"The DPDP Act marks the end of an era of unfettered data harvesting. It mandates a paradigm shift from passive privacy policies to proactive, demonstrable, and architecture-deep data governance."
The Dawn of Data Fiduciary Accountability
Following years of legislative deliberation and the foundational mandate established in 'K.S. Puttaswamy v. Union of India (2017) 10 SCC 1' (Right to Privacy), the Digital Personal Data Protection (DPDP) Act, 2023, is now the bedrock of digital regulation in India. The Act pivots away from the complex classification of 'sensitive' personal data found in the earlier GDPR-inspired drafts, adopting a more streamlined, albeit rigorous, approach applicable to all digital personal data.
At the epicenter of the Act is the 'Data Fiduciary'—any person or entity determining the purpose and means of processing personal data. The Act places the ultimate burden of compliance, including the actions of third-party Data Processors, squarely on the Fiduciary.
The Notice and Consent Paradigm (Sections 5 & 6)
Sections 5 and 6 of the DPDP Act overhaul the mechanics of user consent. Gone are the days of pre-ticked boxes and monolithic privacy policies hidden in legalese. Consent must now be free, specific, informed, unconditional and unambiguous, signalled by a clear affirmative action on the part of the user.
Crucially, the Act introduces the prerequisite of an itemized 'Notice'. Before requesting consent, Data Fiduciaries must provide a clear notice detailing the specific data to be collected and the exact purpose of processing. Furthermore, this notice must be available in English and all 22 languages specified in the Eighth Schedule of the Constitution. Corporations must re-engineer their user interfaces (UI/UX) to capture consent granularly and provide an accessible mechanism for consent withdrawal.
Significant Data Fiduciaries (SDF) and Board Oversight
Section 10 of the Act grants the Central Government the authority to designate certain entities as Significant Data Fiduciaries (SDFs) based on data volume, risk to electoral democracy, public order, and state security. SDFs bear an enhanced compliance burden.
Obligations for SDFs include the mandatory appointment of an India-based Data Protection Officer (DPO) who reports directly to the Board of Directors, the appointment of an Independent Data Auditor, and the execution of periodic Data Protection Impact Assessments (DPIAs). For large tech conglomerates and financial institutions, achieving SDF compliance requires comprehensive enterprise-wide audits.
Breach Notification and Punitive Framework
Unlike previous IT Rules, the DPDP Act mandates compulsory notification of personal data breaches to both the Data Protection Board of India and the affected Data Principals. The penalties for non-compliance are severe and financially punitive, eschewing criminal liability in favor of massive civil fines.
Failure to implement reasonable security safeguards to prevent a breach can attract a penalty of up to ₹250 Crores. Failure to notify the Board or the affected Data Principals of a breach carries a penalty of up to ₹200 Crores. Consequently, corporations must immediately update their Data Processing Agreements (DPAs) with third-party vendors, incorporating strict indemnity clauses and immediate breach reporting timelines.
Key Takeaways
- Consent under the DPDP Act must be explicit, itemized, and preceded by a multi-lingual Notice explaining the exact data usage.
- Data Fiduciaries hold ultimate liability, necessitating the urgent revision of vendor and Data Processor contracts.
- Significant Data Fiduciaries (SDFs) are subject to stringent mandates, including Data Protection Impact Assessments and mandatory DPOs.
- Penalties for data breaches and failure to implement security safeguards can reach up to ₹250 Crores per instance.
