DECODING THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – PART I: WHY INDIA NEEDED A DATA PROTECTION LAW IN THE FIRST PLACE?
Imagine your personal data being used in almost everything you do on a day-to-day basis. From ordering online through e-commerce websites and scrolling through social media to banking transactions on digital banking platforms, everything uses your personal data. Yet the only laws governing this digital economy were the Information Technology Act, 2000 and the Information Technology Rules, 2011 (SPDI Rules), and they were not sufficient for the evolving digital economy.
The year 2017 marked the most significant milestone, as the Hon’ble Supreme Court of India recognised privacy as a fundamental right under Article 21 of the Constitution of India in the popularly known ‘Justice K.S. Puttaswamy case’. Before this case, ‘Privacy’ was treated as a vague concept. After this case, the Court observed that in the age of the modern digital economy, the personal data of individuals was being processed without adequate regulation and directed the Government to frame a suitable law.
The Justice Srikrishna Committee submitted a detailed report along with the draft Personal Data Protection Bill in the year 2018. This report became the initial blueprint for India’s data protection framework. After multiple debates and revisions in Parliament, the Government released a revised draft called the Digital Personal Data Protection Bill for public consultation. In the year 2023, the Union Cabinet approved the Digital Personal Data Protection Bill, 2023, which subsequently received the President’s assent and officially became law. The Government later notified the Digital Personal Data Protection Rules, 2025.
Let us understand the fundamentals of the Act in simple words.
What is ‘Personal Data’?
Personal data means any data that can identify an individual directly or indirectly. This may include a name, phone number, email address, bank details, location data, Aadhaar number, biometric data, or even a device ID that can be linked to a specific user.
What is ‘Processing’?
Processing is a very broad concept. It includes any operation performed on data, such as collecting, storing, analysing, sharing, transferring, or deleting. Essentially, if a company handles personal data in any manner, it is considered processing.
When Does the Act Apply? (Key Areas)
1. Digital Personal Data Processing in India:
Handling and processing customer or employee data in digital form, such as through cloud storage, databases, and digitised documents.
2. Non-digital Data that Later Becomes Digital:
Any data that was collected and stored on paper but is later converted into digital form. For example, a hospital may collect patient data on paper and later store it digitally. Once digitised, the Act applies.
3. Child Data Processing:
Any processing involving the monitoring or tracking of children (individuals under 18 years of age).
4. Data Processing Outside India but Targeting Indians:
Even if a company is located outside India, the Act applies if it collects or processes the data of individuals in India while offering goods or services to them. Companies such as Netflix, Amazon, Google, and Meta must comply with the DPDP Act when dealing with Indian users.
Situations Where the Act Does NOT Apply
1. Personal or Domestic Use:
Data processed by individuals solely for personal, household, or domestic purposes without any commercial intent, such as saving your friend’s phone number. The law does not regulate such activity.
2. Publicly Available Personal Data:
If personal data is already publicly available, the law may not apply.
3. Research and Statistical Processing:
Certain activities such as academic research, archiving, or statistical analysis may be exempt if specific safeguards are followed.
4. Government Exemptions:
Data processed by the Government for purposes such as maintaining national security, public order, or fulfilling legal functions necessary for the sovereignty and integrity of the country may be exempt under certain circumstances.
In a world increasingly driven by digital transactions and data-driven technologies, protecting personal data has become a critical necessity rather than a choice. The Digital Personal Data Protection Act, 2023 is India's first data protection act, and it has established a framework for the processing of personal data in India. In the next part of this series, we will explore the core legal structure under the Act and understand the roles and responsibilities of key stakeholders.

