Data Privacy and Protection in India: Analyzing the Digital Personal Data Protection Act, 2023

Published on: 31st October 2025

Authored by: Vidushi Rastogi
MIT World Peace University

Introduction

Data privacy has emerged as a critical concern in India’s rapidly expanding digital economy. With over 950 million internet users and a flourishing digital services market, vast quantities of personal data are collected and processed by both private companies and government agencies. Unchecked data processing can lead to serious harms – financial fraud, identity theft, reputational damage, and invasive profiling of individuals. Recognizing these risks, the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) unanimously affirmed that privacy is a fundamental right under the Indian Constitution, declaring that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21.”

Following the Puttaswamy decision, the government initiated a multi-year effort to craft a data protection law. A Committee of Experts chaired by Justice B.N. Srikrishna released a report and draft bill in 2018, proposing an expansive privacy framework inspired by the EU’s General Data Protection Regulation (GDPR). A revised Personal Data Protection Bill was introduced in Parliament in 2019, but after extensive Joint Parliamentary Committee deliberations, that bill was withdrawn in 2022 amid concerns that it imposed excessive compliance burdens. In early August 2023, after more than five years of debate, the Indian Parliament finally enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act, 2023 is India’s first cross-sectoral privacy law and represents a significant milestone in recognizing individuals’ rights over their personal data while enabling the data-driven economy to continue to grow.

This article provides an overview of the new Act’s provisions, critically analyzes its key features (such as consent requirements, obligations of data fiduciaries, penalties and enforcement mechanisms, cross-border data rules, and the role of the Data Protection Board), compares India’s framework with those in the European Union and United States, and discusses the challenges in implementation along with potential reforms.

Overview of the Digital Personal Data Protection Act, 2023

Scope and Application

The DPDP Act, 2023 governs digital personal data, meaning any personal data collected online, or offline data that is subsequently digitised. It applies to data processing within India and also to entities outside India if they offer goods or services to individuals in India. This gives it extraterritorial reach. The Act specifically excludes purely offline data that is never digitised and also excludes publicly available data made accessible by the individual or under legal obligation.[1]

[1] The Digital Personal Data Protection Act, No. 22 of 2023, §§ 2(g), 3(a)–(b), Gazette of India (Aug. 11, 2023).

Definitions and Key Concepts

The Act defines “personal data” as any data about an identifiable individual, termed a “Data Principal”. The entity determining the purpose and means of data processing is termed a “Data Fiduciary”.[2] These fiduciaries are expected to act in a trust-based relationship, in the best interest of the data principal. Notably, the law does not distinguish between sensitive and non-sensitive data, treating all personal data equally.

Consent and Legitimate Uses

The Act requires personal data to be processed only for a lawful purpose, and primarily on the basis of the individual’s consent. Consent must be free, specific, informed, unconditional, and based on a clear affirmative action. There are certain legitimate uses where consent is not needed, such as for legal obligations, medical emergencies, disaster relief, judicial functions, or government welfare services. However, the Act does not provide open-ended lawful bases like “legitimate interest”, which exist in laws like the GDPR.

Rights of Data Principals

The Act confers key rights upon individuals, including:

  • Right to access information about how their personal data is being processed.
  • Right to correction and erasure of inaccurate or unnecessary personal data.
  • Right to grievance redressal through a structured mechanism.
  • Right to nominate another person to exercise their rights in case of death or incapacity.

However, the Act does not include the right to data portability or the right to be forgotten, which are recognised in many international data protection regimes.[3]

Obligations of Data Fiduciaries

Data Fiduciaries must:

  • Provide clear and accessible notices before collecting data.
  • Ensure data accuracy and relevance.
  • Delete personal data once its purpose is fulfilled or consent is withdrawn.
  • Implement reasonable data security safeguards.
  • Notify the Board and affected individuals in case of a data breach.
  • Set up a grievance redress mechanism.

[2] DPDP Act, §§ 2(i), 2(n).

[3] DPDP Act, §§ 11–14; Regulation (EU) 2016/679 (General Data Protection Regulation), arts. 20–21, 2016 O.J. (L 119) 1.

The government may designate certain entities as “Significant Data Fiduciaries”, who have additional obligations such as appointing a Data Protection Officer and conducting regular audits and impact assessments.[4]

Children’s Data

Processing the data of children (under 18) requires verifiable parental consent. Data fiduciaries are also prohibited from tracking, behavioural monitoring, or targeted advertising directed at children. However, the government may relax these provisions in future for low-risk services.

Critical Analysis of Key Provisions

  1. Consent Framework vs. Government Exemptions

While the Act rightly places consent at the core of personal data processing, it simultaneously allows several broad exemptions for government agencies. For example, government functions related to national security, public order, or state benefits can bypass consent requirements.[5] This weakens the consent-driven model and raises concerns of mass surveillance or data misuse by state entities. Additionally, the lack of independent oversight over such exemptions dilutes the constitutional promise of informational privacy.[6]

  2. Absence of Sensitive Data Classification

Unlike earlier drafts and international frameworks such as the GDPR, the DPDP Act does not differentiate between general and sensitive personal data (like biometric or financial data).[7] Treating all personal data equally might simplify compliance, but it fails to provide heightened protection where the stakes are higher. For example, health or caste-related data could lead to greater harm if leaked, yet no special safeguards are mandated for such information.

  3. Lack of Portability and Erasure Rights

The omission of the right to data portability and an explicit right to be forgotten limits individual autonomy and control. Data portability allows users to switch between service providers more easily, promoting competition and user empowerment. Similarly, the right to be forgotten provides individuals with the power to remove outdated or harmful personal data from public platforms. Without these rights, users in India are left with fewer remedies compared to those available under GDPR-like regimes.

  4. Broad Rule-Making and Delegated Powers

The Act grants sweeping powers to the executive to frame rules on almost every provision, including defining the scope of obligations, exemptions, and enforcement mechanisms.[8]

[4] DPDP Act, §§ 5, 8, 10, 13.

[5] Digital Personal Data Protection Act, No. 22 of 2023, §§ 7(b), 17(2), Gazette of India (Aug. 11, 2023).

[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).

[7] Draft Personal Data Protection Bill, 2019, Bill No. 373 of 2019, § 3(36) (India) (withdrawn); Regulation (EU) 2016/679 (General Data Protection Regulation), art. 9, 2016 O.J. (L 119) 1.

[8] DPDP Act, §§ 40–42.

There is also provision for the government to exempt entire classes of data fiduciaries or relax requirements for certain sectors.[9] Such wide discretion may lead to arbitrary exemptions and inconsistent application of privacy norms, especially if not backed by public consultation or judicial review.

  5. Institutional Independence and Enforcement

The creation of the Data Protection Board is a positive step toward institutional oversight. However, its autonomy is questionable, as the appointment and removal of members remain under government control.[10] This could compromise its impartiality, particularly in cases involving government agencies. Moreover, the absence of a robust investigative wing or suo motu powers limits its potential to be a proactive regulator.[11] True accountability may be hard to achieve if the Board functions more like a grievance redressal forum than a strong data protection authority.

Comparative Perspectives: India, EU, and US Data Protection Frameworks

India’s Digital Personal Data Protection Act, 2023, marks a pivotal shift in the country’s digital governance regime. To better understand its strengths and limitations, it is useful to compare it with two major international approaches: the European Union’s General Data Protection Regulation (GDPR) and the more fragmented framework of the United States.

India and the European Union (GDPR)

The European Union’s GDPR is globally recognised as the gold standard for data protection laws. Both the GDPR and India’s DPDP Act are built around core principles such as consent, accountability, and the rights of data subjects. However, the Indian law is notably more streamlined and consent-centric. The GDPR permits multiple lawful bases for data processing, such as performance of a contract, legitimate interests, and compliance with legal obligations. In contrast, the DPDP Act relies heavily on user consent, offering a narrower set of exemptions where consent may be bypassed.[12] Further, the GDPR offers a wider set of rights to individuals—including the right to data portability, the right to object to processing, and the right to restrict processing—all of which are absent in the DPDP Act. This means that the European framework affords greater individual autonomy and flexibility.

Additionally, the GDPR distinguishes between general and sensitive personal data, prescribing stricter safeguards for the latter. The DPDP Act, however, does not classify data in this manner, treating all personal data under a single standard. While this may reduce administrative burden, it also risks insufficient protection in high-risk contexts like health or financial data. A significant point of divergence is enforcement structure. The GDPR is enforced by independent Data Protection Authorities across member states, whereas India’s Data Protection Board is appointed and overseen by the central government. This raises questions about institutional independence and regulatory effectiveness in the Indian context.[13]

[9] DPDP Act, § 17(5).

[10] DPDP Act, § 19(1)–(3).

[11] Vidushi Marda, India’s Data Protection Bill: A Step Forward, but Concerns Remain, Carnegie India (Aug. 14, 2023).

[12] Regulation (EU) 2016/679 (General Data Protection Regulation), art. 6, 2016 O.J. (L 119) 1.

India and the United States

Unlike India and the EU, the United States does not have a comprehensive federal data protection law. Instead, it relies on sector-specific statutes such as HIPAA, COPPA, and GLBA, along with state-level legislation like the California Consumer Privacy Act (CCPA).[14]

The U.S. framework is predominantly market-driven and allows significant discretion to businesses in their data practices. Consent mechanisms are often implicit or opt-out based, contrasting sharply with India’s model of prior, informed consent. Furthermore, enforcement is usually reactive, handled by general consumer protection bodies like the Federal Trade Commission.

Another key difference lies in constitutional treatment. Privacy in the U.S. is not formally recognised as a fundamental right in the context of personal data held by private actors. In India, however, the right to privacy has been explicitly declared as a fundamental right under Article 21, following the Supreme Court’s landmark ruling in the Puttaswamy case.

The U.S. approach provides limited and uneven protection, varying from one sector or state to another. In contrast, the DPDP Act, like the GDPR, seeks to create a uniform national framework. That said, India’s law is still evolving and may be seen as a middle path—more comprehensive than the American system, yet less rigorous than the European regime.

Challenges and the Way Forward

While the Digital Personal Data Protection Act, 2023 is a landmark development, its effective implementation faces several practical and structural challenges.

  1. Implementation Infrastructure

The successful rollout of the DPDP Act depends on establishing robust institutional mechanisms. The Data Protection Board must not only be set up swiftly but also staffed with independent, technically skilled professionals. Without proper autonomy and operational capacity, the Board may function as a formality rather than a proactive regulator.[15]

  2. Public Awareness and Digital Literacy

For the law to be meaningful, individuals must be aware of their rights and how to exercise them. In a country with large digital and literacy gaps, outreach and education are critical. Otherwise, the law risks protecting only the digitally literate or urban population, leaving rural and vulnerable users unprotected.[16]

[13] Digital Personal Data Protection Act, No. 22 of 2023, § 19, Gazette of India (Aug. 11, 2023).

[14] Cal. Civ. Code § 1798.100 et seq. (West 2023).

[15] Digital Personal Data Protection Act, No. 22 of 2023, § 19, Gazette of India (Aug. 11, 2023).

[16] Report of the Committee of Experts on Data Protection (Srikrishna Committee Report) 20–22 (2018).

  3. Private Sector Readiness

Startups, SMEs, and even large organisations will need to overhaul data policies, consent mechanisms, and security infrastructure to ensure compliance. While the law allows the government to relax obligations for smaller entities, clarity on thresholds and transition timelines is urgently needed.[17]

  4. Risks of Executive Overreach

The Act provides significant rule-making and exemption powers to the central government. Without judicial or parliamentary oversight, these powers could undermine the Act’s spirit and create uneven protections. Transparent procedures and mandatory consultation processes should be institutionalised to check executive discretion.[18]

  5. Interplay with Other Laws

India’s digital governance framework is in flux. The proposed Digital India Act, sectoral regulations (like those of RBI or TRAI), and the DPDP Act must be harmonised to avoid confusion or regulatory overlap. A coordinated, layered regulatory approach would enhance clarity and enforceability.

Conclusion

The Digital Personal Data Protection Act, 2023 is a significant leap forward in India’s journey toward establishing a comprehensive data privacy regime. For the first time, India has enacted a dedicated law that places individual consent, purpose limitation, and organisational accountability at the heart of personal data governance. In doing so, the Act brings Indian law closer to international standards and reflects the growing importance of protecting citizens’ digital rights in an increasingly data-driven world.

However, the Act is also emblematic of the compromises inherent in regulating complex digital ecosystems. While it introduces strong consent requirements and codifies core data rights, it simultaneously empowers the state with broad exemptions and delegates considerable rule-making authority to the executive. The absence of key rights such as data portability and the right to be forgotten, the lack of a sensitive data classification, and the limited institutional independence of the Data Protection Board have invited valid criticism from legal scholars, privacy advocates, and civil society organisations.

Yet, the Act must be viewed as a dynamic starting point, not a final solution. Its true effectiveness will depend not just on the text of the law, but on how it is implemented, interpreted, and enforced. This includes the government’s willingness to consult stakeholders while framing rules, the judiciary’s readiness to test executive powers against constitutional principles, and the capacity of individuals to assert their rights in practice. Moreover, technological realities will continue to evolve—with artificial intelligence, biometric surveillance, and cross-border cloud computing presenting new challenges that may require complementary regulations or future amendments.

[17] DPDP Act, § 17(5).

[18] Ajoy Kumar Banerjee v. Union of India, (1984) 3 S.C.C. 127 (India).

As India aspires to become a global leader in digital governance and innovation, it must ensure that economic growth does not come at the cost of individual autonomy. Upholding privacy as a fundamental right means going beyond formal compliance—it demands a culture of transparency, responsibility, and respect for human dignity in the digital sphere.

In sum, the DPDP Act is a foundational milestone. It symbolises India’s commitment to balancing innovation with privacy, and state power with citizen protection. The coming years will determine whether this balance is sustained, recalibrated, or undermined. But by embedding constitutional values at the heart of digital policy, India has taken a decisive and commendable step forward.
