DPDP Act
1 min
India’s Digital Personal Data Protection Act 2023 creates the country’s first comprehensive data protection framework. It establishes rights for ‘data principals’ including informed consent, access to information, correction and erasure, and grievance redress. ‘Data fiduciaries’ (similar to controllers) must process personal data lawfully, implement security safeguards, and fulfill data principal requests. The Act creates a Data Protection Board to adjudicate complaints and impose penalties up to ₹250 crore (~$30M). However, Section 17 gives the central government sweeping exemption powers for state security, sovereignty, public order, and other specified purposes. This means the strong protections can be bypassed for government activities. Cross-border transfer is permitted to countries not blacklisted by the government. The interaction between DPDP and the IT Act’s surveillance powers creates a regime where individual protections coexist with extensive government access.