Author: Deepak Kumar Gupta, United University, Prayagraj
To the Point
The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive legislation focusing solely on digital personal data. It introduces a consent-based framework, grants statutory rights to individuals (Data Principals), imposes obligations on Data Fiduciaries, and establishes a Data Protection Board. While it seeks to balance privacy with national and commercial interests, its broad state exemptions and executive-controlled implementation have raised constitutional concerns.
Abstract
For the first time, India has a comprehensive, standalone legislation dedicated to protecting personal digital data. Enacted after years of deliberation and judicial prodding post-Justice K.S. Puttaswamy v. Union of India (2017), this Act seeks to balance individual privacy rights with the needs of innovation, national security, and ease of doing business. This article critically analyses the key features, legal implications, and potential shortcomings of the DPDPA, 2023, while evaluating its alignment with constitutional rights and international data protection standards such as the GDPR.
Use of Legal Jargon
Data Fiduciary: Any person, company, or entity that determines the purpose and means of processing personal data.
Consent Manager: A person registered with the Data Protection Board of India who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
Personal Data: Any data about an individual who is identifiable by, or in relation to, such data.
Significant Data Fiduciary: A Data Fiduciary or class of Data Fiduciaries notified by the Central Government after assessing factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order.
The Proof
Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1:
Held the right to privacy as intrinsic to the right to life and personal liberty under Article 21.
General Data Protection Regulation (GDPR):
The DPDPA borrows key concepts from GDPR but tailors them to Indian conditions, e.g., broad executive exemptions.
IT Act, 2000 vs. DPDPA, 2023:
The latter offers specificity, enforcement mechanisms, and accountability lacking in the earlier regime.
Case Laws
1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
Held: Right to privacy is intrinsic to Article 21.
Relevance: Catalyst for the enactment of the DPDPA, 2023.
2. Puttaswamy (Aadhaar) v. Union of India, (2019) 1 SCC 1
Held: Aadhaar is constitutional, but usage must be limited.
Relevance: Emphasized proportionality and data minimization in state data collection.
3. Ritesh Sinha v. State of U.P., (2019) 8 SCC 1
Held: A Judicial Magistrate may direct an accused to furnish a voice sample for the purposes of investigation; the right to privacy must yield to a compelling public interest in that setting.
Relevance: Outlined the boundaries of privacy within the realm of criminal law.
4. Manohar Lal Sharma v. Union of India (2021) – Pegasus Surveillance Matter
Pending final judgment; the Court appointed an independent technical committee to examine the allegations and observed that the State does not get a free pass merely by raising the spectre of national security.
Relevance: Highlights the tension between personal privacy rights and national security.
5. Selvi v. State of Karnataka, (2010) 7 SCC 263
Held: Narco-analysis and polygraph examinations violate the right to mental privacy.
Relevance: Privacy includes informational autonomy, forming a conceptual base for data protection.
6. Internet and Mobile Association of India v. RBI, (2020) SCC OnLine SC 275
Held: Restrictions must be reasonable and proportionate.
Relevance: Principle of proportionality applies to executive actions under DPDPA.
Conclusion
The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) marks a significant turning point in India’s legal approach to privacy, data governance, and digital rights. Coming in the wake of the Supreme Court’s landmark ruling in Justice K.S. Puttaswamy v. UOI (2017), which elevated the right to privacy to the status of a fundamental right under Article 21, the Act aims to offer legislative backing for that declaration by creating an extensive framework for governing digital personal data.
At its core, the Act introduces much-needed legal certainty and accountability in a landscape previously governed by the outdated provisions of the Information Technology Act, 2000, and the Sensitive Personal Data or Information (SPDI) Rules, 2011. For the first time, individuals (Data Principals) are given explicit rights—such as the right to access their data, seek correction, withdraw consent, and even nominate representatives in case of incapacity or death. On the other hand, Data Fiduciaries (private or public entities handling personal data) are held to legal standards regarding purpose limitation, data minimization, transparency, and breach notification.
The establishment of the Data Protection Board of India is another forward-looking institutional innovation. As a quasi-judicial body empowered to adjudicate breaches, impose penalties, and redress grievances, the Board provides a mechanism for enforcement, which was sorely lacking in prior regimes. Additionally, the framework for consent-based data processing, aided by Consent Managers, is designed to ensure that individuals have control over how their data is used—a principle deeply rooted in informational autonomy.
However, despite these laudable advancements, the DPDPA, 2023 has not escaped criticism. Foremost among these concerns is the broad power granted to the Executive to exempt any government agency from the application of the Act on grounds such as national security, sovereignty, or public order. The lack of judicial or parliamentary oversight over such exemptions threatens to reduce the right to privacy to a hollow promise, especially when data is processed by state agencies. In a democracy governed by the rule of law, executive discretion must be subject to constitutional checks and balances, particularly when it concerns the invasive potential of state surveillance.
Moreover, the absence of a distinct category for sensitive personal data—such as biometric, health, or financial data—further weakens the protective ambit of the law. The non-applicability of the Act to offline data, and the delegated nature of rule-making, leave key aspects of the data protection framework to be determined by the central government through subordinate legislation, raising concerns of over-centralization and vagueness.
In sum, the Digital Personal Data Protection Act, 2023 is an important milestone that puts India on the global map of countries with dedicated data protection laws. Its objectives are sound, and its structure borrows wisely from global best practices. Yet, the true measure of its success will lie in its implementation—through independent regulation, transparent rule-making, judicial scrutiny, and civic participation. For India’s digital future to remain democratic, inclusive, and secure, the promise of privacy must not be undermined by unbridled executive power. The Act must evolve to genuinely safeguard individual autonomy while fostering innovation and national interest.
FAQs
Q1. Who is considered a “Data Principal” under the Act?
A: A “Data Principal” is the individual to whom the personal data relates. For example, if your email or biometric data is being collected by a company, you are the Data Principal.
Q2. Who is a “Data Fiduciary”?
A: A Data Fiduciary is any person, company, firm, state body, or entity that determines the purpose and means of processing personal data.
Q3. What types of data are covered under the DPDPA?
A: The Act covers only digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and digitised subsequently (Section 3). It does not cover data that remains non-digitised (paper-based).
Q4. Does the Act classify or differentiate sensitive personal data?
A: No. In contrast to the GDPR, the DPDPA does not distinguish between sensitive and non-sensitive data types, an aspect considered a flaw in the protective framework.
Q5. What are the rights provided to a Data Principal under the Act?
A:
Right to access information about personal data processing
Right to correction and erasure of personal data
Right to withdraw consent
Right to grievance redressal
Right to nominate a representative in case of death/incapacity
Q6. What is a “Consent Manager”?
A: A Consent Manager is a platform or entity registered with the Data Protection Board of India to help Data Principals manage, give, and revoke their consents across multiple services or Data Fiduciaries.
Q7. Can the government process personal data without consent?
A: Yes, on two routes. First, Section 7 treats certain State processing as a "legitimate use" not requiring consent, for instance providing subsidies, benefits, services, licences or permits. Second, Section 17(2)(a) allows the Central Government to notify any instrumentality of the State so that the Act does not apply to its processing, on grounds such as the sovereignty and integrity of India, security of the State, friendly relations with foreign States, or maintenance of public order.
Q8. How is cross-border data transfer handled under the Act?
A: Transfer outside India is permitted by default. Under Section 16, the Central Government may by notification restrict transfer of personal data to specified countries or territories, so the Act works as a blacklist rather than the whitelist proposed in the 2022 draft. There is no blanket data-localisation requirement, and any other law that imposes a higher degree of protection or restriction on such transfers continues to apply.
Q9. What is the penalty for non-compliance?
A: The Data Protection Board can impose monetary penalties under the Schedule to the Act, up to ₹250 crore per instance. The highest tier applies to a Data Fiduciary's failure to take reasonable security safeguards to prevent a personal data breach (up to ₹250 crore); failure to notify the Board and affected Data Principals of a breach, and breach of the obligations relating to children, each attract up to ₹200 crore.
Q10. Is there a timeline for grievance redressal?
A: Yes. Data Fiduciaries must respond to grievances within the period prescribed by rules under the Act, and a Data Principal must exhaust the fiduciary's grievance mechanism before approaching the Data Protection Board of India (Section 13).
Q11. What is the structure of the Data Protection Board of India?
A: The Board is an independent, quasi-judicial body tasked with enforcing compliance, deciding cases, and imposing penalties. However, its composition and powers are to be notified by the Central Government.
Q12. Can minors give consent under the Act?
A: No. Under Section 9, Data Fiduciaries must obtain verifiable consent of a parent or lawful guardian before processing the personal data of a child (a person below 18 years) or of a person with disability who has a lawful guardian. They are also barred from tracking or behavioural monitoring of children and from targeted advertising directed at them.
Q13. Is there any provision for data breach notification?
A: Yes. Under Section 8(6), a Data Fiduciary must intimate the Data Protection Board of India and each affected Data Principal of a personal data breach, in the form and manner prescribed by rules.
Q14. Does the Act override other laws?
A: Under Section 38, the DPDPA prevails over any other law to the extent of inconsistency, while otherwise operating in addition to and not in derogation of other laws. Separately, Section 17(1)(c) exempts processing in the interests of prevention, detection, investigation or prosecution of offences, so law-enforcement processing largely falls outside the Act's obligations.
Q15. Does the Act apply retrospectively to past data?
A: The applicability of the Act to previously collected data will depend on whether such data is still being processed and whether it has been digitized.
Q16. Are there special obligations for large tech companies?
A: Yes. Such companies may be notified as “Significant Data Fiduciaries”, and must comply with enhanced obligations like data protection impact assessments, audits, and appointing a Data Protection Officer.