Implementation of the Digital Personal Data Protection Act, 2023: Legal Development, Impact and Significance

Published On: March 15th 2026

Authored By: Puja Kumari
Faculty of Law, University of Allahabad

Abstract

In the contemporary digital era, the booming digital economy has made nearly every activity dependent on digital data and e-services. It has become vital to take measures for the protection and security of personal data, which has emerged as a valuable and sensitive asset. To address this need, the Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), marking a landmark step in India’s data governance landscape. This article examines the constitutional foundation, key legal provisions, institutional framework, and broader significance of the DPDP Act, 2023 and the Digital Personal Data Protection Rules, 2025.

Introduction

Our everyday activities such as online banking, digital payments, social networking, online education, and healthcare services require individuals to share personal information. This increasing digital engagement, however, also heightens the risk of fraud, misuse of data, unauthorised surveillance, profiling, and identity theft.

India’s rapidly expanding digital economy, accompanied by a steadily growing internet user base, necessitated the adoption of a comprehensive legal framework for data protection. Earlier laws failed to adequately address or manage large-scale data processing, and also lacked proper implementation by both private entities and the State. To bridge this gap, the Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). This Act received Presidential assent in August 2023 and gained operational clarity only after the notification of the Digital Personal Data Protection Rules, 2025, which laid down the procedural and compliance mechanisms.[1] The implementation of the DPDP Act, 2023 plays a crucial role in transforming privacy from a constitutional principle into an enforceable legal right.

A major contribution to the development of this legislation was made by the Justice B.N. Srikrishna Committee, which was constituted to prepare a draft framework and subsequently recommended more than 80 amendments to strengthen data protection in India.

I. Constitutional Foundation of Data Protection in India

The constitutional basis for data protection in India lies in Article 21 of the Constitution of India, 1950, which guarantees the right to life and personal liberty. The scope of Article 21 has expanded over time through judicial activism and the interpretive approach of the courts concerning the rights of individuals. In the context of data protection, the ambit of Article 21 was significantly broadened by the Hon’ble Supreme Court in the landmark case of Justice K.S. Puttaswamy v. Union of India,[2] wherein a nine-judge constitutional bench unanimously recognised the Right to Privacy as a fundamental right, holding it to be a coherent and inherent component of the basic fundamental rights guaranteed under Part III of the Indian Constitution.

The Court observed that privacy includes informational privacy, meaning that individuals have the right to control their personal data based on their own discretion. This control is fundamentally governed by the consent of the individual, the data principal, and such consent may be revoked at any time. The judgment emphasised that in a digital society, unchecked collection and processing of personal data can seriously threaten human dignity and autonomy. It further held that the State has a positive obligation to enact laws that govern and protect individuals from violations of privacy, misuse of data, and identity theft, while maintaining a clear articulation of the duties and rights of both data principals and data fiduciaries. This judgment directly paved the way for the enactment of the DPDP Act.

II. Pre-DPDP Legal Framework and Its Limitations

Before the enactment of the DPDP Act, data protection in India was governed primarily by two legal instruments: the Information Technology Act, 2000 and the Sensitive Personal Data or Information Rules, 2011. These rules required companies handling specific categories of sensitive personal data to comply with certain security practices. However, the framework suffered from significant limitations:

1. It applied only to limited categories of sensitive data;
2. Enforcement mechanisms were weak;
3. Individual rights were poorly defined; and
4. There was no independent regulatory authority.

III. Key Legal Provisions of the DPDP Act, 2023

Scope and Applicability
Under Section 3, the Act applies to digital personal data processed within India, and also to data processed outside India if it relates to offering goods or services to individuals in India. It covers data collected online as well as data collected offline and subsequently digitised.

Consent-Based Processing
Section 6 mandates that personal data may be processed only with the free, informed, specific, and unambiguous consent of the data principal. Consent must be preceded by a clear notice explaining the purpose of data collection, and data principals retain the right to withdraw consent at any time, thereby directing data fiduciaries to cease processing.

Rights of Data Principals
The Act grants the following enforceable rights to data principals:

1. Right to access or obtain information about personal data (Section 11);
2. Right to correction and erasure (Section 12);
3. Right to grievance redressal (Section 13);
4. Right to withdraw consent at any time; and
5. Right to nominate a representative.

These rights empower individuals and strengthen informational self-determination.

Duties of Data Fiduciaries
Data fiduciaries are required to:

1. Limit data collection to lawful or legitimate purposes;
2. Implement reasonable security safeguards (Section 8);
3. Report personal data breaches to the Data Protection Board;
4. Use data only for the specific purposes for which consent was obtained;
5. Comply with the Act and the Rules framed thereunder;
6. Retain data only for as long as necessary and erase it upon withdrawal of consent or upon fulfilment of the stated purpose; and
7. Appoint Data Protection Officers where required.

Penalties
The Act prescribes significant monetary penalties extending up to Rs. 250 crores, thereby introducing a strong deterrent mechanism against violations by data fiduciaries.[3] Additionally, the Act imposes a penalty of up to Rs. 10,000 on data principals who furnish false or misleading information to data fiduciaries.

IV. Digital Personal Data Protection Rules, 2025

The DPDP Rules, 2025 operationalise the Act by detailing consent procedures, breach reporting timelines, and safeguards for children’s data. The Rules also provide for a phased implementation, allowing organisations sufficient time to align their compliance frameworks. They further recommend the establishment of a Data Protection Board to facilitate the redressal of grievances raised by individuals.

V. Institutional Framework: Data Protection Board of India

The Data Protection Board of India has been established as a quasi-judicial authority with powers to inquire into violations, impose penalties, and ensure compliance. This institution enhances accountability and provides individuals with a dedicated forum for grievance redressal. The Board comprises three members: one Chairperson and two other members appointed by the Government of India.

VI. Comparative and Analytical Perspective

Compared to the European Union’s General Data Protection Regulation (GDPR), the DPDP Act adopts a flexible and pragmatic approach. While the GDPR is highly detailed and compliance-intensive, India’s law prioritises core principles without imposing excessive regulatory burdens. This approach reflects India’s socio-economic realities and places individual welfare at the centre of its data governance model.

The DPDP Act marks a progressive shift towards rights-based digital governance. However, concerns remain regarding broad State exemptions and the effectiveness of enforcement mechanisms. Notably, the Act grants the State significant exemptions from its provisions, which raises questions about accountability and the potential for differential treatment. In a democratic framework committed to transparency and the rule of law, this asymmetry merits careful legislative and judicial scrutiny. The true success of the Act will ultimately depend on transparent implementation, robust institutional oversight, and an active judiciary willing to give teeth to the rights it guarantees.

VII. Conclusion

The implementation of the Digital Personal Data Protection Act, 2023, operationalised through the 2025 Rules, represents a landmark development in India’s digital legal landscape. By translating the constitutional guarantee of privacy into enforceable rights, the Act strengthens individual autonomy and promotes accountability among data fiduciaries. While challenges persist, particularly regarding State exemptions and enforcement capacity, the DPDP framework lays a solid foundation for protecting digital rights in India’s evolving digital economy.

Bibliography

A. Statutes and Rules
1. The Constitution of India, 1950.
2. Digital Personal Data Protection Act, No. 22 of 2023.
3. Digital Personal Data Protection Rules, 2025.
4. Information Technology Act, No. 21 of 2000.
5. Right to Information Act, No. 22 of 2005 (as amended).

B. Books
1. M.P. Jain, Indian Constitutional Law (8th ed., LexisNexis 2018).
2. V.N. Shukla, Constitution of India (13th ed., Eastern Book Company 2019).
3. Durga Das Basu, Commentary on the Constitution of India (LexisNexis 2016).

C. Reports and Committee Papers
1. Justice B.N. Srikrishna Committee, Report of the Committee of Experts on Data Protection Framework for India (Ministry of Electronics and Information Technology, 2018).
2. Ministry of Electronics and Information Technology, Government of India, Explanatory Note on the Digital Personal Data Protection Act, 2023.

D. Journal Articles and Research Papers
1. Apar Gupta, “Understanding India’s Digital Personal Data Protection Act,” Economic and Political Weekly (2023).
2. Prashant Reddy T., “Data Protection Law in India: Promise and Pitfalls,” Indian Journal of Law and Technology (2024).
3. Usha Ramanathan, “A Deep Dive into India’s Data Protection Regime,” Seminar Magazine (2023).

[1] Digital Personal Data Protection Rules, 2025, Gazette of India, Ministry of Electronics and Information Technology.
[2] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
[3] Digital Personal Data Protection Act, No. 22 of 2023, sec. 33.
