An In-Depth Analysis of a New Age Law: Digital Personal Data Protection Act, 2023

Published On: June 3rd 2026

Authored By: Sufiya Khan
Renaissance Law College

Abstract

As the world digitizes at an accelerating pace, India’s dependence on digital infrastructure has made the privacy and protection of digital data a serious legal concern. To address this issue, a new law called the Digital Personal Data Protection Act, 2023 was enacted. This long-awaited Act responds to privacy concerns in this digital era. However, it remains debatable whether the provisions of the Act genuinely protect individuals or merely create a regulatory facade. This article argues that although the Act introduces a formal structure for digital data protection, it fails to fully realise the constitutional vision of privacy laid down in Justice K.S. Puttaswamy v. Union of India.[1] Instead, the Act favours state authority and reflects a cautious approach towards administrative convenience.

I. Introduction

Over the last decade, rapid digitization has quietly made personal data one of the most valuable resources. From social media usage to government welfare schemes, individuals constantly share data, often without fully examining how it will be used.

The Supreme Court’s decision in Justice K.S. Puttaswamy v. Union of India[1] marked a turning point by recognizing privacy as a fundamental right under Article 21 of the Constitution of India.[2] The judgment was not merely symbolic; it created an expectation that the State would build a strong legal framework to protect the privacy rights of individuals.

The Digital Personal Data Protection Act, 2023 attempts to serve this purpose. But when one carefully examines the provisions of the Act, a pressing question naturally arises: Does the Act truly empower individuals, or does it merely serve institutional interests? This article takes the position that the law, while important, stops short of being genuinely transformative.

II. Background and Legislative Journey

Before 2023, India did not have any dedicated digital data protection statute. Personal data was regulated by the Information Technology Act, 2000,[3] whose provisions were scattered, limited, and ineffective in dealing with modern data practices.

After the Puttaswamy judgment, multiple drafts were introduced by the government, each claiming to move closer to a comprehensive framework. Interestingly, earlier versions, especially the 2019 Bill, provided stronger protections for individuals. However, many of these safeguards were either diluted or removed entirely. This gradual shift is significant. It suggests that the final version of the law is not merely a data protection statute but also a policy compromise.

III. Key Features of the Act

3.1 Consent: Strong in Theory, Weak in Practice
The Act places significant emphasis on user consent. On paper, consent must be “free, informed, and specific”[4], which sounds ideal. However, the introduction of “deemed consent”[5] changes the picture considerably, as it allows data processing even without explicit permission. So, while the law talks about consent, it simultaneously creates multiple pathways to bypass it. This results in a situation where consent exists as a formality rather than a genuine safeguard.

3.2 Rights of Individuals: Present but Limited
The Act provides individuals with several rights, including:

– Access to their data
– Correction of inaccuracies
– Erasure under certain conditions[6]

At first glance, this seems sufficient. But when compared to global standards, the limitations of these rights become glaring. Important rights such as data portability are absent, which raises a basic concern: can users truly control their data if their rights remain restricted? The answer, arguably, is no.

3.3 Data Protection Board: A Question of Independence
The Act provides for the establishment of a Data Protection Board[7] to handle disputes and impose penalties, which is a necessary feature. However, the issue lies in the Board’s structure. Since the appointment of its members is controlled by the government, the Board’s independence becomes questionable. Enforcement without independence loses credibility.

3.4 Penalties: Strong on Paper
The Act imposes heavy penalties on violations,[8] which appears to create a deterrent effect. But enforcement is not just about penalties; it is about who imposes them and how fairly. If the regulator is not fully independent, the practical effectiveness of those penalties becomes uncertain.

IV. The Core Issue: State Power vs. Individual Privacy

4.1 Government Exemption: The Biggest Concern
One of the most debated provisions of the Act concerns the power given to the government to exempt its agencies from compliance. These exemptions are broad and vaguely worded. Terms such as “public order” and “security”[9] are open to both interpretation and misinterpretation.

In simple terms, the entity that holds the most data, including the most sensitive data, is the State. Yet the State is also the least regulated under this Act. This is a structural problem. What of the privacy rights of individuals against the State?

4.2 The Problem of Surveillance
Although the entire Act is premised on the right to privacy, it remains unclear how limits on State surveillance will actually be enforced. There is no clear safeguard ensuring that such actions stay within reasonable limits. This concern is heightened in a digital age where data collection is continuous and largely invisible to individuals.

4.3 Excessive Power with the Executive
Another serious concern is the broad rule-making power vested in the Government. Many important aspects are left to future rules, creating legal uncertainty. It also means that the actual impact of the law will largely depend on how the executive chooses to implement it.

V. Comparison with Global Standards

When India’s data protection framework is compared with the General Data Protection Regulation (GDPR)[10] of the European Union, the difference is quite noticeable, not just in wording but in overall approach and philosophy.

To begin with, consent under the DPDP Act is more flexible, particularly through the concept of “deemed consent.” In contrast, the GDPR treats consent as a central pillar of data protection: it must be explicit, specific, and capable of being withdrawn as easily as it is given. The Indian law allows multiple exceptions, making consent less meaningful in practice. In a way, this shifts the Act’s focus slightly away from the individual.

The scope of user rights is also comparatively narrower under Indian law. While the DPDP Act provides for basic rights such as access and correction, the GDPR goes much further, including rights such as data portability, restriction of processing, and a more developed right to erasure. These rights are not merely symbolic; they give individuals actual control over how their data moves and is used across platforms. The absence of such comprehensive rights in India creates a noticeable gap.

Another key distinction lies in the independence of regulatory authorities. Under the GDPR, supervisory authorities function with a much higher degree of autonomy, which strengthens enforcement and builds public trust. In India, the Data Protection Board operates within a framework where the executive plays a significant role in appointments and functions, raising legitimate concerns in cases where the State is itself involved.

It is also worth noting that the GDPR follows a rights-based approach, placing individual autonomy at the centre of its framework. The DPDP Act, on the other hand, adopts a more balanced or arguably State-centric approach, where privacy is one of several competing interests alongside governance and economic growth.

That said, it would be unrealistic to suggest that India should simply replicate the GDPR, given that the socio-economic context and the scale of digital penetration in India are significantly different. However, the comparison highlights an important point: it is possible to design a data protection regime that offers much stronger safeguards without completely sacrificing flexibility. In this sense, the GDPR serves as a benchmark that exposes the limitations of the current Indian framework.

VI. A Reality Check

At this stage, it becomes important to ask a grounded question: who benefits more from this law? The answer is not entirely straightforward, but a closer look at its structure provides some indication: the State.

For individuals, the Act does introduce a degree of protection that did not previously exist in a formal sense. There is now a recognised legal framework that acknowledges rights over personal data, along with a mechanism for grievance redressal. But the protections come with clear limitations. The scope of individual rights is comparatively narrow, and provisions like “deemed consent” reduce the level of real control a person can exercise. In short, individuals are protected, but only to a certain extent and often within boundaries defined by the State.

For businesses and digital platforms, the Act provides much-needed regulatory clarity. Instead of operating in a fragmented legal environment, companies now have a single framework outlining their obligations. This is particularly beneficial for start-ups and technology companies that rely heavily on data processing. The relatively flexible compliance requirements also make it easier for businesses to adapt without facing excessive regulatory burdens, thereby supporting economic activity and digital innovation.

The State’s position, however, is where the balance becomes most revealing. The government not only plays a central role in enforcement through the Data Protection Board but also retains the power to exempt its own agencies from key provisions of the Act. Such an arrangement raises serious concerns about accountability, particularly in areas involving surveillance and data collection.

Taken together, this distribution of benefits suggests that the Act does not operate purely as a rights-driven statute. Instead, it reflects a careful balancing exercise: one that attempts to accommodate individual privacy, economic growth, and State interests simultaneously.

VII. Suggestions for Improvement

If the objective of the Digital Personal Data Protection Act, 2023 is to serve as a genuinely effective privacy framework, certain structural and substantive reforms become necessary.

To begin with, government exemptions must be more narrowly defined. At present, broad and vague grounds allow excessive discretion to government agencies, which can potentially undermine privacy protections. Introducing safeguards such as judicial oversight would help ensure that such powers of the State are not misused.

Secondly, the independence of the Data Protection Board needs to be strengthened. A transparent and autonomous appointment process would enhance its credibility and ensure impartial enforcement, especially in cases involving State agencies.

Another important reform concerns the scope of deemed consent. While some flexibility is necessary, its current breadth risks weakening the very idea of informed consent as understood under the GDPR framework.

Furthermore, user rights must be expanded to include data portability and a more robust right to erasure. This would give individuals more meaningful control over their personal data. Finally, reducing reliance on executive rule-making is crucial. Key safeguards should be embedded in the statute itself rather than left to future discretionary rule-making. Together, these reforms would make the law more balanced, certain, accountable, and truly privacy-centric.

VIII. Conclusion

The Digital Personal Data Protection Act, 2023 is undoubtedly an important development in India’s legal landscape. The Act finally brings data protection into the mainstream of legal regulation and addresses concerns around digital personal data. In a country where personal data is continuously collected and processed, the enactment of a dedicated statute was a much-needed step.

However, importance should not be confused with adequacy. The mere presence of a law does not guarantee effective protection. A close reading of the Act reveals that while it establishes a framework, that framework is not sufficiently strong or comprehensive to address real-world privacy concerns. The Act recognizes privacy as a concern but does not fully secure it against competing interests, particularly those of the State. It introduces certain rights for individuals but limits their depth and practical enforceability.

So, is it a step forward? Yes, in terms of recognition and structure.

Is it enough? Not quite.

In that sense, the Act occupies an in-between space: a step forward, but also a missed opportunity to create a truly robust privacy regime.

References

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[2] India Const. art. 21.
[3] Information Technology Act, No. 21 of 2000, India Code (2000).
[4] Digital Personal Data Protection Act, No. 22 of 2023, § 6, India Code (2023).
[5] Id. § 7.
[6] Id. §§ 11–13.
[7] Id. § 18.
[8] Id. § 33.
[9] Id. § 17.
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), 2016 O.J. (L 119) 1.
