Published On: August 29th 2025
Authored By Ruplekha Kalita
University Law College, Gauhati University
Abstract
The Supreme Court’s 2017 ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India established the constitutional basis for India’s extensive data protection laws by recognizing privacy as a fundamental right. The Digital Personal Data Protection (DPDP) Act, 2023 was passed in response to this judgment in order to regulate digital personal data and create legally binding privacy rights. This essay critically evaluates the DPDP Act using the legality, necessity, and proportionality standards established in Puttaswamy. Although the Act establishes a framework for consent-based processing and codifies data rights, issues with extensive state exemptions, little regulatory autonomy, and enforcement gaps still exist. The article assesses whether the DPDP Act actually satisfies the Puttaswamy-envisioned promise of informational autonomy through doctrinal and constitutional analysis and suggests legislative changes to bring the law more in line with India’s democratic and privacy-driven constitutional values.
Introduction to the Digital Personal Data Protection (DPDP) Act, 2023
An important turning point in India’s regulatory path to protecting personal data in the digital era is the Digital Personal Data Protection Act, 2023. The Act, which was passed following years of discussion, several draft bills, and growing concerns about unregulated data processing, creates India’s first comprehensive legal framework devoted exclusively to the protection of digital personal data. Its main goal is to protect the information privacy of those who are known as “Data Principals” while simultaneously making sure that data-driven innovation and governance can proceed in an organized, responsible way.
The DPDP Act applies to the processing of any kind of personal data in digital form. Personal data would be data that can identify an individual. This would include their name, address, contact information, identity proof, etc. An organisation would collect several such categories of personal data from employees during their cycle of employment. Therefore, compliance with the DPDP Act is required for processing personal data collected by an organisation from its employees, in the capacity as a “data fiduciary”.[1] Key concepts like consent-based processing, purpose limitation, data minimization, and user rights like access, correction, erasure, and grievance redressal are introduced by the DPDP Act. Additionally, it establishes a Data Protection Board to supervise compliance and specifies the obligations of “Data Fiduciaries.” Notably, the law’s language and scope are rather limited, concentrating on digital personal data while excluding offline and non-personal data. To put it briefly, the DPDP Act of 2023 aims to safeguard the fundamental right to privacy in the digital age.
The Puttaswamy Judgment
In the much-celebrated judgment of Justice K.S. Puttaswamy (Retd.) v. Union of India[2], a nine-judge Constitution Bench of the Supreme Court of India held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India.[3] The ruling specifically overturned earlier rulings that had denied the existence of a general right to privacy, such as the judgments in M.P. Sharma v. Satish Chandra[4] and Kharak Singh v. State of UP[5].
One of the judgment’s most important contributions was the formulation of a three-part test to assess whether any state action restricting the right to privacy is lawful:
- Legality: the action needs to be supported by the law,
- Necessity: it must pursue a valid state goal as a matter of necessity,
- Proportionality: the least invasive way to accomplish that goal must be used.
The Court emphasized the idea of “informational privacy,” acknowledging that every person has the right to manage how their personal information is gathered, used, and shared. By doing this, it recognized how big data, algorithmic profiling, and digital surveillance are becoming increasingly dangerous.
Furthermore, the ruling sent a strong message to the legislature, stating that in order to protect people’s autonomy in the digital age, a comprehensive data protection regime was essential. In order to demonstrate international best practices in data privacy, the Court even cited international frameworks such as the General Data Protection Regulation (GDPR) of the EU. Puttaswamy thus established a strong constitutional basis for India’s data protection. It grounded privacy in democratic principles, human dignity, and individual liberty rather than just acknowledging it as a right in theory. The ruling catalyzed legislative action and made it possible for India’s Digital Personal Data Protection Act, 2023, to be drafted.
The Emergence of the DPDP Act, 2023
Due to India’s rapid growth in the use of the internet, smartphones or similar gadgets, and digital platforms, personal data such as location, browsing habits, communication metadata, and user preferences is now being collected, processed, and monetized at a rate never seen before. The need to safeguard privacy in today’s highly digitally connected world goes well beyond physical areas to include online activities and the sharing of personal information via digital interfaces. Without a specific law to control these data flows, people were left open to abuse, monitoring, and profiling by the government and private organizations. The absence of a standalone act to reform the protection of digital personal data was evident.
In 2011, it was the Justice A.P. Shah Committee which first recommended privacy legislation. Later on, the Justice K.S. Puttaswamy (Retd.) v. Union of India[6] judgment, establishing the fundamental right to privacy, paved the way for the emergence of India’s first-ever standalone act on personal data protection.
After the Supreme Court’s landmark Puttaswamy judgment in 2017, the Indian government formed the Justice B.N. Srikrishna Committee[7] to address data protection issues and recommend a legislative framework. The committee published its report and the draft Personal Data Protection Bill in July 2018, laying the foundation for comprehensive privacy regulations in India.
Following this, the bill went through multiple stages of legislative review. It was first introduced in Parliament in December 2019 and referred to a Joint Parliamentary Committee[8], which submitted its recommendations in December 2021. A revised version of the bill, called the Data Protection Bill, 2021, emerged but was withdrawn in August 2022 due to various concerns and the need for further refinement. In 2023, the Ministry of Electronics and Information Technology released a new draft, now titled the Digital Personal Data Protection Bill. This bill was introduced in the Lok Sabha on August 3, 2023, passed by the Lok Sabha on August 7 and the Rajya Sabha on August 9, and received presidential assent on August 11, 2023, officially making it law of the land as the Digital Personal Data Protection Act, 2023.[9]
Constitutional & Legal Analysis
The Digital Personal Data Protection (DPDP) Act, 2023 represents India’s most extensive legislative attempt to codify the constitutional right to privacy, as stated in the seminal Justice K.S. Puttaswamy (Retd.) v. Union of India case. In part, it aligns with the principles of informational autonomy and accountability by introducing a formal legal framework for the governance of personal data. A more thorough constitutional and legal analysis is necessary to determine whether the Act actually satisfies the Puttaswamy mandate.
Strengths of the DPDP Act
- Codification of Privacy: The DPDP Act converts the intangible fundamental right to privacy into legally binding rules. It formalizes the citizen-state and citizen-corporate data relationship by defining terms like data principal, fiduciary, and consent.
- Consent Framework: It echoes Puttaswamy’s focus on personal data control by institutionalizing the idea of informed consent. In accordance with the principle of informational self-determination, data fiduciaries are required to secure implicit, explicit, and voluntary consent.
- Accountability Mechanisms: Fiduciaries are subject to duties under the Act pertaining to security measures, purpose limitation, and lawful processing. Puttaswamy’s insistence on proportionality in state actions is reflected in these.
Shortcomings of the DPDP Act
- State Exemptions (Section 17): There are few strict protections for the wide range of government exemptions that permit data processing for public order, sovereignty, or national security. These carve-outs might not meet the Puttaswamy test’s proportionality and necessity requirements, thereby permitting unrestricted surveillance.
- Independence of the Data Protection Board (DPB): The executive has significant authority over the appointment and supervision of the DPB, which raises questions about institutional bias and a lack of functional autonomy. This runs counter to Puttaswamy’s emphasis on strong, autonomous regulatory systems.
- Enforcement and Data Localization: The Act’s deterrent power is limited by the lack of required data localization and lax penalty procedures. Both user trust and data sovereignty may be jeopardized by lax enforcement.
- Exclusion of Offline and Non-Personal Data: Although the digital scope makes sense, there are important gaps left by the exclusion of offline data and anonymized datasets, particularly in cases where corporate or state surveillance may use hybrid methods.
Applying the Three-Part Puttaswamy Test
- Legality: Although the Act establishes a framework for the law, some state actions are questioned due to its ambiguous exemptions.
- Necessity: The requirement that data processing be necessary for a legitimate purpose is weakened by broad exemptions for ill-defined “state interests.”
- Proportionality: The Puttaswamy-mandated proportionality standard is undermined by the absence of judicial or parliamentary oversight on exemptions and minimal user remedies.
Scope for improvement
While India’s digital governance has reached a turning point with the DPDP Act, 2023, more work is required to guarantee that it adheres to the constitutional values established in Puttaswamy. The following suggestions are meant to improve its practical and legal basis:
- Modify Section 17 to give any government data processing activity more precise definitions, judicial supervision, and necessity-proportionality protections.
- To guarantee DPB independence, reconstitute the Data Protection Board with judicial or legislative participation in appointment processes and give it the authority to function without interference from the executive branch.
- Extend the Act’s coverage to include sensitive metadata, important offline data, and anonymized data that could still be re-identified.
- To guarantee accountability for both state and private actors, establish timelines for grievance redressal and increase the penalties for infractions.
- Require partial or sector-specific data localization, particularly in vital domains such as financial and health services.
- Encourage campaigns for digital literacy and rights awareness to equip citizens with information about their data rights and available remedies.
Conclusion
It has been rightfully said that “The Digital Personal Data Protection Act, 2023 represents a landmark step in India’s legislative framework for data protection. Peers and pundits alike have touted this law as a contemporary disruption in the country’s burgeoning ecosystem of Information and Communications Technology; particularly, the cybersecurity sphere. It aims to provide panoptic safeguards for personal data, chaperone data influx-efflux elasticity, regulate data processing activities, and establish mechanisms for enforcement and redressal”.[10] Although the DPDP Act establishes the basic framework for data privacy and ongoing judicial review, civil society involvement and legislative improvement will be necessary to guarantee that India’s data protection laws genuinely respect Puttaswamy’s constitutional spirit and satisfy the changing needs of the digital age.
Thus, it can be concluded that the Digital Personal Data Protection Act, 2023 marks a watershed moment in India’s journey toward a privacy-centric data protection regime. The constitutional principles upheld in Justice K.S. Puttaswamy (Retd.) v. Union of India, which acknowledged privacy as a fundamental right under Article 21, serve as its firm foundation.
References
[1] Avik Biswas, Supratim Chakraborty, Sumantra Bose and Ivana Chatterjee, ‘Digital Personal Data Protection Act, 2023: A Ready Reckoner for Employers’ (2024) SCC OnLine Blog Exp 81
http://www.scconline.com/DocumentLink/BtDg6X5A accessed 20 July 2025
[2] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
[3] Antony Moses and Palada Dharma Teja, ‘The “Grave” Issue of Privacy of the Deceased’ (2018) 5(1) Indian Journal of Law and Public Policy 1
http://www.scconline.com/DocumentLink/M65sCCZl accessed 20 July 2025
[4] M.P. Sharma v. Satish Chandra, (1954) 1 SCC 385
[5] Kharak Singh v. State of U.P., 1962 SCC OnLine SC 10
[6] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
[7] PRS Legislative Research, ‘A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians (Summary)’ (27 July 2018)
https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy accessed 20 July 2025
[8] The Wire Staff, ‘Data Protection Bill: Opposition MPs Say Parliamentary Committee Ignored Their Objections’ (The Wire, 28 November 2021)
https://m.thewire.in/article/politics/data-protection-bill-opposition-parliamentary-committee/amp accessed 20 July 2025.
[9] A&O Shearman, ‘India: Digital Personal Data Protection Act Receives Presidential Assent’ (A&O Shearman, 14 August 2023)
https://www.aoshearman.com/en/insights/ao-shearman-on-data/india–digital-personal-data-protection-act-receives-presidential-assent accessed 20 July 2025.
[10] Subhajit Saha and Surjashis Mukhopadhyay, ‘A New Age of Data Privacy Laws in India: Review of Digital Personal Data Protection Act, 2023’ (2024) 10(1) Indian Journal of Legal Studies 84.
http://www.scconline.com/DocumentLink/Ei4xTb4O accessed 20 July 2025