Data Privacy and Protection in India: A Critical Study of the Digital Personal Data Protection Act, 2023

Published on: 11th January 2026

Authored by: Priyanshu Fartyal

ABSTRACT

The rapid growth of India’s digital ecosystem has created opportunities, but it has also raised serious concerns about personal data protection. After the Supreme Court recognized privacy as a fundamental right, the country introduced the Digital Personal Data Protection Act, 2023 (DPDP), India’s first law focused entirely on the regulation of personal data. This article tracks the development of India’s data protection framework, starting with the limited safeguards under the IT Act, 2000, and the SPDI Rules, 2011, and leading up to the enactment of the DPDP Act. It offers a critical review of the Act’s main provisions and regulatory design, and outlines the key reforms needed to strengthen India’s privacy regime.

INTRODUCTION

According to the Cambridge Dictionary, digitalisation means the process of changing something, such as a document, to a digital form (a form that can be stored and read by computers), or the use of digital technology to do something. While that definition speaks of documents in a digital format, the term is far broader in practice. The internet we use today, from our everyday tasks to schools, businesses, banks, and nearly every sector that depends on digital tools to perform its basic functions, falls within the scope of digitalisation. According to Statista, by October 2025, 6.04 billion individuals worldwide were internet users, accounting for 73.2% of the global population[1]. Alongside this dependency on the internet, the phrase “data is the new oil” was first popularised by the British mathematician Clive Humby in 2006. The concept highlights that data, like oil, carries economic value: it is the backbone not only of business but also of government operations. Tech giants such as Google and Meta rely almost entirely on user data for profit. However, the vast collection and monetisation of personal data have raised serious concerns about privacy and misuse. Incidents such as the Yahoo data breach (2013-14) and the Aadhaar data breach (2018) have demonstrated how unregulated data handling can affect millions of people.

These developments have created an urgent need for data protection frameworks worldwide, and in India led to the introduction of the landmark Digital Personal Data Protection Act, 2023 (DPDP). This article analyses the DPDP Act, 2023, situates it within the global data protection landscape, and proposes reforms to address emerging challenges.

DATA PROTECTION: EVOLUTION IN INDIA

Digitisation has transformed the lives of Indian citizens and the way the country is governed. India, one of the largest markets for the internet, has gained great opportunities from it but also faces greater challenges. In India, “Privacy” has been recognized as a Fundamental Right under Article 21 of the Indian Constitution. Although the Right to Privacy is closely tied to the protection of data, in this technological age it has become very difficult to secure. The conception of the right to privacy has carved out informational privacy as a distinct category, driven by rapid technological advancement and the need to secure the digital lives of citizens. To address these emerging issues, India’s legal response has evolved in stages. The first step was the enactment of the Information Technology Act, 2000, which became the primary legislation governing cyber activities in India.

The primary purpose of the IT Act was to grant legal recognition to electronic records and digital signatures, but it also introduced limited safeguards for personal data. Section 43A provides that where a body corporate that deals with or handles any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected[2]. Section 72A prohibits the disclosure of information obtained under a lawful contract without the consent of the person concerned.[3]

In 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, made under Section 43A of the IT Act, were the first attempt at a structured framework for the protection of personal data. Rule 3 defined “sensitive personal data or information” as information relating to a person’s password; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; or any of this information received by a body corporate for processing, stored or processed under a lawful contract or otherwise[4]. Rule 4 requires the body corporate to provide a policy for privacy and disclosure of information. The Rules also require the body corporate to maintain reasonable security practices, such as the ISO/IEC 27001 standard.[5] While these Rules introduced key privacy principles, such as security safeguards, they remained limited in scope.

The turning point came in 2017 with the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[6], in which a nine-judge bench ruled that the right to privacy is a fundamental right, protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution. This judicial recognition became the constitutional foundation for modern data protection law in India.

The Justice B.N. Srikrishna Committee, 2017, was constituted and proposed a comprehensive data protection structure. The Committee’s 2018 report focused on principles such as data minimisation, purpose limitation, and the establishment of an independent regulatory authority. It laid the foundation for the Personal Data Protection Bill, 2019, which sought to create a rights-based framework inspired by global models like the GDPR.

These developments led toward the Digital Personal Data Protection Act, 2023, which represents India’s first dedicated statute on personal data protection.

KEY FEATURES OF DPDP ACT

The Digital Personal Data Protection Act sets out the rights and duties of the Digital Nagrik (citizen), as well as the obligation of data collectors (Data Fiduciaries) to use the data they collect lawfully. The Act emphasises that personal data must be used lawfully and in a manner that is transparent to the individuals concerned.

For the first time in India’s legislative history, ‘her’ and ‘she’ are used to refer to individuals irrespective of gender, in line with the philosophy of women’s empowerment. The Act is concise and SARAL, that is, a Simple, Accessible, Rational and Actionable Law: it uses plain language and contains illustrations that make its meaning clear.

The Act explicitly provides, under Section 6, that “on or before requesting a Data Principal (that is, the person to whom the data relates) for her consent, a Data Fiduciary (that is, persons, companies and government entities who process data) shall give to the Data Principal an itemised notice in clear and plain language containing a description of the data to be collected and the purpose of such collection”.[7]

Section 8 of the Act provides that a Data Fiduciary shall, irrespective of any agreement to the contrary or any failure of a Data Principal to carry out the duties provided under the Act, be responsible for complying with its provisions.[8] Further, the Data Fiduciary must protect the personal data in its possession or under its control, and must take reasonable security safeguards to prevent personal data breaches. In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of the breach in such form and manner as may be prescribed.

Section 9 deals with the processing of personal data of children and of persons with disabilities who have a lawful guardian; the Act obliges the Data Fiduciary to obtain the verifiable consent of such guardian before processing their data.[9]

The Act gives the Data Principal the right to obtain information about her personal data from the Data Fiduciary, on a request made in the prescribed manner, including a summary of the personal data being processed, the identities of all other Data Fiduciaries with whom the data has been shared, and any other information relating to the personal data.

Section 18 of the Act establishes a Board called the Data Protection Board of India[10], which is empowered to direct any urgent remedial measures in the event of a data breach, and to inquire into a complaint made by a Data Principal in respect of a data breach by a Data Fiduciary, or on a reference by the Central Government or a State Government, or in compliance with a direction of a Court.[11]

The Act also provides for penalties. Under Section 33 of the Act, the Board may impose a monetary penalty having regard to the nature, gravity and duration of the breach, the type and nature of the personal data affected, and other relevant matters.[12]

CRITICAL ANALYSIS

The Digital Personal Data Protection Act, 2023, is India’s first legislation that governs the processing of personal data. While the enactment is a significant shift from the narrow protections under the IT Act, 2000, and the SPDI Rules, 2011, it still raises several constitutional, structural, and policy concerns.

A major concern arises from the exemptions granted to the Central Government under Section 17. The provision allows the Central Government to exempt any of its institutions from most or all obligations of the Act on grounds such as national security, public order, or the interest of India’s sovereignty. These grounds are drafted in broad and subjective terms. This contrasts with the Supreme Court’s decision in K.S. Puttaswamy v. Union of India[13], which held that any restriction on privacy must satisfy the requirements of legality, necessity and proportionality, and must be backed by procedural safeguards. The Government has thus been granted largely unregulated power, and where appeals against arbitrary use of that power are made to the Board or the Tribunal, the impartiality of the decision cannot be assured, because the panel will consist of members appointed by the Government itself.

The DPDP Act creates a Data Protection Board of India, an adjudicatory body appointed by and dependent upon the Central Government. Because the Board lacks investigative autonomy and rule-making power, concerns arise about the security of personal data handled by the State itself. By comparison, countries such as the UK and Singapore rely on independent regulators, which are missing from India’s model.

While the DPDP Act marks an important milestone in India’s data protection landscape, its design prioritises administrative efficiency and State interests over individuals’ privacy protection.

RECOMMENDATIONS

To strengthen India’s data protection framework, several reforms are essential.

First, the Act should include a provision for damages to the Data Principal whose personal data is misused or breached. Under the current legislation, penalties are payable to the State and not to the affected Data Principal, leaving individuals without a remedy. A provision similar to Section 43A of the IT Act, which provides for penalty and compensation for damage to a computer, computer system, etc.,[14] or to Article 82 of the GDPR, would ensure accountability.[15]

The Act should also incorporate a Right to Be Forgotten. This right would allow individuals to request the deletion of personal data when its retention is no longer necessary or lawful. This is critical in an era where digital footprints exist indefinitely.

The rules for cross-border data transfers need stronger protections. The Act currently permits transfers on the basis of government notifications. Adopting standard contractual clauses similar to those under the GDPR would help ensure that Indian citizens’ data is protected consistently wherever it is transferred.

The protections granted to the State through broad “good faith” clauses should be limited. This immunity reduces transparency and goes against the fairness standards set in the Puttaswamy case. Exemptions should be linked to specific and tightly defined situations, which should be reviewed independently and within a set timeframe.

CONCLUSION

The Digital Personal Data Protection Act, 2023, is an important step in India’s efforts to create a clear privacy and data governance framework. It marks a substantial shift from the limited protections of the IT Act, 2000, and the SPDI Rules, 2011, to a dedicated law that recognizes the importance of personal data in the digital economy.

The Act introduces key ideas such as obligations for data fiduciaries, clear consent processes, and a stronger penalty framework. However, a closer look shows that many of these provisions do not fully meet the constitutional vision of privacy outlined in K.S. Puttaswamy v. Union of India. State exemptions, the lack of an independent regulatory body, and limited rights for users reduce the protection that is offered to individuals.

As India develops its digital public infrastructure, a strong data protection system becomes all the more important. This calls for a compensation mechanism for Data Principals, recognition of rights such as the right to be forgotten, safer cross-border data transfers, and limits on good faith protections.

Ultimately, the promise of the DPDP Act will only come true if its implementation is driven by transparency, accountability, and a commitment to protect citizens’ autonomy in this digital age.

Bibliography

Digital Personal Data Protection Act, 2023 (India), Ministry of Law and Justice, August 11, 2023.

Information Technology Act, 2000 (India), Ministry of Electronics and Information Technology.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E), April 11, 2011.

Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

PRS Legislative Research, Digital Personal Data Protection Bill, 2023: Highlights and Issues, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.

Internet Freedom Foundation, Key Concerns with the Digital Personal Data Protection Act, 2023, https://internetfreedom.in/.

Regulation (EU) 2016/679 (General Data Protection Regulation), European Parliament and Council, April 27, 2016, art. 82.

Statista Research Department, Global Internet Penetration – October 2025, https://www.statista.com/.

Yogesh V. Nayyar, Digital Personal Data Protection Act, 2023: Commentary and Analysis, Whitesmann Publishing.

References

[1] Statista, “Number of Internet and Social Media Users Worldwide 2025” (Statista, October 20, 2025) <https://www.statista.com/statistics/617136/digital-population-worldwide/?srsltid=AfmBOopHhLzuoA54OKS6_mIRauv-O3-6p3vctCVrgV0TFRT-1K3ktdLU> (accessed 15th November 2025)

[2] Information Technology Act 2000, s 43A

[3] Information Technology Act 2000, s 72A

[4] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Rule 3

[5] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Rule 4

[6] Justice K.S. Puttaswamy (Retd.) and Anr. vs. Union of India and Ors.(2017) 10 SCC 1

[7] Digital Personal Data Protection Act 2023, s 6

[8] Digital Personal Data Protection Act 2023, s 8

[9] Digital Personal Data Protection Act 2023, s 9

[10] Digital Personal Data Protection Act 2023, s 18

[11] Digital Personal Data Protection Act 2023, s 27

[12] Digital Personal Data Protection Act 2023, s 33

[13] Justice K.S. Puttaswamy (Retd.) and Anr. vs. Union of India and Ors.(2017) 10 SCC 1

[14] Information Technology Act 2000, s 43A

[15] General Data Protection Regulation (EU) 2016/679, art 82.
