Published On: March 9th 2026
Authored By: Aasiya Ashar Khan
NMIMS Kirit P Mehta School of Law
Abstract
This article critically evaluates the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act) during the 2024–2025 period, assessing whether its enforcement structure adequately protects the constitutional privacy rights recognized in Puttaswamy. Through a comparative study with the General Data Protection Regulation (GDPR), the article identifies major challenges including insufficient institutional independence of the Data Protection Board, overly vague State exemptions under Section 7, and enforcement gaps that undermine informational privacy guarantees.
I. Introduction
India stands as the world’s largest digitally connected democracy, with more than 886 million active internet users as of 2024.[1] This digital transformation, driven by initiatives such as Digital India and the Unified Payments Interface (UPI), has significantly changed how personal data is collected and processed across sectors. India has emerged as a global leader in real-time digital payments, with 46% of worldwide transactions originating from UPI in 2022.[2] However, this surge in data processing has exposed millions of individuals to significant privacy risks, making robust data protection constitutionally vital.
A landmark turning point in Indian jurisprudence arrived with Justice K.S. Puttaswamy (Retd.) v. Union of India (2017),[3] in which the Supreme Court recognized privacy as a fundamental right under the Constitution. The Court held that privacy is inherent to Article 21 and established a threefold proportionality test for any State action infringing upon privacy: legality, legitimate aim, and proportionality. This judgment provided the constitutional foundation for comprehensive data protection legislation.
Consequently, Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act)[4] in August 2023. Implementation has been substantially delayed, however, with the DPDP Rules notified only in November 2025[5] and full compliance obligations postponed until May 2027. These delays, compounded by structural deficiencies in the Act, raise a critical question: whether the DPDP Act’s implementation architecture adequately protects informational privacy in accordance with Puttaswamy standards. This article analyses the legal and operational challenges during the 2024–2025 implementation phase, focusing on three issues: the independence of the Data Protection Board, vague State exemptions under Section 7, and weak accountability frameworks for data fiduciaries. Through an in-depth comparative analysis with the GDPR, this article evaluates whether India’s regime strikes a proper balance between digital innovation and the protection of fundamental rights.
II. Evolution of Data Protection Jurisprudence in India
A. Pre-Puttaswamy Framework
Before the Puttaswamy judgment, the Indian Constitution did not specifically recognize privacy as a fundamental right. Earlier decisions of the Supreme Court, principally the eight-judge bench in M.P. Sharma v. Satish Chandra[6] (1954) and the six-judge bench in Kharak Singh v. State of Uttar Pradesh[7] (1964), had declined to accord constitutional protection to privacy. Data protection was fragmented across sectors and governed primarily by the Information Technology Act, 2000 (IT Act)[8] and its subordinate legislation.
Section 43A of the IT Act provided limited safeguards by imposing liability on corporate entities for negligent data security practices, while Section 72A criminalized the unauthorized disclosure of personal information obtained during lawful contracts. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)[9] defined sensitive personal information and required consent-based processing.
Nevertheless, significant deficiencies persisted: applicability was limited to electronic data processed by private sector entities (excluding government agencies), comprehensive enforcement mechanisms were absent, and independent regulatory oversight was entirely lacking. The framework was reactive rather than preventive, emphasizing post-violation penalties rather than ex-ante safeguards, and it failed to establish a rights-based approach to data protection.
B. Puttaswamy v. Union of India (2017)
India’s privacy law was fundamentally transformed by the unanimous ruling of a nine-judge bench in Justice K.S. Puttaswamy (Retd.) v. Union of India.[3] The Court held that the right to privacy is protected by Part III of the Constitution and is fundamental to the right to life and personal liberty under Article 21. This ruling expressly overturned the conflicting decisions in M.P. Sharma and Kharak Singh. Significantly, the Court identified informational privacy as a core component of the fundamental right to privacy, affirming that individuals must have control over their personal data and the ability to determine when, how, and to what extent such information is shared with others.
Justice D.Y. Chandrachud, writing for the majority, articulated a functional threefold proportionality test to govern any State action that violates the right to privacy. Under this framework, such action must: (i) have a direct legal basis; (ii) pursue a legitimate State objective consistent with the criteria of Article 14; and (iii) ensure proportionality, meaning that the measure adopted must bear a rational nexus to the objective sought and employ the least restrictive means available.
This proportionality standard carries profound implications for data protection regulation. Any legal provision permitting the processing of personal data without consent, or granting exemptions to State agencies, must withstand scrutiny under each prong of this test. The Puttaswamy judgment thus transformed privacy from a policy concern into a constitutionally protected right, establishing a rigorous standard against which all subsequent data protection legislation must be assessed.
C. Legislative Developments Post-Puttaswamy
Following the Puttaswamy ruling, the Union Government constituted a Committee of Experts on a Data Protection Framework for India in August 2017, chaired by Justice B.N. Srikrishna. The Committee submitted its report, titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians,[10] in July 2018, along with a draft Personal Data Protection Bill, 2018.
The Srikrishna Committee proposed a comprehensive, rights-oriented data protection regime. Its recommendations included the establishment of an independent Data Protection Authority with broad regulatory and enforcement powers, the recognition of strong data principal rights such as access, correction, portability, and erasure, and the imposition of fiduciary obligations on entities processing personal data. Significantly, the Committee warned against vague State exemptions and emphasized the need for narrowly tailored limitations when processing personal data for governmental or welfare purposes, given the inherent power imbalance between citizens and the State.
The Government subsequently introduced a revised version as the Personal Data Protection Bill, 2019,[11] which was referred to a Joint Parliamentary Committee. The Bill attracted sustained criticism for weakening individual rights, broadening exemptions available to the State, and undermining the independence of the proposed regulatory body. Citing the need to revise the framework comprehensively, the Bill was withdrawn in August 2022 and replaced with a simplified Digital Personal Data Protection Bill. Following public consultation, the Digital Personal Data Protection Act, 2023 was finally enacted.
The final Act thus marks a clear departure from the Srikrishna Committee’s detailed, rights-centric model: it prioritizes administrative efficiency and compliance flexibility, often at the expense of robust enforcement mechanisms.
D. Relevance for Current Analysis
This constitutional and legislative history forms the foundation for assessing the DPDP Act’s implementation. The doctrine of proportionality articulated in Puttaswamy serves as the constitutional lens through which provisions such as the State exemptions under Section 7 must be evaluated, while the Srikrishna Committee’s recommendations function as a normative benchmark illustrating the gap between the original vision for data protection and the final framework. An appreciation of this evolution is necessary to determine whether the DPDP Act’s implementation architecture fulfils the constitutional mandate of informational privacy or reflects weakened protections falling short of the guarantees established in Puttaswamy.
III. Overview of the Digital Personal Data Protection Act, 2023
A. Structural Framework
The Digital Personal Data Protection Act, 2023[4] constitutes India’s first consolidated legislative framework governing personal data protection, comprising 44 sections arranged across seven chapters. The Act principally governs the processing of digital personal data in India, including information initially collected offline but subsequently digitized. Purely non-digitized personal data, however, falls outside its scope, a digital-centric legislative choice that leaves certain categories of data unregulated. The Act also has extraterritorial application, extending to foreign entities that process personal data of Indian data principals in connection with offering goods or services within India.
Unlike previous legislative proposals, the DPDP Act does not categorize personal data according to sensitivity. Instead, all personal data receives equal regulatory treatment, which reduces compliance burdens but risks overlooking the heightened risks associated with sensitive data. Implementation is centralized through the Data Protection Board of India, with appellate jurisdiction vested in the Telecom Disputes Settlement and Appellate Tribunal and, ultimately, the Supreme Court.
B. Core Rights and Obligations
The DPDP Act establishes consent as the primary legal basis for data processing. Section 6 permits processing only upon the valid consent of the data principal or for the specific purposes enumerated under Section 7. Consent must be free, informed, specific, unconditional, and unambiguous, expressed through a clear affirmative action, and capable of being withdrawn with the same ease as it was granted. Data fiduciaries are required to issue a notice beforehand outlining the nature and purpose of data collection, the rights available to data principals, and grievance redressal mechanisms. The burden of proving valid consent rests with the fiduciary.
Chapter III confers key rights upon data principals, including the right to information about data processing activities, the right to correct, complete, update, and erase personal data, the right to grievance redressal, and the right to appoint a representative in cases of death or incapacity. Certain restrictions apply, particularly when data is shared with law enforcement or other authorized agencies. Collectively, these rights aim to enhance individual control over personal data.
Section 8 imposes significant obligations on data fiduciaries to ensure that data processing is conducted in an accurate, secure, and lawful manner. Fiduciaries must implement reasonable security measures, notify the Data Protection Board and affected individuals of personal data breaches, and erase data once its intended purpose has been fulfilled or consent has been withdrawn. Entities classified as significant data fiduciaries are subject to additional compliance obligations, including the appointment of a Data Protection Officer, independent audits, and data protection impact assessments.
C. Exemptions and Institutional Mechanism
Section 7 of the Act provides for multiple exemptions from consent requirements, including processing for legal compliance, employment purposes, medical emergencies, and the provision of State benefits or services. Additional exemptions under Section 17 authorize the Central Government to exempt certain processing activities or State instrumentalities on grounds of sovereignty, security, public order, or research purposes.
The Data Protection Board of India, established under Section 18, functions as the primary enforcement authority. Its members are appointed by the Central Government through a selection process led by senior executive officials. Although the Board possesses adjudicatory powers, including the ability to investigate violations and impose penalties of up to Rs. 250 crore, concerns persist regarding its functional independence, given executive control over appointments, tenure, and administrative support.
IV. Implementation and Enforcement Challenges (2024–2025)
A. Rule-Making and Operational Delays
Although the DPDP Act was passed in August 2023, its practical implementation has been markedly slow, with prolonged procedural delays undermining legal certainty and compliance preparedness. The complementary DPDP Rules, essential to the statute’s operation, were notified only in November 2025[5] after extended consultations. For over two years, data fiduciaries were left without clarity on critical compliance elements such as notice formats for consent, breach reporting timelines, and minimum security standards.
These delays have been compounded by the government’s phased implementation strategy. While the Data Protection Board was established in November 2025, core compliance obligations relating to consent formation, data erasure, and rights enforcement are not scheduled for enforcement until May 2027. As a result, data principals remain unable to meaningfully exercise their legal rights, and data processing continues largely under the older and deficient framework of the Information Technology Act, 2000. This extended transition has created a regulatory vacuum that directly undermines the DPDP Act’s stated objective of timely and effective data protection.
B. Data Protection Board of India
Concerns regarding the independence and efficacy of the Data Protection Board have emerged as a central enforcement challenge. Unlike supervisory authorities under the GDPR, which are statutorily required to function independently of executive control,[12] the Board’s appointment process is dominated by the Central Government. Members are selected through a committee led by senior executive officials and serve a short two-year tenure with the possibility of reappointment. This structure raises serious concerns that regulatory oversight, particularly over governmental data processing, may be compromised.
Notably, the Srikrishna Committee had recommended the involvement of the Chief Justice of India or a judicial nominee in the selection process to safeguard institutional independence, a recommendation that was not incorporated into the final Act.[10] The absence of financial and administrative autonomy comparable to regulators such as SEBI or the Competition Commission of India further increases the risk of regulatory capture. As of January 2026, the Board has remained largely inactive, with minimal enforcement actions taken, reinforcing concerns about the gap between its formal structure and effective regulatory oversight.
C. Section 7 Exemptions and Constitutional Scrutiny
The scope of exemptions available to the State under Sections 7 and 17 raises serious constitutional concerns when examined against the proportionality standards established in Puttaswamy. Section 7(c) permits consent-free processing for broadly framed purposes such as sovereignty, integrity, and security of the State, while Section 17(2) allows blanket exemptions for State instrumentalities.
Although these provisions satisfy the legality requirement and may pursue legitimate aims, they fall short of the proportionality requirement by failing to mandate least-invasive methods, independent authorization, or periodic review. By contrast, the Supreme Court in Justice K.S. Puttaswamy v. Union of India (the Aadhaar judgment)[13] upheld State data processing only subject to strict safeguards including purpose limitation, data minimization, and sunset clauses. The DPDP Act’s exemptions function without comparable checks, creating the risk of expansive and unchecked governmental surveillance inconsistent with constitutional privacy guarantees.
D. Accountability Deficiencies
The enforcement framework under the DPDP Act does not adequately prioritize remedies for affected individuals. Although the Board may impose monetary sanctions, the Act does not provide data principals with a private right of action to directly claim compensation for data protection breaches. Victims of data breaches are instead required to rely on the Board’s adjudicatory process, with judicial remedies largely limited to constitutional writ petitions.
This approach contrasts sharply with jurisdictions such as the European Union, where Article 82 of the GDPR provides a statutory right to compensation for both material and non-material harm.[14] In the Indian context, this enforcement gap risks leaving many privacy breaches inadequately remedied, particularly where the alleged violator is a State entity subject to limited Board oversight.
E. Practical Issues with Consent
The Act’s heavy reliance on consent as the foundation of lawful data processing raises practical difficulties. The requirement that consent be free, informed, and specific may, in practice, produce consent fatigue, causing users to mechanically accept requests without genuine comprehension. Although the Act prohibits dark patterns, effective enforcement remains challenging in the absence of detailed regulatory guidance and given the Board’s limited monitoring capacity.
Additionally, the structural power imbalance between individuals and large data fiduciaries means that consent is frequently obtained in circumstances where refusal would deny access to essential services. This raises broader concerns about whether a consent-based framework genuinely empowers data principals or merely formalizes existing power imbalances under the guise of legal compliance.
V. Constitutional Concerns and Judicial Role
A. Article 21 Implications
The DPDP Act’s implementation raises critical concerns regarding compliance with Article 21 as interpreted in Justice K.S. Puttaswamy v. Union of India.[3] The Supreme Court held that informational privacy is a core element of personal liberty, requiring individuals to have meaningful control over their personal information and mandating that any State interference meet strict constitutional thresholds.
Certain provisions of the Act strain these guarantees. Sections 7(b), 7(c), and 17(2) permit consent-free data processing by the State for broadly framed purposes such as sovereignty, security, and public order. These undefined purposes confer wide executive discretion and risk legitimizing expansive surveillance. This stands in direct contrast to the Aadhaar judgment,[13] where State data collection was upheld only by virtue of strict safeguards involving purpose limitation, data minimization, and restrictions on data sharing. The DPDP Act contains no comparable substantive or procedural limitations.
The absence of independent oversight over governmental data processing is equally problematic and is contrary to Puttaswamy’s emphasis on procedural guarantees as a critical element of proportionality. Furthermore, sustained delays in rule-making and the limited functioning of the Data Protection Board have created a regulatory vacuum in which data principals cannot effectively exercise their statutory rights, rendering Article 21 protections largely illusory during the transitional period.
B. Article 14 Concerns
The Act also raises equality concerns under Article 14[15] due to a potential imbalance in treatment between private data fiduciaries and State entities. While private entities are subject to extensive compliance obligations and monetary penalties, State functionaries benefit from broad exemptions under Sections 7 and 17. Given the State’s coercive authority, this asymmetry amplifies rather than mitigates privacy risks. Although national security may justify limited differentiation, the absence of narrowly tailored standards, procedural safeguards, or temporal limits renders the classification potentially arbitrary. Such unchecked authority erodes the guarantee of equality before the law.
C. Judicial Role
These constitutional vulnerabilities expose the DPDP Act to judicial scrutiny under Articles 32 and 226.[16] Courts are likely to apply the proportionality test developed in Puttaswamy, under which the broad exemptions may fail the least restrictive means requirement. Judicial intervention, through the narrow interpretation of exemptions, enforcement of institutional independence, and constitutional remedies for privacy violations, may therefore prove pivotal in preserving informational privacy during the Act’s execution phase.
VI. Comparative Analysis: GDPR and Global Standards
A. Regulatory Independence
A fundamental difference between the General Data Protection Regulation (GDPR)[17] and the DPDP Act lies in the institutional independence of enforcement authorities. Under Article 52 of the GDPR, supervisory authorities are required to act with full independence, expressly excluding external intervention or instruction. Member States are obligated to ensure that these authorities have adequate financial, technical, and human resources, including separate public budgets and control over staffing.
By contrast, the Data Protection Board of India is appointed entirely by the executive, lacks a transparent or independent selection process, and possesses no financial autonomy. Short and renewable tenures further entrench executive influence, particularly in circumstances where the Board is expected to regulate governmental data processing. This structural dependence raises critical questions about the Board’s capacity to serve as an effective check on State surveillance and data misuse.
B. Enforcement and Remedies
The GDPR adopts a robust, rights-oriented enforcement mechanism absent from the DPDP framework. Article 82 of the GDPR entitles individuals to seek compensation as a right for both material and non-material harm resulting from data protection breaches.[14] This private enforcement channel operates concurrently with administrative enforcement, reinforcing accountability and deterrence.
The DPDP Act, by contrast, provides no statutory compensation remedy. Victims must rely on the Data Protection Board or resort to constitutional writ jurisdiction, creating enforcement gaps particularly significant where violations involve State functionaries that the Board may be institutionally constrained from scrutinizing effectively.
C. State Surveillance Safeguards
While Article 23 of the GDPR permits restrictions on data principal rights for legitimate State interests, such restrictions must be narrowly tailored, proportionate, and accompanied by safeguards against abuse.[18] The DPDP Act’s Sections 7 and 17, however, permit extensive exemptions without independent authorization, procedural checks, or transparency requirements, enabling expansive surveillance with diminished accountability.
D. Lessons for India
The GDPR model suggests several reforms necessary for India’s data protection regime: ensuring genuine institutional independence of the Data Protection Board, introducing a private right to compensation for affected individuals, and constraining State exemptions through judicial oversight and transparency obligations. These measures would better align India’s framework with constitutional privacy guarantees while preserving legitimate State functions.
VII. Conclusion
The Digital Personal Data Protection Act, 2023 represents a significant step in India’s data protection framework; however, its implementation phase reveals structural weaknesses that undermine the constitutional guarantee of informational privacy recognized in Puttaswamy. Prolonged rule-making delays and phased enforcement have produced a regulatory vacuum in which data principals are unable to meaningfully exercise their legal rights. More fundamentally, the Act prioritizes administrative convenience through a government-controlled Data Protection Board, broad State exemptions under Sections 7 and 17, and the absence of private compensation remedies.
Assessed against the Puttaswamy proportionality framework, these exemptions fail to employ the least restrictive means for achieving legitimate State objectives, while the asymmetry between public and private entities raises serious concerns under Article 14. Comparative analysis with the GDPR further underscores the absence of institutional independence and effective enforcement safeguards. The path forward requires constitutional realignment through statutory reform or judicial intervention, ensuring that India’s data protection regime meaningfully protects privacy as a constitutional right in the digital era.
References
[1] INTERNET & MOBILE ASS’N OF INDIA & KANTAR, INTERNET IN INDIA REPORT 2024 (2024), https://www.iamai.in/research/reports.
[2] RESERVE BANK OF INDIA, ANNUAL REPORT ON PAYMENT SYSTEMS 2022–23 (2023), https://www.rbi.org.in/Scripts/AnnualReportPublications.aspx.
[3] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[4] Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).
[5] MINISTRY OF ELECS. & INFO. TECH., GOV’T OF INDIA, DIGITAL PERSONAL DATA PROTECTION RULES, 2025 (Notification, Nov. 13, 2025).
[6] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300 (India).
[7] Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295 (India).
[8] Information Technology Act, No. 21 of 2000, INDIA CODE (2000).
[9] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India).
[10] COMM. OF EXPERTS UNDER THE CHAIRMANSHIP OF JUSTICE B.N. SRIKRISHNA, A FREE AND FAIR DIGITAL ECONOMY: PROTECTING PRIVACY, EMPOWERING INDIANS (Ministry of Elecs. & Info. Tech., Gov’t of India 2018), https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
[11] Personal Data Protection Bill, 2019, Bill No. 373 of 2019, Lok Sabha (India) (withdrawn); see also JOINT PARLIAMENTARY COMM., REPORT ON THE PERSONAL DATA PROTECTION BILL, 2019, Bill No. 373 of 2019 (2021), https://prsindia.org/files/bills_acts/bills_parliament/2019/Joint_Committee_Report_on_the_Personal_Data_Protection_Bill_2019.pdf.
[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 2016 O.J. (L 119) 1 art. 52 [hereinafter GDPR].
[13] Justice K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1 (India) (Aadhaar judgment).
[14] GDPR art. 82.
[15] INDIA CONST. art. 14.
[16] INDIA CONST. arts. 32, 226.
[17] GDPR, supra note 12.
[18] GDPR art. 23; EUROPEAN DATA PROT. BD., GUIDELINES 10/2020 ON RESTRICTIONS UNDER ARTICLE 23 GDPR, Version 2.0 (2021), https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-102020-restrictions-under-article-23-gdpr_en.