Published on 08th August 2025
Authored By: Ojasvi Sharma
Banasthali Vidyapith
Introduction
In recent years, India has witnessed a huge shift towards digitalization, with a significant rise in digital transactions, internet users and data-driven governance. This digital revolution, while fostering innovation and convenience, has also led to an exponential increase in the volume of personal data being collected, stored and processed by public and private entities alike. However, the absence of a comprehensive legal framework governing personal data has left individuals vulnerable to data breaches, unauthorized surveillance, and misuse of their personal information.
The need for a legal framework became pressing following the Supreme Court's landmark ruling in Justice K.S. Puttaswamy v. Union of India, where the Court unanimously recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India.[1] The ruling made it clear that it was important to create a legal framework to protect privacy in the digital age.
Parliament enacted the Digital Personal Data Protection Act, 2023, marking a pivotal moment in India's data protection regime. The Act seeks to regulate individuals' personal data in a manner that respects their privacy while enabling lawful and secure data use for legitimate purposes.
Background
India's journey towards establishing a legal framework for data protection has been gradual and slow, shaped largely by judicial intervention and international developments. For many years India lacked a data protection law, instead relying on fragmented provisions in the Information Technology Act, 2000. However, these were limited in scope, because they primarily addressed data security rather than data privacy as a substantive right.
A significant turning point came with the Supreme Court's decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, where the Court held that the right to privacy is a fundamental right intrinsic to life and personal liberty under Article 21 of the Constitution.[2] The Court emphasized that informational privacy, which is the ability of individuals to control the sharing of personal data, requires strong protections against unfair actions by the state or private entities. This ruling sparked discussion about personal data protection in India and led the government to start legislative efforts in this area.
Following the judgment, the Ministry of Electronics and Information Technology (MeitY) constituted the Justice B.N. Srikrishna Committee, which submitted its report and a draft Personal Data Protection Bill in 2018.[3] The report supported a rights-based data protection law inspired partly by the European Union’s General Data Protection Regulation (GDPR). It aimed to balance the interests of the state, industry, and individuals.
Subsequent iterations of the Personal Data Protection Bill—introduced in 2019 and revised in 2021—faced criticism for granting excessive exemptions to the state and were eventually withdrawn in 2022.[4] In 2023, the Government of India introduced and passed a simpler version called the Digital Personal Data Protection Act, 2023. This act aims to fix the problems of earlier drafts and allows for more flexibility in future rule-making.
Key Definitions and Scope
The Act introduces precise terminology governing data relationships:
- Data Principal: The individual to whom personal data relates. For minors (<18 years) and persons with disabilities, this extends to parents/legal guardians.[5]
- Data Fiduciary: Entities determining purpose and means of data processing (e.g., businesses, government agencies).[6]
- Significant Data Fiduciary (SDF): Entities designated by the government based on data volume/sensitivity, national security risks, or electoral impact[7].
- Consent Managers: Registered intermediaries enabling data principals to manage consent through accessible platforms.[8]
Jurisdiction extends to:
- Digital data processed within India
- Non-digital data subsequently digitized
- Processing outside India related to goods/services offered in India
Consent Framework and Legitimate Uses
Processing requires free, informed, specific, and unambiguous consent obtained after transparent notice detailing purpose and data types[9]. Consent withdrawal must be as accessible as grant mechanisms. The Act permits processing without consent for “legitimate uses” including:
- Voluntary data sharing by individuals
- Government benefits/services
- Medical emergencies
- Employment-related processing[10].
For children, verifiable parental consent is mandatory, with prohibitions against tracking, behavioral monitoring, or targeted advertising directed at minors.
Rights and Obligations
Data principals possess:
- Right to access processing information
- Correction and erasure rights
- Nomination rights for posthumous/incompetency scenarios
- Grievance redress mechanisms[11].
Concurrently, they must refrain from false complaints or impersonation, with violations attracting fines up to ₹10,000[12].
Data fiduciaries must:
- Ensure data accuracy and security
- Implement storage limitation (erase post-purpose fulfillment)
- Notify the Data Protection Board (DPB) and affected individuals of breaches[13].
SDFs face enhanced obligations: appointing India-based Data Protection Officers, conducting periodic audits, and performing Data Protection Impact Assessments[14].
Cross-Border Transfers and Exemptions
The Act permits international data transfers except to government-restricted jurisdictions, adopting a “negative list” approach[15]. This contrasts with GDPR’s adequacy requirements, offering operational flexibility.
Critical exemptions allow government agencies to bypass provisions for:
- National security and public order
- Crime prevention/investigation
- Research/archival purposes[16].
These broad exemptions lack clear oversight mechanisms, raising concerns about potential misuse.
The Data Protection Board of India (DPB) serves as the primary enforcement body, adjudicating violations and imposing penalties. Its members are appointed by the central government, with decisions appealable to the Telecom Disputes Settlement Tribunal[17]. The DPB determines penalties considering:
- Breach nature, gravity, and duration
- Data sensitivity
- Mitigation efforts
- Proportionality of fines
Concerns:
- Regulatory Independence: DPB appointments by the central government risk compromising autonomy[18].
- Exemption Ambiguity: Vague national security exemptions lack judicial oversight mechanisms[19].
- Compensation Gap: Penalties fund government coffers rather than compensating affected individuals[20].
- Implementation Delays: Rules for SDF classification and consent managers remain pending as of 2025[21].
Conclusion
The DPDPA 2023 marks a watershed in India’s digital governance, creating foundational rights while acknowledging state security imperatives. Its success hinges on balanced rulemaking addressing exemption clarity, DPB independence, and reasonable compliance timelines. As implementation progresses, the Act must evolve to bridge protection gaps while maintaining India’s digital growth trajectory. The framework establishes baseline accountability but requires robust judicial scrutiny to prevent governmental overreach, ultimately testing India’s commitment to its constitutional privacy guarantees.
References
[1] Justice K.S. Puttaswamy V. Union of India, (2007) 10 S.C.C. 1.
[2] Justice K.S. Puttaswamy V. Union of India, (2007) 10 S.C.C. 1.
[3] Justice B.N. Srikrishna Comm., A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018), https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
[4] Press Release, Press Info. Bureau, Government Withdraws Personal Data Protection Bill, 2019 (Aug. 3, 2022), https://pib.gov.in/PressReleasePage.aspx?PRID=1847812.
[5] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[6] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[7] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[8] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[9] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[10] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[11] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[12] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).
[13] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[14] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[15] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[16] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[17] Kaur et al., Challenges and recommendations for enhancing digital data protection in India, PMC (2025).
[18] The Attorneys, Understanding the Digital Personal Data Protection Act, 2023: Legal Impact for Indian Businesses, The Attorneys (2025).
[19] Carnegie Endowment for International Peace, Understanding India’s New Data Protection Law, Carnegie Endowment (2023).
[20] Kaur et al., Challenges and recommendations for enhancing digital data protection in India, PMC (2025).
[21] CookieYes, India’s DPDP Act Explained: The Latest Guide for Compliance, CookieYes Blog (2025).