DPDP Act 2023 vs IT Act 2000: What Changed and What It Means for Your Business

How India's Digital Personal Data Protection Act 2023 supersedes the IT Act 2000 Section 43A and the SPDI Rules 2011. A regulatory comparison for compliance officers and business leaders.

India’s Data Protection Framework Just Changed

For over a decade, India’s data protection obligations sat inside the Information Technology Act, 2000: specifically, in Section 43A (inserted via the 2008 amendment) and in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These instruments were not purpose-built data protection legislation. They were afterthoughts grafted onto a law originally drafted to regulate electronic commerce and cybercrime.

The IT Act 2000 arrived when India’s internet user base was under 20 million. It addressed digital signatures, electronic governance, and computer-related offences. Personal data protection was not a consideration at the time of drafting. When Section 43A was added eight years later, it introduced the concept of a “body corporate” being liable for negligent handling of sensitive personal data. The SPDI Rules followed three years after that, attempting to define what “sensitive personal data” meant and what “reasonable security practices” looked like.

This framework served as India’s de facto data protection regime until the Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023. The DPDP Act represents India’s first dedicated personal data protection statute. It replaces an incidental, narrow, and weakly enforced framework with one that is specific in scope, broad in applicability, and backed by material financial penalties.

Understanding what changed between the two regimes is not an academic exercise. It determines what your organisation must do differently starting now.

IT Act Section 43A vs DPDP Act: Side-by-Side Comparison

The following table maps the key regulatory dimensions across both frameworks. Every row represents a compliance obligation that has shifted.

| Dimension | IT Act 2000 / Section 43A + SPDI Rules 2011 | DPDP Act 2023 |
|---|---|---|
| Primary purpose | Electronic commerce and cybercrime regulation | Personal data protection |
| Scope of data covered | “Sensitive personal data or information” (SPDI) only | All digital personal data |
| Definition of personal data | Narrow: passwords, financial data, health data, sexual orientation, biometrics, medical records | Broad: any data about an identifiable individual in digital form |
| Who is regulated | “Body corporates” (companies and LLPs) | Any person processing digital personal data (individuals, companies, government, trusts) |
| Consent model | Opt-out for general data; opt-in for SPDI collection | Opt-in for all personal data processing; free, specific, informed, unconditional |
| Data subject rights | Limited: access and correction of SPDI only | Comprehensive: information, correction, erasure, grievance redressal, nomination |
| Children’s data | No specific provisions | Verifiable parental consent required for under-18s; restrictions on tracking and targeted advertising |
| Cross-border transfers | No restrictions (SPDI Rules had contractual safeguard requirement) | Government may restrict transfers to specified countries via notification |
| Breach notification | No mandatory notification requirement | Mandatory notification to the Data Protection Board and affected Data Principals |
| Enforcement body | Adjudicating Officers under IT Act; CERT-In for incidents | Data Protection Board of India (DPBI) |
| Maximum penalty | Rs 5 crore (compensation-based, per adjudication) | Rs 250 crore per contravention |
| Compliance verification | Self-certification; ISO 27001 as deemed compliance | Obligations defined in statute; significant data fiduciaries face additional requirements including audits and DPO appointment |

The magnitude of the shift is visible across every dimension. The DPDP Act is not an incremental update to Section 43A. It is a replacement architecture.

What the SPDI Rules Got Wrong

The SPDI Rules of 2011 represented India’s first attempt at codifying data protection obligations. They deserve recognition for establishing baseline concepts: consent for collection, purpose limitation, reasonable security practices. But they contained structural weaknesses that rendered them ineffective as a data protection framework.

Narrow Applicability

The Rules applied only to “body corporates” handling “sensitive personal data or information.” This excluded government bodies, unincorporated entities, partnerships, and individuals acting in a professional capacity. It also excluded all personal data that did not fall within the enumerated SPDI categories. If your organisation collected names, addresses, email addresses, and purchase histories but not passwords or health records, the Rules did not apply.

Vague Definitions

The term “reasonable security practices and procedures” was left undefined beyond a reference to IS/ISO/IEC 27001 or “codes of best practices” approved by the government. Organisations that obtained ISO 27001 certification were deemed compliant regardless of whether they actually protected the data in question. The standard became a checkbox rather than a meaningful security requirement.

For general personal data, the Rules allowed an opt-out model. Organisations could collect and process data unless the individual explicitly objected. Even for SPDI, the consent requirement lacked specificity about what constituted valid consent, how withdrawal should be facilitated, or what obligations arose upon withdrawal.

No Independent Regulator

Enforcement sat with Adjudicating Officers appointed under the IT Act, the same officials responsible for adjudicating cybercrime disputes. There was no dedicated data protection authority, no proactive enforcement mechanism, and no systematic compliance monitoring. The result was predictable: enforcement actions were rare, penalties were modest, and compliance was treated as optional by most organisations.

No Breach Notification

The SPDI Rules contained no obligation to notify individuals or any authority when a data breach occurred. CERT-In’s 2022 directions introduced a 6-hour incident reporting requirement, but this applied to cybersecurity incidents broadly, not specifically to personal data breaches with corresponding obligations toward affected individuals.

What the DPDP Act Changes

The DPDP Act 2023 addresses each of the SPDI Rules’ structural weaknesses. The changes are not cosmetic. They represent a fundamentally different regulatory philosophy.

Broader Scope

The Act applies to every person (not just body corporates) processing digital personal data within India, or processing digital personal data of individuals in India from outside India. Government bodies are explicitly included. The scope covers all digital personal data, not just enumerated sensitive categories.

Consent under the DPDP Act must be free, specific, informed, and given through a clear affirmative action. Consent requests must be presented in plain language, accompanied by a notice specifying the data being collected and the purpose of processing. The Act mandates that withdrawal of consent must be as easy as giving it, and that withdrawal does not affect the lawfulness of processing completed before withdrawal.

Data Principal Rights

The Act establishes a structured rights framework for Data Principals:

  • Right to information about what data is being processed and why
  • Right to correction and erasure of personal data
  • Right to grievance redressal directly with the Data Fiduciary, with escalation to the Data Protection Board
  • Right to nominate another individual to exercise rights in case of death or incapacity

These rights create operational obligations. Organisations must build the infrastructure to receive, verify, and fulfil rights requests within prescribed timelines.

Independent Enforcement

The Data Protection Board of India operates as a dedicated adjudicatory body. It receives complaints, conducts inquiries, and imposes penalties. This is a purpose-built enforcement mechanism, not a general IT tribunal handling data protection as a side responsibility.

Material Penalties

The penalty framework reaches Rs 250 crore per contravention, with specific penalty schedules for different categories of non-compliance. The scale of financial exposure transforms data protection from a theoretical risk into a board-level concern.

Cross-Border Transfer Controls

The Central Government may restrict transfers of personal data to specified countries or territories by notification. This power did not exist under the IT Act framework. Organisations with international data flows must monitor government notifications and adjust their transfer mechanisms accordingly.

Breach Notification

Mandatory breach notification to both the Data Protection Board and affected Data Principals is a new obligation. The IT Act framework had no equivalent requirement for personal data breaches specifically.

The Transition Period

The DPDP Act has received Presidential assent but key provisions await notification of their effective dates by the Central Government. The rules under the Act are still being drafted. During this period, Section 43A and the SPDI Rules technically remain in force for matters they cover.

When the relevant DPDP Act provisions are brought into effect, Section 43A is expected to be repealed or significantly narrowed for personal data matters. The DPDP Act explicitly states that its provisions shall have effect notwithstanding anything inconsistent contained in any other law.

What Businesses Should Do Now

Waiting for the final rules is not a compliance strategy. The Act’s core obligations, including consent requirements, Data Principal rights, and breach notification, are defined in the statute itself. The rules will provide procedural detail, not change the fundamental obligations.

During this transition, organisations should:

  1. Map existing data processing activities against DPDP Act requirements, not just SPDI Rules categories
  2. Audit current consent mechanisms for compliance with the Act’s consent standards
  3. Establish rights fulfilment processes before the first Data Principal request arrives
  4. Document lawful bases for all personal data processing activities
  5. Review cross-border data transfers and identify dependencies on jurisdictions that may be restricted

The DPDP compliance timeline provides a structured view of expected enforcement milestones.

What This Means for Your Compliance Programme

If your organisation was compliant with the SPDI Rules, you are not automatically compliant with the DPDP Act. The gap between the two frameworks is too wide for inherited compliance.

Key New Obligations

| Obligation | SPDI Rules Status | DPDP Act Requirement |
|---|---|---|
| Consent for all personal data (not just SPDI) | Not required | Mandatory |
| Consent notice in plain language | No format prescribed | Specified format with itemised purposes |
| Withdrawal mechanism | Vaguely referenced | Must be as easy as giving consent |
| Right to erasure | Not recognised | Mandatory upon valid request |
| Right to nomination | Not recognised | Must be facilitated |
| Breach notification to individuals | Not required | Mandatory |
| Children’s data protections | Not addressed | Verifiable parental consent; no tracking |
| Data Protection Officer appointment | Not required | Required for significant data fiduciaries |
| Periodic data protection audit | Not required | Required for significant data fiduciaries |

The Gap Analysis Is Not Optional

Every organisation processing digital personal data of individuals in India needs to conduct a structured gap analysis between its current compliance posture (built for SPDI Rules or ISO 27001) and the DPDP Act’s requirements. The areas most likely to reveal gaps are:

  • Consent infrastructure. Most organisations lack purpose-specific, withdrawable consent mechanisms that meet the Act’s standards.
  • Rights fulfilment workflows. Correction, erasure, and information rights require operational processes that did not exist under the old regime.
  • Breach response plans. Notification obligations to both the Board and affected individuals require documented procedures, designated response teams, and tested communication channels.
  • Vendor and processor management. Data Fiduciary obligations extend to how processors handle data on your behalf.

If you have not compared your current data protection programme against the DPDP Act’s requirements, start with the free DPDP Gap Assessment. It maps your organisation’s current posture against the Act’s obligations and identifies where the gaps are.

For a structured walkthrough of every compliance requirement, use the DPDP Compliance Checklist.

The old framework is ending. The new one is already law. The only variable is how prepared your organisation will be when enforcement begins.