Author: Rashi Aggrawal, Manipal University Jaipur
TO THE POINT
The Digital Personal Data Protection Act (DPDPA), 2023, marks a significant legislative shift in India’s approach to data privacy and protection. Enacted on August 11, 2023, this law seeks to protect personal data while ensuring that digital innovation and governance remain uninterrupted. Framed under the shadow of the landmark Puttaswamy judgment (2017) that upheld privacy as a fundamental right, the Act balances individual rights with state and commercial responsibilities.
The Act defines “personal data” as any data about an individual who is identifiable by or in relation to such data. It introduces two key stakeholders: Data Fiduciaries (entities determining the purpose and means of data processing) and Data Principals (the individuals to whom the data relates). Key provisions include consent-based data processing, rights of data principals (such as correction, erasure, grievance redressal), obligations of data fiduciaries, and the establishment of a Data Protection Board of India. It also allows the government to exempt certain data or fiduciaries from compliance, raising concerns over potential misuse.
One of the most debated aspects is the cross-border data transfer allowance and the government’s power to access data, which critics argue may compromise privacy. However, the Act also includes strong safeguards against data breaches and mandates data breach notifications to both users and the board. In essence, the DPDPA, 2023 is India’s first dedicated digital data law. While it addresses the long-standing vacuum in privacy legislation post the IT Act, it isn’t without criticism, particularly concerning state surveillance, vague exemptions, and the lack of an independent data protection authority.
The success of this Act lies not just in its text, but in its execution.
USE OF LEGAL JARGON
Data Principal
A Data Principal is the individual to whom personal data relates. Under the Act, every citizen is a Data Principal who has the right to access, correct, and erase their data, subject to conditions.
Data Fiduciary
A Data Fiduciary is any person, company, or government agency that determines the purpose and means of processing personal data.
Consent Manager
An entity registered with the Data Protection Board that enables Data Principals to manage their consent for data processing efficiently and transparently.
Significant Data Fiduciary
A Data Fiduciary classified by the government based on factors like the volume of data processed or impact on public interests, and who has additional compliance obligations.
Data Protection Board of India
An independent regulatory body established under the Act to ensure compliance, adjudicate complaints, and correct violations.
Notice Requirement
Under Section 5, every Data Fiduciary must give a clear notice to the Data Principal explaining data collection purposes and processing methods.
Data Breach Notification
Mandatory intimation to both the Data Protection Board and affected individuals in case of any data breach by the Fiduciary.
Right to Erasure
The right of a Data Principal to request deletion of personal data once the purpose for which it was collected has been fulfilled.
Grievance Redressal Mechanism
Every Fiduciary must have a system allowing the Data Principal to lodge complaints and get timely resolution.
Purpose Limitation
Data must be processed only for the purpose specified to the Data Principal at the time of collection.
Storage Limitation
Personal data shouldn’t be retained longer than necessary for the purpose for which it was collected.
Cross-border Transfer
The Act permits transfer of personal data outside India to certain notified countries, based on data protection adequacy.
THE PROOF
The push for a comprehensive data protection law in India began with the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017), where privacy was declared a fundamental right under Article 21. Following this, the Justice B.N. Srikrishna Committee submitted a draft bill in 2018. After several iterations, public consultations, and withdrawals (notably the 2019 draft), the Digital Personal Data Protection Bill, 2023 was introduced and passed in August.
The DPDPA provides a legal framework in line with global standards like the EU’s GDPR, focusing on consent, data minimization, transparency, and accountability. However, critics argue that certain clauses—particularly those allowing government exemptions—mirror surveillance-like provisions and may dilute individual rights.
Moreover, the lack of an independent appointment mechanism for the Data Protection Board raises concerns about executive overreach. Despite these, the Act is a milestone in regulating India’s booming digital ecosystem and aims to build trust in online transactions, fintech, and e-governance.
It is the first law that defines rights of individuals, obligations of organizations, and provides for penalties up to ₹250 crore for non-compliance, showing that India is finally serious about data privacy.
ABSTRACT
The Digital Personal Data Protection Act, 2023 (DPDPA) marks a landmark moment in India’s journey towards recognizing and enforcing digital privacy rights. With the rise of internet usage, e-commerce, fintech, and artificial intelligence, the need to safeguard personal data from misuse, profiling, and breaches became urgent. The Act attempts to strike a delicate balance between empowering individuals over their data and ensuring that technological innovation and governance are not stifled.
At its core, the DPDPA is built on the principle of consent-driven data processing. It defines stakeholders clearly—Data Fiduciaries, who control data use, and Data Principals, who own the data. The rights of the latter include access, correction, portability, and erasure. There’s also provision for a Consent Manager and the creation of the Data Protection Board of India for regulation and dispute resolution. What makes this law globally relevant is its partial alignment with the EU’s GDPR, though it also reflects unique Indian policy concerns like digital public infrastructure and government access.
However, the Act has raised red flags due to sweeping exemptions given to the State, lack of Parliamentary oversight, and vague definitions of ‘public interest’.
Notably, the law does not apply retroactively and excludes non-automated offline data processing. It also allows cross-border transfers to countries notified by the Central Government, a move that’s both progressive and controversial.
The Act’s success will depend on robust rule-making, enforcement mechanisms, and judicial interpretations over time. While it is a step in the right direction, India’s journey toward full data sovereignty and individual privacy protection still has miles to go.
The DPDPA represents a beginning—a much-awaited one—in India’s digital constitutionalism. Its interpretation and implementation will define whether the Indian citizen is truly the master of their own data.
CASE LAWS
Justice K.S. Puttaswamy v. Union of India (2017)
This landmark case declared the right to privacy a fundamental right under Article 21. It laid the foundation for future data protection laws in India and influenced the drafting of the DPDPA. The court emphasized informational privacy and the need for legal safeguards.
Aadhaar Case (Puttaswamy II, 2018)
While upholding Aadhaar’s constitutional validity, the Supreme Court restricted its use to essential government services, reinforcing the privacy doctrine and need for statutory data protection mechanisms.
Internet Freedom Foundation v. Union of India (2023)
This ongoing PIL challenges certain provisions of the DPDPA for being arbitrary and violative of privacy rights, especially the exemptions granted to government bodies.
Anuradha Bhasin v. Union of India (2020)
Though not directly on data protection, the court emphasized the importance of internet access and free speech, indirectly reinforcing the importance of protecting digital data in a democratic setup.
Gobind v. State of M.P. (1975)
An early case that hinted at privacy as a constitutional right, setting the philosophical base for Puttaswamy and future legislations like DPDPA.
People’s Union for Civil Liberties v. Union of India (1997)
PUCL challenged the telephone tapping procedures. The SC laid down safeguards and recognized the importance of protecting communication privacy.
Shreya Singhal v. Union of India (2015)
Struck down Section 66A of the IT Act, reaffirming the importance of protecting digital expression and privacy.
Naz Foundation v. Govt. of NCT (2009)
Though primarily a case on sexual orientation, it recognized informational privacy as critical, laying groundwork for privacy jurisprudence.
Binny Ltd. v. V. Sadasivan (2005)
Held that even private entities can be brought under public law obligations when acting in a public capacity, which is relevant for interpreting data fiduciary obligations.
R Rajagopal v. State of Tamil Nadu (1994)
Recognized the right to privacy as implicit in Article 21, particularly in cases involving publication of personal information without consent.
Selvi v. State of Karnataka (2010)
Held that involuntary narco-analysis violates Article 20(3) and privacy rights, showing the importance of consent in personal data handling.
Union of India v. Assn. for Democratic Reforms (2002)
Recognized the right to know and access information, relevant in contrast to the right to restrict access to personal data.
CONCLUSION
The Digital Personal Data Protection Act, 2023 is a watershed moment in Indian digital legislation. It finally gives legal recognition to data privacy, long considered essential in the post-Puttaswamy legal landscape. With digitization at the core of economic and governance models, the law attempts to put individuals at the center of data processing through informed consent, accountability, and regulatory mechanisms.
Yet, like any ambitious legislation, the DPDPA is not perfect. While it introduces crucial rights such as the right to erasure, correction, and grievance redressal, it also provides broad exemptions to the government. This creates a chilling effect on the privacy ecosystem. Critics argue that the law lacks independence in enforcement due to the executive-controlled Data Protection Board, and ambiguity in terms such as “public interest” and “national security” may be misused.
The success of this Act lies in its implementation framework—the effectiveness of subordinate legislation, administrative capacity of the board, and cooperation of private stakeholders. It also requires public legal awareness, especially in Tier-II and Tier-III cities where digital literacy is still evolving.
Going forward, amendments, judicial scrutiny, and active civil society engagement will be key to transforming this law from text to transformation. The courts, especially the Supreme Court, may play an instrumental role in ironing out constitutional inconsistencies.
In conclusion, the DPDPA is not the destination, but a bold beginning. It offers a legislative scaffold upon which a truly privacy-respecting data ecosystem can be built. For India, with its demographic scale and digital ambition, this Act is both a responsibility and an opportunity—to lead by example in the global data economy.
FAQs
What is the Digital Personal Data Protection Act, 2023?
It is a law enacted to regulate the collection, storage, and processing of personal data in India, aiming to safeguard individual privacy.
Who is a Data Principal under the Act?
A Data Principal is the individual whose personal data is being processed, and who has rights under the Act.
What are the rights of a Data Principal?
They include the right to access, correct, erase, and know who is processing their data and for what purpose.
What is a Data Fiduciary?
It refers to any person, company, or state agency that determines how and why personal data is processed.
Does the Act apply to government bodies?
Yes, but the Act allows the government to exempt its agencies from compliance for national security and other reasons.
What are Significant Data Fiduciaries?
These are entities handling large volumes of data or sensitive information and are subject to enhanced compliance requirements.
Can personal data be transferred outside India?
Yes, to countries notified by the government, provided certain safeguards are met.
Is consent necessary for processing data?
Yes, informed consent is central to lawful data processing under the Act.
What is the Data Protection Board?
It is the regulatory body created under the Act to oversee compliance and adjudicate disputes.
What are the penalties for non-compliance?
Penalties can go up to ₹250 crore depending on the nature and gravity of the violation.
Does the Act cover offline data?
Only automated and digital personal data processing is covered; non-automated offline data is excluded.
How is the Act different from GDPR?
While inspired by GDPR, the DPDPA offers broader exemptions to government agencies and lacks independent regulatory appointments.
