The Architecture of Digital Trust: A Critical Analysis of India’s DPDP Act, 2023

Published On: February 17th 2026

Authored By: Mayank Pant
Symbiosis Law School

Abstract

The Digital Personal Data Protection Act of 2023 represents a watershed moment in India’s legislative history, marking the nation’s transition from a fragmented, sector-specific privacy regime to a unified statutory framework. This study examines the DPDPA and the newly notified Rules of 2025, identifying critical structural gaps that may impede effective implementation. The analysis focuses on two principal deficiencies: first, the absence of a “Joint Fiduciary” construct, which creates accountability ambiguities in multi-party ecosystems such as fintech platforms; and second, a transparency paradox wherein DPDPA provisions may inadvertently undermine the Right to Information Act, 2005. Evaluating these tensions against global benchmarks such as the GDPR, this paper proposes vital legislative and interpretive solutions, including a “Redaction-First” protocol and the formal recognition of shared fiduciary roles.[1]

Introduction: The Road to Statutory Privacy

The enactment of the Digital Personal Data Protection Act (DPDPA), 2023, represents a definitive conclusion to nearly a decade of judicial and legislative deliberation regarding the contours of informational privacy in India. Stemming from the constitutional mandate established in the landmark case of Justice K.S. Puttaswamy v. Union of India (2017),[2] the Act formally transitions the Indian legal landscape from a fragmented, sector-specific privacy approach to a centralized, statutory framework. This legislation is a significant stride for a country with close to 700 million active internet users, finally providing dedicated rules for the processing, storage, and transfer of digital personal data.

By establishing the dual pillars of ‘Data Principal’ rights and ‘Data Fiduciary’ obligations, the DPDPA seeks to balance individual digital autonomy with the operational requirements of a burgeoning digital economy. As the newly notified DPDP Rules, 2025, begin to operationalize this mandate, it becomes imperative to scrutinize how these provisions—particularly those concerning the centralization of data control—will reshape the compliance architecture for global and domestic entities alike.[3]

Legislative History: India’s Data Protection Journey

India’s path toward comprehensive digital data protection was a meticulous process shaped by judicial oversight and expert committee recommendations.

Foundational Mandate (2017):
The Supreme Court’s decision in the Puttaswamy judgment recognized the right to privacy as a fundamental right under Article 21 of the Constitution, establishing the constitutional imperative for a comprehensive data protection framework.[4] This landmark ruling created the foundational mandate for statutory data protection in India.

The Srikrishna Committee (2018):
The Justice B.N. Srikrishna Committee released its report titled “A Free and Fair Digital Economy,” which emphasized individual autonomy over personal information.[5] The Committee recommended explicit consent mechanisms for data processing and advocated for data localization requirements to ensure that Indian citizens’ data remained subject to domestic regulatory oversight.

Legislative Evolution (2019-2022):
The Personal Data Protection Bill introduced in 2019 was an expansive document that proved overly complex and was eventually withdrawn in 2022. This led to the drafting of a more streamlined Data Protection Bill based on principles-driven regulation, which ultimately became the DPDPA.[6]

Enactment and Operationalization:
Following the passage of the Act in August 2023, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules in November 2025, setting the stage for comprehensive implementation.[7]

Core Provisions and Statutory Principles

The DPDPA rests on seven core principles that guide the ethical handling of data: consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability. The Act emphasizes that digital personal data should be used only for lawful, fair, and transparent purposes, restricting unauthorized use and vesting rightful ownership with data principals.

The Enforcement Mechanism: The Data Protection Board of India

A central feature of the Act is the establishment of the Data Protection Board of India, a specialized regulatory authority tasked with ensuring compliance and adjudicating violations. The Board possesses both supervisory and corrective powers, enabling it to conduct audits and mandate remedial measures.

To ensure robust enforcement, the Act prescribes substantial monetary penalties for non-compliance:

₹250 Crore: Maximum penalty for failure to maintain reasonable security safeguards to prevent a personal data breach.
₹200 Crore: Penalty for breaches concerning children’s data or failing to report a personal data breach to the Board.
₹50 Crore: For any other violation of the provisions of the Act or its associated Rules.

A Comparative Analysis: DPDPA vs. GDPR

1. Taxonomy and Categorization of Data
The General Data Protection Regulation (GDPR) employs a tiered approach to data classification, distinguishing between general personal data and “special categories” of personal data. Special categories include sensitive information such as health data, biometric data, and political opinions, which require enhanced protection and stricter processing conditions.

In contrast, the DPDPA adopts a uniform approach, treating all personal data equally regardless of sensitivity. The Act does not establish distinct categories requiring differential treatment, opting instead for a single regulatory standard applicable to all personal data.[8]

2. Legal Bases for Processing
The lawful grounds for data processing differ significantly between the two regimes:

The GDPR Model: The GDPR provides six legal bases for processing personal data, including “legitimate interests” (which offers considerable flexibility) and “contractual necessity.” This framework allows data fiduciaries multiple pathways to justify processing activities.

The DPDPA Model: The DPDPA emphasizes explicit consent as the primary legal basis for processing. Alternative grounds are limited to specific circumstances such as medical emergencies, state functions, or employment relationships. Notably, the Act does not recognize “contractual necessity” or “legitimate interests” as standalone justifications for data processing, requiring more explicit authorization.

3. Cross-Border Data Transfers
The approaches to international data flows are fundamentally different:

The GDPR “Whitelist” Model: The GDPR prohibits data transfers by default, permitting them only to jurisdictions deemed “adequate” by the European Commission or through specific safeguards such as Standard Contractual Clauses (SCCs).

The DPDPA “Blacklist” Model: The DPDPA permits data transfers to all jurisdictions unless the Central Government specifically restricts transfers to particular countries through official notification, creating a more permissive default position.

Critical Analysis: Identifying Structural Gaps

1. The Fiduciary Identity Crisis and the Absence of Joint Liability
A significant doctrinal gap exists regarding “Joint Fiduciaries”—entities that share decision-making authority and responsibility over data processing activities.[9] Current legal discourse identifies an “invisible risk” in India’s financial data ecosystems, particularly in Buy Now, Pay Later (BNPL) models, where both a lender and a payment aggregator may jointly influence data processing decisions.

Unlike the GDPR’s Article 26, which expressly recognizes joint controllers and establishes shared liability mechanisms, the DPDPA does not formally acknowledge shared fiduciary arrangements. This omission creates a situation where accountability may remain unallocated or duplicated across overlapping regulatory domains governed by entities such as the Reserve Bank of India (RBI) or the Insurance Regulatory and Development Authority of India (IRDAI). Without a framework for joint and several liability, fiduciaries may have incentives to evade responsibility, leaving data principals uncertain about whom to pursue in the event of a breach.

2. The Transparency Paradox: RTI vs. DPDPA
A second critical concern involves the potential misuse of DPDPA provisions as a “shield” by public authorities to deny legitimate access to information under the Right to Information Act, 2005.[10] Critics fear that public servants might invoke broad privacy exemptions to avoid democratic scrutiny of official conduct, such as taxpayer-funded travel or administrative decisions. This creates a tension wherein privacy protections might override the institutional transparency essential for governmental accountability—a situation where, as critics note, “the tail might wag the dog.”

Proposed Doctrinal and Policy Solutions

1. Recognizing Joint Fiduciary Relationships:
The Data Protection Board should exercise its interpretive authority under Sections 2(i) and 8 of the Act to clarify multi-party accountability scenarios. The Board should formally recognize Joint Fiduciary relationships through regulatory guidance, ensuring that all entities sharing decision-making authority over data processing bear individual and collective liability. This approach would harmonize Indian data protection standards with international best practices and provide clearer accountability frameworks.

2. The “Redaction-First” Protocol for Democratic Accountability:
To prevent the dilution of the RTI Act, a “Redaction-First” Protocol should be institutionalized. Information officers should be trained to navigate overlapping statutory frameworks, redacting only genuinely sensitive personal details while ensuring that information concerning the utilization of public funds and official conduct remains accessible. This balanced approach preserves democratic transparency while respecting legitimate privacy interests.

Conclusion and 2026 Outlook

By 2026, Indian data privacy governance will undergo a fundamental transformation, shifting from theoretical compliance to practical implementation—a transition toward “privacy by design” embedded in organizational architecture. As the government works toward full operationalization of the DPDPA framework, addressing the structural gaps identified in this analysis will be crucial to ensuring that the Act achieves its dual objectives of protecting individual privacy rights while fostering a vibrant digital economy.

The successful implementation of the DPDPA depends not merely on statutory text but on the development of robust interpretive frameworks, institutional capacity, and regulatory guidance that can navigate the complexities of modern data ecosystems. The Data Protection Board’s role in clarifying ambiguities—particularly concerning joint fiduciary relationships—and the government’s commitment to balancing transparency with privacy will determine whether India’s data protection regime emerges as a model for other developing economies or encounters the implementation challenges that have plagued complex regulatory frameworks elsewhere.


References

[1] Saket Surya, The Digital Personal Data Protection Bill, 2023, PRS Legislative Research (Aug. 3, 2023).
[2] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).
[3] Ministry of Electronics and Information Technology, Summary of the Digital Personal Data Protection Bill, 2023.
[4] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).
[5] Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018).
[6] Evolution of Digital Personal Data Protection Law in India, Manupatra.
[7] Digital Personal Data Protection Act, 2023, No. 22 of 2023, Gazette of India, Extraordinary, Part II, Section 1 (Aug. 11, 2023); Ministry of Electronics and Information Technology, Digital Personal Data Protection Rules, 2025 (notified Nov. 2025).
[8] India’s Digital Personal Data Protection Act, 2023 vs the GDPR: A Comparison, Latham & Watkins LLP (Dec. 2023).
[9] Shobit Goel, “Joint Fiduciaries under the DPDPA: The Invisible Risk in India’s Financial Data Ecosystems,” (2025) SCC Online Blog OpEd 138.
[10] S. Chandrasekhar & Aman Varma, “The Tale of Two Laws – Does the DPDPA Dilute the RTI Act?”, (2025) SCC Online Blog OpEd 115.