From Consent to Control: A Legal Lens on India’s Digital Personal Data Protection Act

Author: Ahana Banerjee, St Xavier’s University

To the point

In today’s digital world, where every app we use and every website we visit silently collects our personal data, the right to privacy is no longer a luxury — it’s a necessity. From sharing our location to storing our Aadhaar number, Indians leave behind a digital footprint every day. Yet, until recently, there was no dedicated law in India that gave citizens control over how their personal data is used, stored, or shared. The Digital Personal Data Protection Act, 2023, passed by Parliament in August 2023, marks a historic shift in India’s approach to data governance. After years of public debate, Supreme Court rulings (especially Justice K.S. Puttaswamy v. Union of India, 2017), and comparisons with international frameworks like the EU’s General Data Protection Regulation (GDPR), India has finally laid down a comprehensive law to define consent, purpose limitation, data fiduciaries, and user rights. This article explores the key features of the DPDP Act, including the rights it gives individuals—such as the right to access, correct, and erase personal data—as well as the obligations it imposes on companies, platforms, and even the government. It also examines the balance the Act tries to strike between individual privacy and state or business interests, and the gaps that still remain—particularly around enforcement, exemptions for government bodies, and digital literacy. At its core, the DPDP Act is not just about data—it’s about power, trust, and control in the digital age. And for a country with over 800 million internet users, understanding this law isn’t optional. It’s essential. A key innovation in the Act is the creation of the Data Protection Board of India, which will function as the quasi-judicial authority to enforce compliance and impose penalties. The Act also introduces graded penalties, including fines up to ₹250 crore for data breaches, misuse, or failure to protect user data. 
Notably, the Act applies not only to Indian entities, but also to foreign companies processing Indian users’ data. However, the Act has also drawn criticism for broad government exemptions, lack of clarity on data localization, and concerns over independence of the enforcement mechanism. This article aims to critically evaluate the DPDP Act, comparing it with global standards like the EU’s GDPR, and questioning whether the law is strong enough to truly protect privacy in a digital-first democracy.

Use of Legal Jargon

The Digital Personal Data Protection Act, 2023 introduces a new legal vocabulary to address how personal data is handled in India’s digital ecosystem. At the heart of the Act lies the term “personal data”, which refers to any data about an individual who can be identified directly or indirectly through such information. Entities that determine how and why this data is processed are called “data fiduciaries”, while the individuals whose data is being processed are known as “data principals”. A foundational requirement of the law is “consent”, which must be free, specific, informed, unconditional, and unambiguous. The Act prohibits companies from using or sharing personal data beyond the purpose for which it was collected—a concept known as “purpose limitation”. It also introduces the “right to be forgotten”, which allows individuals to request the erasure of their data once the purpose of its use has been fulfilled or consent has been withdrawn. The Act further provides for the establishment of the Data Protection Board of India, a regulatory body with quasi-judicial powers to enforce compliance and impose penalties for breaches such as failures of data security or failure to respond to data principal requests. The law uses the term “legitimate use” to refer to specific situations where data may be processed without consent—such as compliance with legal obligations, or in emergencies related to health and safety. However, a controversial provision is the “government exemption clause”, which allows the Central Government to exempt any of its agencies from the law on grounds such as national security or public order—raising questions about checks and balances and leading to debates around transparency and misuse.

These legal terms are essential to understanding the new rights and responsibilities introduced by the DPDP Act, and how it aims to balance individual privacy with economic and state interests in a digital society. By using a legal framework grounded in accountability, consent, and user rights, the Act aims to bring India closer to global data protection standards while also creating a much-needed vocabulary for digital trust.

The Proof

The push for a dedicated data protection law gained real momentum after the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017), in which the court held that the right to privacy is a fundamental right protected under Article 21 of the Constitution. This decision established the legal basis for calling for an all-encompassing data protection framework in India.

The need for such a law became more urgent as India’s digital landscape exploded. With over 850 million internet users and one of the world’s fastest-growing app markets, personal data has become a highly valuable—and vulnerable—commodity. Multiple large-scale breaches—the Aadhaar data leak (2018), the Air India breach (2021) affecting 4.5 million users, the Domino’s India data breach, cyberattacks targeting Mobikwik and BigBasket, and incidents involving mobility and fintech platforms—have exposed millions of users’ personal and financial data and highlighted how unprotected Indian user data has been. These incidents revealed severe regulatory and enforcement gaps in the earlier IT Act-based regime.

In response to growing public concern, the government introduced multiple drafts of a data protection bill between 2018 and 2022, each evolving through expert committee recommendations, parliamentary scrutiny, and public debate. The final version—the Digital Personal Data Protection Act, 2023—was passed in August 2023 and officially notified on August 11, 2023. It marked India’s first-ever law dedicated solely to digital privacy and data protection. The Act introduces a consent-based, rights-oriented framework: data fiduciaries must process personal data only for legitimate purposes and with informed user consent, prevent data misuse, and notify the Data Protection Board of any breach. The introduction of the Data Protection Board of India, empowered to investigate complaints and impose penalties up to ₹250 crore, reflects the government’s intent to deter negligent or exploitative data practices.

This brings India in line with global efforts to protect digital rights—though critics point out that broad government exemptions and limited independence of the enforcement board could undermine its effectiveness. India’s DPDP Act comes at a time when data is both an economic asset and a human rights issue, and its enforcement will be a defining test of how seriously the country values privacy in the digital era. Despite its limitations, the Act is a landmark step toward aligning India’s legal infrastructure with international privacy standards such as the EU’s General Data Protection Regulation (GDPR) and presents a promising framework to protect digital rights in one of the world’s largest internet economies.

Abstract

The rise of digital infrastructure in India has dramatically transformed how personal data is collected, stored, and monetized—often without the knowledge or meaningful consent of individuals. Recognizing the urgent need for legal safeguards, the Indian Parliament enacted the Digital Personal Data Protection Act, 2023, marking a foundational shift in the country’s approach to data governance. Rooted in the principles established by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017), which upheld the right to privacy as a basic right, the Act seeks to establish a framework that strikes a balance between preserving individual liberty and permitting the lawful use of data by both public and commercial entities.

This article examines the key provisions of the DPDP Act, including the definition of personal data, the role of data fiduciaries, the establishment of the Data Protection Board, and the introduction of enforceable rights for data principals, such as consent, correction, and the right to erasure. It also addresses penalties for non-compliance, ranging up to ₹250 crore, and the procedural obligations imposed on entities handling data. While the Act represents a significant legislative achievement, aligns India closer to global standards such as the EU’s GDPR, and is a critical step toward safeguarding digital dignity, it is not without controversy. The wide exemptions granted to government agencies, the potential lack of independence of the enforcement board, and the challenge of making data rights accessible to every citizen in a diverse, digitally divided society remain areas of concern. This article provides a critical evaluation of the DPDP Act’s strengths, shortcomings, and implications for privacy, accountability, and trust in the digital age. Still, the Act offers a much-needed legal foundation for India’s 800+ million internet users to demand greater transparency, choice, and protection in the digital world.

Case Laws

  1. Justice K.S. Puttaswamy v. Union of India (2017)
    This landmark judgment by a nine-judge bench of the Supreme Court laid the foundation for data privacy in India by declaring the right to privacy as a fundamental right under Article 21 of the Constitution. The case arose during the challenge to the Aadhaar biometric system, but its broader outcome went far beyond Aadhaar—it recognized that every individual has a constitutional right to control their personal information. This ruling directly influenced the government’s obligation to frame a comprehensive data protection law, which eventually led to the Digital Personal Data Protection Act, 2023.
  2. Internet and Mobile Association of India v. Reserve Bank of India (2020)
    Though not a direct privacy case, this judgment by the Supreme Court addressed the balance between data governance and individual rights. The Court struck down the RBI’s 2018 circular banning cryptocurrency transactions, stating that the decision lacked proportional justification. The case reiterated that data-related restrictions must pass tests of necessity and proportionality, reinforcing constitutional principles that also apply to privacy and digital regulation frameworks like the DPDP Act.
  3. Anuradha Bhasin v. Union of India (2020)
    In this case concerning internet shutdowns in Jammu & Kashmir, the Supreme Court recognized freedom of speech and expression over the internet as a fundamental right. While the core issue was access to the internet, the judgment indirectly supported the broader idea that digital rights—including privacy and access to digital infrastructure—are extensions of fundamental rights. It further strengthened the argument for a structured, rights-based approach to digital governance in India.

Conclusion

The Digital Personal Data Protection Act, 2023 marks a long-awaited milestone in India’s legal journey toward protecting digital rights. In a country where personal data is processed by thousands of private and public entities daily, the Act seeks to bring structure, transparency, and accountability to a space that was previously governed by outdated or fragmented rules. By recognizing user consent, data fiduciary obligations, and the role of a regulatory body, the Act attempts to align India with global standards of privacy protection, such as those seen in the EU’s GDPR.

However, while the law provides a strong foundation, it is far from flawless. Broad exemptions for government agencies, the potential lack of independence of the Data Protection Board, and the challenges of enforcement across a digitally diverse population raise important concerns. In practice, the real test of the DPDP Act will lie in how it is implemented, interpreted by courts, and understood by the public.

To ensure that this legislation truly empowers individuals and upholds the constitutional right to privacy, there must be ongoing efforts in public awareness, digital literacy, institutional transparency, and judicial oversight. The true effectiveness of the law will depend not just on its text, but on how well it is enforced: while the Act introduces penalties and a regulatory board, its broad exemptions for the government and lack of clarity on enforcement mechanisms raise valid concerns. For a country with over 800 million internet users, protecting data can’t be a matter of symbolic reform—it must translate into real safeguards and accessible redress for all. The DPDP Act is not the final word on data protection in India—it is the beginning of a new legal and cultural framework that must evolve alongside technology. To truly protect digital rights, India must continue building a culture of privacy—one that values transparency, accountability, and the dignity of its citizens in the online world. In the digital age, privacy is not a privilege—it is a fundamental necessity, and this law is a crucial first step toward securing it.

FAQS

1. Describe the 2023 Digital Personal Data Protection Act.

The DPDP Act is India’s first all-encompassing law created especially to protect personal information online. It lays down clear legal obligations for how personal data must be collected, stored, and used by both private entities and government organizations. The law ensures that individuals (called Data Principals) have control over their information and mandates that Data Fiduciaries (companies, apps, websites, etc.) use that information only with consent and for clear, lawful purposes. This Act fills a crucial gap in Indian legislation that had become outdated in the face of rapid digital growth.

2. What kind of data does the Act protect?

The Act protects “personal data”, which means any information that relates to an identifiable individual. This includes names, email addresses, mobile numbers, Aadhaar numbers, financial details, IP addresses, and even location data. Whether it’s given during online shopping, medical consultation, or a government registration, the Act ensures that such data is not misused, overshared, or stored without proper justification. Sensitive personal data, though not defined separately in the final version of the Act (unlike in earlier drafts), is still covered under general data protection responsibilities.

3. What rights does the Act give to individuals?

The DPDP Act empowers users with key rights over their personal data, putting individual autonomy at the center of data regulation. These include:

  • The right to correction and erasure (to fix errors or delete data when it’s no longer needed)
  • The right to withdraw consent at any time
  • The right to grievance redressal through the Data Protection Board of India

These rights aim to give individuals transparency and control—something Indian users have lacked until now.

4. Are there penalties for companies that misuse data?

Yes. The Act introduces strict monetary penalties for data fiduciaries who fail to comply. The fines can go up to ₹250 crore per instance, especially for:

  • Failing to secure user data
  • Not responding to user data requests
  • Processing data without proper consent
  • Not notifying the authorities in the event of a data breach

These penalties are designed to encourage companies to treat data protection seriously—not just as compliance, but as a duty to users.

5. Can the government access data under this law?

Yes, and this is one of the most debated aspects of the Act. The Central Government has the power to exempt its own agencies from certain provisions of the law under grounds like national security, public order, or emergencies. Critics argue that such broad exemptions could lead to unchecked surveillance and weaken the very privacy protections the Act is meant to offer. Although the Act attempts to balance national interest with individual rights, this clause remains controversial and could impact public trust in the law’s fairness and independence.
