INTRODUCTION
In this growing digital world, your data is equal to your currency. But the question here arises: do you even own it? Every time you click on “I Agree” while surfing any website, do you have the knowledge that your data is being tracked? Whatever you do online, whether using social media, engaging in online transactions, shopping, or any other activity, all these leave a digital footprint that is being collected by various unknown sources. With these rising concerns about data privacy infringement, India has introduced a long-awaited and much-needed legislation through the Digital Personal Data Protection Act, 2023 (DPDP). The act is expected to be enforced and implemented in 2025. This act aims to provide new rights to users and focuses on stricter obligations, creating a defining moment for how India conducts activities on digital platforms and specifying how such platforms will use the information of internet users.
WHAT IS THE DPDP ACT?
The digital personal data protection act or DPDP act passed in August 2023 is Indian legislation that balances individuals right to secure their data against the need to process such data for authorized purposes the app establishes requirement on data fiduciaries who process data and define the rights and responsibilities of data principles the people to whom data belongs it also imposes financial penalties for violations.
The DPDP is the follow-up to India’s Personal Data Protection Bill PDPB 2022, the country’s most recent attempt to enact comprehensive data privacy legislation. The bill was one of several pieces of legislation, including the national IT governance framework policy and the new Digital India Act.
The act is focused on the processing of digital data, which also includes personal data collected within the territory of India and later on digitized, including such data outside India as well.
The act was passed by Parliament in August 2023 and received presidential assent on August 11, 2023. While the law is already in place, it is expected to be enforced in stages, starting in 2025, once the central government issues formal notification and operational rules.
This Legislation is crucial as it marks an inflection point, as, at the outset, digital platforms in India would be seeking clear consent from users, authorize you to access or remove your data, and would lead to strict penalties for misusing it.
RIGHTS AND PENALTIES UNDER THE DPDP ACT
The Digital Personal Data Protection Act,2023, provides not just a platform for grievances but also empowers internet userswith a set of enforceable rights over their personal data. The rights that an internet user can legally expect as a digital citizen in India through the DPDP Act are as follows:
1. RIGHT TO ACESS INFORMATION – Individuals will have the right to know more about how personal data is handled, and the data fiduciary will provide this information in an easy-to-understand manner.
2. RIGHT TO CORRECTION AND ERASURE – In case where any data is incorrect, outdated, incomplete, or needs any kind of modification, one can request it to be corrected. It also includes a request for data to be deleted altogether when it’s no longer needed or consent is withdrawn, leading to the clearance of the digital footprint.
3. RIGHT TO GRIEVANCE REDRESSAL – Individuals have a right to Grievance redressal. Any app or business that handles your data must give you a way to complain, usually through a grievance officer. One can bring up the matter directly with them if your data is being misused or if your request is being disregarded. An individual can also take the issue to the Data Protection Board of India, which will serve as the official body to uphold their rights and hold platforms responsible if they don’t react appropriately.
4. RIGHT TO NOMINATE – If a person passes away or becomes incapacitated, they can designate a family member or other trusted people to manage their data rights in their place. This ensures that your digital privacy doesn’t disappear with you in the event of mental incapacity or death.
PENALTIES AND EXCLUSIONS
Another important feature of the DPDP Act is the penalty clause. Noncompliance with the requirements by data fiduciaries can result in penalties of up to INR250 crore.Some of these include Breach of duty by the data principal up to INR10,000. Failure to notify the data protection board and the affected data principals in the event of a personal data breach is up to INR200 crore. Breach of additional obligations relating to children, up to INR200 crore.
The act excludes non-automated personal data, offline personal data, and personal data that has been in existence for at least 100 years. The maximum penalty of INR500 crore has been eliminated. Currently, no facility for grievance redressal review is included. The 72-hour time limit for reporting a data breach to authorities is exempt.
DRAFT DPDP RULES SPARK INDUSTRY CONCERNS- RECENT DEVELOPMENT
The Ministry of Electronics and Information Technology (MeitY) released the draft of the DPDP rules 2025 in January 2025, which seeks to implement the DPDP Act. Issues have arisen regarding this, as industrial stakeholders are concerned about these potential regulations. Significantly, Rule 22 hasdrawn attention for potentially granting the central government extensive authority to obtain personal information from businesses, which has sparked concernsabout unrestricted monitoring and data privacy violations.
Concerns have also been raised about the draft guideline’s return of data localization requirements. Trade groups contended that these regulations could impede the unrestricted movement of data across national boundaries, which runs counter to the DPDP acts more liberal approach to transferring data.
These developments have accentuated an ongoing debate between making sure of national security and defending individual data privacy rights. The final rule is still awaited, which will provide clarity on how these provisions will be implemented and enforced.
WHAT THE DPDP ACT LACKS
The DPDP Act 2023 is an essential step towards the protection of data privacy in India, but it does not come without its shortcomings. There are a lot of concerns regarding the act, but the power it provides to the government, which includes eliminating its agencies from the law in the name of national security, with little transparency or oversight. It also lacks specific safeguards for children’s data and does not provide enough gate to the data protection board, which feels more like a formality than a watchdog. In real-world scenarios, users’ rights are limited, such as knowing how their data is used or saying “no” effectively. In sum, it sparks a discourse about privacy but leaves us wanting far more clarity, accountability, and actual control.
CONCLUSION
The DPDP Act 2023 made a huge step towards putting the person at the center of the data protection discourse. It empowers consumers like never before by promising consent-based data usage, the right to access data and amend personal information, and sanctions for data misuse. However, while the tagline Your data, Your Rules seems empowering, that throwing back will be determined by how the law is implemented and if institutional accountability.
In 2025, as more of our lives become digital, this law serves as a reminder that privacy is a right, not a privilege. Now, it is up to all of us users, businesses, and the government to ensure that those standards are not only written but also obeyed.