The Digital Personal Data Protection Act (DPDPA) 2023 is India's first comprehensive data protection law. It establishes a framework for processing digital personal data, recognizing individuals' right to protect their data, and setting obligations on entities that collect and process such data.
Consent-based processing of personal data with explicit notice requirements
Data fiduciary obligations including purpose limitation and data minimization
Significant data fiduciaries designated based on volume and sensitivity of data processed
Cross-border data transfer allowed to notified jurisdictions without data localization requirement
Data Protection Board of India established for enforcement and adjudication
Penalties up to ₹250 Cr for non-compliance with data breach notification obligations
Rights including access, correction, erasure, and grievance redressal for data principals
Supreme Court declares Right to Privacy a fundamental right in Puttaswamy judgment.
Justice Srikrishna Committee submits first draft Data Protection Bill.
Personal Data Protection Bill 2019 introduced in Parliament.
Digital Personal Data Protection Act 2023 passed and receives Presidential assent.
Draft DPDP Rules released for public consultation.
Expected enforcement with Data Protection Board operational.
Covered Entities
All data fiduciaries
Max Penalty
₹250 Cr per breach
Compliance Timeline
12 months post enforcement
Data Principal Rights
7 rights
Exemptions
Govt notified
| Country | Status | Notes |
|---|---|---|
| EU | GDPR | Extra-territorial application, DPO requirement, 4% global turnover fines |
| USA | Sectoral (CCPA etc.) | State-level laws; no comprehensive federal privacy law |
| China | PIPL Active (2021) | Strict data localization, cross-border transfer security assessment |
| Brazil | LGPD Active | Modeled after GDPR, 2% revenue penalty, DPO required |