Q4 - How does DPDPA interact with existing Indian laws (IT Act, RBI, IRDAI, SEBI, etc.)?
The Digital Personal Data Protection Act, 2023 (DPDPA) does not replace India’s existing legal and regulatory frameworks — instead, it is designed to complement and coexist with them. The DPDPA serves as an umbrella data protection law that applies across all sectors, while sectoral regulators such as the Reserve Bank of India (RBI), Insurance Regulatory and Development Authority of India (IRDAI), and Securities and Exchange Board of India (SEBI) continue to enforce industry-specific rules related to security, privacy, and information governance.
Comparison: DPDPA vs IT Act vs RBI vs IRDAI vs SEBI
| Aspect | DPDPA, 2023 | Information Technology Act, 2000 | RBI Regulations | IRDAI Guidelines | SEBI Cybersecurity Framework |
|---|---|---|---|---|---|
| Primary Focus | Personal data protection, consent, rights of individuals | Cybercrime, digital signatures, unauthorized access, data protection (limited) | Financial data security, payment data localization, IT governance | Confidentiality of policyholder data, IT & outsourcing oversight | Protection of investor data, system security, incident response |
| Scope of Coverage | All organizations processing personal data (public and private) | All entities handling computer resources or digital systems | Banks, NBFCs, payment companies, FinTechs | Insurance companies, brokers, TPAs, reinsurers | Stock brokers, exchanges, depositories, mutual funds |
| Key Regulator | Data Protection Board of India (DPBI) under MeitY | CERT-In and Ministry of Electronics & IT | Reserve Bank of India (RBI) | Insurance Regulatory and Development Authority of India (IRDAI) | Securities and Exchange Board of India (SEBI) |
| Core Obligations | Lawful processing, purpose limitation, consent, user rights, data breach reporting | Implement security practices, protect data from unauthorized access, report cyber incidents | Secure storage and processing of customer data, payment data localization, cyber audit reporting | Obtain explicit consent, secure outsourcing, incident management | Ensure investor data protection, incident reporting, annual cybersecurity audits |
| Rights of Individuals | Yes — right to access, correction, erasure, grievance redressal | Limited — not explicitly defined | No explicit individual rights (focused on institutional compliance) | Implicit consent rights for policyholders | Limited — focused on investor protection via intermediaries |
| Consent Requirements | Explicit, verifiable, purpose-specific consent required for processing | Not detailed (pre-DPDPA) | Customer consent for KYC and data sharing (as per RBI directions) | Written consent for sharing policyholder data | Disclosure-based consent in investor onboarding |
| Breach Notification | Mandatory to the Data Protection Board and affected individuals | Mandatory to CERT-In | Mandatory to RBI within defined timelines | Mandatory to IRDAI within 24 hours | Mandatory to SEBI immediately after detection |
| Data Localization | Permitted unless restricted by Government order | Not mandated | Mandatory for payment data (RBI 2018 Circular) | Encouraged for sensitive insurance data | Recommended for trading and KYC data |
| Penalties | Up to ₹250 crore depending on nature of breach | Compensation-based; lower financial penalties | Regulatory penalties, monetary fines, or license actions | Penalties under IRDAI Act and IT Act | Penalties, license suspension, or enforcement actions |
| Cross-Border Data Transfers | Allowed subject to conditions notified by Government | No specific regulation | Restricted for payment data | Allowed with safeguards and consent | Allowed under SEBI oversight and market data rules |
| Sector-Specific Application | All sectors (horizontal law) | All sectors (cyber law focus) | Financial sector (vertical law) | Insurance sector (vertical law) | Securities & capital markets (vertical law) |
| Overlap With DPDPA | — | Cyber incident reporting, security standards | Consent, retention, data protection obligations | Consent, data sharing, retention | Security and data breach reporting |
| Conflict Resolution | DPDPA prevails where higher data protection is provided | Harmonized through government notification | Must comply with both frameworks | Must comply with both frameworks | Must comply with both frameworks |
1. Relationship with the Information Technology Act, 2000
The DPDPA is meant to supersede overlapping provisions of the IT Act concerning data protection and privacy, while retaining the IT Act’s role in areas such as cybercrimes and digital contracts.
- Sections 43A and 72A of the IT Act — which previously governed compensation and penalties for data breaches — will eventually become redundant once the DPDPA is fully enforced.
- However, cybercrime offences, hacking, unauthorized access, and digital evidence provisions under the IT Act continue to apply.
- The DPDPA focuses on lawful processing, consent, and data rights, while the IT Act remains focused on security and criminal enforcement.
Example: if a company’s database is hacked:
- The IT Act applies to prosecute the hacker and manage cybercrime reporting.
- The DPDPA applies to ensure the company had appropriate safeguards and consent mechanisms in place before the breach occurred.
2. Relationship with RBI Regulations (Banking & FinTech)
The Reserve Bank of India (RBI) already enforces stringent data security and localization norms, particularly for:
- Payment data (as per RBI’s 2018 circular on data storage).
- Customer privacy and confidentiality (as per the Banking Regulation Act and Master Directions).
The DPDPA adds another layer of accountability:
- Banks and FinTechs must now ensure lawful processing and consent in addition to data security.
- RBI’s data localization mandates remain valid — the DPDPA does not override them.
- Non-compliance with either framework can result in penalties under both DPDPA and RBI regulations.
In short, the DPDPA governs how personal data is collected, shared, and erased, while the RBI governs where financial data is stored and how it must be secured.
3. Relationship with IRDAI Regulations (Insurance Sector)
The Insurance Regulatory and Development Authority of India (IRDAI) mandates insurers to:
- Maintain confidentiality of policyholder information.
- Obtain explicit consent before sharing data with third parties.
- Follow strict outsourcing and IT security guidelines.
The DPDPA reinforces these duties:
- Consent and grievance-handling requirements under DPDPA now apply in addition to IRDAI’s circulars.
- Insurers must ensure their Consent Managers and third-party processors comply with both DPDPA and IRDAI guidelines.
Example: an insurance company sharing customer data with a health analytics firm must comply with both:
- IRDAI’s outsourcing norms, and
- DPDPA’s consent and purpose limitation rules.
4. Relationship with SEBI Regulations (Securities & Capital Markets)
The Securities and Exchange Board of India (SEBI) mandates regulated entities such as brokers, depositories, and exchanges to:
- Maintain IT and cyber resilience frameworks.
- Ensure investor data confidentiality.
- Report cybersecurity incidents promptly.
The DPDPA complements SEBI’s framework by:
- Adding individual rights of Data Principals (investors, clients).
- Requiring lawful consent for personal data usage.
- Extending obligations for breach notification to the Data Protection Board of India in addition to SEBI.
5. Coexistence and Non-Derogation Clause
Under Section 29(4) and related interpretative principles of the DPDPA:
- The Act operates in addition to, not in substitution of, other sectoral laws.
- Where two laws conflict, the rule providing higher protection to personal data will prevail.
- The Central Government may issue harmonization guidelines to resolve overlaps between DPDPA and sectoral regulations.
6. Unified Oversight in Practice
| Area | Primary Regulator | DPDPA Role | Complementary Regulation |
|---|---|---|---|
| Cybersecurity & breaches | CERT-In / MeitY | Mandates breach notification to Data Protection Board | IT Act, CERT-In Directions (2022) |
| Banking & FinTech | RBI | Consent, retention, lawful use | RBI Master Directions, Payment Data Circular |
| Insurance | IRDAI | Consent, purpose limitation | IRDAI IT & Outsourcing Guidelines |
| Securities & Investments | SEBI | Lawful processing, grievance | SEBI Cybersecurity Framework |
| Data Protection & Privacy | Data Protection Board of India | Core privacy and rights enforcement | Applies to all sectors |
Compliance with RBI, SEBI, or IRDAI frameworks does not automatically ensure DPDPA compliance.
Organizations must map and align both regulatory obligations — particularly around consent management, retention, and breach reporting.
Referenced Provisions:
- Section 8 – General obligations of Data Fiduciaries.
- Section 33(1) – Penalties for non-compliance.
- Section 40(2) – Government rule-making powers for harmonization with other laws.
- Section 17(5) – Temporary exemptions for certain classes of Data Fiduciaries.
- Information Technology Act, 2000 (Sections 43A, 72A) – Security and compensation provisions (to be harmonized with DPDPA).