In recent weeks, India’s legislators passed a data protection law that outlines how technology companies handle users’ data. The Digital Personal Data Protection Act, 2023 gives government authorities powers to request information from firms and issue directives to block content based on the recommendations of a data protection board appointed by the federal government. It also grants the government the power to exempt state agencies from its provisions while affording users the right to amend or delete their personal data.   

This is an evolution of India’s Personal Data Protection Bill, 2019, and introduces penalties of up to 2.5 billion rupees ($30 million) for infringements and noncompliance. The expanded scope of exemptions has raised concerns among certain rights groups, particularly regarding potential weakening of the landmark Right to Information law established in 2005. It enables citizens to obtain data from public officials, such as state employee salaries.  

The Digital Personal Data Protection Bill,2022 introduced the concept of “deemed consent,” wherein, under specific circumstances, an individual’s silence or inaction could signify consent. Section 7 of the Digital Personal Data Protection Act, 2023 modifies the deemed consent process, replacing it with a set of “Certain Legitimate Uses” for which “data fiduciaries” (controllers) may process personal data. One example of a “legitimate use” arises where a “data principal” (individual) has voluntarily provided their personal data for a specified purpose and has not indicated that they do not consent to such use.  

For entities regularly engaged in collecting and processing employee data, the notion of “Certain Legitimate Uses” presents a dual challenge. While streamlined consent processes could ease administrative burdens and enhance efficiency, organisations must exercise caution, aligning their data collection practices with the fairness, transparency, and accountability principles enshrined in the law.   

Furthermore, the Digital Personal Data Protection Act strengthens the right to withdraw consent, granting individuals the ability to retract their agreement at any point. Organisations are now mandated to establish mechanisms that facilitate this withdrawal process, ensuring individuals retain full control over their personal data where they have provided consent. Non-compliance with this provision could result in legal repercussions, underscoring the necessity for organisations to establish robust consent management systems.  

As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients to address internal data privacy concerns and business practices. If you have any concerns on navigating the update to the Indian Digital Personal Information Protection Act, 2023, or any other emerging issues, we can support your team. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at