BACK TO DPDP ACT
DPDP Act 2023

Section 1

Short Title, Extent and Commencement

THE STATUTE

Original Text

(1) This Act may be called the Digital Personal Data Protection Act, 2023. (2) It extends to the whole of India and also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. (3) It shall come into force on such date as the Central Government may, by notification, appoint; and different dates may be appointed for different provisions of this Act.

Simplified

Section 1 establishes India's data protection jurisdiction in two critical dimensions. Domestically, it covers all processing of digital personal data within India. Extra-territorially, it follows the GDPR's 'targeting' principle: any foreign entity that processes data of Indian residents in connection with offering goods or services to them is subject to the DPDP Act, regardless of where the entity is located. This means a US e-commerce company shipping to India, a UK streaming platform with Indian subscribers, or a European app processing Indian users' data must all comply with Indian data protection law. The offshore application is a major expansion of India's regulatory reach — unlike the IT Act's SPDI Rules which only clearly applied to entities 'in India'. The phased commencement approach allows the government to notify different provisions at different dates, enabling a graduated rollout as the Data Protection Board infrastructure and subsidiary rules are established. As of 2024-25, the Central Government has been rolling out provisions in tranches.

Common Queries

The DPDP Act 2023 received Presidential assent on 11 August 2023 but has not been brought fully into force at once — Section 1(3) provides for phased commencement by Central Government notification. Different provisions are being notified at different dates, allowing the government to build the Data Protection Board infrastructure before full compliance obligations go live.
Yes. Section 1(2) extends the Act to India and also applies to processing outside India that is connected with offering goods or services to Data Principals in India. An Indian company with international operations that processes data of Indian users even outside India must comply.
The Act applies to all Data Fiduciaries by default, but the Central Government can exempt classes of small businesses or startups under Section 17(4). Until a specific exemption is notified, even small businesses processing digital personal data technically have DPDP obligations — though enforcement priority will likely focus on larger entities first.
The IT Act 2000 and its SPDI Rules 2011 were piecemeal, lacked enforcement teeth, had unclear extra-territorial reach, did not create Data Principal rights, and predated the explosion of digital data collection. The DPDP Act creates a comprehensive rights-based framework mandated by the Supreme Court's recognition of privacy as a fundamental right in Puttaswamy (2017).

Legal Context

The DPDP Act 2023 came after a decade-long journey. The Justice B.N. Srikrishna Committee submitted its report in 2018; the Personal Data Protection Bill 2019 was introduced, referred to a Joint Parliamentary Committee which submitted its report in 2021, but the bill was withdrawn in 2022. A more streamlined Digital Personal Data Protection Bill 2022 was circulated for public consultation, and the final DPDP Act 2023 received Presidential assent on 11 August 2023. The Supreme Court's Puttaswamy judgment (2017) establishing privacy as a fundamental right was the constitutional mandate that made comprehensive data protection legislation unavoidable.

Key Rules & Provisions

First comprehensive standalone data protection statute in India — supersedes the patchwork of IT Act Section 43A and SPDI Rules.

Extra-territorial application using targeting principle — modelled on GDPR Article 3.

Phased commencement enables infrastructure-first rollout of the Data Protection Board.

Related Case Laws

K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

9-judge bench held privacy is a fundamental right — the constitutional foundation that necessitated the DPDP Act and informs interpretation of all its provisions.