Published on: 10th December 2025
Authored by: Honey Kumar
Ch. Charan Singh University
ABSTRACT
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant milestone in India’s data protection framework, culminating nearly a decade of efforts to protect citizens’ digital rights. This article provides a critical analysis of the Act’s provisions, scope, and implications for data fiduciaries, data principals, and the wider digital economy. By comparing it with international frameworks and evaluating practical implementation challenges, this article discusses that while the Act lays a strong foundation for data protection, its effectiveness will ultimately rely on robust enforcement mechanisms and adaptable regulatory oversight.
INTRODUCTION
The rapid growth of India’s digital economy, which includes 1,002.85 million internet subscribers reported during April–June 2025[1] and a thriving technology sector, has created the need for a comprehensive legal framework to regulate the processing of personal data. The Digital Personal Data Protection Act, 2023, which was enacted on August 11, 2023, aims to address this need by establishing rights and obligations related to the processing of digital personal data. This legislation comes in response to the Supreme Court’s landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1[2], which recognized privacy as a fundamental right and spurred legislative action on data protection. The DPDP Act is India’s first dedicated data protection law, setting itself apart from previous sector-specific regulations by taking a comprehensive approach to digital personal data. This article analyzes the key provisions of the Act, examines its alignment with constitutional principles, evaluates its position in comparison to international frameworks, and assesses potential implementation challenges that may arise in practice.
HISTORICAL CONTEXT AND LEGISLATIVE EVOLUTION
India’s journey toward comprehensive data protection legislation has involved multiple iterations and extensive consultations. The Justice B.N. Srikrishna Committee,[3] established in 2017, submitted the Personal Data Protection Bill in 2018, which underwent significant revisions. The subsequent Personal Data Protection Bill, introduced in Parliament in 2019, was ultimately withdrawn in August 2022 to allow for a new approach. The Digital Personal Data Protection (DPDP) Act adopts a more streamlined framework than its predecessors, consisting of 44 sections organized into nine chapters. This concise structure reflects a deliberate choice to establish principles-based regulation instead of rigid rules, with considerable rule-making authority delegated to the Central Government. Critics argue that this approach may lead to regulatory uncertainty, while supporters believe it provides the necessary flexibility for an evolving digital landscape.
SCOPE AND APPLICABILITY
Territorial Jurisdiction: The Digital Personal Data Protection (DPDP) Act, 2023[4] has a broad territorial scope, applying to the processing of digital personal data within India. Importantly, it also covers processing carried out outside India if it pertains to offering goods or services to data principals within India. This extraterritorial application is similar to the approach taken by the European Union’s General Data Protection Regulation (GDPR)[5], positioning India as a jurisdiction with regulatory authority over cross-border data flows that impact its citizens. However, these extraterritorial provisions raise concerns regarding enforcement mechanisms against foreign entities that do not have a physical presence in India. To address this, the Act includes requirements for certain entities to appoint a representative in India. Nonetheless, the practical effectiveness of such requirements has yet to be tested.
Definitions and Key Concepts: Section 2(t) of the Act defines “personal data” as any information relating to an individual who is identifiable by or in relation to that data, while “digital personal data” refers specifically to personal data that exists in digital form. Importantly, the Act does not cover personal data that individuals make publicly available themselves or data found in government records that are accessible to the public. These exemptions should be carefully examined for their potential implications. The term “processing” is defined under section 2(x) and includes any automated action taken on digital personal data, such as collection, storage, use, and deletion. This extensive definition ensures that all stages of the data lifecycle are comprehensively addressed.
RIGHTS OF DATA PRINCIPALS
The Act establishes essential rights for data principals, representing a substantial advancement in the protection of individual digital autonomy:
- Right to Information: Data principals have the right to access information about the personal data collected about them and the purposes for which this data is processed. This right supports transparency principles, allowing individuals to make informed decisions about data sharing. However, the Act offers limited guidance on the level of detail and format of the information that should be provided. This is where additional subordinate legislation will be essential.
- Right to Correction and Erasure: The Act grants individuals the right to correct any inaccurate or misleading personal data about themselves and to request the deletion of data when there is no longer a lawful reason for processing it. These provisions are in line with international best practices; however, challenges may arise during implementation, especially in situations involving distributed or backup systems where data erasure can be technically complex.
- Right to Grievance Redressal: The Act gives data principals the right to readily available means of grievance redressal from the data fiduciary in respect of any act or omission affecting their rights, with recourse to the Data Protection Board where that redressal is not forthcoming. The practical value of this right will depend on the response timelines and procedures to be specified in subordinate legislation.
- Right to Nominate: The Act grants data principals the right to designate another individual to exercise their rights in the event of death or incapacity. This provision addresses digital inheritance concerns, although its interaction with succession laws requires further clarification.
OBLIGATIONS OF DATA FIDUCIARIES
The Act establishes significant responsibilities for data fiduciaries, defined as entities that determine the purposes and methods for processing personal data:
- Lawful Processing and Purpose Limitation: Data fiduciaries must process personal data for lawful purposes for which consent has been obtained and must not retain data beyond the period necessary for such purposes. The principle of purpose limitation prevents function creep and unauthorised secondary uses of data.
- Data Security Measures: Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. While the Act does not prescribe specific technical measures, it requires notification to the Data Protection Board and affected data principals in the event of breaches likely to cause harm. The risk-based approach to breach notification represents a pragmatic balance between transparency and avoiding notification fatigue.
- Accuracy and Completeness: Data fiduciaries are responsible for ensuring the accuracy and completeness of personal data processed, especially when inaccurate data could harm the data principals. This obligation imposes affirmative duties on entities to maintain data quality throughout the data processing lifecycle.
- Obligations of Significant Data Fiduciaries: The Act creates a new category called “Significant Data Fiduciary” for organizations that process a large volume of personal data or handle data with significant risk potential, as determined by the Central Government. Entities in this category are subject to additional obligations, which include appointing Data Protection Officers, conducting Data Protection Impact Assessments, and implementing enhanced security measures. This risk-based regulatory approach aligns with international frameworks while allowing for flexibility in adapting requirements based on actual risk profiles.
CONSENT ARCHITECTURE
The Act establishes consent as the primary legal basis for processing personal data, defining it as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. Consent must be obtained through a clear affirmative action and should be as easy to withdraw as it is to give. Importantly, the Act allows for the processing of children’s data (individuals under 18 years old) only with verifiable parental consent, ensuring enhanced protections for minors. However, there are still significant gaps in practical mechanisms for age verification and parental consent in digital settings.
The Act also acknowledges specific “legitimate uses” that allow data processing without consent under certain conditions, such as government functions, medical emergencies, and research purposes. These exemptions must be interpreted carefully to avoid undermining consent requirements.
EXEMPTIONS AND DEROGATIONS
The Act contains several exemptions that have attracted scholarly criticism:
- Government Exemptions: The Central Government has the authority to exempt any government agency from the provisions of the Act if deemed necessary for reasons of sovereignty, territorial integrity, security, maintaining friendly relations with foreign states, or ensuring public order. This broadly worded provision raises concerns about potential executive overreach and the lack of adequate safeguards for surveillance activities.
- Processing for State Functions: Processing personal data for legitimate state purposes, such as national security and legal proceedings, is exempt from certain regulations. While these exemptions serve valid state interests, their broad application may undermine individual privacy rights without adequate oversight mechanisms.
- Small Business Exemptions: Entities identified as “small businesses” may receive exemptions from certain provisions, acknowledging concerns about compliance burdens for smaller enterprises. However, the criteria for classifying small businesses and the scope of exemptions are still subject to government notification.
INSTITUTIONAL FRAMEWORK
The Act establishes the Data Protection Board of India as the main regulatory authority responsible for implementation and enforcement. The composition of the Board, which includes a Chairperson and members appointed by the Central Government, raises concerns about its independence, especially since there are no provisions in place to protect it from executive influence. The Board is empowered to inquire into breaches, issue directions, and impose penalties. However, its adjudicatory functions are subject to limited appeal rights, potentially constraining judicial oversight of regulatory decisions.
PENALTIES AND ENFORCEMENT
The Act outlines specific penalties for various offenses, including failure to implement security safeguards, breaches of confidentiality, and failure to erase data. Importantly, penalties do not apply to data principals, which acknowledges that individuals should not be penalized for exercising their rights or for filing complaints. However, there are concerns about whether the penalty amounts are proportionate and whether they will serve as adequate deterrents for large technology companies.
COMPARATIVE ANALYSIS
- Comparison with the GDPR: The DPDP Act is inspired by the GDPR; however, there are notable differences between the two. Unlike the GDPR, which consists of a comprehensive 99 articles, the DPDP Act has a more concise framework. The principles of data minimization and privacy by design, clearly highlighted in the GDPR, are not as explicitly stated in the Indian legislation. Furthermore, while the GDPR establishes an independent supervisory authority, there are ongoing concerns about the independence of the Data Protection Board.
- Comparison with Other Frameworks: In comparison to the California Consumer Privacy Act (CCPA), the DPDP Act offers fewer consumer rights, especially in terms of data portability and the option to opt out of data sales. Similar to India’s legislation, Singapore’s Personal Data Protection Act[6] follows a consent-based framework but includes more comprehensive provisions regarding cross-border data transfers.
CRITICAL ASSESSMENT AND IMPLEMENTATION CHALLENGES
- Regulatory Uncertainty: The Act delegates significant rule-making authority to the executive, resulting in regulatory uncertainty. Key elements such as consent management procedures, breach notification timelines, and security standards are pending subordinate legislation. This regulatory gap may hinder compliance planning for data fiduciaries.
- Enforcement Capacity: The effectiveness of the Act largely depends on the institutional capacity of the Data Protection Board. Considering the scale of India’s digital economy and the expected number of complaints and investigations, there are concerns about whether the Board will have sufficient resources and personnel to carry out its functions effectively.
- Cross-Border Data Transfers: The Act takes a relatively permissive stance on cross-border data transfers, allowing such transfers to countries or entities as designated by the Central Government. Unlike the GDPR, which relies on thorough assessments of recipient countries’ data protection standards for adequacy decisions, the Indian framework offers limited transparency about the criteria for approving these transfers.
- Balancing Innovation and Protection: India aims to become a leader in the digital economy by balancing data protection with the need for innovation. Excessively strict regulations may hinder technological development, while insufficient protections could compromise individual rights. The Act adopts a principles-based approach to address this challenge, but its effectiveness remains to be demonstrated.
CONCLUSION
The Digital Personal Data Protection Act, 2023 is a significant milestone in India’s data governance framework, establishing fundamental principles for protecting individual privacy in an increasingly digital society. The Act indicates that strong data protection is not opposed to economic development; instead, it is essential for the sustainable growth of the digital ecosystem.
However, the actual impact of the Act depends on more than just its written provisions. Effective implementation requires several key actions:
- The creation of comprehensive subordinate legislation to fill regulatory gaps;
- The establishment of a well-resourced and genuinely independent Data Protection Board;
- The development of industry capabilities for compliance through guidance and technical assistance;
- Judicial interpretation that aligns data protection with constitutional principles; and
- Ongoing legislative reviews to address emerging challenges, such as artificial intelligence, automated decision-making, and advancing surveillance technologies.
The success of the Act will ultimately be measured not by its theoretical framework but by its practical effectiveness in safeguarding individual digital autonomy while supporting India’s aspirations for a digital economy. As implementation progresses, continuous engagement with stakeholders, empirical assessments of regulatory outcomes, and adaptable governance will be essential for realizing the Act’s transformative potential.
ENDNOTES
[1] Satellite Internet in India: The Future of Internet Above Us, Press Information Bureau, 23 September 2025, https://www.pib.gov.in/PressNoteDetails.aspx?NoteId=155262&ModuleId=3
[2] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/
[3] The Justice B.N. Srikrishna Committee report summary, PRS Legislative Research, https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy
[4] The Digital Personal Data Protection Act, 2023, Ministry of Electronics and Information Technology, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[5] European Union’s General Data Protection Regulation (GDPR), https://gdpr-info.eu/
[6] Singapore’s Personal Data Protection Act 2012, https://sso.agc.gov.sg/Act/PDPA2012