Digital Personal Data Protection Act, 2023: Strengths, Gaps, and Future Implications

Published On: February 4th 2026

Authored By: Vaishnavi Ravindra Urmode
Marathwada Mitra Mandal's Shankarrao Chavan Law College, Pune

Abstract

The rapid expansion of digital technologies in India has intensified the collection and processing of personal data, raising serious concerns regarding privacy, surveillance, and misuse of information. The recognition of the right to privacy as a fundamental right under Article 21 of the Constitution in Justice K.S. Puttaswamy (Retd.) v Union of India marked a constitutional turning point, necessitating a comprehensive data protection framework. In this context, the enactment of the Digital Personal Data Protection Act, 2023 represents India’s first dedicated legislative attempt to regulate digital personal data.

This article critically examines the DPDP Act, 2023 with the objective of assessing its effectiveness in safeguarding informational privacy while balancing the interests of the State and the digital economy. It analyses the evolution of data protection law in India, the scope and key features of the Act, and its compliance with constitutional principles such as proportionality, reasonableness, and institutional accountability. The article further highlights significant gaps within the framework, including broad government exemptions, limited individual rights, and the absence of an independent regulatory authority. Through a comparative perspective and impact analysis, the study argues that while the DPDP Act lays a foundational framework for data governance, it falls short of fully realising the constitutional vision of privacy. The article concludes by proposing reforms aimed at strengthening rights protection, accountability, and enforcement in India’s data protection regime.

Keywords: Digital Personal Data Protection Act, Right to Privacy, Article 21, Data Governance, Informational Privacy, Constitutional Law

Introduction

India’s increasing reliance on digital technologies has transformed the manner in which personal data is generated, stored, and utilised. Digital platforms now permeate everyday life—ranging from governance and financial services to education, healthcare, and social interaction. While this digital expansion has undoubtedly enhanced efficiency and accessibility, it has simultaneously exposed individuals to new forms of vulnerability, including large-scale data breaches, intrusive surveillance, and unauthorised profiling.

For a considerable period, India lacked a dedicated legislative framework to regulate personal data protection. The legal regime was fragmented and largely inadequate to address the complexities of a data-driven economy. This gap acquired constitutional significance following the Supreme Court’s landmark decision in Justice K.S. Puttaswamy (Retd.) v Union of India, wherein the right to privacy was recognised as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.[1] The Court’s recognition of informational privacy imposed a positive obligation upon the State to ensure that personal data is not subjected to arbitrary or disproportionate interference.

In this constitutional backdrop, the enactment of the Digital Personal Data Protection Act, 2023, represents a crucial legislative development. The Act seeks to regulate the processing of digital personal data while attempting to balance individual privacy interests with the State’s developmental and security objectives. However, despite its importance as India’s first standalone data protection legislation, the Act has generated considerable debate regarding the adequacy of its safeguards and its conformity with constitutional principles.

This article critically examines the DPDP Act, 2023, by tracing its legislative evolution, analysing its scope and key features, and evaluating its constitutional validity. It further identifies structural gaps within the framework and assesses its future implications for India’s digital governance landscape.

Evolution of Data Protection Law in India

Prior to the constitutional recognition of privacy, India’s approach to data protection was largely piecemeal. The Information Technology Act, 2000, along with the Sensitive Personal Data Rules, 2011, offered limited protection by imposing compensation-based liability for negligence.[2] These provisions neither addressed State surveillance nor provided comprehensive rights to individuals.

A decisive shift occurred with the Supreme Court’s ruling in Puttaswamy, which affirmed that privacy encompasses informational autonomy and decisional freedom.[2] The Court also articulated a proportionality framework requiring legality, necessity, and procedural safeguards for any privacy-infringing action. In response, the Government constituted the Justice B.N. Srikrishna Committee, which proposed a rights-based data protection framework in 2018.

Subsequent legislative attempts, the Personal Data Protection Bills of 2019 and 2022, reflected a gradual dilution of safeguards, culminating in the enactment of the DPDP Act, 2023. The present Act consciously adopts a simplified and principle-based approach, emphasising regulatory ease and innovation, albeit at the cost of reduced institutional and procedural protection.

Scope and Applicability of the DPDP Act, 2023

The DPDP Act applies exclusively to digital personal data, including data initially collected in non-digital form but later digitised.[3] Unlike earlier drafts, the Act does not distinguish between sensitive and non-sensitive data, thereby adopting a uniform standard of regulation.

Territorially, the Act extends to data processing within India and applies extraterritorially where such processing relates to offering goods or services to individuals in India. Importantly, the Act applies to both private entities and government agencies. However, the power of the Central Government to exempt its agencies from the Act on grounds such as public order and national security raises concerns regarding unchecked executive discretion.

Key Features and Strengths of the DPDP Act, 2023

One of the Act’s most notable features is its consent-centric framework. Personal data may be processed only upon obtaining free, informed, and unambiguous consent from the data principal. Consent is revocable, reinforcing continuous individual control over personal data.

The Act statutorily recognises rights of data principals, including the right to access information, correction, erasure, and grievance redressal. While narrower than international standards, these rights mark a significant improvement over the previous legal vacuum.

The Act also imposes defined obligations on data fiduciaries, including reasonable security safeguards and mandatory breach notifications. The introduction of Significant Data Fiduciaries allows for proportionate regulation based on risk. Additionally, the establishment of the Data Protection Board of India provides a dedicated forum for adjudication and enforcement, supported by a stringent penalty regime.

Constitutional Analysis of the Digital Personal Data Protection Act, 2023

The constitutional legitimacy of the Digital Personal Data Protection Act, 2023 must be examined primarily through the framework established by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v Union of India, where the right to privacy was recognised as a fundamental right under Article 21. The Court clarified that privacy is not merely a negative right against State interference but also imposes a positive obligation upon the State to protect individuals against non-State actors in an increasingly digital society. Consequently, any data protection legislation must satisfy constitutional requirements of legality, necessity, proportionality, and procedural safeguards.

At the threshold, the DPDP Act satisfies the requirement of legality, as restrictions on informational privacy are imposed through a duly enacted statute. The Act also pursues legitimate State objectives, including national security, prevention of crime, and facilitation of digital innovation. However, the constitutionality of the Act cannot be assessed solely on legislative intent; rather, it depends on whether the means adopted are proportionate and accompanied by adequate safeguards against abuse.

The proportionality doctrine articulated in Puttaswamy requires that restrictions on privacy must be necessary and the least intrusive means available to achieve the intended objective. In this regard, the DPDP Act raises serious concerns. Section 7 empowers the Central Government to exempt its agencies from the application of the Act on broad grounds such as sovereignty, public order, and prevention of offences. These exemptions are neither narrowly tailored nor subject to procedural safeguards such as prior judicial authorisation, periodic review, or demonstrable necessity.

The Supreme Court’s decision in Anuradha Bhasin v Union of India[4] emphasised that restrictions on fundamental rights must be proportionate, temporary, and subject to judicial scrutiny. The DPDP Act’s exemption framework, which allows blanket exclusions without oversight, arguably fails this constitutional test. By vesting extensive discretion in the executive, the Act risks enabling surveillance practices that undermine informational autonomy.

Further constitutional concerns arise from the institutional design of the Data Protection Board of India. Although the Board performs adjudicatory functions affecting fundamental rights, its appointment and functioning remain under executive control. The absence of statutory guarantees of independence undermines its credibility as a neutral regulator. In Madras Bar Association v Union of India[5], the Supreme Court underscored that adjudicatory bodies must be insulated from executive influence to preserve the separation of powers. The DPDP Act’s failure to incorporate such safeguards weakens its constitutional robustness.

Major Gaps and Criticisms

The DPDP Act has attracted criticism for prioritising administrative convenience over substantive rights protection. The most significant concern is the breadth of government exemptions,[6] which potentially allows unrestricted processing of personal data by State agencies. Without transparency or accountability mechanisms, these exemptions risk diluting the constitutional guarantee of privacy into a discretionary privilege.

Another structural weakness is the absence of an independent Data Protection Authority. Globally, independent regulators play a crucial role in monitoring compliance, issuing binding directions, and balancing competing interests. The DPDP Act’s reliance on an executive-controlled adjudicatory board limits regulatory oversight and may discourage individuals from seeking redress, particularly in cases involving State actors.

The Act’s limited rights framework further constrains individual autonomy. Unlike comprehensive regimes such as the GDPR, the DPDP Act does not explicitly recognise the right to data portability or a substantive right to be forgotten. These omissions restrict individuals’ ability to exercise meaningful control over their digital identities, especially in contexts involving large digital platforms.

Protection of children’s data also remains inadequate. While the Act mandates parental consent for processing children’s data, it does not sufficiently address risks posed by behavioural targeting, profiling, or algorithmic manipulation. In a digital environment increasingly shaped by artificial intelligence, consent-based safeguards alone are insufficient to protect vulnerable users.

Comparative Perspective

A comparative analysis with the European Union’s General Data Protection Regulation (GDPR)[7] reveals the relative weakness of India’s data protection framework. The GDPR establishes an independent supervisory authority, mandates strict purpose limitation, and recognises a broad spectrum of enforceable rights. Enforcement under the GDPR is backed by strong institutional autonomy and significant penalties, ensuring regulatory credibility.

In contrast, the DPDP Act adopts a minimalist, executive-centric approach that prioritises flexibility over rights enforcement. While India’s socio-economic conditions justify a calibrated regulatory model, the absence of institutional independence and robust procedural safeguards may undermine international confidence in India’s data governance regime. This could have implications for cross-border data flows and digital trade in the long run.

Impact on Stakeholders

For individuals, the DPDP Act introduces baseline protections and enhances awareness regarding data processing practices. However, weak enforcement mechanisms and limited rights reduce its practical effectiveness. The lack of transparency in government exemptions further erodes public trust.

For businesses and start-ups, the Act offers regulatory clarity and ease of compliance. Its principle-based structure reduces operational burden and supports innovation. However, uncertainty regarding future judicial interpretation of broad provisions may create compliance risks.

For government agencies, the Act consolidates regulatory authority and provides operational flexibility. While this may enhance administrative efficiency, excessive discretion without accountability risks constitutional challenges and public resistance.

Future Implications and Recommendations

To align the DPDP Act with constitutional principles, several reforms are necessary. Government exemptions must be narrowly defined and subjected to judicial or parliamentary oversight. The establishment of an independent Data Protection Authority is essential to ensure impartial enforcement. The rights framework should be expanded to include data portability and erasure, particularly in cases involving large-scale profiling.

Judicial interpretation will play a decisive role in shaping the future of India’s data protection regime. Courts must ensure that the Act is read in harmony with the proportionality doctrine and privacy jurisprudence developed in Puttaswamy and subsequent cases.

Conclusion

The Digital Personal Data Protection Act, 2023 marks a significant yet incomplete step towards safeguarding informational privacy in India. While it establishes a foundational framework for data governance, its effectiveness depends on future legislative refinement and constitutional adjudication. A rights-oriented, accountability-driven approach is essential to ensure that privacy remains a meaningful constitutional guarantee rather than a symbolic promise.

References

[1] Justice KS Puttaswamy (Retd) v Union of India (2017) 10 SCC 1.

[2] Information Technology Act 2000, s 43A.

[3] Digital Personal Data Protection Act 2023, s 2(n).

[4] Anuradha Bhasin v Union of India (2020) 3 SCC 637.

[5] Madras Bar Association v Union of India (2021) 7 SCC 369.

[6] DPDP Act 2023, s 11.

[7] Regulation (EU) 2016/679 (GDPR).
