Module 01 — DPDP Act 2023 — what changed

1. 2017: Justice Srikrishna Committee report
2. 2019: PDP Bill introduced
3. 2022: Withdrawn
4. August 2023: DPDP Act passed
5. February 2026: DPDP Rules notified

For RTI work: §8(1)(j) of RTI Act is recalibrated by DPDP. The two laws now interact at every personal-data RTI.

Applies to digital personal data processed:

1. In India
2. Outside India in the course of offering goods/services to data principals in India

Exclusions:

1. Personal/domestic use
2. Publicly available data (with caveats)
3. Court-ordered processing
4. Research/statistical/archival (with safeguards)

1. Data Principal = the person whose data
2. Data Fiduciary = the entity that decides purposes/means (≈ Controller in GDPR)
3. Data Processor = entity processing on behalf of Fiduciary
4. Consent Manager = registered intermediary for managing consent
5. Significant Data Fiduciary (SDF) = high-volume / sensitive — extra obligations
6. Data Protection Board of India (DPB) = adjudicatory body

Consent must be:

1. Free (not coerced)
2. Specific (per purpose)
3. Informed (privacy notice in clear language, in 22 schedule languages)
4. Unconditional (services cannot be denied for refusing optional consent)
5. Unambiguous (positive action, not pre-ticked)
6. Withdrawable (any time, as easy as giving)

Consent for children (<18): verifiable parental consent required.

7 legitimate uses where consent is bypassed:

1. (a) Voluntary provision by data principal
2. (b) State function — subsidy, benefit, license
3. © Compliance with judgement
4. (d) Medical emergency
5. (e) Disaster / public-health crisis
6. (f) Employment-related (limited)
7. (g) Public interest specified in Rules

This is the bridge to RTI — RTI requests for govt records often map to §7(b)/(g).

Quiz available from your course dashboard.

• ← Course overview
• Next: Final exam — DPDP Act 2023 + Rules 2026 Crash Course

Last reviewed: 24 April 2026.