DPDP Act VS DPDP Act 2023 vs PDP Bill 2019: What Changed?
The original Personal Data Protection Bill went through 4 years of evolution before becoming the DPDP Act. Here's what was dropped, added, and modified.
From PDP Bill to DPDP Act: The Evolution
Indiaโs data protection journey started with the Justice Srikrishna Committeeโs draft in 2018, became the Personal Data Protection Bill 2019, was reviewed by a Joint Parliamentary Committee, withdrawn in 2022, and finally enacted as the Digital Personal Data Protection Act 2023. Understanding what changed helps interpret the final law.
Major Changes: PDP Bill โ DPDP Act
| Feature | PDP Bill 2019 | DPDP Act 2023 |
|---|---|---|
| Scope | All personal data (digital + offline) | Digital personal data only |
| Sensitive data | Defined categories (health, finance, biometric, genetic, caste, religion) | No separate category |
| Social media intermediaries | Special obligations, verified accounts | Removed |
| Data localization | Mandatory for critical personal data | Replaced with blacklist approach |
| DPA structure | Multi-member commission | Data Protection Board (leaner) |
| Right to data portability | Included | Not explicit |
| Non-personal data | Included in JPC version | Excluded entirely |
| Legal bases | Multiple legal bases for processing | Consent + legitimate use only |
| Complexity | 98 sections, very detailed | 44 sections, principle-based |
What Was Dropped
Sensitive Personal Data Categories: The PDP Bill had detailed categories โ health, financial, sexual orientation, caste, religious belief, biometric, genetic, and transgender status. DPDP dropped all of these, treating all personal data equally (for now). This simplifies compliance but potentially reduces protection for truly sensitive data.
Data Portability: The PDP Bill explicitly included the right to data portability โ allowing users to download their data in a machine-readable format and transfer it to another service. DPDP doesnโt include this right explicitly, though it may be addressed in subsequent rules.
Social Media Obligations: The 2019 Bill had specific provisions for social media intermediaries, including voluntary user verification. These were entirely removed from DPDP.
What Was Simplified
The entire structure: 98 sections became 44. Complex provisions were replaced with principle-based requirements that will be fleshed out through rules and DPB guidance. This makes the law more flexible but less prescriptive.
Enforcement: Instead of a large, multi-member Data Protection Authority, DPDP creates a smaller Data Protection Board focused on adjudication. This is intended to be nimbler but has raised concerns about capacity.
Why This Matters
The evolution from PDP Bill to DPDP Act tells you how the government thinks about data protection:
- Simplicity over comprehensiveness โ DPDP is intentionally simpler
- Digital-first โ offline data is excluded, for now
- Rules will fill gaps โ many details will come through subordinate legislation
- Industry-friendly approach โ the removal of data localization and sensitive data categories reduces compliance burden
- Iterative approach โ expect updates and additional rules as enforcement matures
Confused by the differences?
Dual compliance is tricky. Our experts can help you navigate both DPDP Act 2023 vs PDP Bill 2019: What Changed? and DPDP requirements.
Book Strategy Call