In an exclusive conversation with CISO Forum, Pavan Duggal, a distinguished advocate practicing in the Supreme Court of India and a leading expert in Cyber Law, Cybercrime Law, Cybersecurity Law, and Artificial Intelligence Law, delves into the transformative impact of India’s Digital Personal Data Protection (DPDP) Act, 2023. This landmark legislation aims to establish a robust data protection framework, ensuring greater accountability for businesses handling personal data.

Duggal highlights how the Act, inspired by global standards like GDPR, introduces unprecedented penalties of up to ₹250 crore per violation, making compliance a top priority for organizations. He discusses the Act’s key provisions, its wide-ranging implications for businesses across sectors, and the challenges of adapting to its stringent regulations.
With the draft DPDP Rules 2025 currently under review, Duggal shares insights on how enterprises can prepare for this significant shift, ensuring they navigate India’s evolving data governance landscape effectively.
CISO Forum: Can you provide an overview of the Digital Personal Data Protection (DPDP) Act and its primary objectives?
Pavan Duggal: India has not yet had a dedicated law on data protection. That is why an urgent need was felt to have a law that can help protect and preserve personal data in the data economy ecosystem. This objective was primarily the guiding force behind the enactment of the Digital Personal Data Protection Act 2023.
This particular legislation is a subset of the overall cyber law umbrella provided by the Information Technology Act 2000. It deals only with the limited aspect of protecting and preserving personal data. Now, it has defined different categories of stakeholders, whether data principals, data fiduciaries, or data processors, and has provided for an unprecedented fining regime in the country.
Should you contravene the law’s provisions, you could be exposed to fines of up to 250 crore rupees per contravention. So, that being the case, this is expected to be a game-changing legislation. This legislation has still not come into force when we talk because the central government is currently finalizing the rules under the DPDP Act. The draft Digital Personal Data Protection Rules 2025 have been put up for public comment by the government by the 18th of February.
So once these rules are finalized and implemented and the law is implemented, we will see new game-changing legislation that promises to not just protect Indians’ personal data but, more significantly, also provide for a robust, sound, secure, and resilient data economy in the country.
CISO Forum: How does the DPDP Act compare to global data protection laws such as the GDPR? What are the key similarities and differences?
Pavan Duggal: The Indian DPDP Act has been tremendously influenced and inspired by the General Data Protection Regulation or the GDPR of the European Union, except that we have sought to come up with a law that’s not just a copy-paste, but a law that’s been customized according to the existing ground realities in the country. We must realize that the countries had data protection legal frameworks in place in the European ecosystem earlier. Still, these frameworks were to be replaced by a mother framework, the GDPR.
So, there was a culture of data protection. But in contrast, when I look at the Indian ecosystem, I find that the concept of data protection is virtually non-existent. This is because, in India, people still have the impression that they can copy anybody’s data, use it, and monetize it without fearing the consequences of the law.
So, for the first time, once the DPDP Act comes up, there will be a semblance of a detailed legal framework to protect data. However, when I look at the comparative provisions between the DPDP Act and the GDPR, I find that the GDPR is far more comprehensive, broad, and expansive in its ambit. The only deviation that India has made is that while GDPR provides for fines up to 4% of the annual total global turnover of the offending party, in India, we have chosen not to go down the route of defining fines in terms of the percentages of global annual turnover, but in terms of quantum of monies definable under Indian rupees.
Therefore, under the DPDP Act, the minimum fine imposed on a data fiduciary or a data processor must be 50 crore rupees. The maximum fine can go up to 250 crore rupees per contravention. So, this legislation quickly realizes that in India, people are not afraid to go to jail. But when you tell them we will take money from you, they will get serious and comply with the law.
By providing for these unprecedented fines of up to 250 crore rupees, the Indian DPDP Act marks and breaks new ground in data protection legislation in India. To that extent, it is different from the GDPR.
Let us quickly realize that GDPR is a mature model. It has been with us for many years, and there is now substantial jurisprudence on GDPR. However, in the context of the DPDP Act, once the federal legislation comes into being, we have to wait and see how the jurisprudence will evolve. In India, people still do not have respect for data, personal data of persons, or protection or related aspects. We also must be mindful that India does not have a dedicated law on cybersecurity.
Consequently, we find that it is a very different kind of ecosystem, wherein we are now trying to sow seeds of data protection. Only time will tell how they will actually flower and become more successful in the coming times.
CISO Forum: What are the key provisions of the DPDP Act, and how do they impact businesses and individuals in India?
Pavan Duggal: The DPDP promises to impact almost all business sectors in India. There’s not going to be a single sector that will be left outside the ambit, scope, applicability, or impact of the Digital Personal Data Protection Act. This is so because today, Indians in every sector use others’ data. If you are a company, you have your employees’ data. If you are a partnership or even a sole proprietorship, you are dealing with data of your customers, vendors, suppliers, and clients, and that being so, you are still covered under this law.
The government’s idea was to develop an all-encompassing law so that we could have common minimum standards of harmonization regarding data protection. That is the origin. Everybody is going to be impacted. Yes, you have to be mindful that the government will have the power to exempt certain entities from the applicability of the DPDP Act.
But even if they are exempt, they will still be required to ensure compliance with cybersecurity and other data protection parameters. So, all said and done, it is going to impact everyone. The million-dollar question is, will the 250 crore fine apply to anyone, or will everybody be exempt? As of now, the law states that the 250 crore rupees fine can be imposed on any entity or individual found to be violating or contravening the provisions of the DPDP Act.
So, everybody in the ecosystem has to tighten their belts and specifically remember the need to proactively comply with the DPDP Act and the draft DPDP rules as and when they are notified and implemented by the central government.
CISO Forum: What challenges do businesses face in complying with the DPDP Act, and how can they navigate these requirements effectively?
Pavan Duggal: Almost all sectors in India will face massive challenges in implementing the DPDP Act. The reason for this is not very easy. This is so because the DPDP Act is a generic legislation. It has kept many things grey and left it to the rulemaking power of the central government to specify the grey zones using distinctive rules. However, looking at the draft of the DPDP Rules 2025, one quickly realizes that almost all ambiguities under the DPDP Act have not been addressed. So, there are going to be huge problems.
For example, the DPDP Act has repealed section 43A of the IT Act, which deals with the remedy of seeking unlimited damages as compensation. This section will be repealed once the DPDP Act comes into force. If it is so repealed, we have to be mindful that this section has defined the concept of reasonable security practices.
You must be mindful that Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 defines ISO 27001 as a parameter of reasonable security practices and procedures. So once this law comes up, Section 43A is repealed, and the concept of reasonable security practices and procedures is thrown out the window. Instead, the DPDP Act has developed a new concept of reasonable security safeguards, which is much bigger, broader, and more comprehensive.
However, it includes not just security protocols but also encryption mechanisms. What those will be for each entity and sector is itself very significant. We do not have much clarity there. Hopefully, after the public comments, the government will give clarity, but we must realize that in this data ecosystem, a one-size-fits-all approach will not be the best. Why? Because the requirements for security and encryption in the banking and financial sectors would be utterly different from those in retail and manufacturing. So, you must develop sector-specific guidelines vis-a-vis security and reasonable security safeguards. So, that is one example. There is going to be a practical problem.
The government will give the country’s companies some time, an interim time, to ensure compliance. During that period, you are expected to do everything possible to have appropriate processes and documents in place to ensure compliance with the law. Once the preparation period is over, the full-blown legislation will come into force. And that is when a fine of 250 or 50 crore rupees will occur.
Therefore, there is a need for more proactive compliance. Each sector must now specifically ask the government what the draft DPDP rules mean for their industry, what specific new customized compliances they have to deal with, and how they can ensure that innocent or bona fide activities do not fall prey to contraventions under the DPDP Act or that they do not get exposed to criminal liability or even civil liability of fines up to 250 crore rupees.
So, a lot of grey zones are there; we hope that after the public comment period is over, the government will take into consideration all these comments and thereafter come up with more comprehensive, detailed, and finalized rules that can then illuminate, guide and supervise the working of various stakeholders in different sectors on how they can take cogent, proactive, practical steps to protect personal data in their respective fields of practice or discipline.
These are exciting times, but the bottom line is you all have to wake up from your deep slumber. The time for resting on your laurels is gone. The time for picking somebody’s data and misusing it is gone. Today, you will not be allowed to go ahead and collect or process data on any data principal until such time as you give a detailed written notice to the data principal, informing them of why you want to collect their data and the various objectives for which the data will be used.
Once you give this detailed notice and once the data principal consents to the notice by giving his crystal clear, free, unequivocal consent, then in such a scenario, you will be entitled to go ahead and use, collect, or process the personal data of the said data principal; otherwise, not. If you do not comply with this law, a sword of 250 crore rupees will always hang over your head.
Also, even when you comply with the law, you still do not know at what point in time your actions could become tantamount to contraventions under the DPDP Act, which then could still expose you to fines ranging from 50 crore rupees to 250 crore rupees. So, a lot of work is required by the data stakeholders to be on the right side of the law and to ensure that they do not face unprecedented fines of up to 250 crore rupees per contravention.