Safeguarding the Digital Self: An Inquiry into India’s Digital Personal Data Protection Act, 2023

Published On: September 04th 2025

Authored By: Shreyas Rastogi
ICFAI University Dehradun

Abstract

Imagine a world where every tap, swipe, and click you make is silently recorded, stored, and analyzed—sometimes without your knowledge, let alone your consent. In an age where data has become more valuable than oil, the digital footprints we leave behind have become both assets and vulnerabilities. As India steps into the era of comprehensive data governance, the question looms large: can a single piece of legislation safeguard a billion digital selves?

Definition

Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure. It ensures that individuals maintain control over their personal data—who collects it, how it’s used, and for what purpose. Data protection laws seek to codify these principles into enforceable rights and responsibilities for data principals and fiduciaries alike[1].

Introduction

In 2017, the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India[2] set a groundbreaking precedent by recognizing the right to privacy as a fundamental right under Article 21. This ruling established the foundation for India’s data protection journey, underscoring that privacy is an essential aspect of individual dignity, autonomy, and freedom. It emphasized the pressing requirement for a comprehensive framework to govern data transfers in an era of rapid digitalization.

Over the past decade, the growth of India’s digital economy—fueled by e-governance platforms, fintech, social media, and digital health services—has led to unprecedented volumes of personal data being generated and processed. This significant increase in data usage has not only created new possibilities but has also allowed for the misuse of personal information, invasion of privacy, and infringement on individual autonomy. Multiple data breach incidents, such as those related to Aadhaar[3] and private companies[4], highlighted significant shortcomings in India’s data governance framework. 

In order to tackle these concerns, the government initiated a multi-year consultative process that eventually led to the implementation of the Digital Personal Data Protection Act, 2023. This legislation, regarded as India’s first comprehensive and standalone data privacy law, seeks to strike a careful balance between protecting individual rights and fostering innovation, economic growth, and national security.

The Backbone of Digital Rights: Unpacking the Architecture of the DPDP Act, 2023

Evolution Through Justice and Jurisprudence

The DPDP Act, 2023, is the outcome of a lengthy and intricate legal process, influenced by court decisions, committee proposals, and public input. Its origins can be traced back to the Information Technology Act, 2000, and the subsequent SPDI Rules, 2011[5]—both of which were deemed insufficient in the context of algorithmic profiling, artificial intelligence, and cross-border data transfers. 

Two significant legal cases serve as the foundation for the DPDP Framework, shaping its principles and guidelines. 

  • In the landmark case of Justice K.S. Puttaswamy v. Union of India (2017)[6], a nine-judge constitutional bench judgment acknowledged the right to privacy as a fundamental right enshrined in Article 21. The court recognized that safeguarding informational privacy is crucial for preserving personal freedom and dignity. Justice Chandrachud’s comments emphasized the pressing requirement for a comprehensive framework to regulate data protection and privacy.
  • The Supreme Court, in the widely known cryptocurrency judgment (Internet and Mobile Association of India v. Reserve Bank of India (2020))[7], stressed the importance of proportionality and necessity when the state imposes restrictions on digital freedoms. Although not specifically related to data privacy, this case had a significant impact on the changing regulations and interventions in the digital realm.

As a result of these decisions, the Justice B.N. Srikrishna Committee[8] was formed in 2017 to suggest a set of laws for safeguarding personal data. In its 2018 report, the Committee highlighted the importance of individual consent, holding data fiduciaries accountable, and protecting data principals’ rights. The DPDP Bill went through multiple revisions before it was officially passed in 2023.

The Act acknowledges critical justice-oriented principles:

  • Fairness in data processing,
  • Transparency of fiduciaries,
  • Right to grievance redressal for principals,
  • And the establishment of a quasi-judicial body—the Data Protection Board of India under Section 18—to ensure accountability and access to justice.

It also incorporates comparative legal insights from various global data protection frameworks, while customizing its provisions to suit India’s distinct demographic and technological landscape. The addition of penalties for non-compliance (Section 33), the establishment of formal consent managers (Section 7), and the recognition of user rights (Section 11) indicate a transition from a permissive to a rights-oriented approach in digital governance[9].

Moreover, real-life data breaches, like the Air India data breach in 2021[10]—which exposed the personal information of around 4.5 million passengers—highlight the pressing necessity for strong enforcement measures. The breach originated from a cyberattack on SITA, Air India’s third-party passenger service system (PSS) provider, which impacted data collected over nearly a decade (August 2011 to February 2021). Compromised information included names, passport numbers, contact details, ticketing and travel data, and frequent flyer program information. Despite the exposure of credit card numbers, no CVV data was compromised. Alarmingly, Air India was informed in March–April 2021 but made the breach public only in May, reflecting a significant delay in breach notification—an issue the DPDP Act must urgently address through stricter timelines and clearer third-party liability. This incident emphasizes the significance of holding not only data custodians, but also data processors, responsible—something the DPDP Act aims to address in Sections 37 and 38[11].

Where Rights Collide: Dissecting Legal Tensions in the Digital Realm

Decoding the Core Legal Conflicts

The main legal concern addressed by the Digital Personal Data Protection Act, 2023, is finding a balance between safeguarding individuals’ privacy rights and allowing the state and corporations to process personal data for legitimate purposes. Although the act aims to grant individuals greater control over their digital identities, it also grants the government broad exemptions, leading to worries about unchecked surveillance and the erosion of constitutional protections. 

One of the major concerns is the possibility of the executive branch exceeding its authority. Section 17(2) of the Act grants the central government the authority to exempt ‘any organization or entity’ from specific provisions, including purpose limitation, data minimization, and storage restriction. If this exception is not properly regulated, it could undermine the fundamental right to privacy, particularly when there is no independent oversight in place.

Another significant concern is the structural independence and effectiveness of the Data Protection Board of India. Despite being intended as a regulatory body under Section 18, the Board’s members and chairperson are appointed and controlled by the central government, leading to concerns about its impartiality when dealing with disputes involving state authorities.

Furthermore, the Act’s exclusion of categories like ‘sensitive personal data,’ its absence of regulations on algorithmic profiling, and the absence of a clear right to data portability or erasure indicate missed chances to align with international standards. These omissions have consequences for justice in the digital realm, as individuals are left with few legal options to address sophisticated data-driven harms such as discrimination, automated decision-making, and targeted misinformation.

The Act also establishes responsibilities for data principals under Section 15 to avoid misusing rights or filing false complaints. Although this encourages responsibility, it may unintentionally place an additional burden on regular individuals and discourage the filing of genuine complaints, especially in a nation with low digital literacy and limited access to legal assistance.

Ultimately, the DPDP Act’s legal framework reflects a fundamental tension—between fostering a digital economy and safeguarding digital justice. How this tension is resolved in implementation, enforcement, and future interpretation by the courts will determine the Act’s success[12].

Bridging the Gap: India’s Data Law on the Global Stage

Lessons from Across the Borders

A comparative analysis highlights both the strengths and weaknesses of India’s Digital Personal Data Protection Act, 2023. Internationally, the gold standard for data protection has been established by the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018[13].

The DPDP Act draws inspiration from the GDPR, incorporating principles like consent, purpose limitation, and accountability. However, it falls short in terms of providing specific details and mechanisms for enforcement.

  • Consent: GDPR emphasizes “freely given, specific, informed, and unambiguous” consent (Article 4). The DPDP Act under Section 6 requires consent to be “free, specific, informed, unconditional and unambiguous,” aligning closely, though enforcement mechanisms in India remain nascent.
  • Sensitive Data: GDPR distinguishes between personal and sensitive data (e.g., biometric, health, religious beliefs). The DPDP Act makes no such categorical distinction, potentially undermining protections in high-risk processing.
  • Right to be Forgotten & Data Portability: Both are expressly guaranteed under GDPR (Articles 17 and 20, respectively). The DPDP Act does not include either, leaving gaps in individual control over personal data.
  • Exemptions: The GDPR allows limited exemptions under strict conditions, with oversight by independent authorities. In contrast, Section 17 of India’s law permits blanket exemptions to government bodies without the same procedural safeguards.
  • Regulatory Autonomy: The EU’s Data Protection Authorities (DPAs) operate independently of political control. India’s Data Protection Board, though quasi-judicial under Section 18, is entirely appointed and supervised by the central government, undermining institutional independence[14].

The United States, by contrast, has taken a sector-specific approach, with laws such as HIPAA for health data[15] and COPPA for children’s data[16], an approach that has faced criticism for its lack of consistency and enforcement gaps. India’s comprehensive approach is, in theory, more in line with international standards.

In China, the Personal Information Protection Law (PIPL)[17] imposes strict regulations on cross-border data transfers and prioritizes the protection of national data. This contrasts with India’s DPDP Act, which lacks clarity on localization and cross-border norms.

Compared to its regional counterparts, India’s legal framework for personal data protection is more advanced than Pakistan’s pending Personal Data Protection Bill[18] and more comprehensive than Sri Lanka’s Personal Data Protection Act of 2022[19], which lacks robust enforcement mechanisms.

In summary, the DPDP Act falls somewhere between the strictness of the GDPR and the absence of regulation in jurisdictions with no comprehensive data protection law. It is an ongoing project—with the potential to bring about significant change if executed with transparency, accountability, and responsiveness to judicial interpretation and feedback from civil society.

From Law to Justice: Recommendations for a Secure Digital India

Closing the Gaps for a Safer Digital Future

To address the unresolved legal issues and strengthen the Act’s implementation, the following reforms are essential:

  1. Implementing a system of checks and balances (Section 17): establish a judicial or parliamentary committee to assess and validate exemptions provided to state authorities. This would guarantee that exceptions do not become the standard and that constitutional protections are upheld[20].
  2. Enhancing the autonomy of the Data Protection Board (Section 18): revise the appointment process to incorporate the perspectives of the judiciary or an independent commission. To ensure impartiality in disputes involving state actors, it is crucial to grant the Board financial and functional autonomy[21].
  3. Reintroducing ‘Sensitive Personal Data’ Categories: establish and safeguard categories like biometric, health, financial, and religious data. This would align the law with global standards and strengthen safeguards in high-risk data processing.
  4. Adding Rights to Erasure and Portability: establish explicit provisions that empower individuals to delete their data and move it seamlessly between different platforms. This empowers users and fortifies their digital independence.
  5. Addressing Algorithmic Bias and Profiling: implement measures to prevent automated decision-making and AI profiling. Require fiduciaries to be transparent about how algorithms analyze data and to offer an opt-out mechanism.
  6. Simplifying Citizen Grievance Mechanisms: Create a tiered complaint structure that facilitates prompt resolution, provides legal aid assistance, and employs regional languages to enhance accessibility for ordinary citizens.
  7. Clarity on Data Localization and Cross-Border Transfers: The act mandates government notification for cross-border transfers, but it is crucial to establish clear conditions and reciprocity frameworks to prevent any confusion or uncertainty.
  8. Public Awareness and Digital Literacy: The success of any data protection system relies on the active involvement and understanding of the general public. Government and civil society organizations should work together to organize widespread digital literacy campaigns, educating citizens about their rights under the DPDP Act.

“The law is only the skeleton; its soul lies in implementation,” remarked Justice B.N. Srikrishna in a public interview. The Act must not become a symbolic statute—it must be an enforceable commitment to privacy.[22]

With these measures, the Digital Personal Data Protection Act, 2023 can evolve from a foundational statute into a dynamic instrument of digital justice. As data continues to shape economies and democracies, India must ensure that its legal regime protects not just information—but the human being behind it.

Conclusion: The Soul of Digital India Lies in Its Data Laws

As India progresses in its digital transformation, the Digital Personal Data Protection Act, 2023 is not just a legal milestone—it is a moral compass guiding the nation towards responsible data handling. It signifies the state’s recognition that every piece of personal data holds the value and importance of the person it belongs to. However, the effectiveness of a law depends on its proper implementation, and the significance of a right is determined by its enforcement. 

The future years will determine whether India can establish a digital democracy based on trust, transparency, and accountability. It will necessitate not only administrative determination and judicial watchfulness but also an educated populace that advocates for improved safeguards. In this modern age, privacy is not a luxury—it is a fundamental requirement for the exercise of freedom[23]. 

Whether the DPDP Act becomes a means of empowerment or a tool for surveillance will depend on the decisions India makes in the present. The world is observing. And more importantly, so are over a billion online users.

References

[1] Digital Personal Data Protection Act 2023

[2] Justice K.S. Puttaswamy (Retd.) and Anr. v Union of India and Ors (2017) 10 SCC 1; Constitution of India, Art 21.

[3] Aadhaar data leak incident (2018), see Rachna Khaira, ‘UIDAI Leaks: Over 1 Billion Aadhaar Details Exposed’ The Tribune (Chandigarh, 4 January 2018) https://www.tribuneindia.com/news/archive/nation/the-great-aadhaar-leak-523361 accessed 20 June 2025.

[4] Air India Data Breach (2021), see Tech Desk, ‘Air India Suffers Data Breach, Personal Data of Passengers Leaked’ Indian Express (Delhi, 22 May 2021) https://indianexpress.com/article/technology/tech-news-technology/air-india-data-breach-leak-passenger-data-leaked-7328227/ accessed 20 June 2025.

[5] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

[6] Justice K.S. Puttaswamy (Retd.) and Anr. v Union of India and Ors (2017) 10 SCC 1

[7] Internet and Mobile Association of India v Reserve Bank of India (2020) 10 SCC 274

[8] Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Committee of Experts on Data Protection Framework for India, Government of India, 2018).

[9] Digital Personal Data Protection Act 2023, ss 7, 11, 18, 33.

[10] Tech Desk, ‘Air India Suffers Data Breach, Personal Data of Passengers Leaked’ The Indian Express (Delhi, 22 May 2021) https://indianexpress.com/article/technology/tech-news-technology/air-india-data-breach-leak-passenger-data-leaked-7328227/ accessed 20 June 2025.

[11] Digital Personal Data Protection Act 2023, ss 37–38.

[12] Digital Personal Data Protection Act 2023, ss 15, 17(2), 18

[13] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1 (GDPR).

[14] Digital Personal Data Protection Act 2023, ss 6, 17, 18

[15] Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 USC §1320d

[16] Children’s Online Privacy Protection Act of 1998 (COPPA), 15 USC §§6501–6506

[17] Personal Information Protection Law of the People’s Republic of China, adopted at the 30th Meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021, effective 1 November 2021.

[18] Pakistan Personal Data Protection Bill 2021 (draft), Ministry of Information Technology and Telecommunication (Pakistan)

[19] Sri Lanka Personal Data Protection Act, No 9 of 2022

[20] Digital Personal Data Protection Act 2023, Section 17.

[21] Digital Personal Data Protection Act 2023, Section 18.

[22] Justice B.N. Srikrishna, quoted in Smriti Kak Ramachandran, ‘Law Must Not Remain a “Skeleton”, Says Justice Srikrishna on India’s Data Protection Bill’ The Hindu (New Delhi, 29 December 2022) https://www.thehindu.com/news/national/law-must-not-remain-a-skeleton-says-justice-srikrishna-on-indians-data-protection-bill/article66322794.ece accessed 20 June 2025.

[23] Justice K.S. Puttaswamy (Retd.) and Anr. v Union of India and Ors (2017) 10 SCC 1 [297] (Chandrachud J)
