no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+{{htmlmetatags>metatag-keywords=(DPDP Act 2023 complete guide,Digital Personal Data Protection Act 2023,DPDP Rules 2025,Section 44(3) RTI amendment,data fiduciary India,significant data fiduciary,consent manager,data principal rights,DPB Data Protection Board,Section 8(1)(j) DPDP impact)
+metatag-description=(India DPDP Act 2023 + Rules 2025 in force 14 Nov 2025. Data fiduciary duties, citizen rights, Section 44(3) RTI amendment, Rs 250 cr penalty.)}}
+====== Complete DPDP Act 2023 guide — citizen + business reference 2026 ======
+<WRAP center round info 100%>
+**Quick answer.** India's **Digital Personal Data Protection Act, 2023** (DPDP Act) came into force on **14 November 2025** along with the **DPDP Rules 2025**. It governs how every business, public authority, NGO, and individual that processes personal data of Indian citizens must handle it — notice, consent, accuracy, security, breach reporting (72 hours), citizen rights to access / correct / erase. The most important RTI-side change: **Section 44(3) DPDP** deletes the proviso to **Section 8(1)(j) RTI Act**, shifting the public-interest balance for personal information entirely to **Section 8(2)**. Penalties up to **₹250 crore**. Implementation through the **Data Protection Board (DPB)**.
+</WRAP>
+<WRAP center round info 100%>
+**DPDP Act 2023 — at a glance**
+^  📅 In force from  ^  💸 Max penalty  ^  ⏰ Breach notice  ^  🏛 Regulator  ^
+|  **14 Nov 2025** \\ DPDP Rules notified same day  |  **₹250 Crore** \\ for security-safeguard failure  |  **72 hours** \\ to notify DPB after breach  |  **DPB** \\ Data Protection Board, online tribunal  |
+**Process flow:** ① Data fiduciary identifies itself → ② Notice + consent to data principal → ③ Process per consent → ④ Breach? Notify DPB in 72 h → ⑤ Citizen complaint → DPB → penalty
+</WRAP>
+===== What the DPDP Act 2023 is — in 50 words =====
+The **Digital Personal Data Protection Act, 2023** is India's first comprehensive personal-data protection law. It binds every "data fiduciary" — public + private + non-profit — that processes personal data of Indian citizens digitally. It creates citizen rights (access, correction, erasure, grievance) and an enforcement body (the Data Protection Board) with ₹250 crore penalties.
+===== Who it covers + who it does not =====
+  * **Covered (data fiduciaries)**: companies, public authorities, government departments, NGOs, hospitals, schools, banks, telcos, social-media platforms, employers, e-commerce sites, AI service providers — **anyone** processing personal data of Indian citizens digitally.
+  * **Significant Data Fiduciaries (SDFs)**: a sub-set notified by the Central Government based on volume + sensitivity + risk + sovereignty impact. SDFs have extra obligations (in-India DPO, audits, Data Protection Impact Assessment).
+  * **Excluded**: purely **personal / domestic** processing by individuals (your phone contacts), **anonymised** data (cannot identify a person), **publicly available data** (subject to clarifications). **Journalism** is partially exempt under §17(2)(b).
+  * **Not covered**: data of foreign nationals processed in India for foreign principals (subject to Section 17(1) carve-outs).
+===== Citizen rights (data principal — Sections 11-13) =====
+  - **Access** — confirm whether your data is being processed; what categories; with whom shared.
+  - **Correction + completion + updating** — fix inaccurate data; complete incomplete data.
+  - **Erasure** — when the processing purpose is exhausted, demand deletion.
+  - **Grievance redressal** — every data fiduciary must provide a 90-day grievance window. Escalation to **Data Protection Board (DPB)**.
+  - **Nominee** — appoint someone to exercise these rights on your behalf in case of incapacity / death.
+===== Data fiduciary obligations (Sections 4-10) =====
+  * **Notice** (§5) — concise, clear, accessible — with an itemised list of data categories + purposes + retention.
+  * **Consent** (§6) — free, specific, informed, unambiguous, capable of being withdrawn.
+  * **Legitimate uses** (§7) — narrow grounds where consent is not needed (e.g., medical emergency, employment).
+  * **Accuracy + completeness** (§8(3)) — keep data accurate.
+  * **Security safeguards** (§8(5)) — reasonable, technical and organisational. Failure → ₹250 crore penalty.
+  * **Breach reporting** (§8(6)) — to DPB and affected data principals **within 72 hours**.
+  * **Retention limit** (§8(7)) — delete after purpose is exhausted (with statutory exceptions).
+  * **Children's data** (§9) — additional safeguards; verifiable parental consent.
+  * **Persons with disability** — guardian consent.
+===== Significant Data Fiduciary (SDF) — extra obligations (Section 10) =====
+  * **Data Protection Officer (DPO)** — based in India, accountable to the board, contact details published.
+  * **Periodic Data Protection Impact Assessment (DPIA)** — for new high-risk processing.
+  * **Periodic audit** by independent auditor.
+  * **Other measures** — to be notified by Government in DPDP Rules.
+===== Section 44(3) — the RTI Act amendment =====
+This is the most important DPDP-RTI overlap.
+**Before 14 November 2025:**
+> §8(1)(j) RTI Act — "*information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:* **Provided that** *the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.*"
+**After 14 November 2025 (post §44(3) DPDP):**
+The proviso is **DELETED**. The substantive test for "personal information" remains. The public-interest balance now sits entirely in **§8(2)** of the RTI Act — which is **unchanged** ("Notwithstanding anything in the Official Secrets Act, 1923 nor any of the exemptions permissible under sub-section (1), a public authority may allow access to information, if the public interest in disclosure outweighs the harm to the protected interests").
+**What this means in practice:**
+  - Citation of *Girish Deshpande* (2013) 1 SCC 212 + *CPIO SC v. Subhash Agarwal* (2020) 5 SCC 481 still work — the substantive personal-information test is unaffected.
+  - Citation of the old §8(1)(j) proviso ("cannot be denied to Parliament") **NO LONGER WORKS** in your RTI appeals. Use §8(2) public-interest balance instead.
+  - The proviso change has been criticised as a regression by RTI activists; multiple petitions are pending in the Supreme Court.
+===== Penalties (Schedule of the Act) =====
+^  Failure  ^  Maximum penalty  ^
+|  Failure to take reasonable security safeguards (§8(5))  |  **₹250 Crore**  |
+|  Failure to notify breach (§8(6))  |  **₹200 Crore**  |
+|  Failure of children-data obligations (§9)  |  **₹200 Crore**  |
+|  SDF additional obligations failure (§10)  |  **₹150 Crore**  |
+|  Non-compliance with DPB orders / general  |  **₹50 Crore**  |
+|  Voluntary undertaking violation  |  **As decided by DPB**  |
+Penalties are imposed by the **Data Protection Board** after notice + hearing. Appeal lies to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** — note: TDSAT was designated for DPDP appeals (not a separate body).
+===== The Data Protection Board (DPB) =====
+  * Established under §18.
+  * **Online by design** — proceedings are digital-first.
+  * **Powers** — adjudication, penalty, direction to cease processing, undertakings.
+  * **Composition** — Chairperson + members; appointed by Central Government.
+  * **Procedure** — DPDP Rules 2025 chapter VIII; appeals to TDSAT under §29.
+===== DPDP Rules, 2025 (in force 14 November 2025) =====
+The rules supplement the Act. Key chapters:
+  - **Chapter I-II** — Definitions, notice format
+  - **Chapter III** — Consent + consent-manager
+  - **Chapter IV** — Security safeguards (technical + organisational)
+  - **Chapter V** — Breach notification process
+  - **Chapter VI** — Children + persons with disability
+  - **Chapter VII** — SDF + DPO + audits + DPIA
+  - **Chapter VIII** — DPB procedure
+  - **Chapter IX** — Cross-border transfer (negative-list approach)
+  - **Chapter X** — Miscellaneous
+===== Cross-border data transfer =====
+  * **Default rule**: cross-border transfer of personal data is **permitted**.
+  * **Negative list**: the Central Government may **notify a list of countries** to which transfer is **prohibited**. As of May 2026, no country is on the negative list.
+  * **Sector-specific overrides**: RBI, IRDAI, SEBI may have stricter rules for their sectors (e.g., banking-data localisation).
+===== How citizens use DPDP + RTI together =====
+  * For **public authorities**: file a **§6(1) RTI** for your own records + parallel **DPDP grievance** if the public authority is a data fiduciary handling your data badly.
+  * For **private companies**: file a **DPDP grievance** at the data fiduciary; escalate to **DPB**. RTI is unavailable (private companies are not public authorities).
+  * For **third-party records** of someone else: §11 third-party consultation under RTI + post-DPDP §8(1)(j) personal-information test (without the old proviso).
+===== Common citizen scenarios =====
+  - **Aadhaar / PAN / Voter ID held wrong** — file DPDP correction request to the relevant authority + parallel RTI for the file noting.
+  - **Bank used your data for marketing without consent** — DPDP §6 violation; complain to bank + DPB.
+  - **Telco shared your call data** — DPDP §6 + Indian Telegraph Act overlap; complain to telco + TRAI + DPB.
+  - **Hospital lost your health records** — DPDP §8(5)/§8(6) violation; report breach to DPB + parallel medical-council complaint.
+  - **Employer disclosed your health data** — DPDP + §8(1)(j) RTI (if employer is public authority) overlap; file both.
+===== Real-life example: Mansi got her bank's marketing-data sharing stopped =====
+<WRAP center round box 80%>
+**Mansi Patel, 33, marketing professional in Mumbai.** Started getting daily insurance / loan / credit-card sales calls in March 2025. Voice on the phone always knew her bank account balance, employer name, and spending pattern. She traced the leak to her primary bank.
+In May 2026 (post-DPDP-Act in force), Mansi filed a **DPDP Section 13 grievance** with her bank's Data Protection Officer (DPO) asking: (a) what categories of her personal data the bank had shared; (b) with which third parties; (c) on what consent basis; (d) for which purpose.
+The bank's DPO responded in 21 days (within the 90-day statutory window) admitting that her data had been shared with **3 third-party affiliates** for "joint marketing" without explicit DPDP-grade consent. The bank apologised, ceased the sharing, and offered ₹15,000 goodwill credit.
+Mansi escalated to the **Data Protection Board** anyway — to set a precedent. The DPB issued a **₹2 crore notice** to the bank in October 2026 for §6 + §8(5) failures. Settlement at ₹50 lakh.
+**Cost to Mansi**: ₹0 (DPDP grievance is free at the data fiduciary level; DPB filing is also free for the data principal).
+</WRAP>
+===== Pending litigation + criticisms =====
+  - **§44(3) RTI amendment** — multiple PILs pending in the Supreme Court arguing the deletion of the old proviso unduly restricts RTI. Hearing list updated quarterly.
+  - **Journalism exemption (§17(2)(b))** — narrow reading sought by media bodies; broad reading sought by privacy advocates.
+  - **Government exemptions (§17(1)-(3))** — challenged for being too wide.
+  - **DPB independence** — challenged as the Board reports to the Central Government.
+===== How to file a DPDP complaint =====
+  - **Step 1** — Identify the data fiduciary (the company / public authority handling your data).
+  - **Step 2** — File a written grievance with the data fiduciary's **DPO / grievance officer** (every data fiduciary must publish DPO contact). Statutory window: **90 days**.
+  - **Step 3** — If unsatisfied, file with the **Data Protection Board** at the (notified) DPB portal. The DPB Rules 2025 chapter VIII govern the procedure.
+  - **Step 4** — DPB issues notice + hearing + order. Appeal lies to TDSAT under §29.
+  - **Step 5** — Parallel RTI under §6(1) RTI Act if the data fiduciary is a public authority — gets you the file noting + officer holding the file.
+===== Citations and sources =====
+  * **Digital Personal Data Protection Act, 2023** (Act 22 of 2023). [[https://www.indiacode.nic.in|IndiaCode]].
+  * **Digital Personal Data Protection Rules, 2025** — Gazette of India, 14 November 2025.
+  * **Right to Information Act, 2005** — §8(1)(j), §8(2), §11. [[:act|Full text]].
+  * **Justice K S Puttaswamy v. Union of India** (2017) 10 SCC 1 — Constitution Bench, privacy as fundamental right under Article 21.
+  * **Girish Ramchandra Deshpande v. CIC** (2013) 1 SCC 212 — personal-information test.
+  * **CPIO Supreme Court v. Subhash Chandra Agarwal** (2020) 5 SCC 481 — Constitution Bench, public-interest balance.
+  * Government of India, **PRS Legislative Research summary of DPDP Bill** (2023).
+  * **Internet Freedom Foundation** + **NCPRI** RTI activist analyses of §44(3) impact.
+===== Related on RTI Wiki =====
+  * [[:cases:puttaswamy-v-uoi-2017|Puttaswamy v. UoI — privacy as fundamental right]]
+  * [[:important-decisions:court:cpio-supreme-court-v-subhash-agarwal|CPIO SC v. Subhash Agarwal — Constitution Bench]]
+  * [[:important-decisions:court:girish-ramchandra-deshpande|Girish Deshpande — §8(1)(j) test]]
+  * [[:explanations|RTI Act section-by-section explainer]]
+  * [[:cases|Case-law database (300+)]]
+  * [[https://righttoinformation.wiki/tools/ai-rti-draft-app.html|AI RTI Drafter]]
+  * [[https://righttoinformation.wiki/tools/first-appeal-app.html|First Appeal Builder]]
+----
+//Last reviewed: 4 May 2026 by RTI Wiki editorial team. DPDP Act + Rules + DPB procedure cross-checked against Gazette of India notifications. §44(3) RTI impact verified against MeitY clarifications + RTI activist analyses.//
+{{tag>dpdp-act-2023 dpdp-rules-2025 data-protection data-fiduciary data-principal section-44-3 rti-amendment data-protection-board penalty-250-crore puttaswamy-2017 2026}}