Data Privacy and Protection in India: Analyzing the Digital Personal Data Protection Act, 2023

Published on: 18th January 2026

Authored by: Harsh Vardhan Singh
JECRC UNIVERSITY

Introduction

India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is a defining legislative moment in the country’s digital history. It is the statutory response to the constitutional recognition of privacy in Puttaswamy (2017), to the challenges of a data-driven economy, and to decades of debate over how to protect individuals’ informational autonomy in an environment of relentless collection and algorithmic processing. The DPDP Act introduces a consent-based legal architecture for “digital personal data,” establishes duties for data fiduciaries, creates special rules for large-scale processors and children’s data, and sets up an administratively constituted Data Protection Board for enforcement. Yet the statute also contains broad state exemptions and extensive delegated rule-making powers that raise legitimate concerns about balance, oversight and potential misuse.[1]

This article provides a descriptive and critical account of the DPDP Act. It explains the statute’s principal architecture, places it in legislative and constitutional context, compares it with international norms, evaluates its potential impact on rights and governance, and proposes targeted reforms and implementation priorities. The goal is practical and normative: to show how the Act can become a credible instrument of protection without unnecessarily hampering legitimate public and commercial uses of data.[2]

Core Architecture: Scope, Actors and Legal Bases

At the statute’s core is a relatively narrow concept: the DPDP Act protects digital personal data — information in digital form or digitised from analogue sources. This technical focus aligns the law with everyday digital services, from e-commerce to mobile health apps, but it also creates a gap: purely analog databases or paper records are not governed directly by the Act. In practice, however, many of those records are being digitised, and the Act’s reach will therefore expand with India’s digitalisation.

The Act organises relationships among three categories of actors familiar from global privacy law: the data principal (the individual to whom the data pertains), the data fiduciary (the entity that determines the purposes and means of processing) and the data processor (the entity that processes data on the fiduciary’s instructions). Framing the duty-holder as a “fiduciary” is purposeful: it imposes on the corporate actor a heightened duty of care and prioritises the principal’s interest in privacy as a matter of public law.[3] The statute requires fiduciaries to provide notice, obtain meaningful consent for processing, ensure data accuracy and adopt reasonable security safeguards. It further places primary legal liability on fiduciaries for processing done by processors, a strictness that encourages more cautious vendor selection and contractual discipline.

Legally, the DPDP Act is consent-centric. Processing is lawful when the data principal provides free, informed, specific and unambiguous consent, or when the Act’s limited catalogue of “legitimate uses” applies. These legitimate uses include public functions, emergencies, legal obligations, and certain inter-agency sharing by the State. Notably absent is a broad ‘legitimate interests’ ground akin to the GDPR: Indian law thus forces many commercial actors to either secure express consent or carefully invoke enumerated exceptions. This choice foregrounds individual agency but complicates routine commercial processing — for instance, where contractual necessity or system optimisation, rather than explicit consent, previously sufficed.[4]

Rights and Protections: Access, Correction, Erasure and Children

The DPDP Act grants data principals a set of core rights: notice, access to summaries, correction, erasure, and recourse to grievance mechanisms. A distinctive addition is a nomination right, permitting individuals to nominate another person to manage or access their data in circumstances of incapacity or death — a pragmatic rule for estates and legacy concerns in a digital age.

Child-protection rules receive particular attention. The Act requires parental consent for the processing of minors’ data, forbids targeted advertising and profiling of children, and restricts tracking practices involving minors. These measures reflect a global momentum to safeguard children in online environments. Their effectiveness will depend, however, on clear definitions (who counts as a child in particular platforms), on how parental consent is verified, and on robust enforcement against covert profiling.

Importantly, the Act’s rights are functional rather than absolute: exceptions for legal compliance, public interest and security exist, and the breadth of those exceptions will largely determine the real-world strength of the rights framework. The Act’s design thus invites institutional guardrails — judicial review, transparency reporting and independent oversight — to prevent erosion of core protections.[5]

Significant Data Fiduciaries (SDFs): Targeting Systemic Risk

The DPDP Act introduces the notion of Significant Data Fiduciaries (SDFs): entities or classes designated by the government for their scale, sensitivity or potential impact on sovereignty, economy or public order. SDFs carry additional obligations — periodic audits, impact assessments (where prescribed), appointment of an India-based contact officer or Data Protection Officer, and higher compliance thresholds.

This targeting is sensible: large platforms and critical infrastructure providers create systemic risks that modest startups do not. By calibrating obligations to scale and impact, the law seeks regulatory proportionality. The risk, however, rests in discretionary designation. The criteria for SDF classification are delegated to rules and administrative decision-making; if used opaquely, this power could be weaponised for competitive pressure or political control. Clear, rules-based criteria and a transparent, consultative designation process would reduce uncertainty and improve legitimacy.

Enforcement, Remedies and Institutional Design

The DPDP Act establishes a Data Protection Board (DPB) charged with investigations, remedial orders and penalty imposition. Unlike the independent supervisory authorities of EU Member States, the DPB is institutionally closer to the executive. It can impose financial penalties, direct corrective action and, in extreme cases, direct blocking of access to services.

A notable absence is a statutory private right of action for damages; private redress in India will largely rely on administrative processes and existing civil remedies outside the DPDP Act (for example, tort claims or constitutional petitions). This enforcement architecture shifts the focus toward administrative enforcement and regulatory discretion. Such a design can deliver efficiency when regulators act robustly and impartially; conversely, it risks leaving affected individuals dependent on public enforcement choices.

Crucially, the DPB’s technical capacity will determine the law’s effectiveness. Investigating algorithmic systems, verifying data breach reports, and conducting forensic audits demand specialised skills and funding. Thus, implementation is as important as statute-making: resourcing the DPB and embedding judicial review will be essential to translate formal rights into live protection.

State Exemptions and the Tension with Surveillance

A central controversy of the DPDP Act is its treatment of state access. The statute authorises rule-based exemptions for government agencies on grounds like sovereignty, public order and security. While most democracies allow some form of state access for legitimate law enforcement and national security, the Indian law provides broad delegated authority that may permit significant intrusions without the traditional procedural checks — such as prior judicial authorisation — expected in mature rule-of-law systems.

The practical effect is a tension: the law formally guarantees privacy rights yet simultaneously enables substantial state access to private data in the name of security or public interest. The balance between privacy and security is not new, but the institutional mechanisms protecting privacy (independent oversight, publication of access statistics, judicial authorisations) are pivotal. Without transparent reporting of state access, adequate judicial safeguards, and narrow, proportionate grounds for intrusion, exemptions risk becoming sweeping powers that hollow out statutory protections. Public confidence in the law — and in the government’s privacy stewardship — depends on procedural restraint and transparency.[6]

International Comparisons: GDPR, CCPA and Other Models

Comparatively, the DPDP Act occupies a middle position. It is more rights-oriented than many U.S. sectoral regimes and closer in aspiration to the GDPR, but it departs from the European model in significant respects. The GDPR rests on multiple lawful bases for processing (including contractual necessity and legitimate interests), a highly independent supervisory architecture, and comprehensive enforcement powers. India’s statute prioritises consent, embeds broader executive discretion, and relies on an administrative Board with weaker independence.[7]

From a practical standpoint, this matters for transnational compliance. Global firms operating in India must reconcile DPDP’s consent thresholds — and the potential for state exemptions — with GDPR’s adequacy and enforcement regime. Similarly, the absence of a private right of action and the DPB’s limited proactive supervisory role make India’s enforcement landscape different from jurisdictions where litigation adversarially develops norms.

Practical Impact on Businesses and Civil Society

For businesses, the DPDP Act imposes concrete tasks: privacy audits, consent redesign, breach preparedness, contract renegotiation with processors, and mapping of data flows. The law’s extraterritorial claims mean foreign companies with significant Indian users will need India-specific compliance tracks. For startups, the statute’s lighter obligations compared to the 2019 draft may reduce early compliance burdens, but the potential for SDF designation creates an uncertain compliance cliff: a small company’s rise to scale could trigger substantial new obligations.

Civil society’s role is likely to intensify. In many contexts, public-interest litigation and NGO advocacy catalyse enforcement, transparency and interpretive development of data law. The DPDP Act’s administrative enforcement model means that civic oversight, transparency reporting and media scrutiny will be important complements to formal adjudication.[8]

Strengths, Weaknesses and the Road Ahead

Strengths. The DPDP Act codifies rights and duties where none existed comprehensively before. It moves India into the mainstream of jurisdictions that recognise a statutory privacy baseline, clarifies many expectations for industry, and signals a legislative commitment to personal data protection that will support trust in the digital economy.

Weaknesses. The Act’s structural weaknesses are real. A consent-dominant model is ill-suited to all modern processing scenarios. Broad state exemptions and delegated rule-making risk undermining protections. The DPB’s lack of full independence and limited rule-making authority constrains proactive supervision. Finally, the deferral of technical specifics to subordinate rules concentrates power in the executive to define the statute’s practical boundaries.

The road ahead. The DPDP Act must be implemented with principled rule-making, judicial vigilance, and capacitated regulators. Targeted reforms would improve the law: clarifying and narrowing exemptions, introducing additional legal bases for processing (with safeguards), enhancing the DPB’s independence and technical ability, defining transparent SDF criteria, and mandating public reporting on government access requests.

Recommendations (Summarised)

  1. Narrow exemptions and require judicial oversight for non-routine state access; publish periodic transparency reports on government requests and data disclosures.
  2. Strengthen regulatory independence and capacity by making the DPB operationally autonomous and technically resourced for algorithmic audits and breach forensics.
  3. Introduce additional lawful bases (e.g., contractual necessity; legitimate interests with safeguards) to reflect commercial realities while protecting rights.
  4. Set clear criteria and appeal routes for SDF designation to avoid arbitrary or competitive misuse.
  5. Mandate rule-making consultation with civil society and industry to craft workable subordinate rules that respect privacy and innovation.
  6. Increase public awareness and judicial training so courts and citizens can enforce rights and interpret the statute in a rights-consistent manner.

Conclusion

The DPDP Act is a milestone that puts India on a firmer footing in the global move toward statutory privacy protection. It recognises the centrality of informational dignity in the digital era, sets out practical fiduciary duties, and offers novel institutional and procedural devices. Yet the statute’s ultimate value will depend on how the State configures its exemptions, how rapidly and independently the DPB acts, how judicial bodies interpret the balance between privacy and security, and how robustly civil society engages in oversight.

If implemented with care, the DPDP Act can be an engine of trust for India’s digital economy and a guardian of constitutional rights. If not, it risks codifying a formal set of rights that are readily overridden by executive discretion. The coming years will show whether the law matures into a rights-affirming regime or becomes a technical instrument that masks broad state access. For scholars, practitioners and policymakers, the imperative is clear: guard the law against dilution; resource the institutions that enforce it; and keep the debate about privacy alive in India’s democratic life.

[1] Digital Personal Data Protection Act, 2023 (No. 22 of 2023) (India).

[2] Justice K.S. Puttaswamy (Retd) v Union of India (2017) 10 SCC 1.

[3] Personal Data Protection Bill, 2019 (as introduced) (Government of India).

[4] Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR).

[5] California Consumer Privacy Act (CCPA) 2018; California Privacy Rights Act (CPRA) 2020.

[6] Ministry of Electronics & Information Technology (MeitY), Digital Personal Data Protection Rules (relevant rules and notifications).

[7] N. Couldry & U. A. Mejias, The Costs of Connection: How Data Is Colonizing Human Life and Appropriating It for Capitalism (Stanford University Press 2019).

[8] Srikrishna Committee Report (Report of the Committee of Experts on a Data Protection Framework for India, 2018).
