Beyond Boundaries: Navigating the New Data Privacy Regime under the DPDP Act, 2023

Published on: 19th January 2026

Authored by: Urshita Sharma
D.M. Harish School of Law, Affiliated to HSNC University

Introduction

In the last decade, India has transitioned from a data-poor to a data-rich nation, fuelled by the “Digital India” mission and the proliferation of affordable smartphones. With over 800 million internet users, India generates a colossal footprint of digital personal data every second.[1] However, for years, this data existed in a legal vacuum, regulated only by the insufficient Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.[2]

The turning point in India’s privacy jurisprudence arrived with the landmark judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017).[3] The nine-judge bench unanimously held that the “Right to Privacy” is a fundamental right emerging from Article 21 (Right to Life and Personal Liberty) of the Constitution. The Court explicitly mandated the government to enact a robust data protection regime. After several iterations, withdrawals, and public consultations, most notably the Personal Data Protection Bill, 2019, Parliament finally enacted the Digital Personal Data Protection Act, 2023 (hereinafter “the Act”).[4]

The Act aims to establish a comprehensive framework for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes.[5] However, as with any legislative piece attempting to regulate the dynamic realm of technology, the Act has sparked intense debate regarding its exemptions for the state and the independence of its adjudicatory body. This article seeks to analyze the legal architecture of the DPDP Act 2023, examining its efficacy in safeguarding user rights while navigating the complex landscape of digital commerce and national security.

Key Definitions and Scope

To understand the impact of the new regime, it is essential to decode the specific nomenclature used in the Act. Unlike the GDPR, which uses terms like “Data Subject” and “Controller,” the Indian law adopts a more user-centric vocabulary.[6]

Data Principal: This refers to the individual to whom the personal data relates. In the case of a child, it includes the parents or lawful guardian.[7]

Data Fiduciary: This is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.[8] This entity is roughly equivalent to a ‘Data Controller’ under European law.

Significant Data Fiduciary (SDF): The Central Government may notify certain entities as SDFs based on factors like the volume of data they process and the potential risk to the rights of the data principal.[9] These entities face higher compliance burdens, including the appointment of a Data Protection Officer.

The scope of the Act applies to the processing of digital personal data within India. Crucially, it also has extra-territorial application. It applies to processing outside India if such processing is in connection with offering goods or services to Data Principals within the territory of India.[10]

Core Principles: Consent and Legitimate Use

The architecture of the DPDP Act 2023 is built upon the foundation of consent. Section 6 mandates that consent must be free, specific, informed, unconditional, and unambiguous.[11] This marks a departure from the ‘implied consent’ models seen in earlier drafts. The Data Fiduciary is now obligated to provide a clear ‘Notice’ preceding the request for consent, detailing exactly what personal data is being collected and the purpose thereof.[12]

However, the Act recognizes that obtaining consent is not always feasible. It introduces the concept of “Certain Legitimate Uses” (formerly termed ‘deemed consent’).[13] Under Section 7, data can be processed without explicit consent for specified purposes such as medical emergencies, compliance with court orders, or for employment purposes regarding safeguarding the employer from loss or liability.

Rights of the Data Principal

To empower the individual, the Act enshrines a suite of rights under Chapter III. Foremost among these is the Right to Access, allowing individuals to request a summary of their personal data being processed.[14] Furthermore, the Act includes the Right to Correction and Erasure, enabling users to rectify inaccurate data or demand deletion once the purpose is served.[15] Interestingly, the Act also introduces the Right to Nominate, allowing a user to designate an individual to exercise their rights in the event of death or incapacity.[16]

Duties of the Data Principal

Duties of the Digital Citizen

A unique feature of the DPDP Act, which distinguishes it from global privacy laws, is the imposition of duties on the Data Principal. While rights are paramount, the legislature has introduced a framework of responsibility. Under Section 15, a Data Principal is obligated to comply with the provisions of all applicable laws while exercising their rights.[17]

Specifically, the Act prohibits individuals from impersonating another person while providing personal data for a specified purpose. Furthermore, it specifically targets the misuse of the grievance redressal mechanism. Data Principals are duty-bound not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board.[18]

Perhaps the most debated aspect of this section is the penalty. If a Data Principal is found to be in breach of these duties, they can be liable to pay a penalty of up to ₹10,000.[19] Critics argue that penalizing users in a data protection law, which is meant to protect users from powerful corporations, might deter genuine complaints due to the fear of legal retribution. However, proponents argue this is necessary to prevent the flooding of the Data Protection Board with malicious complaints.

Global Context: DPDP Act vs. GDPR

Comparative Analysis: The Indian DPDP Act vs. The European GDPR

The European Union’s General Data Protection Regulation (GDPR) is often considered the “gold standard” for privacy laws worldwide. A comparative analysis reveals that while the Indian DPDP Act draws inspiration from the GDPR, it diverges significantly in approach and scope.

  1. Categorization of Data: The GDPR creates a distinct category for “Special Categories of Personal Data” (often called sensitive personal data), such as race, religion, and biometric data, which require stricter protection.[20] The DPDP Act, 2023, notably abandons this classification. It treats all personal data equally, applying the same security safeguards regardless of whether the data is a simple email address or sensitive financial information.
  2. Notification of Data Breaches: Under the GDPR, a Data Controller is required to report a breach only if it poses a risk to the rights and freedoms of individuals.[21] In contrast, the Indian Act is far more stringent regarding reporting. Section 8(6) mandates that a Data Fiduciary must intimate the Data Protection Board and each affected Data Principal of every personal data breach, regardless of the risk magnitude.[22] This “zero-threshold” reporting could lead to “notification fatigue” for users and an overwhelmed Board.
  3. Penalty Structure: The GDPR imposes fines based on global turnover (up to 4%), which can amount to billions of dollars for tech giants.[23] The DPDP Act caps the penalty at a fixed amount of ₹250 crore (approx. $30 million) per instance.[24] While substantial for domestic companies, legal scholars argue this cap might be insufficient to deter global technology conglomerates with trillion-dollar valuations.

Cross-Border Data Transfers

Navigating Cross-Border Data Flows

In a digital economy, data knows no borders. The 2019 draft bill had proposed strict data localization norms, requiring a copy of sensitive data to be stored in India. The 2023 Act has significantly liberalized this regime to facilitate the “ease of doing business.”

Section 16 allows for the transfer of personal data to any country or territory outside India, except those specifically “blacklisted” by the Central Government.[25] This is a shift from the “whitelisting” approach (where transfers are allowed only to trusted countries) to a “blacklisting” approach (transfers are allowed everywhere except restricted countries).

This liberalization is a boon for the Indian IT and BPO sector, which relies heavily on the free flow of data. However, it raises questions about the protection of Indian citizens’ data once it lands in a jurisdiction with weak privacy laws. The Act clarifies that if another law (like RBI regulations) mandates higher restriction or localization, that law will prevail.[26]

The Adjudicatory Mechanism

Institutional Framework: Board and Appeals

The enforcement of the Act relies on the Data Protection Board of India (DPB). Unlike a traditional regulator that actively monitors compliance, the DPB is envisioned as an adjudicatory body that acts on complaints.[27] Its primary functions include inquiring into data breaches, imposing penalties, and directing data fiduciaries to take urgent remedial measures.

The Act establishes a clear appellate hierarchy. Any person aggrieved by an order or direction of the Board may prefer an appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days.[28] This is a strategic move to utilize existing tribunal infrastructure rather than creating a new one from scratch. A further appeal against the TDSAT’s order lies directly with the Supreme Court of India.[29] This streamlined process aims to ensure swift justice, though the burden on the already over-encumbered TDSAT remains a practical concern.

Critical Analysis: The Price of Privacy?

While the Act is a welcome legislative milestone, it is not without its criticisms. The most contentious aspect lies in Section 17, which grants the Central Government broad powers to exempt any instrumentality of the State from the application of the Act in the interests of sovereignty, integrity, and security of the State.[30] Legal experts argue that such sweeping exemptions might fail the test of proportionality laid down in the Puttaswamy judgment, effectively allowing the State to be the judge, jury, and executioner of its own data practices.

Furthermore, the independence of the Data Protection Board of India (DPB) has been questioned. Under the Act, the Chairperson and members are appointed solely by the Central Government.[31] Given that the Government is one of the largest data fiduciaries in the country, this structure raises concerns about whether the Board can effectively hold the State accountable.

Finally, the penalty structure creates a “civil liability only” regime. While the Act imposes massive penalties reaching up to ₹250 crore for breaches,[32] it completely removes criminal liability (jail time) which existed in previous drafts. Critics argue that for wealthy technology giants, financial penalties might simply be treated as a “cost of doing business” rather than a genuine deterrent.

Conclusion: The Dawn of a New Digital Era

The enactment of the Digital Personal Data Protection Act, 2023, marks a watershed moment in India’s legal history. It signifies a decisive shift from a laissez-faire digital ecosystem to a regulated regime grounded in accountability. As analyzed, the Act is distinctively Indian in its ethos; it avoids the “cut-and-paste” approach of the GDPR, opting instead for a framework that prioritizes user duties alongside user rights, and favors a “blacklisting” approach to cross-border transfers to boost the digital economy.

However, the Act’s success rests on a fragile balance. On one hand, it empowers the “Data Principal” with robust tools like the Right to Nominate and the Grievance Redressal hierarchy. On the other hand, it imposes controversial duties on citizens and grants the State significant exemptions that could arguably dilute the privacy mandate of Puttaswamy.

Ultimately, the DPDP Act serves as the skeleton of India’s privacy jurisprudence; the muscle and blood will come from the forthcoming rules and the judicial independence of the Data Protection Board. As India positions itself as a global data hub, this Act serves as the first line of defense, ensuring that in the race for digital innovation, the fundamental right to privacy is not the price paid for progress.

[1] Internet in India Report 2022, IAMAI & KANTAR (May 4, 2023).

[2] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[3] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

[4] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, Acts of Parliament, 2023 (India).

[5] Id. at Preamble.

[6] General Data Protection Regulation, Regulation (EU) 2016/679, Art. 4.

[7] The Digital Personal Data Protection Act, 2023, § 2(j).

[8] Id. at § 2(i).

[9] Id. at § 10.

[10] Id. at § 3(b).

[11] Id. at § 6(1).

[12] Id. at § 5(1).

[13] Id. at § 7.

[14] Id. at § 11.

[15] Id. at § 12.

[16] Id. at § 14.

[17] The Digital Personal Data Protection Act, 2023, § 15(a).

[18] Id. at § 15(c).

[19] Id. at Schedule.

[20] General Data Protection Regulation, Regulation (EU) 2016/679, Art. 9.

[21] Id. at Art. 33.

[22] The Digital Personal Data Protection Act, 2023, § 8(6).

[23] General Data Protection Regulation, Regulation (EU) 2016/679, Art. 83.

[24] The Digital Personal Data Protection Act, 2023, Schedule.

[25] Id. at § 16(1).

[26] Id. at § 16(2).

[27] Id. at § 27.

[28] Id. at § 29.

[29] Id. at § 33.

[30] Id. at § 17(2).

[31] Id. at § 19.

[32] Id. at Schedule.
