public Consultation – The government is inviting public feedback until February 18, 2025.

Comparison: DPDP Act vs. EU’s GDPR

| Feature | DPDP Act, 2024 (India) | GDPR (EU) |
|---|---|---|
| Scope | Focuses on Indian citizens & businesses handling Indian data | Applies to all companies processing EU citizen data, even outside the EU |
| Consent | Simplified consent model | Detailed consent requirements |
| Compliance Burden | Lower for startups & small businesses | High compliance requirements for all |
| Data Localization | No strict data localization requirements | Requires some personal data to be stored in the EU |
| Penalties | Up to ₹250 Crore | Up to 4% of global turnover |
| Rights of Users | Right to access, correct, erase, and nominate | Right to be forgotten, data portability, and access |

Importance of DPDP Act for India

  • Strengthens Privacy – Protects citizens’ personal data from misuse & surveillance.
  • Regulates Big Tech – Ensures accountability of large tech firms (Google, Meta, Amazon).
  • Encourages Innovation – Balances data protection with economic growth.
  • Aligns with Global Standards – Brings India closer to GDPR-like regulations.
  • Digital-First Approach – Reduces bureaucratic delays and encourages paperless governance.

Challenges & Criticism

  • Exemptions for Government – The Act allows government agencies to bypass some data protection rules for national security & public order, raising concerns about potential misuse.
  • No Right to Be Forgotten – Unlike GDPR, this Act does not provide users the right to demand permanent deletion of their data from all platforms.
  • Limited Scope for Non-Personal Data – The Act mainly focuses on personal data and does not regulate anonymized (non-personal) data, which can still be misused.

Way Forward

  • Strengthen Oversight on Government Data Processing to prevent misuse.
  • Introduce the "Right to Be Forgotten" to allow permanent deletion of personal data.
  • Clarify Rules for Cross-Border Data Transfers to protect user data while allowing international business.

The Digital Personal Data Protection Act, 2024 is a game-changer for India’s digital governance & privacy protection. While it empowers users and regulates tech giants, challenges remain in government exemptions and enforcement. With public feedback & refinements, India can create a world-class data protection framework balancing privacy, innovation, and national security.

Additional Aspects of the DPDP Act, 2024

Concept of "Legitimate Uses" (Processing Data Without Consent)

While consent is a key principle, the Act also allows data processing without user consent in certain cases, known as “Legitimate Uses”. This includes:

  • State Welfare Programs – The government can process data for subsidies, benefits, and public services without requiring individual consent.
  • Employment-Related Purposes – Employers can collect necessary employee data for payroll, benefits, and workplace security.
  • Public Interest & Research – Academic and research institutions can process anonymized data for scientific research and analytics.
  • Legal & Regulatory Compliance – Businesses can store and use data as required by law, such as maintaining tax records.

Why it matters: This ensures seamless public service delivery and avoids bureaucratic hurdles while maintaining privacy safeguards.

Data Localization: No Blanket Ban on Cross-Border Data Transfers

Unlike earlier drafts that mandated data localization (storing Indian data only within India), the DPDP Act, 2024 allows cross-border data transfer with some restrictions:

  • The government will notify "trusted countries" where Indian personal data can be transferred.
  • This balances global business needs while ensuring data security.

Why it matters:

  • This removes hurdles for international companies operating in India.
  • Avoids costly data storage requirements for Indian startups.
  • Still ensures sensitive data is not sent to high-risk countries.

Special Category of Data Fiduciaries – Significant Data Fiduciaries (SDFs)

Large corporations (e.g., Meta, Google, Amazon) and entities handling vast amounts of user data fall under this category.

SDFs have additional obligations:

  • Appointing a Data Protection Officer (DPO) to oversee compliance.
  • Conducting annual data protection audits.
  • Performing Data Protection Impact Assessments (DPIA) to evaluate risks.
  • Reporting large-scale breaches directly to the Data Protection Board.

Why it matters:

Ensures Big Tech & large corporations are held accountable for data protection.

"Consent Managers" – New Role in Data Ecosystem

  • A Consent Manager is a government-registered entity that helps users manage their data permissions across multiple platforms.
  • Users can give, modify, or withdraw consent through a single dashboard instead of managing it separately for every app/website.
  • Consent Managers must be independent & neutral, ensuring user rights are protected.

Why it matters: This simplifies digital privacy for citizens, preventing forced consent & data exploitation by Big Tech.

Data Principal’s Duties – Citizen Responsibilities

Apart from rights, users (Data Principals) also have certain duties:

  • Provide accurate and truthful data when signing up for services.
  • Avoid filing frivolous complaints about data privacy violations.
  • Do not misuse rights to harass Data Fiduciaries (e.g., unnecessary deletion requests).

Why it matters: Encourages responsible digital behavior, preventing misuse of privacy laws for personal or commercial gain.

Data Protection Board (DPB) – Fast-Track Dispute Resolution

A new regulatory authority that:

  • Adjudicates complaints about data breaches & misuse.
  • Can levy fines & issue orders to companies violating the Act.
  • Functions digitally – complaints can be filed online.
  • Encourages voluntary undertakings – if companies acknowledge their mistakes and fix them, strict penalties may be avoided.

Why it matters: Ensures quick, tech-driven grievance redressal, reducing the burden on courts.

Sector-Specific Rules – Adaptability to Different Industries

Unlike one-size-fits-all policies, the DPDP Act allows sector-specific rules.

  • Example: Health & FinTech companies may have stricter data protection norms than e-commerce.
  • The government can issue sector-specific data regulations over time.

Why it matters: Provides flexibility while ensuring sensitive sectors (like healthcare, finance) get extra protection.

Global Context – How It Compares to China & US Models

| Feature | India (DPDP Act) | EU (GDPR) | USA | China (PIPL) |
|---|---|---|---|---|
| Data Consent | Required for most cases | Strict opt-in required | No unified law, state-based | Very strict, high penalties |
| Cross-Border Data Flow | Allowed with restrictions | Allowed with safeguards | Mostly unrestricted | Strict restrictions |
| Government Exemptions | Yes, for security & welfare | Limited | Broad govt. access | Strong govt. access to data |
| Penalties | ₹250 Cr max | 4% of global turnover | Low fines | Severe, including criminal charges |

Why it matters: India’s approach is a middle ground between strict EU privacy laws & flexible US laws.