Published on: 22nd January 2026
Authored By: Ritwaj Chaturvedi
Law Centre II, Faculty of Law, University of Delhi
Abstract
This paper digs into India’s Digital Personal Data Protection (DPDP) Act, 2023, and takes a close look at what it actually means for healthcare—where privacy and good care are always in a bit of a tug-of-war. It walks through how India’s Supreme Court has shaped the idea of privacy over the years, from cases like Kharak Singh and Govind to PUCL and, most importantly, the Puttaswamy judgment. These decisions set the ground rules for how the DPDP Act works. The paper breaks down the main points of the Act: consent, purpose limitation, data minimization, security, transparency, and accountability. Then it lines them up against global standards like the GDPR to see how they compare. By pulling in real-life feedback from people working in healthcare—through workshops and interviews—it shines a light on the challenges that come up, especially when dealing with emergencies, telemedicine, using health data for research, or when doctors need to share info with each other. One thing that stands out is the risk of one-size-fits-all rules. The paper argues that healthcare needs regulations that understand the messy, real-world situations doctors and patients face—not blanket policies that slow things down when time matters most. In the end, while the DPDP Act is a big step forward for privacy in India, making it work in hospitals and clinics will take more than just passing the law. The paper calls for clearer exceptions, better cybersecurity, smarter compliance rules, and more teamwork across the system, so patients’ rights stay protected without getting in the way of good care.
Introduction
Technology moves fast. Every day, more and more data gets created, collected, and passed around. That’s great for progress, but it’s also a headache when it comes to protecting people’s privacy. It’s no surprise that governments everywhere are scrambling to come up with new laws to keep personal data safe. India, with its huge online population, jumped in too. In 2023, it rolled out the Digital Personal Data Protection Act. This law isn’t just another piece of paperwork; it sets out the rules for how both public and private organizations handle, store, and transfer our personal data. The Act borrows key ideas from global human rights agreements, like Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil & Political Rights, with the goal of bringing India’s privacy standards in line with the rest of the world. But laws don’t exist in a vacuum. Technology keeps changing, and so do the risks to our privacy. That’s why it’s important to look at this Act closely, especially through the lens of our Constitution and the fundamental right to privacy. This paper digs deep into the Act, comparing it with the famous GDPR and considering input from the parliamentary committee. The idea is to see how well the Act actually protects individual privacy and meets constitutional standards in today’s digital world. By breaking down the Act’s key points and their impact, this study hopes to add something meaningful to the ongoing debate about data protection. In the end, it’s all about figuring out how to balance the buzz of new tech with the need to protect our most basic rights.
Historical background
The Constitution of India, as originally drafted, didn’t mention the Right to Privacy at all. You won’t find it anywhere in Part III, where all the Fundamental Rights are laid out. But things changed pretty quickly. In 1954, just four years after the Constitution kicked in, the Supreme Court had to tackle the idea of privacy for the first time in the MP Sharma vs Satish Chandra case.[1] Here, the Court said police powers of search and seizure under the Criminal Procedure Code weren’t limited by any Right to Privacy, mainly because that right just didn’t exist in the Constitution.[2] This was different from how the US handled things with its Fourth Amendment, which specifically protects people from random searches and seizures.
A few years later, in 1962, the Supreme Court took up Kharak Singh vs State of UP.[3] The case looked at police surveillance rules for repeat offenders under the UP Police Regulations. This time, the Court sort of nodded to the idea of privacy, saying that the liberty and dignity of a person under Article 21[4] get violated if the police show up at your house every night. But the judges stopped short of saying police surveillance itself broke any right to privacy, since the Constitution still didn’t actually recognize that right. So, in the end, the Court took the police’s side.
Things started to shift in 1975 with the Govind vs State of MP case.[5] The Supreme Court borrowed the “compelling state interest” test from landmark US cases like Griswold vs Connecticut and Roe vs Wade.[6] Now, the Court said the Right to Privacy is part of Article 21, but the government can interfere when there’s a big enough public interest at stake.
Fast forward to 1997, and the PUCL vs Union of India case, better known as the telephone tapping case, came along.[7] The Supreme Court made it clear: people have a right to privacy when it comes to their phone calls. The government can only listen in if there’s a proper legal process.[8] The Court even laid down specific rules for how surveillance should work, putting some real limits on how the authorities can use their power.
Then came the landmark K.S. Puttaswamy vs Union of India case in 2012.[9] Justice K.S. Puttaswamy, retired from the Karnataka High Court, challenged the Aadhaar scheme, which collected people’s biometric and personal data for unique ID numbers. Other petitions questioned different parts of the Aadhaar project, so the Supreme Court had a lot to consider. By 2015, the big question was front and center: Is the Right to Privacy a fundamental right or not? Back in the MP Sharma case, a big bench had said no, while smaller benches in later cases had said yes. Finally, in 2017, a nine-judge bench of the Supreme Court made history: they all agreed that the Right to Privacy is, indeed, a fundamental right under Article 21. Of course, it’s not an unlimited right; reasonable restrictions still apply. But that decision set the record straight, once and for all.
Key Principles of the DPDP Act, 2023
The Digital Personal Data Protection (DPDP) Act, 2023, stands on seven core principles that drive lawful and responsible data use. Law, business, and individual privacy—these priorities come together in the Act’s design.
Start with Consent, Lawfulness, and Transparency. No collecting data behind closed doors: data fiduciaries need explicit, informed consent, and they have to spell out why they want your data and how they’ll use it. That’s how you get real fairness and transparency.
Purpose Limitation takes this further. Data collected for one reason can’t quietly be used for another, unless you give fresh consent. No hidden repurposing.
Data Minimization keeps things tight. Collect only what’s actually needed. That means less data lying around, so privacy risks and unnecessary exposure shrink.
Data Accuracy matters, especially in sectors like finance and healthcare. Data fiduciaries have to keep information up to date and correct. If there’s a mistake, individuals can ask for a fix.
With Storage Limitation, organizations can’t just keep personal data forever. Once they don’t need it, they have to erase it—lowering the risk of breaches or unauthorized access.
Reasonable Security Safeguards mean data fiduciaries must step up: encrypt data, control access, and use other real security measures to ward off cyber threats.
Accountability is the last piece. Organizations must keep records, follow protection norms, and answer for any breaches. The Data Protection Board of India (DPBI) makes sure these rules stick, investigating violations and imposing penalties when needed.
All these principles work together to create a strong system. Individual privacy stays protected, but digital innovation and economic growth aren’t stifled. The Act lines up with global standards like the GDPR, making sure India’s approach is thorough and up to date.
Key Provisions of the DPDP Act, 2023
The DPDP Act, 2023, lays out India’s rules for handling personal data: who can use it, how, and under what circumstances. The Act spells out who it applies to, what rights individuals (data principals) have, what obligations organizations (data fiduciaries) must meet, the powers of the regulatory authority, special protections for children, rules on cross-border data transfers, and when exemptions kick in. The goal is to protect individual privacy while letting the digital economy make responsible use of personal data.
Applicability
The DPDP Act casts a wide net. It covers almost any situation where personal data gets processed in India. Any digital personal data collected in India falls under this law. Even offline data that’s later digitized counts, so the law keeps pace as more of life moves online.
But the Act doesn’t stop at India’s borders. If a company offers goods or services to people in India, even if the data’s processed somewhere else, it still falls under this law. This point is key for dealing with multinational companies handling Indian citizens’ data from abroad. The Act’s global reach lines up with standards like the European Union’s GDPR, making sure India’s data protection rules are both strong and modern.
The Human Stakes of Digital Data in Healthcare
Digital technology has reshaped healthcare in India. Doctors, researchers, and just regular people now depend on smartphones and messaging apps to share health records, X-rays, diagnoses, and urgent updates. This speed really can save lives. Picture a rural doctor sending a scan to several specialists at once, getting instant advice that changes how they treat a patient in critical condition. But every bit of this personal health data carries weight. Every test and every clinic visit gets folded into someone’s life story, their vulnerabilities, their hopes—now digitized and stored. The article doesn’t ignore this tension. Technology is indispensable, yes, but each data point stands for a real person who deserves respect and protection.
With the Digital Personal Data Protection Act of 2023, India made a clear promise to protect data privacy. The law spells out who does what: ‘data principals’ (patients and individuals), ‘fiduciaries’ (hospitals, clinics), and ‘processors’ (those who store or analyze the data). The core goal is simple—keep patient information safe, make sure consent matters, and stop misuse or careless disclosure.
But here’s where things get tricky for medical professionals. The rules around digital privacy now mix with the daily realities of healthcare, and it’s not always a clean fit. The Act wants informed consent for sharing data, which sounds fair. Yet emergencies and quick expert consults don’t always allow time for formalities. Doctors end up second-guessing themselves. What if they act fast and break the law by accident? The penalties are serious—meant to prevent real abuse, but they might also scare people away from the kind of collaboration that saves lives.[10]
Exploring the “Gray Areas” with Compassion
The article draws on workshops with doctors, lawyers, and policy makers to dig into these gray zones: Is it illegal to WhatsApp a patient’s scan to a specialist for a second opinion if time is running out? What if someone’s medical data, gathered for treatment, later turns out useful for research or for improving future guidelines? Do the same rules apply to informal doctor-to-doctor chats as to massive hospital databases?
The answer, the authors argue, has to be flexible. The law can’t be one-size-fits-all. Healthcare workers need room to act in the patient’s best interest, without fear, while still honoring confidentiality and patient rights.[11]
Actionable Recommendations: Striking the Balance
So, what actually helps? The article lays out practical, human-centered steps to make DPDPA work better for healthcare:
Contextual Exemptions: The law already allows exceptions for emergencies or public health needs. But these exceptions should clearly cover routine situations too (telemedicine, referrals, follow-up calls) where the patient’s well-being comes first.
Cybersecurity Capacity: Hospitals and clinics shouldn’t just rely on legal protections. They need strong cybersecurity systems. Reporting breaches quickly and running regular risk checks should be required, but penalties have to fit the realities doctors face—the urgency, the pressure.
Consent and Anonymization in Research: If data collected for treatment gets used in research, pseudonymization and review board approval should be the norm. This way, science moves forward, but privacy doesn’t get left behind.
Shared Liability in AI Research: As AI tools use more patient data, the law must recognize that tech teams, not just doctors, share the duty to protect privacy.
Nationwide Training and Sensitization: Every healthcare worker, not just managers, needs ongoing training. Workshops shouldn’t just tell people what to do, but why it matters—because behind every dataset is a person.[12]
Infrastructure and Investment: India needs a real push to give both public and private providers the resources to guard health data, especially given the country’s size and diversity.
Learning from Global Peers
The article looks outward, too, at global examples like the European Union’s GDPR. By comparing how DPDPA handles consent, liability, special cases like research or emergencies, and enforcement, it keeps India in conversation with the world. There’s humility here—India as both a leader and a learner when it comes to protecting privacy.
Conclusion
The Digital Personal Data Protection Act 2023 stands as a pivotal step in India’s ongoing effort to safeguard personal privacy in an age defined by rapid technological expansion, yet its true significance emerges when examined against the lived realities of sectors like healthcare, where data-driven decision making carries direct human consequences. While the Act draws strength from foundational constitutional principles solidified by landmark judgments such as Puttaswamy and echoes global standards like the GDPR, its effectiveness ultimately depends on nuanced implementation that respects both individual rights and the practical demands of medical practice. As this paper shows, rigid consent requirements, high-stakes liabilities, and ambiguous gray areas can leave healthcare professionals uncertain and hesitant in situations that demand swift, collaborative action. The way forward therefore lies in calibrated reforms: clearer contextual exemptions, stronger cybersecurity capacity, ethically governed research pathways, shared accountability in AI-driven systems, and continuous nationwide training to ensure every stakeholder understands both the legal framework and the human dignity it seeks to protect. If approached with sensitivity, adaptability, and sustained investment, the DPDP Act can evolve into a robust, trust-building framework that protects personal data without stifling innovation, ultimately positioning India as both a responsible leader and a thoughtful learner in the global digital landscape.
[1] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300.
[2] Diksha Bhati, Critical Analysis of the Digital Personal Data Protection Act, 2023, INT’L J. L. & LEGAL RES. BLOG (Nov. 18, 2023, 10:00 AM), https://www.ijllr.com/post/critical-analysis-of-the-digital-personal-data-protection-act-2023.
[3] Kharak Singh v. State of U.P., AIR 1963 SC 1295.
[4] INDIA CONST. art. 21.
[5] Govind v. State of M.P., (1975) 2 SCC 148.
[6] Griswold v. Connecticut, 381 U.S. 479 (1965).
[7] People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301.
[8] Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, Report (Dec. 2021).
[9] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[10] World Health Organization, WHO Guidance for Digital Health Interventions (2019).
[11] Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018).
[12] Graham Greenleaf, Global Data Privacy Laws: 2017 Survey, 145 Privacy Laws & Bus. Int’l Rep. 10 (2017).




