India DPDP Act
Definition
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law. It governs how personal data in digital form, including the biometric and demographic data collected during eKYC, is collected, processed, stored and protected. It applies to processing within India and to processing outside India that is connected with offering goods or services to individuals in India.
Key Provisions for eKYC
| Provision | Impact on eKYC |
|---|---|
| Consent | Obtain free, specific, informed, unconditional and unambiguous consent, given by a clear affirmative action, before processing personal data; the consent request must be accompanied by a notice stating what data is collected and for what purpose |
| Purpose limitation | Data collected for eKYC may be used only for the stated verification purpose; any other use needs fresh consent |
| Data minimization | Collect only the data necessary for verification; consent is valid only for data necessary for the specified purpose |
| Storage limitation | Erase data once the purpose is served, unless a law (e.g. PMLA/RBI KYC record-keeping rules) requires longer retention |
| Data fiduciary obligations | Whoever determines the purpose and means of eKYC processing (typically the regulated entity onboarding the customer) is a "data fiduciary", responsible for accuracy, reasonable security safeguards and erasure, and remains liable even where a processor handles the data |
| Data processor obligations | A third-party eKYC vendor processing data on a fiduciary's behalf is a "data processor" and may process only under a contract and on the fiduciary's instructions |
| Cross-border transfer | Allowed by default, except to countries the Central Government restricts by notification; any other law imposing stricter restrictions (e.g. RBI data localisation requirements) continues to apply |
| Breach notification | Notify the Data Protection Board of India and each affected individual of a personal data breach, in the form and manner prescribed |
| Children's data | Individuals under 18: verifiable parental consent is required, and tracking, behavioural monitoring or targeted advertising directed at children is prohibited |
DPDP vs Aadhaar Act Interplay
| Aspect | Aadhaar Act | DPDP Act |
|---|---|---|
| Scope | Aadhaar number, authentication and Aadhaar e-KYC specifically | All processing of digital personal data |
| Consent | Purpose-specific consent for Aadhaar authentication, with the purpose disclosed to the Aadhaar holder | General consent framework for all personal data (free, specific, informed, unconditional, unambiguous) |
| Data sharing | Authentication returns only a yes/no response; e-KYC returns demographic data and photo; core biometric information is never shared | Data minimisation principle (collect and share only what the stated purpose needs) |
| Retention | Authentication records retained by UIDAI under the Aadhaar regulations | General storage-limitation principle (erase once the purpose is served unless law requires retention) |
Penalties
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 crore (~$30M) |
| Failure to notify a breach to the Board or affected individuals | Up to ₹200 crore (~$24M) |
| Breach of obligations relating to children's data | Up to ₹200 crore (~$24M) |
| Breach of any other provision of the Act | Up to ₹50 crore (~$6M) |
Key Takeaways
Summary
- The DPDP Act applies to all eKYC processing of digital personal data in India; collecting biometric or demographic data requires valid consent preceded by a notice of purpose
- Purpose limitation means eKYC data can't be repurposed (e.g. for marketing) without fresh consent
- Cross-border transfers are permitted by default (unlike GDPR) except to restricted countries, but stricter sectoral localisation rules (e.g. RBI's) still apply
- AML retention (5 years after the end of the business relationship, under the PMLA rules and RBI KYC directions) continues to apply; DPDP's erasure duty yields to retention required by law
- Penalties reach ₹250 crore, with the top tier reserved for failure to maintain reasonable security safeguards; significant for eKYC providers serving Indian banks