Picture this: It's a Monday morning, you're late for work and waiting for your ride to arrive. You receive a call from an unknown number and answer it, assuming it's your ride. Instead, you are greeted by a cheerful telemarketer asking if you're interested in getting a credit card while launching into its benefits. Sounds frustrating, right? For most of us, being bombarded by various telemarketers is an almost daily occurrence.

Data privacy and security is a prime and most urgent matter. Therefore, the Indian Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection (DPDP) Bill in 2022, which the Indian Parliament passed in this Monsoon Session. Read further to understand the DPDP Act, its key provisions, and discuss how it will benefit the citizens of India.

What is the DPDP Act and who does it apply to?

Following the Supreme Court of India's verdict in 2017 establishing the right to privacy as a fundamental right under the Indian constitution, the MeitY formed an expert committee to draft the DPDP Bill in 2018. After extensive discussions and amendments, the bill was reintroduced to the Parliament in 2021, but considering the need for a more comprehensive legal framework, the MeitY decided to withdraw the bill for further review.

This was done with an intent to develop a more robust framework to address the challenges of personal data protection in India and ensure that the final bill would encompass the evolving digital landscape and provide sufficient security for individuals' privacy rights. The now passed DPDP Act aims to regulate the processing and protection of personal data in the country and levies significant implications for businesses operating in India.

The act applies to various entities involved in the processing of personal data. These entities are defined in the act as follows:

  1. Data fiduciary is any person or organization, whether located in India or outside, who determines the purpose and means of processing personal data, including businesses, government agencies, and other entities.

  2. Data principals are individuals to whom the personal data relates, including parents or lawful guardians, in the case of personal data of children.

  3. Data processor is any person or entity that processes personal data on behalf of a data fiduciary.

Want to know more about the terminologies of the DPDP Act? Check out our guide: DPDP Act 101.


The act applies to the processing of personal data collected within the territory of India, whether collected online, or offline and digitized. It also applies to the processing of personal data outside of India if it involves profiling people in India or offering goods and services to people in India.

However, it does not apply to the non-automated processing of personal data, offline personal data, personal data processed by individuals for personal or domestic purposes, and personal data contained in records that have been in existence for at least 100 years.

How does the DPDP Act empower citizens?

Let's take the previous scenario, where you received a phone call from an unknown third-party marketing agency promoting credit cards for a popular financial institution. Let's assume you were contacted based on recent purchases made on an e-commerce platform. You are concerned about how your data, including purchase history, is being used on the e-commerce platform and shared without your consent. However, with the adoption of this act, you can exercise your rights in the following ways:

  1. Right to information: You visit the platform's website and request information about the personal data the company has collected on you, and the purposes for which it is being processed.

  2. Consent and notice: Upon requisition, you find out that the organization has failed to give clear notice during the purchase process about sharing your data with third-party marketing companies. You realize that the company had not obtained your consent for the data sharing.

  3. Right to correction and deletion: You contact the e-commerce platform and ask for the removal of the shared information from its marketing databases and that your data is no longer shared with third parties.

  4. Grievance redressal: Despite your request, if you continue receiving unsolicited marketing communication, you may file a complaint with the Data Protection Board of India (DPBI) against the e-commerce platform for non-compliance with the DPDP Act's provisions.

  5. DPBI investigation: The DPBI will initiate an investigation and examine the e-commerce platform's data processing practices. If it's found that the platform failed to obtain proper consent and violated the data protection obligations outlined in the act, the DPBI will move onto enforcement and remediation.

  6. Enforcement and remedial measures: The DPBI will issue an order to the e-commerce platform to stop sharing users' data immediately and take corrective actions to ensure compliance along with a substantial penalty for its non-compliance.

  7. Revision of data protection policies: Due to the investigation and enforcement actions, the e-commerce platform will be forced to revise its data protection policies and implement stronger consent processes to ensure compliance to the act's provisions.

This scenario demonstrates how the DPDP Act will empower citizens to exercise control over their personal data, seek redressal for violations, and prevent unsolicited marketing communications. Further, it will also encourage businesses to prioritize data protection and privacy with secure data processing practices.

While the citizens are meant to be protected by the DPDP Act, there are also certain repercussions if a user fails to comply with their duties as specified in the act. In case a user fails to provide authentic information or lodges frivolous grievances, they can be fined up to ₹10,000. However, the penalties are subject to the discretion of the Data Protection Board, and the specific amount of the penalty will depend on factors such as the nature and gravity of the violation, etc.

The DPDP Act in India is a comprehensive framework that aims to protect personal data and regulate its processing. Further, the act is also designed to safeguard the privacy of citizens, giving them greater control over their personal data and ensuring that it is processed and shared only with their explicit consent.

Interested to know about the responsibilities of the data fiduciaries and the implications of the DPDP Act on businesses? Check out the second part of this blog!

Discover more about the DPDP Act and its provisions by exploring our dedicated minisite.

  • Please enter a business email id
  • By clicking 'Read the ebook', you agree to processing of personal data according to the Privacy Policy

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.