Published on: 23rd January 2026
Authored By: Dia Samani
Introduction
India’s digital landscape has expanded at extraordinary speed. The country now relies on digital platforms for communication, financial services, health systems, education, transport and essential governance processes. With each interaction, vast amounts of personal data are generated and stored. This data fuels innovation but also exposes individuals to profiling, commercial exploitation and state surveillance. Recognising the need for a structured legal framework that protects individuals while enabling digital growth, Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDPA).
The statute attempts to guide India through a complex moment in its digital evolution. It is built on the idea that personal data is more than an economic resource. It is connected to autonomy, identity and democratic participation. Yet it is also clear that the Act has been shaped by administrative considerations, national security priorities and the desire to maintain a simplified compliance structure for industry. This dual orientation raises questions about whether the Act can genuinely advance informational privacy in a constitutional sense. Through a detailed analysis, this article evaluates the Act’s conceptual foundations, examines its provisions, and considers its practical and constitutional implications.
Background of Privacy Law in India
The trajectory of privacy jurisprudence in India has been inconsistent. In its early constitutional approach, the Supreme Court treated privacy narrowly and did not recognise it as a fundamental right. In M. P. Sharma v. Satish Chandra¹, the Court took a strict textual view and declined to read privacy into the Constitution. A similar stance surfaced in Kharak Singh v. State of Uttar Pradesh², where the Court again refrained from confirming privacy as a protected right. These decisions created a legal vacuum, allowing wide state surveillance and data collection without meaningful limitations.
Privacy entered Indian law meaningfully only with the landmark judgment in K. S. Puttaswamy v. Union of India³. The Court unanimously held that privacy is embedded within Article 21 and is central to dignity, autonomy and personal freedom. In recognising informational privacy as a constitutional interest, the Court acknowledged that modern technologies create risks that the Constitution must address. The proportionality standard laid down in the judgment requires that any restriction on privacy must have a legitimate aim, be necessary, follow the least restrictive alternative and balance competing interests fairly.
Before the DPDPA, statutory safeguards were fragmented. Section 43A of the Information Technology Act, 2000⁴ placed limited obligations on body corporates to maintain reasonable security practices. The SPDI Rules, 2011⁵ attempted to create a category of sensitive personal data, but lacked clear enforcement and did not apply to government entities. The Justice B. N. Srikrishna Committee Report⁶ highlighted these gaps and recommended a rights-oriented legal framework, supported by an independent regulator. Although the final statute that emerged in 2023 is more streamlined and state-centric than the committee proposed, the committee’s work laid essential groundwork for the recognition that India needed comprehensive privacy legislation.
Key Concepts and Provisions
The DPDPA adopts a structure that defines the roles of data principal, data fiduciary and data processor. The data principal is the individual whose data is being processed. The data fiduciary determines the purpose and means of such processing. The data processor acts only on instruction from the fiduciary.⁷ These definitions shape the legal relationships that govern the flow of personal data.
One of the most notable choices in the Act is the removal of sensitive data categories. Unlike earlier drafts, the DPDPA treats all personal data uniformly. The rationale for this simplification appears to be administrative efficiency and ease of compliance, especially for smaller organisations. However, the absence of heightened safeguards for medical, financial or biometric information has raised concerns about whether uniformity undermines meaningful protection.
The DPDPA places consent at the heart of data processing. Consent must be free, specific, informed and capable of being withdrawn.⁸ A notice must accompany any request for consent. This notice should communicate the purpose of collection in clear and accessible terms. Although the consent model appears strong, its effectiveness ultimately depends on the quality of the notice and the realistic ability of users to make informed choices within complex digital environments.
Alongside consent, the statute recognises legitimate uses where processing may occur without permission.⁹ These include state functions, medical or disaster emergencies, court orders and employment situations. Many of these are unavoidable, but the scope of state-related exceptions raises concerns about whether the balance skews too heavily towards government interests.
Purpose limitation and storage limitation guide fiduciaries in their handling of data. Personal data must be used only for the reasons disclosed and must be deleted when the purpose has been fulfilled.¹⁰ This is a central privacy principle, yet its practical effectiveness depends on robust oversight and transparent implementation.
Children’s data receives protective measures. Processing requires verifiable parental consent, and activities such as targeted advertising or behavioural tracking that may harm a child’s well-being are restricted.¹¹ The choice to set the age threshold at eighteen aligns with other Indian laws but places India above most international standards, which typically recognise lower thresholds for digital consent. This choice increases compliance requirements and may also inadvertently restrict teenagers’ access to beneficial digital spaces.
The Act empowers the government to designate certain entities as significant data fiduciaries when their scale or operations present heightened risk. These entities must appoint a data protection officer, undergo periodic audits and conduct impact assessments.¹² This risk-based model introduces regulatory differentiation while maintaining uniform basic obligations across the sector.
Rights of Data Principals and Duties of Fiduciaries
The rights granted to individuals under the DPDPA are foundational. The right to information requires fiduciaries to disclose what data they process, why they process it and with whom it is shared.¹³ This right supports transparency and enables individuals to understand the implications of their interactions with digital systems. The right to correction and erasure allows individuals to update inaccurate data and request deletion of information that is no longer required.¹⁴ The right to grievance redressal requires fiduciaries to create accessible and reasonable mechanisms for addressing individual complaints.¹⁵ The Act also allows individuals to nominate another person to exercise their rights in case of incapacity or death.¹⁶ These rights collectively offer individuals some degree of control over their personal data.
However, the rights framework remains narrower than many global standards. The Act does not provide a right to data portability, which would allow individuals to move their data between platforms. It also does not include a distinct right to object to processing, a tool that is increasingly important in resisting automated profiling or behavioural analysis. Without such rights, individuals face limitations in navigating data-dependent systems.
The Act also imposes duties on data principals. They must not suppress material information or submit false grievances.¹⁷ These duties are unusual in privacy statutes, which typically focus on protecting individuals rather than regulating their behaviour. There is a concern that these duties may discourage individuals from exercising their rights or raising concerns about misuse.
Fiduciaries must comply with data minimisation, accuracy, purpose limitation and security obligations.¹⁸ They must delete personal data once the purpose is complete and notify affected individuals and the Board when a breach occurs. Significant data fiduciaries have additional responsibilities, including appointing a data protection officer and undergoing compliance audits.¹⁹ This tiered model recognises that larger or higher-risk entities require greater accountability.
Enforcement Mechanisms
The DPDPA establishes the Data Protection Board of India as the central enforcement body.²⁰ The Board’s primary function is adjudicatory. It can initiate inquiries, examine breaches, issue corrective directions and impose monetary penalties. Its decisions can significantly influence how the statute evolves.
Penalties under the Act can be substantial, reaching up to two hundred and fifty crore rupees for severe violations.²¹ The Board must consider factors such as gravity, duration, harm, intent and mitigation efforts. This approach introduces flexibility but also places significant responsibility on the Board to ensure consistent and fair enforcement.
Appeals from the Board’s decisions lie before the Telecom Disputes Settlement and Appellate Tribunal.²² While this offers judicial oversight, questions remain about whether a tribunal specialising in telecommunications disputes is equipped to handle complex privacy cases.
Concerns persist about the Board’s independence. Unlike global regulators under the GDPR, which operate with robust institutional autonomy, the DPDPA’s Board is closely aligned with the executive. Its effectiveness will depend on how it exercises its powers and whether it resists undue influence.
Challenges and Controversies
The most significant criticism of the Act concerns the scope of state exemptions. Section 17 permits processing without consent for national security, public order and law enforcement.²³ These categories are wide and do not include procedural safeguards such as independent approval, objective thresholds or proportionality assessments. After Puttaswamy, any intrusion upon privacy must be justified through a proportionality test. The Act’s broad exemptions risk creating pathways for unchecked surveillance unless interpreted cautiously.
Another challenge is the absence of sensitive data categorisation. Sensitive categories often require stricter controls because misuse can cause severe harm. Treating all data uniformly may unintentionally weaken protection in high-risk contexts such as healthcare, financial services or biometric identification.
The rights framework is comparatively narrow. Without portability or objection, individuals have limited autonomy in interacting with dominant platforms. This limitation becomes significant in an environment shaped by algorithmic profiling, targeted advertising and recommendation systems.
The institutional design of the Board introduces uncertainty. Without clear independence, specialised expertise and adequate resources, enforcement may be uneven or ineffective.
Operational issues remain. Many provisions depend on future rulemaking. Delays or ambiguities in this process could create confusion. Smaller entities may struggle to implement requirements without clear guidance.
The age threshold for children, set at eighteen, may inadvertently limit access to digital tools used for education and social participation. While the intention is protection, the practical effect may be restrictive if not implemented with flexibility.
Comparative Perspective
A comparative look at global privacy frameworks reveals how the DPDPA fits within international trends. The GDPR is widely regarded as the gold standard of data protection.²⁴ It provides extensive rights, restricts processing through clearly articulated lawful bases and empowers independent supervisory authorities with investigative and enforcement powers. The DPDPA adopts many GDPR principles, such as minimisation and purpose limitation, but diverges in its limited rights structure and strong state exemptions.
In the United States, the California Consumer Privacy Act and the California Privacy Rights Act create safeguards centred on consumer autonomy.²⁵ These statutes allow consumers to opt out of data sales and require companies to disclose how data is used. Compared to these models, the DPDPA focuses more on fiduciary responsibility and less on user choice.
Singapore’s Personal Data Protection Act offers a simpler and more business-friendly approach.²⁶ It prioritises consent, accountability and practical compliance. The DPDPA resembles the Singapore model more closely than the GDPR, reflecting India’s desire to strike a balance between regulation and innovation.
These comparisons show that the DPDPA is neither a maximalist rights framework nor a permissive corporate regime. It represents a hybrid model designed for a large, varied and rapidly digitising society. Its distinctive feature is the breadth of state exemptions, which places it closer to security-focused jurisdictions.
Recommendations
For the DPDPA to become a strong and rights-respecting privacy regime, several improvements are necessary. The most important reform concerns state exemptions. These should be clearly defined and tied to the proportionality standard established in Puttaswamy. Independent authorisation, transparent oversight and defined limits would prevent misuse and build trust.
Introducing sensitive data categories would align India with global norms and recognise that certain types of information require deeper protection. A tiered model can provide clarity without overwhelming smaller organisations.
Expanding the rights of data principals is essential. Rights to data portability, objection and structured erasure would strengthen individual autonomy. A broader rights framework also supports healthy competition and prevents excessive concentration of power in large platforms.
The age threshold for children should be reconsidered. A graded structure that recognises the evolving capacities of adolescents could protect minors without restricting access to beneficial digital tools.
Institutional reforms are critical. The Data Protection Board must operate with genuine independence, adequate staffing and technical expertise. Privacy regulation requires nuanced understanding of law, technology and human rights. A strong institution can shape responsible data practices and ensure consistent enforcement.
A phased implementation strategy, supported by detailed rules and clear timelines, would help industries transition smoothly. Capacity building programs for small organisations and public bodies can further support compliance.
Conclusion
The Digital Personal Data Protection Act, 2023 marks a significant moment in India’s data governance history. It provides the country with a long-awaited legal foundation for protecting personal data and regulating digital interactions. The Act introduces important obligations for fiduciaries, creates enforceable rights for individuals and establishes a statutory enforcement mechanism. At the same time, unresolved tensions remain. Broad state exemptions, limited rights and questions about institutional independence raise concerns about whether the statute fully reflects India’s constitutional commitment to privacy.
The Act has the potential to evolve into a strong and trustworthy privacy framework. Its future will depend on careful rulemaking, judicial interpretation and institutional integrity. As India continues to expand its digital footprint, the challenge will be to ensure that personal data protection remains grounded in dignity, autonomy and democratic values while supporting innovation and economic growth. The DPDPA is an important step in this direction, but its real impact will depend on how the country chooses to build upon it.
Citations:
¹ M. P. Sharma v. Satish Chandra, AIR 1954 SC 300.
² Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.
³ K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
⁴ Information Technology Act, 2000, Section 43A.
⁵ Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
⁶ Committee of Experts on Data Protection, Government of India, Report of the Justice B. N. Srikrishna Committee (2018).
⁷ Digital Personal Data Protection Act, 2023, Section 2.
⁸ Section 6.
⁹ Section 7.
¹⁰ Section 8.
¹¹ Section 9.
¹² Section 10.
¹³ Section 11.
¹⁴ Section 12.
¹⁵ Section 13.
¹⁶ Section 14.
¹⁷ Section 15.
¹⁸ Section 8.
¹⁹ Section 10.
²⁰ Section 17.
²¹ Schedule.
²² Telecom Regulatory Authority of India Act, 1997, Section 14.
²³ Digital Personal Data Protection Act, 2023, Section 17(2).
²⁴ Regulation (EU) 2016/679 (General Data Protection Regulation).
²⁵ Cal. Civ. Code Sections 1798.100 to 1798.199.
²⁶ Personal Data Protection Act 2012 (Singapore).