THE DIGITAL PERSONAL DATA PROTECTION ACT 2023

Author: Gautam Tomar, Bharati Vidyapeeth University Pashchim Vihar East

TO THE POINT


  The Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is a watershed moment in India’s data governance landscape, representing a substantial legal step towards securing individuals’ personal data. Enacted with the dual objective of protecting informational privacy as a fundamental right and facilitating seamless digital economic growth, the Act attempts to strike a delicate balance between national security imperatives, economic development priorities, and the demands of a rapidly evolving global digital ecosystem. This article critically analyses the DPDP Act’s key provisions, underlying legislative intent, constitutional foundations, and practical implications for Indian jurisprudence, public governance, and private business compliance frameworks. It further examines how this statute positions India on the global stage as a jurisdiction committed to data sovereignty while aspiring to align with international standards such as the EU’s General Data Protection Regulation (GDPR).

USE OF LEGAL JARGON:-
The DPDP Act, 2023, ushers in a novel vocabulary into India’s data protection regime, introducing specialised terms such as ‘Data Fiduciary’ (entities determining the purpose and means of processing personal data), ‘Significant Data Fiduciary’ (entities handling large volumes or sensitive categories of data warranting enhanced compliance), ‘Data Principal’ (the individual to whom the personal data relates), ‘Purpose Limitation’ (restricting data use strictly to the stated objective), ‘Processing’ (any operation performed on personal data), ‘Cross-border Data Transfer’ (movement of personal data outside Indian territory), and ‘Consent Manager’ (an authorised entity enabling Data Principals to manage their consent preferences efficiently).
According to Justice K.S. Puttaswamy (Retd.) v. Union of India, Article 21 of the Indian Constitution guarantees the right to life and personal liberty, which includes the right to privacy. With regard to necessity, proportionality, legitimate state interest, and the general test of reasonableness, these terms show how the Act conforms with fundamental constitutional principles. The Act aims to create a clear regulatory language that facilitates efficient implementation and judicial interpretation by embracing such legally exact and globally consistent words.

THE PROOF:-
The Digital Personal Data Protection Act, 2023 was officially incorporated into India’s data protection framework on August 11, 2023, after successfully passing both Houses of Parliament, receiving presidential approval, and being published in the Official Gazette. By creating a significantly more thorough and rights-based legal framework, this law essentially supersedes and replaces the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 insofar as there are any inconsistencies.
The Act represents India’s legislative fulfilment of the constitutional mandate laid down by the Supreme Court in the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1, wherein the Court unanimously affirmed the right to privacy as a fundamental right inherent within Article 21 of the Constitution. By enacting this statute, the legislature has sought to translate the judicial recognition of informational privacy into a codified legal framework that ensures accountability, transparency, and protection against arbitrary data processing, thereby strengthening India’s democratic and constitutional commitment to privacy in the digital age.

ABSTRACT:-
The Digital Personal Data Protection Act, 2023, enacted by India, constitutes a comprehensive and rights-based legislative framework designed to safeguard the personal data of individuals while facilitating the growth of India’s digital economy. The Act governs the processing of personal data by both public authorities and private entities, ensuring that such processing is conducted in a lawful, fair, and transparent manner. It further enables cross-border transfer of personal data, albeit subject to restrictions and safeguards to protect national security, public order, and India’s strategic interests.
A significant institutional reform under this Act is the establishment of the Data Protection Board of India, envisaged as an independent adjudicatory and regulatory authority vested with powers to enforce compliance, adjudicate breaches, and impose graded monetary penalties reaching up to ₹250 crore depending on the nature and gravity of the contravention. The legislation mandates that data processing must be consent-based, reflecting the principle of informational self-determination, while providing for specific exemptions in contexts such as national security, scientific research, statistical purposes, and performance of state functions, thereby attempting to balance individual rights with collective state interests.
Moreover, the Act incorporates a dedicated children’s data protection regime, imposing stringent obligations on Data Fiduciaries to protect minors’ personal data. It strengthens the rights of Data Principals by empowering them to seek correction, erasure, and grievance redressal pertaining to their personal data held by Data Fiduciaries. The Act entrenches critical data protection principles such as purpose limitation (restricting data use to the specific purpose for which it was collected) and storage limitation (prohibiting indefinite retention).
While the DPDP Act has been widely lauded for establishing data sovereignty, enhancing accountability, and aligning India’s data protection standards with global best practices such as the EU’s GDPR, it has also attracted critique for the broad discretionary exemptions accorded to the state under Clause 17, raising constitutional concerns regarding potential infringements upon privacy and personal liberty. Its ultimate impact will depend on subordinate legislation, judicial scrutiny, and the operational efficiency of the Data Protection Board in upholding the delicate balance between security, innovation, and individual privacy rights.


CASE LAWS


1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1
In this historic nine-judge bench decision, the Supreme Court unanimously decided that the right to privacy is closely tied to the right to life and personal liberty guaranteed by Article 21 of the Constitution. The court recognised privacy as a constitutionally protected fundamental right that encompasses informational privacy, bodily integrity, and decisional autonomy. This ruling laid the constitutional foundation for the enactment of a comprehensive data protection regime in India, culminating in the DPDP Act, 2023, to ensure that personal data processing by state or private actors does not infringe upon individual autonomy and dignity.

2. Anuradha Bhasin v. Union of India (2020) 3 SCC 637
In this case, dealing with internet shutdowns in Jammu & Kashmir, the Supreme Court emphasised the principles of proportionality, necessity, and reasonableness while imposing restrictions on fundamental rights. Although the direct issue related to internet access, the Court’s articulation of the proportionality doctrine has had a profound indirect impact on data regulation jurisprudence, underscoring that any restriction on informational privacy or data access must pass constitutional scrutiny based on necessity, legitimacy, and minimal impairment.

3. People’s Union for Civil Liberties (PUCL) v. Union of India (1997) 1 SCC 301
This judgment addressed the legality of telephone tapping under the Telegraph Act, highlighting that surveillance and interception of communications impinge upon the right to privacy unless backed by procedural safeguards and reasonable restrictions. The Court’s observations in PUCL have served as jurisprudential groundwork for developing informational privacy protections in India, reinforcing that unauthorised collection or surveillance of personal data violates the fundamental right to privacy.

4. WhatsApp LLC v. Competition Commission of India, 2022 SCC OnLine Del 1720
In this case, the Delhi High Court upheld the Competition Commission of India’s investigation into WhatsApp’s updated privacy policy, which permitted extensive data sharing with Facebook. The Court stated that data sharing policies of digital platforms must withstand scrutiny not only under competition law but also under data protection and privacy frameworks, emphasising the growing judicial recognition of the intersectionality of consumer welfare, data privacy, and market competition regulation in India’s digital economy.


CONCLUSION


The Digital Personal Data Protection Act of 2023 is India’s bold and strategic step towards building a sovereign digital economy, with the goal of governing personal data processing in a way that empowers individuals while encouraging innovation and economic success. Its architecture reflects a desire to align with global data protection standards, particularly the European Union’s General Data Protection Regulation (GDPR), which will strengthen India’s position in cross-border digital trade and data governance frameworks.
However, the Act’s broad and sweeping exemptions accorded to government instrumentalities, particularly under Clause 17, have raised significant constitutional and ethical concerns. Critics argue that these provisions, if left unchecked, may undermine the very fundamental right to privacy that the legislation purports to protect, creating potential avenues for arbitrary state surveillance and disproportionate data processing in the name of national security or public order.
The true test of the DPDP Act, 2023, therefore, lies not merely in its textual promises but in its judicial interpretation, pragmatic implementation, and the robustness of subordinate legislation and regulatory guidelines framed under its ambit. It is through vigilant adjudication by constitutional courts and accountable enforcement by the Data Protection Board of India that the Act will either emerge as a bulwark safeguarding informational privacy and digital autonomy, or risk being reduced to a regulatory instrument that legitimises state overreach into citizens’ personal data.
In this crucial moment, the ball squarely lies in the court of implementation, which will determine whether India’s data protection regime becomes a model of democratic rights-based governance or another missed opportunity in the march towards digital constitutionalism.

FAQS


Q1. What is the purpose of the DPDP Act, 2023?
To protect personal data of individuals, regulate processing, and ensure accountability of Data Fiduciaries.
Q2. Is this applicable to data processed outside of India?
Yes, as long as the processing involves offering Indian data principals goods or services.
Q3. What are Significant Data Fiduciaries?
Entities notified by the government based on data volume, sensitivity, and potential harm, subject to stricter compliance.
Q4. How does it affect businesses?
It mandates transparency, consent mechanisms, data protection impact assessments, and cross-border transfer compliance.
Q5. Is there any exemption for government agencies?
Yes. Clause 17 provides exemptions on grounds of national security, public order, and sovereignty, subject to reasonableness.
Q6. What is the penalty for non-compliance?
Graded penalties up to ₹250 crore based on the nature of breach, with additional liabilities under civil and criminal laws if applicable.
