Understanding the DPDP Act 2023: What Lawyers Need to Know
The Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by the Lok Sabha on 7 August 2023 and by the Rajya Sabha on 9 August 2023, received Presidential assent on 11 August 2023, and was published in the Gazette of India as Act No. 22 of 2023. It marks the end of a legislative journey that began with the Justice B.N. Srikrishna Committee report in 2018. The Act replaces the regime previously governed by Section 43A of the Information Technology Act, 2000 (which the DPDP Act omits from the IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 made under it. Its provisions come into force on the dates the Central Government notifies under Section 1(2), so practitioners should track the commencement notifications and the Rules made under the Act rather than assume every obligation applied from the date of assent.
For practicing advocates, the DPDP Act is not merely another statute to be aware of -- it fundamentally changes how law firms, legal technology platforms, and individual practitioners handle personal data in the course of their work.
Key Concepts and Definitions
The DPDP Act introduces a set of defined terms that form the foundation of the new data protection framework. Understanding these is essential before examining the substantive provisions:
- Data Principal: The individual to whom personal data relates. In the legal context, this includes clients, witnesses, opposing parties, and any individual whose personal data a law firm processes.
- Data Fiduciary: Any person (including an entity) who, alone or in conjunction with others, determines the purpose and means of processing personal data. A law firm, a legal technology company, or even a solo practitioner collecting client data qualifies as a Data Fiduciary.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary. A cloud hosting provider or a legal research platform used by a law firm would be a Data Processor. The Act places its obligations on the Data Fiduciary; a Data Processor is bound through the contract that the Fiduciary must have in place with it (Section 8(2)), so the Fiduciary stays answerable for what its Processors do.
- Significant Data Fiduciary: A Data Fiduciary notified as such by the Central Government under Section 10, on factors such as the volume and sensitivity of personal data processed and the risk to Data Principals. Significant Data Fiduciaries face additional obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting Data Protection Impact Assessments.
Consent: The Foundation of Lawful Processing
Section 4 of the DPDP Act permits processing only for a lawful purpose, and only either with the Data Principal's consent or for one of the "legitimate uses" in Section 7. Section 6 requires that consent be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. Consent must be preceded by a notice under Section 5, can be withdrawn at any time with the same ease with which it was given (Section 6(4)), and, if the question is ever disputed, the Data Fiduciary bears the burden of proving that notice was given and consent obtained (Section 6(10)). Pre-ticked boxes, consent inferred from silence, or bundled consent (consent for data processing tied to an unrelated service) do not meet this standard.
Section 7 lists the "legitimate uses" for which consent is not required. These include personal data the Data Principal has voluntarily provided for a specified purpose, processing necessary for the State to provide subsidies, benefits or services, processing for compliance with any judgment, decree or order, processing in a medical emergency, and processing for employment purposes. Notably for lawyers, processing to comply with a court order or judgment is a legitimate use, so advocates do not need separate consent when processing data pursuant to judicial directions. Separately, Section 17(1)(a) exempts processing that is necessary for enforcing any legal right or claim from the consent, notice and Data Principal rights provisions, though the core obligations in Section 8(1) and the duty to maintain reasonable security safeguards in Section 8(5) continue to apply. Much litigation-related processing will therefore rest on Section 7 or Section 17 rather than on consent, but the security duty never falls away.
However, the consent requirement applies fully when a law firm collects client data for its own business purposes, such as client onboarding, billing, or marketing. Law firms must implement proper consent mechanisms with clear, plain-language notices that meet Section 5: what personal data is being collected and for what purpose, how the Data Principal can exercise their rights and withdraw consent, and how they can complain to the Data Protection Board of India.
Rights of the Data Principal
The DPDP Act grants Data Principals a set of enforceable rights under Sections 11 through 14:
- Right to access information: Data Principals can request a summary of the personal data being processed and the processing activities undertaken, and the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared, with a description of the data shared.
- Right to correction and erasure: Data Principals can request the correction of inaccurate or misleading personal data, the completion of incomplete data, the updating of outdated data, and the erasure of data that is no longer necessary for the purpose for which it was collected.
- Right to grievance redressal: Data Principals have the right to have their grievances addressed by the Data Fiduciary within a prescribed timeframe.
- Right to nominate: Data Principals can nominate another individual to exercise their rights in the event of their death or incapacity.
For law firms, these rights create operational obligations. If a former client requests erasure of their personal data, the firm must evaluate whether retention is still necessary for the specified purpose or required for compliance with any law (Section 12(3)), for example under the Bar Council of India rules on record retention or limitation period requirements, and respond accordingly within the prescribed period.
Obligations of the Data Fiduciary
Section 8 of the Act, read with the consent provisions in Section 6, imposes obligations on Data Fiduciaries that directly affect how law firms and legal technology companies must operate (Section 9 deals separately with the personal data of children, which calls for verifiable parental consent):
- Purpose limitation: Personal data may only be processed for the specified purpose for which consent was obtained. A law firm that collects client data for a specific matter cannot use it for unrelated marketing campaigns without obtaining fresh consent.
- Data minimisation: The Act does not use the term, but Section 6(1) limits consent to the personal data necessary for the specified purpose, which has the same effect. Collecting excessive personal information during client onboarding -- such as Aadhaar numbers when only email and phone number are needed -- would fall outside that consent.
- Storage limitation: Under Section 8(7), personal data must be erased once the Data Principal withdraws consent or the specified purpose is no longer served, unless retention is required by law. Once a matter is concluded and the retention period under applicable rules has expired, the data must be erased.
- Reasonable security safeguards: Section 8(5) requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. This includes technical measures (encryption, access controls) and organisational measures (staff training, data handling policies).
- Breach notification: Under Section 8(6), in the event of a personal data breach the Data Fiduciary must intimate both the Data Protection Board of India and each affected Data Principal, in the form and manner prescribed by the Rules. The Act itself sets no materiality threshold: a "personal data breach" is defined broadly as any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data.
How the DPDP Act Affects Legal Practice
The practical impact on law firms and legal practitioners is significant. Law firms are Data Fiduciaries for client data. They process personal data of clients, opposing parties, witnesses, and others in the course of litigation and advisory work. Once the relevant provisions are brought into force, every law firm, regardless of size, must have a data protection framework that includes consent mechanisms, records of the notices given and consents obtained (sufficient to discharge the burden of proof under Section 6(10)), security safeguards, and breach response protocols.
Legal technology platforms used by firms are typically Data Processors. If a law firm uses a cloud-based case management system or an AI legal research tool, the provider of that tool is a Data Processor and may be engaged only under a valid contract (Section 8(2)). The law firm, as Data Fiduciary, remains responsible for ensuring that its Data Processors maintain adequate security and comply with the Act, so the contract should cover security safeguards, breach reporting back to the firm, and erasure at the end of the engagement.
The penalty framework under the DPDP Act is substantial. Section 33 and the Schedule to the Act prescribe penalties of up to Rs. 250 crore (roughly USD 30 million) for failing to take reasonable security safeguards to prevent a personal data breach, up to Rs. 200 crore for failing to notify the Board or affected Data Principals of a breach, and up to Rs. 50 crore for breaches of any other provision. The Data Protection Board of India, established under Section 18, is the adjudicatory body that imposes these penalties after an inquiry, taking into account the nature, gravity and duration of the breach and the mitigating steps taken.
How ApuaLegal Ensures DPDP Compliance
ApuaLegal has been built with DPDP Act compliance as a foundational design principle, not an afterthought. The platform operates on Google Cloud's Mumbai region (asia-south1), ensuring all data remains within India. Here is how ApuaLegal addresses each key requirement of the Act:
- Explicit consent: Users provide clear, informed consent during account creation. The consent notice is presented in plain language, separately from the terms of service, and specifies exactly what data is collected and how it is used.
- Data minimisation: ApuaLegal collects only the data necessary to provide its services -- name, email, bar council enrollment number (for verification), and usage data. No unnecessary personal identifiers are collected.
- Data Principal rights: Users can access, correct, and request deletion of their personal data through their account settings. The platform supports data export in standard formats.
- Security safeguards: All data is encrypted at rest and in transit. Access controls follow the principle of least privilege. Regular security audits are conducted.
- Breach notification: ApuaLegal maintains an incident response protocol that complies with the notification requirements under the DPDP Act.
For law firms evaluating AI tools, DPDP compliance should be a threshold requirement. The Act does not mandate data localisation: Section 16 permits transfer of personal data outside India except to countries the Central Government restricts by notification, and stricter sectoral or court-imposed requirements may apply on top of it. What a firm must be able to establish is that the platform obtains explicit consent, can demonstrate reasonable security safeguards, and operates under a contract that meets Section 8(2). A platform that cannot show these things poses a compliance risk that could expose the firm, which remains the Data Fiduciary, to significant penalties.