What Data is Protected by India's DPDPA? A Comprehensive Guide to India's Data Privacy Law

In today's data-driven era, personal information is a highly valuable asset. As people share increasing amounts of their personal data with online platforms and digital services, the demand for strong data protection has become vital. To address this, India introduced the Digital Personal Data Protection Act (DPDPA) in 2023, which creates a comprehensive system for protecting personal data. This article explores the extent of the protection offered by the DPDPA, outlining the specific types of data covered by this significant law.

What is India's DPDPA 2023?

The Digital Personal Data Protection Act (DPDPA) 2023 is a groundbreaking law designed to protect individuals' privacy in the digital era. Enforced from September 1, 2023, it covers all organizations handling the personal information of individuals in India.

What is personal data?

Under India's DPDPA, personal data is broadly defined as any information that can identify an individual, either directly or indirectly, through details like a name, ID number, location, or online identifier. This includes a variety of information such as:

However, the DPDPA does not cover personal data that is:

  • Used for law enforcement or national security purposes
  • Processed for journalism or artistic expression
  • Handled for personal or family use

Key principles of India's DPDPA

India's DPDPA is built around six core principles:

  • Lawfulness: Personal data must be processed in a legal, fair, and transparent manner.
  • Purpose Limitation: Data should be collected for specific, clear, and legitimate purposes and not used for anything beyond those purposes.
  • Data Minimization: Only the necessary amount of data relevant to the intended purpose should be collected.
  • Accuracy: Personal data must be accurate and updated when required.
  • Storage Limitation: Data should only be retained as long as needed for the stated purposes.
  • Integrity and Confidentiality: Personal data must be securely processed, protecting it from unauthorized access, loss, or damage.

Rights of data principals

India's DPDPA gives individuals several key rights regarding their personal data, including:

  • The right to access their data
  • The right to correct inaccurate data
  • The right to have their data erased
  • The right to limit the processing of their data
  • The right to transfer their data to another entity (data portability)
  • The right to object to the processing of their data

Enforcement of the DPDPA

India's DPDPA is enforced by the Data Protection Authority of India (DPA), an independent agency tasked with ensuring the Act is properly implemented. The DPA can investigate complaints, impose fines, and direct organizations to adhere to the regulations.

Final thoughts

India's DPDPA is a major law that will significantly change how organizations handle personal data in the country. It gives individuals more control over their data and places stricter requirements on organizations that process it. Entities affected by the DPDPA need to take measures to ensure they comply with the Act.