Understanding Your Rights Under the Digital Personal Data Protection Act 2023

16 Aug 2023

As we find ourselves increasingly entrenched in the digital age, it's crucial to be well-versed in the laws and regulations that govern our online presence.

This blog post outlines how the Digital Personal Data Protection Act 2023 safeguards your digital rights, effectively aiming to arm you with sufficient knowledge to navigate the digital world safely and responsibly. 

In a significant development, the Digital Personal Data Protection Bill has successfully passed through the legislative process, marking a pivotal step towards safeguarding personal data rights.

The bill, tabled by the Minister for Electronics & Information Technology, Ashwini Vaishnaw, recently garnered approval in both the Lok Sabha and the Rajya Sabha, and now awaits the assent of the President of India, Droupadi Murmu.

A Comprehensive Framework for Data Protection: The core objective of the 2023 Digital Personal Data Protection Bill revolves around the establishment of a robust and all-encompassing framework to protect personal data.

This framework is designed to encompass data collected across India, spanning the digital landscape as well as traditional offline sources. Remarkably, the bill's provisions extend their reach beyond national borders, encompassing scenarios where data processing occurs internationally, yet involves the provision of goods or services to individuals within India.

Insightful Exploration Ahead: As the Digital Personal Data Protection Act 2023 becomes a potential reality, it's imperative to delve deeper into its nuances. This blog aims to unravel the intricacies of the act, shedding light on the rights it bestows upon individuals in the digital realm.

From understanding the scope of personal data protection to grasping the implications of international data transactions, this blog serves as a comprehensive guide to navigating the digital landscape in an era of heightened privacy concerns.

Join us on this journey as we decode the Digital Personal Data Protection Act 2023, empowering you with insights to safeguard your digital footprint and exercise your rights in the evolving data-driven world.

The Digital Personal Data Protection Act 2023, commonly known as PDPA, fundamentally changes the way personal data is handled, providing individuals unparalleled control over their personal information.

As users of digital platforms like Google, Facebook, WhatsApp, Instagram, and Twitter, it is vital that we understand our rights under this groundbreaking legislation. 

The PDPA sets a new standard for data privacy, empowering individuals to take control of their digital footprint. It regulates the collection, use, and disclosure of personal data by organizations, ensuring that your data isn’t used without your express permission.

The Act is built on the premise of transparency, so you always know what, why, and how your data is being utilized. 

"The Digital Personal Data Protection Act 2023 gives individuals control over their personal data. Our digital presence and activities create an extensive pool of personal data, and it's high time we had the right to monitor and control how this data is used."

Understanding Your Rights Under the Digital Personal Data Protection Act 2023

In the digital age, where data is the new currency, navigating the complex world of data privacy can seem daunting. Yet, with the PDPA in place, we have the tools and rights to protect ourselves.

What is the Digital Personal Data Protection Act 2023?

The PDPA is a comprehensive law that regulates the collection, use, and processing of personal data in India. It was passed by the Indian Parliament on August 11, 2023, and came into force on January 27, 2024.

The PDPA defines personal data as any information that can be used to identify an individual, such as their name, address, phone number, email address, and biometric data. It also applies to sensitive personal data, such as financial information, health data, and biometric data.

In this digital age, our personal data has become a valuable commodity. As we navigate the internet, whether it be using Google, Facebook, WhatsApp, Instagram, Twitter or any other online service, we leave a digital footprint that can be exploited if not protected.

Enter the Digital Personal Data Protection Act 2023 (PDPA). 

The PDPA is a ground-breaking piece of legislation that aims to provide individuals with greater control over their personal data. It lays out a comprehensive framework for businesses and organizations on how to collect, use, and manage personal data responsibly. In essence, the PDPA is designed to protect your personal data and privacy in the digital world. 

Highlights of the Digital Personal Data Protection Bill 2023

The Digital Personal Data Protection Bill, 2023, is designed to establish a framework for the responsible processing of digital personal data. Balancing individuals' rights to safeguard their personal data with the necessity of lawful data processing, the Bill introduces several salient features to regulate the digital data landscape.

Protecting Digital Personal Data:

The Bill centers around the safeguarding of digital personal data, ensuring that individuals' identities remain protected while allowing for legitimate data processing. It encompasses the responsibilities of Data Fiduciaries, who process data, as well as the rights and duties of Data Principals, the individuals to whom the data pertains. Financial penalties for breaches of rights, obligations, and duties are also introduced to enforce compliance.

Aim and Impact:

The Bill's overarching objectives include a seamless integration of data protection laws with minimal disruption, enhanced quality of life, improved business practices, and the advancement of India's digital economy and innovation ecosystem.

Core Principles: Built on seven fundamental principles, the Bill sets the tone for responsible data handling. These principles include:

Consent, Lawfulness, and Transparency: Data processing must be carried out with informed and transparent consent.

Purpose Limitation: Personal data should only be used for the purpose for which consent was granted.

Data Minimisation: Only the necessary personal data should be collected for the specified purpose.

Data Accuracy: Ensuring data accuracy and regular updates.

Storage Limitation: Data should only be stored for as long as needed for the specified purpose.

Security Safeguards: Implementing reasonable security measures to protect data.

Accountability: Adjudicating breaches and imposing penalties for non-compliance.

Innovative Aspects: The Bill incorporates innovative elements to streamline and simplify its provisions:

SARAL Approach: The Bill follows a Simple, Accessible, Rational, and Actionable Law framework by employing plain language, illustrations for clarity, minimal cross-referencing, and the omission of complex provisos.

Gender Inclusivity: The use of "she" instead of "he" marks a significant milestone, acknowledging women's role in parliamentary law-making.

Empowering Individual Rights: The Bill grants individuals several crucial rights to assert control over their personal data:

Access to Information: Individuals have the right to know about the processing of their personal data.

Correction and Erasure: The right to correct and erase inaccurate or outdated data.

Grievance Redressal: A mechanism for addressing grievances related to personal data processing.

Nomination of Representatives: In cases of death or incapacity, the right to nominate a representative to exercise data rights.

What are my rights under the PDPA?

“Knowledge is power. But above all, it’s protection. Understand your rights under the PDPA and take control of your personal data.”

The right to access your personal data: You have the right to request a copy of your personal data from any organization that is collecting or processing it. The organization must provide you with this information within 30 days of your request.

The right to correct inaccurate or incomplete personal data: You have the right to correct any inaccurate or incomplete personal data that is being collected or processed by an organization. The organization must make the correction within 30 days of your request.

The right to object to the processing of your personal data: You possess the right to oppose the processing of your personal data under specific circumstances. This can be exercised when the data processing involves direct marketing objectives or relies on your consent. The entity handling your data must halt the processing unless they can provide valid and well-founded reasons that justify their need to continue processing it.

The right to be forgotten: You have the right to request that an organization delete your personal data if it is no longer necessary for the purpose for which it was collected or processed. The organization must delete your data within 30 days of your request, unless it is required to keep it for legal reasons.

The right to data portability: You have the right to request that an organization transfer your personal data to another organization in a structured, commonly used, and machine-readable format. This right only applies to personal data that you have provided to the organization, and that is being processed by the organization on the basis of your consent or to perform a contract with you.

The right to restrict the processing of your personal data: You have the right to request that an organization restrict the processing of your personal data in certain circumstances, such as if you contest the accuracy of the data or if you object to the processing of the data for direct marketing purposes. The organization must restrict the processing of your data unless it can show that there are compelling legitimate grounds for continuing to process it.

The right to withdraw your consent: You have the right to withdraw your consent to the processing of your personal data at any time. This will not affect the lawfulness of the processing that has already taken place.

The right to complain to the Data Protection Authority: If you believe that your rights under the PDPA have been violated, you have the right to complain to the Data Protection Authority. The DPA is an independent body that is responsible for enforcing the PDPA.

Protecting Your Personal Data

Understanding the PDPA empowers you to take control of your personal data. But, how can you put these rights into practice? 

| Action | Description |
| --- | --- |
| Be vigilant | Always be aware of where and how you're sharing your personal data. Read privacy policies and understand how your data will be used. |
| Exercise your rights | Don't hesitate to exercise your rights under the PDPA. If you believe your personal data is being misused, take action. |
| Maintain data hygiene | Regularly update and clean your data. This includes checking your privacy settings and deleting unneeded personal information. |

In a world that's more connected than ever, the PDPA is a crucial tool for protecting your personal data. As users of the digital world, it's incumbent upon us to familiarize ourselves with our rights and to exercise them when necessary.

Protection of Children and Persons with Disabilities' Data

Safeguarding the personal data of children and individuals with disabilities is a pivotal aspect of the Digital Personal Data Protection (DPDP) Bill framework. The Bill establishes stringent measures to ensure the privacy and well-being of these vulnerable groups in the digital realm.

Consent Requirement: For the processing of personal data belonging to children and persons with disabilities, the Bill mandates the acquisition of verifiable consent from their parents or lawful guardians. This crucial step aims to maintain transparency and accountability in data handling.

Enhanced Protections for Children: The DPDP Bill goes a step further to ensure the protection of children's personal data. It explicitly prohibits the tracking or behavioral monitoring of children, along with targeted advertising directed at them. Additionally, the Bill restricts the processing of children's data if it's likely to have a detrimental impact on their well-being.

Exemptions and Empowerment: The Bill introduces a mechanism for the Central Government to grant exemptions in specific scenarios. This includes allowing certain classes of data fiduciaries and processing purposes to be exempt from obtaining parental consent and the prohibition of behavioral monitoring. This strategic provision ensures flexibility while maintaining data protection standards.

Empowering Data Fiduciaries: Furthermore, the Bill empowers the Central Government to exempt data fiduciaries from stringent requirements when processing data of children aged above a certain threshold but under 18 years. This provision takes into account the unique circumstances of this age group, ensuring a balanced approach to data processing.

The PDPA's Impact on Social Media Platforms

From Facebook's newsfeed to Instagram's story highlights, from Twitter's trending hashtags to WhatsApp's status updates, our digital lives are intrinsically linked to social media platforms. The Digital Personal Data Protection Act 2023 (PDPA) brings about significant changes to the way these platforms handle our personal data. Let's delve into the specifics of how the PDPA impacts these popular digital networks. 

Social media platforms like Google, Facebook, WhatsApp, Instagram, and Twitter are subject to the PDPA.

Facebook and Instagram 

Under the PDPA, Facebook and its subsidiary, Instagram, are legally obligated to offer you explicit options for consent. This means they must provide clear information about the data they gather, how they use it, and who they share it with. The platforms must also ensure that opting out of data collection is as easy as opting in. 


Twitter

With the PDPA in place, Twitter must now provide transparency in its data usage policies. The company has to disclose any third-party affiliations that have access to your data. Additionally, Twitter users have the right to request deletion of their personal data held by the company.


WhatsApp

Given the end-to-end encryption that WhatsApp prides itself on, the PDPA's implications extend to this platform too. WhatsApp is required to make its privacy policies more transparent, giving users the right to choose whether they want their data to be used for targeted advertising.

Remember, the PDPA empowers you to control your personal data. It's all about ensuring your digital privacy.


Steps to Take to Ensure Your Personal Data is Protected Under the PDPA

1. Familiarize Yourself with the Act 

The first step towards safeguarding your personal data is to familiarize yourself with the Digital Personal Data Protection Act 2023. This legislation was enacted to ensure that companies and organizations handle individuals' personal data with utmost care and respect. Understanding the Act's provisions will empower you to be aware of your rights and how to exercise them. 

2. Limit the Sharing of Your Personal Data 

The fewer people who have access to your personal data, the less likely it is to be misused. Therefore, you should strive to limit the amount of personal data you share online. Be cautious about the information you provide to websites, apps, and online services. Do not share personal data unless absolutely necessary, and always verify the authenticity of the platform you're using. 

3. Make Use of Privacy Settings 

Most online platforms, like Google and Facebook, offer users a range of privacy settings that can be adjusted to control who can access and view your personal data. These settings are a powerful tool for protecting your digital privacy. Be proactive about using them; regularly review and update your privacy settings to fit your comfort level. 

4. Regularly Update Your Devices 

Updates to your devices, such as smartphones and computers, often include improved security measures to protect against new threats. Regularly updating your devices can thus offer an additional layer of protection for your personal data. Never ignore software updates; consider them as crucial for your digital security. 

5. Report Any Suspected Data Breaches 

If you suspect that your personal data has been mishandled or breached, it is essential to report it promptly. Under the PDPA, companies are obligated to investigate any reported data breaches and take corrective action. Do not hesitate to assert your rights; your vigilance could prevent further misuse of your data. 

Remember, your personal data is precious; treat it with the care it deserves. By taking these steps, you can ensure your personal data is protected, and your rights under the PDPA are upheld.

Tips to protect your personal data

  • Be careful about what personal information you share online. This includes your name, address, phone number, email address, and any other information that could be used to identify you. Think twice before sharing this information on social media or other online platforms.
  • Only share personal information with organizations that you trust. When you provide personal information to an organization, make sure you understand how they will be using it. Read the privacy policy carefully before clicking "agree."
  • Use strong passwords and keep them safe. A strong password is at least 8 characters long and includes a mix of uppercase and lowercase letters, numbers, and symbols. Do not use the same password for multiple accounts.
  • Be aware of the privacy settings on your devices and online accounts. Take the time to review the privacy settings on your devices and online accounts. Make sure you understand who can see your information and how it can be used.
  • Be careful about clicking on links in emails or on websites. Phishing emails and malicious websites are often designed to steal personal information. Do not click on links in emails or on websites unless you are sure they are legitimate.
  • Use a VPN when you are using public Wi-Fi. A VPN encrypts your traffic, making it more difficult for hackers to steal your personal information.

Some additional tips for protecting your personal data:

  • Keep your software up to date. Software updates often include security patches that can help to protect your devices from malware and other threats.
  • Be careful about what apps you download. Only download apps from trusted sources.
  • Be aware of the risks of social media. Social media platforms can be a goldmine for cybercriminals. Be careful about what information you share on social media.
  • Shred or delete sensitive documents before you throw them away.

By following these tips, you can help to protect your personal data and keep it safe from unauthorized access.

What to Do if Your Rights Under the PDPA are Violated

Often, individuals are unaware of the course of action to take when their rights under the Digital Personal Data Protection Act 2023 (PDPA) are violated. The key is to ascertain such violations and follow the correct procedures to address them. This process involves several steps that you, as a data subject, need to take in order to control your personal data and ensure its protection.

Identify the Violation 

First and foremost, you must identify the violation. The PDPA grants you certain rights over your personal data, such as the right to access your data, the right to correct inaccurate data, and the right to delete or limit the use of your data. If any of these rights have been breached, it qualifies as a violation. It might be a denial of access to your data, incorrect data being held about you, or misuse of your personal information. 

Document the Violation 

Once you've identified the violation, the next step is to document it. This could involve taking screenshots, saving emails, or noting down dates and times of events. This documentation serves as evidence of the violation. 

Contact the Responsible Party 

The third step involves contacting the party responsible for the violation. This could be the company or organization that has mishandled your data. In your communication, you should explain the violation, provide the evidence you've gathered, and demand that the violation be rectified. 

File a Formal Complaint 

If the responsible party fails to address the issue, the next step is to file a formal complaint with the data protection authority in your country. These bodies are responsible for enforcing the PDPA and can take action against the violators. When submitting your complaint, be sure to include all the evidence you've collected and a detailed account of the violation. 

Seek Legal Advice 

If your complaint doesn't lead to satisfactory results, you may need to seek legal advice. Lawyers specializing in data protection laws can provide guidance on how to proceed and may be able to represent you in legal proceedings against the violating party. 

Please remember that these steps are crucial in ensuring that your rights under the PDPA are upheld. It's your data, and you have the right to control how it's used.

The Future of Personal Data Protection: What to Expect

In a rapidly evolving digital landscape, the future of personal data protection is a subject of paramount importance. The Digital Personal Data Protection Act 2023 (PDPA) has laid a strong foundation for citizens to manage and protect their personal data. But what can users expect in the future?

Firstly, the evolution of technology is bound to bring about new challenges and opportunities. We can anticipate an increase in the sophistication of data protection measures, but also a corresponding rise in threats. As a result, the PDPA and similar laws will need to be continuously updated and adapted to stay effective. 

"The future of data protection is not static, it is a dynamic process that must continually evolve to keep pace with technological advancements. It is a journey, not a destination."

Furthermore, the PDPA 2023 has set a precedent that other countries are likely to follow. This means we could see the emergence of more comprehensive international standards for digital personal data protection. Let's look at some key trends to watch out for: 

Greater Transparency: Companies may be required to be more transparent about how they use and store personal data. This could include providing clearer privacy policies and more detailed information about data use.

Informed Consent: There will be a shift towards requiring explicit and informed consent for data collection and use. This means users must understand what they are agreeing to and have the right to opt out.

Data Minimization: This refers to collecting and storing only the necessary amount of data for a specific purpose. Companies might have to demonstrate that they are not holding more data than required.

Increased Accountability: Organizations will be held more accountable for data breaches and misuse of personal data. This could lead to stricter penalties and enforcement.

Finally, while we can speculate about the shape of things to come, one thing is certain. The conversation around personal data protection is only going to intensify in the future. As users, it's essential to stay informed and vigilant in order to safeguard our digital rights.


The Digital Personal Data Protection Bill, 2023, stands as a pivotal legislative effort to create a robust framework for responsible digital data management.

By prioritizing individuals' rights while facilitating lawful data processing, the Bill aims to propel India's digital landscape into an era of transparency, accountability, and enhanced data privacy.

The DPDP Bill's provisions regarding the data of children and persons with disabilities underscore the government's commitment to upholding their rights and privacy in the digital age.

By requiring parental consent, prohibiting detrimental data processing, and offering flexibility through exemptions, the Bill seeks to strike a harmonious balance between data utilization and individual well-being.
