Protecting Privacy in the Digital Age: An Analysis of India’s Digital Personal Data Protection Act, 2023 with Comparative Insights from Ethiopia

Abstract

In this article I examine the development of personal data protection frameworks in India and Ethiopia in response to expanding digital governance. In India the landmark case for the recognition of privacy as a fundamental right was the Justice K.S. Puttaswamy v Union of India and it laid the groundwork for the Digital Personal Data Protection Act, 2023, which establishes a consent based regulatory regime. On the other hand in Ethiopia, the enactment of the Personal Data Protection Proclamation No. 1321/2024 marks the country’s first comprehensive data protection law. So in this article I will evaluate both frameworks and highlights key legal challenges and comparative lessons.

Introduction

It is a fact that in our daily lives, digital technologies are everywhere from the apps we use to communicate, to the online services that make routine tasks easier. But we can’t also deny that our personal information is constantly being collected, stored, and sometimes misused. This makes data protection not just a legal issue, but something that affects our autonomy and privacy as individuals.

Looking at India and Ethiopia offers an interesting perspective on how countries in the Global South are responding to these challenges. India has built a strong foundation for protecting personal data, especially after the courts recognized privacy as a fundamental right, leading to the Digital Personal Data Protection Act, 2023. On the other hand Ethiopia introduced the new Personal Data Protection Proclamation No. 1321/2024 it is a major step forward  especially as the country expands digital identity programs.

This article explores how both countries manage personal data, how effectively individuals’ rights are safeguarded, and the real world challenges in enforcing these laws. By comparing their approaches, the paper aims to identify lessons each country can learn from the other and to consider whether these legal frameworks are ready for a world increasingly driven by data.

Evolution of Data Protection in India

As we know the evolution of data protection in India has been largely shaped by constitutional interpretation, judicial developments and gradual legislative responses to technological changes. In the previous years the Indian Constitution did not explicitly recognise a right to privacy. when we see the M.P. Sharma v. Satish Chandra (1954)[1] case the Supreme Court rejected the existence of a constitutional right to privacy, a position later repeated in Kharak Singh v. State of Uttar Pradesh (1963)[2] where privacy was denied explicit constitutional protection. This decisions clearly reflected their was a narrow understanding of personal liberty under Art 21 of the Indian Constitution.

The transformation on such understandings started with Gobind v. State of Madhya Pradesh (1975) case, where the Court acknowledged that privacy is an implied right under Article 21 and which is subjected to reasonable restrictions[3] But this restriction remained tentative and lacked doctrinal clarity. After this, for several years data protection in India developed indirectly through sector specific laws the most well known is the Information Technology Act, 2000. Sections 43A and 72A  along with the SPDI (Sensitive personal data or Information) Rules, 2011 they introduced limited obligations concerning data security and and confidentiality but this measures were  contractual and compensatory rather than rights-based[4]

Even if we say the Gobind case having transformation on the acknowledgment of court on privacy. The critical transformation was really  occurred by the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). Where A nine-judge bench unanimously affirmed thee right to privacy as a fundamental right under Articles 14, 19, and 21 of the Constitution in which it overrules M.P. Sharma and Kharak Singh to that extent[5]The Court explicitly linked privacy to informational autonomy and dignity, laying the constitutional foundation for a comprehensive data protection regime.

After that was happened in the Puttaswamy case the Justice B.N. Srikrishna Committee Report (2018) articulated the need for a dedicated data protection law grounded in constitutional values[6] well this This ultimately culminated in the enactment of the Digital Personal Data Protection Act, 2023, marking India’s transition from fragmented, sectoral regulation to a unified statutory framework for digital personal data protection[7]

Digital Personal Data Protection Act, 2023 its Key features and strengths

As India introduced the Digital Personal Data Protection Act, 2023 (DPDPA) it provides a comprehensive framework for protecting personal data, defining data principals and data fiduciaries and emphasizing consent, accountability and individual rights[8]The act builds  on the supreme court’s recognition of privacy as a fundamental rights in K.S Puttaswamy v.Union of India,[9] replacing the fragmented provisions of the IT Act, 2000 and SPDI Rules

When we see the core provision the Act defines personal data broadly as any information about an identifiable individual in digital form, applying uniformly to all types of data to ensure consistance protection[10] when it comes to the scope it is domestic and extraterritorial which is covering processing linked to offering goods or services to Indian data principals. Transfers outside India are generally unrestricted unless notified by the government. Processing is allowed only on the basis of free, specific, informed consent or other legitimate purposes, with erasure required once the purpose is fulfilled or consent is withdrawn[11]

The other one is on Fiduciary Obligations ( indicated on the Chapter II of the DPDP Act 2023)[12] so Data Fudiciaries must implement security safeguards, notify breaches to the Data Protection Board, and maintain grievance mechanisms. Significant Data Fiduciaries (SDFs) will also  appoint Data Protection Officers in India and conduct impact assessments. when it comes to the consent managers they  provide platforms for principals to manage consents in an interoperable and accountable manner. Fiduciaries remain fully responsible even when data is processed by third-party processors[13]

What are the Key strengths

On assessing the DPDP Act 2023, it has its own strengths from that we can list some of them which are:

• Accessibility in which Notices must be in English or any constitutional language[14]
• Protection of children: Processing data of minors under 18 requires verifiable parental consent; tracking, behavioral monitoring, or targeted ads are prohibited[15]
• Data Protection Board: The Board enforces compliance through inquiries, mediation, and penalties of up to ₹250 crore, while the government retains rule making authority[16]
• Right to erasure: Data principals can request deletion post-consent withdrawal, extending even to processors and search engines, supporting the “right to be forgotten”[17]

Overall, the DPDP Act is a landmark legislation, balancing individual privacy rights with the demands of India’s growing digital economy and aligning with global standards.

Gaps and Concerns Under the Digital Personal Data Protection Act, 2023

Even if we discussed on the above that the DPDP Act, 2023 represents a major legislative step toward regulating personal data processing in India, it had several gaps remain when assessed against comparative and normative data protection standards. One of the significant limitation concerns the restricted material scope of the Act.The DPDP Act applies only to to digtal personal data or data that is subsequently digitised, thereby excluding personal data processed exclusively in manual form. So this narrow scope leaves large segments of personal data particularly within public administration and smaller private intities outside the protective framework which undermining the comprehensive privacy protection[18]

The other concern that arises from the Act is the Act’s  uniform treatment of all categories of personal data. when we relate the recommendation of the Justice B.N. Srikrishna Committee with the EU GDPR  the DPDP Act does not distinguish between ordinary personal data and sensitive personal data such as health, biometric, or genetic information.The absence of heightened safeguards for sensitive data increases the risk of serious harm to data principals and weakens substantive privacy protection[19]

We also can see that the DPDP Act also  provides broad exemptions to the State, particularly under Section 17  which empowers the Central Government to exempt its instrumentalities from key obligations on grounds such as sovereignty, public order, or prevention of offences. Even if the need for national security is exceptions is recognized the lack of explicit proportionality standards, procedural safeguards, and independent oversight raises concerns of potential misuse and excessive State surveillance. we can get this approach departs from the constitutional emphasis on necessity and proportionality articulated in Puttaswamy v. Union of India[20]

Thirdly, Institutional design presents another critical weakness. The Data Protection Board of India  although it is  vested with adjudicatory and enforcement powers it lacks structural independence due to executive control over appointments and service conditions. This will be contrasted with the Justice Srikrishna Committee’s recommendation for an independent data protection authority and diverges from international best practices  where supervisory authorities function autonomously to ensure effective enforcement[21]

When we see it from rights-based perspective the DPDP Act offers a limited catalogue of data principal rights. The core rights that are known such as data portability, the right to object to processing, safeguards against automated decision making, and a fully articulated right to be forgotten are either absent or significantly diluted. Additionally the imposition of statutory duties and penalties on data principals marks a departure from globally accepted rights-centric models, potentially shifting responsibility away from powerful data fiduciaries[22]

The last point that we raise is that he Act remains largely silent on the governance of emerging technologies, particularly artificial intelligence and algorithmic decision making. The absence of provisions that are adressing transparency, explainability, and human oversight limits the Act’s capacity to respond to future privacy risks in an increasingly automated digital ecosystem[23]

Data Protection Framework in Ethiopia its Legal Status and Challenges

When it comes to our country, Ethiopia In 2024 which is recently enact the personal Data Protection Proclamation No. 1321/2024 (PDPP 2024). Before this development, the protection of personal data was fragmented across constitutional provisions, civil law and sector specific instruments, offering limited and inconsistance safeguards[24]Recognizing the growing risks associated with with digitalization and data driven governance, the Ethiopian government initiated reforms that culminated in the adoption of a comprehensive data protection framework[25]  

The first thing that can be raised when we talk about the PDPP 2024 is that it establishes a rights-based legal regime grounded in the constitutional right to privacy[26] It applies broadly to personal data processing conducted within Ethiopia or involving processing infrastructure located in the country[27]The proclamation also defines personal data as information relating to an identified or identifiable natural person and expressly limits its scope to natural persons, excluding legal entities[28]The Data subjects are granted a range of enforceable rights from that we can list some of them which are  right to be informed, access, rectification, erasure, objection, and data portability, with certain rights surviving for a limited period after death[29]These protections closely reflect international standards especially those found in the EU General Data Protection Regulation (GDPR)[30]

The other one is that the PDPP 2024 also imposes clear obligations on data controllers and processors which are  registration requirements, consent based processing, applying principles of lawfulness, fairness, transparency, and data minimisation, as well as mandatory breach notification within seventy two hours[31]The proclamation then also establishes the Ethiopian Communications Authority (ECA) as an independent supervisory authority, addressing a long-standing institutional gap in Ethiopia’s privacy framework[32]

As we have discussed on the above,  Even if there are strengths we can’t say it is perfect due to the fact that there are challenges remains.The Proclamation emphasizes data localization, requiring domestic storage of personal data while permitting cross-border transfers only under strict conditions, raising concerns regarding implementation capacity and compliance costs. Moreover, the expansion of Ethiopia’s digital identity regime (Fayda ID) intensifies data governance risks, particularly in relation to consent, biometric data processing, and the potential exclusion or profiling of vulnerable groups[33] Ensuring effective enforcement, institutional independence, and rights protection in practice will therefore be critical to the success of Ethiopia’s new data protection framework[34]

Comparative Analysis Between India And Ethiopia

Firstly as India and Ethiopia now both operate under comprehensive data protection laws their regulatory functions and structural choices reflect that they have differences. India’s Digital Personal Data Protection Act, 2023 emerged from extensive constitutional litigation, particularly the recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India, and reflects a gradual evolution from sectoral regulation to codified protection[35] But when it comes to our proclamation which is the PDPP 2024 by contrast It represents a more recent and decisive shift from fragmented protections to a unified statutory regime.

The second one is that in terms of rights protection both frameworks recognize core data subject rights such as access, erasure, and consent-based processing. However, Ethiopia’s PDPP 2024 adopts a broader rights catalogue, including explicit data portability and posthumous data protection, aligning more closely with the GDPR model[36] India’s DPDP Act, while comprehensive, adopts a comparatively restrained rights-based approach and allows wider executive discretion through statutory exemptions.

Thirdly, with regards to Institution both countries establish supervisory bodies, But their designs differ.India’s Data Protection Board operates under significant executive influence. On the other hand Ethiopia’s designation of the ECA as an independent authority reflects a stronger commitment, at least formally, to regulatory autonomy[37] At the same time, Ethiopia’s strong emphasis on data sovereignty and localization contrasts with India’s more flexible cross-border data transfer regime[38] Fourth, Both jurisdiction face common challenges that are arising form digital identity systems which are Aadhaar in India and Fayda ID in Ethiopia particularly regarding consent, biometric data processing, and risks of exclusion or discrimination[39]

Over all The comparative experience suggests that while Ethiopia has rapidly aligned its legal framework with international standards, both countries must prioritise effective enforcement and safeguards to ensure that data protection laws translate into meaningful privacy protection in practice[40]

Conclusion 

Over all, the emergence of comprehensive data protection laws in India and Ethiopia reflects a growing constitutional and regulatory commitment to privacy in the digital age. While India’s DPDP Act, 2023 benefits from strong judicial foundations, concerns remain regarding exemptions and enforcement. Ethiopia’s PDPP 2024 represents a significant legal milestone but faces implementation and institutional capacity challenges. A comparative analysis demonstrates that effective data protection requires not only robust legislation but also independent oversight and rights-oriented enforcement mechanisms. Strengthening these elements is essential for safeguarding personal data in both jurisdictions.

REFERENCES

Cases

• Gobind v State of Madhya Pradesh (1975) 2 SCC 148
• Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
• Kharak Singh v State of Uttar Pradesh (1964) 1 SCR 332
• MP Sharma v Satish Chandra (1954) SCR 1077

Legislation

• Constitution of the Federal Democratic Republic of Ethiopia 1995
• Digital Identification Proclamation No 1284/2023 (Ethiopia)
• Digital Personal Data Protection Act 2023 (India)
• General Data Protection Regulation (EU) 2016/679
• Information Technology Act 2000 (India)
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (India)
• Personal Data Protection Proclamation No 1321/2024 (Ethiopia)

Government and Committee Reports

• Justice BN Srikrishna (Chair), A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Committee Report, Government of India 2018)
• World Bank Group, Environmental and Social Review Summary: Appraisal Stage (2023)

Journal Articles

• Alibeigi A, ‘Bridging the Gap: Assessing India’s Digital Personal Data Protection Act in Light of the EU GDPR’ (2025) 6 SN Computer Science 855
• Naithani P, ‘Analysis of India’s Digital Personal Data Protection Act, 2023’ (2023) 67(5) International Journal of Law and Management 543
• Sharma A, ‘Transforming Data Privacy: An Analysis of India’s Digital Personal Data Protection Act 2023’ (2023) 6 International Journal of Law Management and Humanities 1841

Discussion Papers

• Musoni M, Domingo E and Ogah E, Digital ID Systems in Africa: Challenges, Risks and Opportunities (ECDPM Discussion Paper No 360, 2023)

Online Sources

• DataGuidance, ‘Ethiopia – Data Protection Overview’ (October 2023) https://www.dataguidance.com/notes/ethiopia-data-protection-overview
• DataGuidance, ‘Ethiopia: Summary’ (24 July 2024) https://www.dataguidance.com/jurisdiction/ethiopia
• National ID, ‘Fayda for Ethiopia’ (2023) https://id.gov.et/

[1]M.P. Sharma v Satish Chandra (1954) SCR 1077

[2]Kharak Singh v State of Uttar Pradesh (1964) 1 SCR 332.

[3]Gobind v State of Madhya Pradesh (1975) 2 SCC 148.

[4]Information Technology Act 2000, ss 43A, 72A; Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

[5]Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1, paras 180–181.

[6]Justice B N Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Government of India 2018) 1–5.

[7]Digital Personal Data Protection Act 2023.

[8]Paarth Naithani, ‘Analysis of India’s Digital Personal Data Protection Act, 2023’  67(5) International Journal of Law and Management 543, 544.

[9]K.S. Puttaswamy v Union of India (2017) 10 SCC 1.

[10]Aniket Sharma, ‘Transforming Data Privacy: An Analysis of India’s Digital Personal Data Protection Act’ (2023) 6 Int’l JL Mgmt & Human 1841.  1842

[11]Sharma (n 3) 1845–1847.

[12]Digital Personal Data Protection Act 2023, ss 4-10

[13]Naithani (n 1) 547- 550.

[14]Digital Personal Data Protection Act 2023, s 5(3).

[15]Digital Personal Data Protection Act 2023, s 9.

[16]Digital Personal Data Protection Act 2023, ss 27–33.

[17]Digital Personal Data Protection Act 2023, s 12.

[18]Ali Alibeigi, ‘Bridging the Gap: Assessing India’s Digital Personal Data Protection Act in Light of the EU GDPR’ (2025) 6 SN Computer Science 855, 6–7.

[19]Justice B N Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Government of India 2018) 90–94.

[20]Digital Personal Data Protection Act 2023, s 17; Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1, paras 180–181.

[21]Justice B N Srikrishna Committee (n 19) 101–104; Ali Alibeigi (n 18) 9–10.

[22]Ali Alibeigi (n 18) 10–11.

[23]Justice B N Srikrishna Committee (n 19) 32–34.

[24]Data Guidance, ‘Ethiopia – Data Protection Overview’ (October 2023) https://www.dataguidance.com/notes/ethiopia-data-protection-overview

[25]Data Guidance, ‘Ethiopia: Summary’ (24 July 2024) https://www.dataguidance.com/jurisdiction/ethiopia

[26]Personal Data Protection Proclamation No 1321/2024, preamble. 

[27]PDPP 2024, art 3. 

[28]PDPP 2024, art 2(2) and art 2(9). 

[29]PDPP 2024, art 23(1&2)

[30]GDPR, ch 3. 

[31]PDPP 2024, arts 8, 33, 43–44. 

[32]PDPP 2024, art 22.

[33]Digital Identification Proclamation No 1284/2023, arts 4, 11, 17; Melody Musoni, Ennatu Domingo and Elvis Ogah, ‘Digital ID Systems in Africa’ (2023) ECDPM Discussion Paper No 360, 1–5. 

[34]Constitution of the FDRE (1995), arts 25–26; PDPP 2024, art 9(3). 

[35]Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1; Digital Personal Data Protection Act 2023. 

[36]PDPP 2024, ch 3; GDPR, ch 3. 

[37]Justice B N Srikrishna Committee, A Free and Fair Digital Economy (2018) 101–104; PDPP 2024, art 22. 

[38]PDPP 2024, art 20; DPDP Act 2023. 

[39]World Bank Group, ‘ESRS Appraisal Stage’ (2023) 3; National ID, ‘Fayda for Ethiopia’ (2023). 

[40]Musoni, Domingo and Ogah (n 33) 4–5.