The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive data privacy law and has emerged as a high-frequency topic in CLAT 2026 and 2027 examinations. This article provides a complete CLAT-oriented analysis of the Act, covering key provisions, rights, obligations, and the legal reasoning framework you need for exam day.
Key Facts: DPDP Act 2023 at a Glance
| Parameter | Details |
|---|---|
| Full Name | Digital Personal Data Protection Act, 2023 |
| Passed by Parliament | August 2023 |
| Presidential Assent | August 11, 2023 |
| Regulator | Data Protection Board of India (DPBI) |
| Replaces | IT Act Section 43A (partially) |
| Applies To | Digital personal data processed in India + data of Indian citizens processed abroad |
| Maximum Penalty | ₹250 crore per breach |
Key Definitions — Learn These for CLAT
- Personal Data: Any data about an identifiable individual
- Data Principal: The individual whose data is collected (the citizen)
- Data Fiduciary: Entity that determines purpose and means of processing (e.g., a company)
- Data Processor: Entity that processes data on behalf of the fiduciary
- Significant Data Fiduciary (SDF): High-risk entities designated by the government
- Consent Manager: New entity that manages consent on behalf of data principals
Rights of Data Principal (Individual) — CLAT Focus
- Right to Information — Know what data is collected and how it’s processed
- Right to Correction and Erasure — Correct inaccurate data or delete data
- Right to Grievance Redressal — File complaints with Data Fiduciary or DPBI
- Right to Nominate — Nominate someone to exercise rights posthumously
Note: The Act does NOT include the “Right to be Forgotten” as a standalone right (unlike GDPR) — this is a common CLAT MCQ trap.
Obligations of Data Fiduciary
| Obligation | Details |
|---|---|
| Lawful basis for processing | Consent OR legitimate use (government purposes) |
| Purpose limitation | Data used only for specified purpose |
| Data minimisation | Collect only what is necessary |
| Storage limitation | Delete after purpose is served |
| Data breach notification | Notify DPBI and affected users |
| Appoint DPO (for SDFs) | Data Protection Officer required |
Cross-Border Data Transfers
The DPDP Act allows cross-border data transfers to countries notified by the Indian government as “safe” — a whitelist approach (unlike the EU GDPR’s adequacy decision system). This distinction is important for legal reasoning questions comparing GDPR and DPDP.
DPDP vs. GDPR — Comparison Table
| Feature | India DPDP Act 2023 | EU GDPR 2018 |
|---|---|---|
| Right to be Forgotten | Not separately listed | Explicit right (Article 17) |
| Data Localisation | Whitelist approach | Adequacy decision approach |
| Penalty | Up to ₹250 crore | Up to 4% global turnover |
| Children’s data | Age 18 (verifiable parental consent) | Age 16 (varies by member state) |
| DPO requirement | Only for SDFs | Mandatory for certain controllers |
Exemptions Under DPDP Act
The Act provides exemptions that CLAT frequently tests in legal reasoning passages:
- National security and public order
- Research and statistical purposes
- Courts and tribunals
- Government’s “legitimate use” (without consent) for subsidies, licenses, etc.
Data Protection Board of India (DPBI)
The DPBI adjudicates complaints and imposes penalties. It is NOT a court — its decisions can be appealed to the High Court. This is important: the Act creates a quasi-judicial body, not a full tribunal, which has been criticised by civil liberties groups.
FAQ — DPDP Act for CLAT
Is the DPDP Act applicable to offline data?
No. The DPDP Act applies only to digital personal data — data that is either collected digitally or later digitised. Physical/offline data is not covered.
What is the age for children’s data protection under DPDP?
Under the DPDP Act, a “child” is anyone below 18 years. Processing a child’s data requires verifiable parental consent, and Data Fiduciaries cannot serve behavioural advertising to children.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the government based on factors like volume of data processed, risk to national security, and impact on rights. SDFs have additional obligations including appointing a DPO and conducting Data Protection Impact Assessments.