AUTHOR : Rimsha Wagle, a first year student at Dharmashastra National Law University
TO THE POINT
The DPDP Act, 2023 was notified on 11 August 2023 as India’s first comprehensive law regulating personal data. This legislation follows the judgment of the Supreme Court of India in Puttaswamy v. Union of India, where the Apex Court unanimously held that informational privacy is a fundamental right under Article 21. The Act grants individuals (termed “Data Principals”) a suite of rights, including notice of data use, access to their data, correction and erasure of data, grievance redressal, and nomination of a representative. Data processing must generally be based on valid consent. Consent must be free, specific, informed and unambiguous, given by clear affirmative action. Notices to Data Principals must explain the purpose of processing, their rights and the complaint mechanisms available to them. “Data Fiduciaries” (those who determine the purpose and means of processing) must implement security safeguards, notify breaches to affected individuals and the Data Protection Board, and delete data when it is no longer needed or upon withdrawal of consent. Significant Data Fiduciaries (handling large volumes of sensitive data) must appoint a Data Protection Officer and conduct impact assessments and audits. A new Data Protection Board of India is established as the enforcement authority. The Board adjudicates complaints and breaches online, issues directions and imposes penalties. The Board’s remit echoes Puttaswamy’s call for a “carefully structured regime” to protect personal data. Experts call the law “transformational” because it codifies notice, access and erasure rights and aligns India with global privacy norms. It represents a significant move towards a digital-rights framework in India.
USE OF LEGAL JARGON
Data Principal is the person to whom the personal data pertains. Data Fiduciary refers to a person or an organisation that decides the means and the purpose of processing the personal data (comparable to the “data controller” under the GDPR). Consent is a Data Principal’s free, specific, informed, and unambiguous permission for data processing; the Act requires consent to be given by a clear affirmative act. Data Protection Officer (DPO) is an officer based in India, answerable to the company’s management, who acts as the contact point for compliance and grievance redressal; this role is mandatory for Significant Data Fiduciaries (SDFs). Data Protection Board of India is a statutory body established to enforce the Act. It operates online, conducts inquiries into complaints, and issues orders or penalties. Its decisions (subject to appeal to the TDSAT and the Supreme Court) are binding, and it can also refer cases to dispute resolution or recommend blocking recalcitrant services.
THE PROOF
The Digital Personal Data Protection Act, 2023 is a very important legal measure, which translates the abstract concept of privacy into legally enforceable requirements and rights. It is not only a response to the constitutional imperative articulated in Justice K.S. Puttaswamy (Retd.) v. Union of India, but also a recognition of the need to regulate the growing volume of personal information being processed in the digital economy. The DPDP Act applies only to digital personal data, that is, data gathered in digital form or digitised later. Non-digitised, offline data remains outside its scope unless it is later digitised. This ensures that the Act is focused squarely on the digital realm, where the risk of surveillance, profiling and misuse is highest. Moreover, the Act has extraterritorial application. Section 3(b) extends it to any processing of digital personal data outside India, provided that the processing is in connection with the offering of goods or services to Data Principals located in India. This inclusion is vital in today’s globalised digital economy, where tech giants and digital service providers may be based overseas but engage intensively with Indian data subjects. The foundation of the Act lies in its consent-centric architecture. Passive forms of consent, such as pre-ticked boxes or implied acceptance, do not suffice under the Act. This emphasis reflects a sharp break from the earlier culture of vague consent notices and blanket permissions. Now, a Data Fiduciary must ensure that: the purpose for which data is being collected is clearly communicated; the consent is revocable at any time; and consent is obtained afresh for each specific purpose of processing.
The Act enshrines a comprehensive bundle of rights for Data Principals, i.e., the individuals to whom the data pertains. These rights are substantive and procedural in nature, placing the individual at the center of the data protection framework.
The DPDP Act creates a new body, the Data Protection Board of India, under Chapter V of the Act. It is vested with quasi-judicial powers and operates as a specialised adjudicatory body. Its functions include: inquiry into personal data breaches; issuance of directions to Data Fiduciaries to remedy violations; imposition of penalties for non-compliance; and hearing grievances filed by Data Principals. The Board is empowered to operate primarily in digital mode, allowing for efficient and technology-enabled adjudication. Appeals against the Board’s decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and thereafter with the Supreme Court, thus ensuring checks and balances.
The DPDP Act is not an isolated legislative measure but the legislative fulfilment of the privacy jurisprudence established in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), in which the Apex Court unanimously held that the right to privacy under Article 21 of the Constitution includes the right to possess and hold personal information and digital identity.
The DPDP Act is a codification of these principles, balancing individual autonomy with regulatory oversight. The creation of an independent Data Protection Board, though appointed by the executive, is a step towards institutional accountability, fulfilling the Puttaswamy court’s emphasis on “robust oversight mechanisms.”
ABSTRACT
The Digital Personal Data Protection Act, 2023, India’s first comprehensive data-privacy law, was passed in August 2023. This legislation responds to the Supreme Court’s Puttaswamy (2017) judgment, which declared privacy, including informational privacy, a fundamental right. The Act establishes a consent-based regime in which processing of digital personal data is permitted only for lawful purposes (generally on the basis of valid consent, or under limited exceptions). It endows individuals with concrete data rights (notice, access, correction, erasure, grievance, nomination) and requires data controllers (“Data Fiduciaries”) to uphold these rights and secure the data. Significant Data Fiduciaries must additionally appoint a Data Protection Officer and conduct privacy impact assessments. The Act also creates a Data Protection Board to enforce compliance by hearing complaints and imposing fines. Although the Act will take effect only on a government-notified date, its passage is seen as a pivotal step towards a robust “digital rights” era in India, translating the Puttaswamy principles into a statutory framework.
CASE LAWS
The DPDP Act rests on the jurisprudential foundation laid by Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). In that historic case, a nine-judge Supreme Court bench unanimously held that the right to privacy is protected by the Constitution (specifically Article 21). Importantly, Puttaswamy recognised informational privacy as integral to this right and expressly urged the government to adopt a “carefully structured regime” for data protection. After Puttaswamy, privacy has figured in other rulings (e.g. Navtej Johar and Joseph Shine), but none laid down detailed data-regulation norms. The DPDP Act translates the Court’s broad directive into concrete obligations and remedies, effectively giving statutory life to the fundamental privacy right recognised in 2017.
Other court decisions have also emphasized informational privacy (for example, the Aadhaar judgment in 2018), but Puttaswamy is the touchstone for this Act. By aligning with that case’s principles, the DPDP Act benefits from the Supreme Court’s insistence that privacy is a fundamental right of every individual, and that data protection is necessary to enforce it.
CONCLUSION
The Digital Personal Data Protection Act, 2023 is a landmark in India’s legal landscape. It shifts data privacy from policy drafts into hard law, signalling India’s commitment to protecting citizens’ informational rights in the digital age. The Act’s consent framework and individual rights mirror global best practices, and the new Data Protection Board provides a dedicated mechanism for enforcement. However, experts note that many details depend on forthcoming rules, and that certain broad exemptions (e.g. government and research uses) could limit the law’s scope. The law will come into force only after government notification, so its full impact will emerge over time. Nonetheless, its enactment alone represents a qualitative change: India now has a statutory “digital Bill of Rights” for personal data. In doing so, the DPDP Act gives substantive effect to Puttaswamy’s promise and ushers India into a new era of data protection and digital rights.
FAQs
What is the DPDP Act, 2023?
It is India’s first standalone data protection law, notified in August 2023. It regulates the processing of digital personal data, i.e. any personal data in digital form or digitised from offline sources. The Act applies to processing within India and also to foreign entities offering goods or services to Indian residents.
What are the consent requirements?
Processing of personal data under the Act generally requires consent from the Data Principal. Consent must be free (not coerced), specific (for a particular purpose), informed (the Data Principal must know what they are consenting to), unconditional, and unambiguous, given by a clear affirmative act. Data Fiduciaries must provide a plain-language notice when taking consent, explaining what data is collected and why, how to withdraw consent, and how to file a complaint. If consent is withdrawn, the fiduciary must delete the relevant data unless there is another lawful basis to retain it.
Who are Data Fiduciaries and what must they do?
A Data Fiduciary is any person or organisation (public or private) that decides the purposes and means of data processing. Fiduciaries must process data lawfully and transparently. They must implement reasonable security safeguards to protect data, notify both the Data Principal and the Data Protection Board in case of a breach, and delete data once it is no longer needed for the original purpose. They must also appoint a grievance officer whom principals can contact.
What is the Data Protection Board?
The Act creates a Data Protection Board of India, which functions as a regulator and enforcement agency. Anyone can file a complaint with the Board if a fiduciary violates the law or suffers a data breach. The Board can then investigate the complaint online, direct the fiduciary to fix the issue, and impose monetary penalties for non-compliance. Appeals from the Board’s orders go first to the Telecom Disputes Settlement and Appellate Tribunal, and then to the Supreme Court. The Board does not draft policy rules itself, but it enforces the Act and can refer cases to alternative dispute resolution or recommend the blocking of habitually non-compliant services.
When will the Act be in effect?
Although passed in 2023, the DPDP Act is not yet in force. The central government must notify the commencement date for its different sections (including those setting up the Board). Once notified, entities will have to comply within the specified timelines.
