DATA PRIVACY AND PROTECTION IN INDIA: ANALYZING THE DIGITAL PERSONAL DATA PROTECTION ACT 2023

Published On: August 19th 2025

Authored By: Divyanshi Singh
Bharati Vidyapeeth New Law College Pune

Abstract

India’s legal path towards data protection has been long overdue; with the passage of the Digital Personal Data Protection Act, 2023, the nation at last has a system meant to link personal privacy and the changing digital environment. After the Supreme Court’s acknowledgment of the right to privacy as a fundamental right, the need for a specific law governing personal information was felt strongly as data grows central to governance, business, and daily life. This article discusses the fundamental elements of the 2023 law, the difficulties around its execution, and how it compares against international data protection systems such as the European Union’s GDPR. It also considers the larger constitutional and social effects of this novel legislation in the Indian setting.

Introduction

India’s rapid growth of digital technologies over the last ten years has resulted in a remarkable surge in the amount of personal information being gathered and handled across industries. Every online purchase, social media post, or digital service interaction leaves behind a trail of personal data, much of which is used (sometimes ethically, sometimes not) for profiling, targeted advertising, and surveillance. Until 2023, India was among the few significant economies without specific data protection legislation.

Emerging from years of discussion, many drafts, and public review, the Digital Personal Data Protection Act (DPDP Act) was adopted in August 2023. This development is not merely legal; it is intimately related to the constitutional development of the right to privacy in India. Emphasizing that informational privacy is a part of the right to life under Article 21, the historic judgment in Justice K. S. Puttaswamy v. Union of India in 2017 [1] served as a constitutional nudge.

Tracing the Origins and Core Structure of the DPDP Act, 2023

India’s encounter with data protection laws has been a saga of both aspiration and conservatism. The Union Government appointed the B. N. Srikrishna Committee to look at data privacy concerns in 2017, hence starting the official process. This move came against growing worries over personal privacy, especially after the Supreme Court acknowledged the right to privacy as a basic one. The committee’s comprehensive 2018 report recommended a robust legal framework based on principles including data reduction, storage limitation, purpose restriction, and individual control over one’s information. It further stressed the need to establish an autonomous agency to check compliance.

Successive legal efforts, in the form of the 2019 and 2021 draft Personal Data Protection Bills, nevertheless drew sharp criticism. These drafts were charged with leaning too heavily in favor of the State, giving wide exemptions to government agencies, and lowering oversight mechanisms. Consequently, both editions were finally pulled.

The Digital Personal Data Protection (DPDP) Act, 2023 was presented as a simpler and more targeted piece of legislation. Unlike earlier versions, it addresses only digital personal data and seeks to strike a practical compromise between upholding personal privacy and enabling innovation in India’s fast expanding digital economy. Though it seeks to clarify the legal scene, public and academic debate still depends on the legacy of earlier drafts and the issues they highlighted.

The DPDP Act fundamentally regulates any personal information kept in digital format or digitized after collection. It covers not just data processing within Indian territory but also activities by foreign companies that target Indian consumers, for example via the distribution of items or digital services.

Understanding the Act’s fundamental concepts is essential for grasping how it operates:

The person who owns the personal data is known as the Data Principal. This in effect includes every person whose data is being gathered, stored, or processed.

The entity (be it an individual, a corporation, or a government agency) which decides the why and how of personal data processing is the Data Fiduciary.

Under the Act, consent must be free, explicit, informed, and founded on positive action. Blanket or inferred approval is ineffective; people have to be explicitly informed of how their information will be used.

The Act also establishes Significant Data Fiduciaries (SDFs), entities that process high volumes or sensitive forms of personal data. Given their capacity to impact great numbers of users, these organizations are subject to increased responsibilities, including appointing Data Protection Officers and performing regular impact assessments.

The Act’s structural skeleton is created from these definitions and clauses. Although the DPDP Act seems modest in its wording, it ushers in a conceptual change in how personal data is regarded in India—from a commercial commodity to something fundamentally connected to personal dignity and constitutional rights.

Main Characteristics of the Act

1. Consent as the foundation

The law depends on consent, which is needed before any personal information can be gathered or handled. This permission has to be linked to a particular goal, and the data principal has the right to withdraw it anytime. Consent notices need to be written in straightforward, easy-to-read language, possibly in several languages.

2. Processing Without Authorization

The Act permits data processing without express authorization in a few circumstances. These are classified as legal uses, including where the data is given willingly or where processing is needed for state welfare plans, legal duties, or during crises.

3. Rights of Individuals

Data principals now have several entitlements:

Access to the summary of data under processing.

Right to correction, updating, and deletion of personal data.

The right to redressal of grievances.

Right to nominate another person to exercise these rights in the event of the individual’s death or incapacity.

4. Obligations of Data Fiduciaries

Companies that manage data are compelled to:

Limit the collection to required information.

Put in place suitable security measures.

Declare incidents of data breaches.

Once the goal is reached, stop keeping personal information.

5. Regulatory Body: Data Protection Board of India

The Act creates a Data Protection Board in place of a statutory Data Protection Authority (as suggested in prior drafts). Its responsibility comprises monitoring compliance, investigating violations, and issuing instructions. However, the central government’s role in appointing members calls into question the independence of this Board.

6. Data movement outside India

Cross-border data transfers are by default allowed under the Act unless the government flags some nations as prohibited destinations. This represents a change from earlier plans calling for data localization.

7. Governmental Exclusions

Section 17, which permits the central government to exempt its agencies from significant clauses if it is felt essential for national security, public order, or similar interests, is among the most controversial features of the law. This raises concerns about unrestrained surveillance.

Legal and Constitutional Consequences

The DPDP Act appears at first look to adhere to the constitutional standards established by the Puttaswamy decision. It stresses informed consent and offers a means of redress. The absence of significant limitations on state surveillance and the lack of an independent regulator, however, could lead to unequal intrusion on personal privacy. Moreover, since the law grants broad discretion to the central government, it brings up questions about possible misapplication, especially in a nation where surveillance technologies are already prevalent and mostly uncontrolled.

Comparative Perspective: GDPR vs. DPDP Act, 2023

India’s data protection mechanism, introduced by the Digital Personal Data Protection Act, 2023, has certain parallels to the European Union’s General Data Protection Regulation (GDPR), regarded as the global gold standard in data privacy. But a more in-depth analysis shows significant differences in individual rights, institutional structure, enforcement methods, and breadth.

The most basic difference is in the range of applicability. The GDPR applies to structured manual processing of personal data—for example, physical records contained inside a filing system—as well as automated digital processing. Conversely, the DPDP Act limits itself exclusively to digital personal data—that is, data gathered or digitized in electronic format. Although this more limited scope may make implementation easier, it could omit important forms of data managed in India in hybrid or offline formats.

Regulatory oversight is another big point of difference. Under the GDPR, each member state creates an autonomous Data Protection Authority to handle enforcement and adjudication. These authorities are intended to work independently of executive direction, so guaranteeing fairness. Conversely, the Data Protection Board of India is created under the DPDP Act and its members and chairperson are nominated by the Central Government. This brings up questions about institutional autonomy and might restrict the Board’s capacity to act independently, especially in situations involving state actors.

Regarding personal rights, the GDPR gives data subjects a strong array of safeguards. These include the right to data portability, the right to object to processing, the right to be forgotten, and the right to restrict processing under certain conditions. The DPDP Act grants some of these rights—such as the right to access, rectify, and erase personal data—but it does not provide for data portability or the right to object, which are vital in increasing information independence and user agency.

Another field where the two systems diverge is in cross-border data transfers. The GDPR imposes strict restrictions on foreign data transfers: guaranteeing that data stays protected even outside the European Economic Area calls for mechanisms like adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules (BCRs). Conversely, the DPDP Act takes a more open attitude: cross-border transfers are usually permitted unless the Central Government expressly forbids them by notification. Although this enables worldwide commercial operations, it might jeopardize privacy protection when information is transferred to nations with lax data security policies.

Regarding penalties, both systems are intended to be deterrent in nature. The GDPR carries penalties of up to €20 million or 4% of the firm’s worldwide yearly turnover, whichever is greater. The DPDP Act allows financial penalties of up to ₹250 crore (around $28 million), which, though substantial in the Indian situation, may not be appropriate for large multinational corporations.

In essence, the DPDP Act differentiates itself from the GDPR by its somewhat gentler attitude on enforcement, limited individual rights, and government domination of regulatory instruments even while it aims to bring India closer to worldwide standards on data protection. Arguably, the Indian approach gives industry compliance and administrative efficiency top priority over strict rights-based protections. Although it might be more flexible for small enterprises and developing countries, it runs the risk of failing to guarantee complete informational self-determination and regulatory independence.

Challenges and Implementation Concerns

1. Regulatory Infrastructure

The Data Protection Board is still not ready to become completely functional as of mid-2024. Questions still exist regarding its staffing, degree of independence, and speed of response to breaches or complaints.

2. Public Perception

Educating people about their rights under the revised law presents a serious obstacle. The promise of privacy will stay mostly on paper without enough knowledge.

3. Industry Readiness

Meeting compliance standards might prove challenging, especially for startups and smaller businesses. To guarantee a seamless execution, clear guidelines and support systems will be required.

4. Surveillance Loopholes

A major problem is that government agencies may be excluded from the fundamental protections of the law without judicial review. Unless subject to additional court review, this may conflict with constitutional ideas, hence challenging the notion of privacy as a privilege.

Socio-Legal Implications and the Road Ahead

Beyond its specific legislative goals, the Digital Personal Data Protection Act, 2023 points to a more fundamental cultural and legal change in India’s stance on privacy and information management. The law encourages companies, government agencies, and civil society toward more responsible and moral data-handling policies by officially acknowledging that people have rights over their personal information. For many Indians—particularly those in rural and semi-urban areas who are experiencing digital life for the first time—this Act can be a source of dignity and empowerment, giving them more say over how their data is used. This promise, however, will only be realized if rights awareness and enforcement systems are significantly expanded across many socio-economic situations.

Simultaneously, the concentration of regulatory authority in the Union government creates questions in a federal structure like India, where state administrations also play major roles in digital governance, especially through public service distribution and welfare programs. The DPDP Act may lead to friction or imbalance in Centre-State relations if it is not properly protected.

Looking ahead, many actions must be taken to guarantee that the Act reaches its maximum potential. First, the Data Protection Board has to be given institutional independence from executive influence to be able to serve as an objective and reliable watchdog. Second, to guard against abuse, the Act’s broad exemption powers—especially those enabling government agencies to circumvent data protection rules—must be improved and subject to legislative or court supervision. Third, significant investment in capacity building spanning the public and private sectors is necessary, including training courses for IT workers, attorneys, and data protection officers. Simultaneously, data literacy initiatives must be started to inform residents of their legal rights and remedies, thereby guaranteeing that the law is practically effective at the grassroots level rather than just symbolic.

Finally, the Act has to be harmonized with current industry-specific laws—finance, health, and telecommunications among others—as well as with constitutional principles of justice, proportionality, and accountability if it is to function efficiently inside India’s convoluted legal scene. Only then can the DPDP Act become a really rights-respecting and future-ready legal system.

Conclusion

The Digital Personal Data Protection Act of 2023 is a significant first step in updating India’s approach to digital governance. It establishes essential protections for personal data, provides companies with clarity, and reaffirms the constitutional importance of privacy. Still, for all of its potential, much depends on the way the law is implemented, the independence of its enforcement agencies, and the readiness of courts and civil society to hold power responsible. The Indian data protection path is only beginning, and the coming few years will reveal if the legislation is a symbolic reform or a transforming one.

References

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
  2. Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).
  3. Ministry of Electronics & Information Technology, “Draft Digital Personal Data Protection Bill, 2022,” https://www.meity.gov.in.
  4. B. N. Srikrishna Committee Report (2018), https://prsindia.org/files/policy/policy_committee_reports/Data_Protection_Bill_Final.pdf.
  5. Regulation (EU) 2016/679 (General Data Protection Regulation).
  6. Apar Gupta, “The Constitutional Case for Data Protection in India,” Indian Journal of Law and Technology, Vol. 15 (2019).
  7. Ujwala Uppaluri, “From Consent to Control: Interrogating India’s Data Bill,” NLS Business Law Review, Vol. 5 (2022).
