What Is the DPDP Act 2023 and Who Does It Apply To?

The Digital Personal Data Protection Act, 2023 (DPDP Act, also written DPDPA) is India's first comprehensive data protection law. It governs how organisations collect, store, use, and share digital personal data. It applies across India and to foreign businesses serving Indian users, and it is enforced by the Data Protection Board of India.

~16 min read | Last updated: June 2026

What Is the DPDP Act 2023?

Section 1 of the DPDP Act 2023

India's first comprehensive data protection law — the Digital Personal Data Protection Act, 2023 — creates a legal framework for how organisations collect, store, and use people's personal data in digital form.

The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is India's dedicated law for protecting personal data in the digital age. It received Presidential assent on 11 August 2023. The Act extends to the whole of India and establishes, for the first time, a complete set of rights for individuals whose data is being processed, along with corresponding obligations for the organisations that process it.

The Act is built on two balancing principles: the right of individuals to protect their personal data, and the need for organisations to process personal data for lawful purposes. It does not ban data processing — it creates rules for doing it responsibly. Think of it as the rulebook that every company handling Indian personal data must now follow.

The Act is organised into 44 sections spread across 9 chapters, plus 1 Schedule. It covers everything from how consent must be obtained, to what happens when there is a data breach, to the penalties for non-compliance. It also establishes a new regulator — the Data Protection Board of India — to enforce the law and adjudicate complaints.

Importantly, the Act does not come into force all at once. Different provisions are appointed to take effect on different dates, spread across a phased timeline running from November 2025 through May 2027. This gives organisations time to prepare, but also means compliance obligations are already live for some provisions.

Key Points

  • Full name: Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) — Presidential assent on 11 August 2023
  • Applies to the whole of India and covers all digital personal data
  • Balances individual data protection rights with lawful processing needs
  • 44 sections across 9 chapters + 1 Schedule — enforced in phases, not all at once

Who Does the DPDP Act Apply To?

Section 1 and Section 3 of the DPDP Act 2023

The Act applies to any organisation processing digital personal data within India — and also to organisations outside India if they offer goods or services to people in India. However, it does not cover purely personal use or data someone has already made public themselves.

The DPDP Act has a broad reach. It applies to the processing of digital personal data that is either collected in digital form (for example, data entered on a website or app) or collected in non-digital form and later digitised (for example, a paper form that is scanned and stored electronically). If your organisation handles personal data in any digital format within India, the Act applies to you.

The Act also reaches beyond India's borders. If an organisation located outside India processes personal data in connection with offering goods or services to individuals within India, the Act applies to that organisation too. For example, if a company based in Singapore runs an e-commerce platform that sells to Indian customers and collects their personal data, that company falls under the DPDP Act — even though it has no physical presence in India.

There are two important exemptions. First, the Act does not apply when an individual processes personal data for a purely personal or domestic purpose. If you maintain a personal contact list on your phone for your own use, the Act does not regulate that. Second, the Act does not apply to personal data that a person has voluntarily made publicly available, or that someone else was required by law to make public.

The Act provides a clear illustration of the second exemption: if a person writes a blog sharing their views and makes their personal data publicly available on social media, the Act does not apply to that publicly available data. This exemption recognises that data deliberately put into the public domain carries different expectations of privacy.

Key Points

  • Covers all digital personal data processed within India — whether collected digitally or digitised from paper records
  • Extraterritorial reach: applies to organisations outside India that offer goods or services to people in India
  • Exempt: personal data processed by an individual for personal or domestic purposes
  • Exempt: personal data the individual has voluntarily made public, or data required by law to be made public

How the DPDP Act Relates to Other Indian Laws

Sections 35, 36, 38, 39, and 43 of the DPDP Act 2023; Rule 23 of the DPDP Rules 2025

The DPDP Act operates alongside existing laws but prevails over them where there is a conflict. Civil courts have no jurisdiction over matters the Board handles, and the government retains broad powers to call for information and remove implementation difficulties.

Section 38 establishes the supremacy clause. The DPDP Act is "in addition to" other laws — meaning it does not replace existing legislation. However, if there is a conflict between the DPDP Act and any other law in force, the DPDP Act prevails. This is a critical provision for compliance planning. Wherever another law sets a lower standard for data protection, the DPDP Act's higher standard applies.

Section 39 removes civil court jurisdiction for any matter that the Data Protection Board is empowered to determine. No civil court can entertain any suit or proceeding in respect of any matter that the Board has jurisdiction over. This channels all data protection disputes through the Board → TDSAT → Supreme Court pathway and prevents parallel litigation in civil courts.

Section 35 provides good faith protection for the Central Government, the Board, the Chairperson, Members, officers, and employees. No suit or legal proceeding can be brought against them for anything done in good faith under the Act. This protects regulators from personal liability when they exercise their powers reasonably.

Section 36 gives the Central Government the power to call for information from the Board, Data Fiduciaries, and intermediaries. Rule 23 specifies the purposes for which the government may exercise this power: matters relating to sovereignty or security, performing functions under any law, and assessing whether Data Fiduciaries should be designated as Significant Data Fiduciaries. Rule 23 also includes a secrecy provision: if the government determines that disclosing the fact of the information request would prejudice sovereignty or security, the Data Fiduciary must not reveal the request to anyone without the government's permission.

Section 43 gives the Central Government a power to remove difficulties in implementing the Act, exercisable within three years of the Act's commencement. This is a standard Indian legislative provision that allows the government to issue orders resolving ambiguities or practical obstacles that arise during the initial implementation period.

Section 40 grants rulemaking power across 26 different matters specified in the Act. Section 41 requires that all rules and notifications made under the Act be laid before Parliament for 30 days, during which Parliament may modify or annul them. This provides democratic oversight of the delegated legislation.

Key Points

  • The DPDP Act prevails over other laws where there is a conflict (Section 38 supremacy clause).
  • Civil courts have no jurisdiction over matters the Board is empowered to handle.
  • Good faith protection for government and Board officials acting under the Act.
  • The Central Government can call for information from Data Fiduciaries — including under secrecy obligations where sovereignty or security is involved.
  • Government has a 3-year window to remove implementation difficulties by order.
  • Rules and notifications must be laid before Parliament for 30 days for democratic oversight.

What Changed in Other Laws (IT Act, RTI Act)

Section 44 of the DPDP Act 2023

The DPDP Act makes three consequential changes to existing laws: it gives TDSAT jurisdiction over data protection appeals, it deletes the IT Act provisions that previously governed data protection, and it simplifies the RTI Act's personal information exemption.

Section 44 amends three existing laws to align them with the new data protection framework. These are not minor housekeeping changes — they fundamentally shift where data protection law lives in the Indian legal system.

First, the TRAI Act 1997 is amended to give the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) jurisdiction over appeals from the Data Protection Board. TDSAT already handles telecom-related disputes and has established procedures for complex technical matters. By routing DPDP appeals through TDSAT, the Act reuses an existing institution rather than creating a new appellate body.

Second — and this is the most significant change — the Information Technology Act 2000 is amended in two critical ways. Section 43A of the IT Act, which required bodies corporate to pay compensation for negligent handling of sensitive personal data, is omitted entirely. Additionally, Section 87(2)(ob) of the IT Act, which gave the government power to make rules regarding sensitive personal data or information (the basis for the SPDI Rules 2011), is also omitted. These deletions mean that the DPDP Act is now the sole, comprehensive law governing personal data protection in India. The IT Act's previous data protection provisions — and the rules made under them — no longer have statutory backing.

Third, the Right to Information Act 2005 is amended. Section 8(1)(j) of the RTI Act, which previously provided a complex exemption for personal information held by public authorities, is simplified. The previous version required a balancing test between the right to information and the individual's right to privacy. The amended version replaces that test with a simpler exemption aligned with the DPDP Act's framework.

For organisations that previously relied on the IT Act's Section 43A or the SPDI Rules for their data protection compliance framework, this change is decisive. Those provisions are gone. Compliance now means compliance with the DPDP Act and Rules.

Key Points

  • TDSAT (Telecom Disputes Settlement and Appellate Tribunal) now has jurisdiction over DPDP Act appeals.
  • IT Act Section 43A (body corporate compensation for data negligence) is omitted — no longer in force.
  • IT Act Section 87(2)(ob) (power to make SPDI Rules) is omitted — the SPDI Rules 2011 lose their statutory basis.
  • The DPDP Act is now the sole comprehensive data protection law in India, replacing the IT Act's data protection provisions.
  • RTI Act Section 8(1)(j) (personal information exemption) is simplified to align with the new framework.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.