Author: Vaishnavi Shukla, Arya Kanya Degree College, constituent college of the University of Allahabad, Prayagraj
To the point
The Digital Personal Data Protection Act (DPDPA) 2023 is India’s landmark legislation establishing a comprehensive framework for safeguarding personal digital data. The Digital Personal Data Protection Act, 2023, came into effect on August 11, 2023. This legislation governs the processing of digital personal data, aiming to strike a balance between individuals’ right to privacy and the legitimate need to process such data for lawful and necessary purposes, along with related matters. India, home to one of the world’s largest populations and a major global economy, has introduced a new personal data protection law. Officially published in the Gazette in August 2023, the law is set to come into effect in 2024.
The Act safeguards digital personal data, that is, information that can be used to identify an individual, by outlining key provisions, including: the responsibilities of Data Fiduciaries, which include individuals, companies, or government bodies that handle personal data through activities such as collection, storage, or other forms of processing; the rights and responsibilities of Data Principals, referring to the individuals to whom the personal data pertains; and the imposition of financial penalties in cases where these rights, responsibilities, or obligations are violated.
As India rapidly evolves into one of the world’s largest digital economies, the Digital Personal Data Protection Act (DPDPA) seeks to modernize the country’s approach to data governance. The law aims to bring India’s data protection framework in line with international standards, carefully balancing the privacy rights of individuals, commercial interests, and concerns related to national security. Introduced against the backdrop of increasing incidents of data breaches and unauthorized surveillance, the Act underscores the urgent need for comprehensive legal safeguards.
The DPDPA sets out a structured legal regime for the collection, processing, and storage of personal data, granting individuals more control over how their information is used. At the same time, the law has triggered debates regarding its provisions for government exemptions and the practical challenges of enforcement. This article provides a detailed overview of the Act’s key features, compares it with global data protection laws, assesses its implications for both businesses and consumers, and discusses the controversies and future directions surrounding this landmark legislation.
Major Features of the DPDP Act, 2023
The DPDPA incorporates several core principles aimed at protecting personal data and regulating its handling. A key element of the legislation is its inclusive definition of personal data, which covers any information that can be used to directly or indirectly identify an individual. This includes names, contact details, financial records, and biometric identifiers, ensuring a broad scope of protection.
A significant pillar of the Act is its focus on consent-driven data processing. Entities must obtain clear and informed consent from individuals before collecting or using their data. People must also be told why their data is being collected and how it will be utilized. The law gives individuals the authority to withdraw their consent at any point, thus reinforcing personal control over data usage.
The Act also provides distinct rights to data principals (the individuals whose data is being processed). These include the right to access their own data, correct inaccuracies, and request the deletion of data that is outdated or no longer needed. To ensure accountability, the legislation mandates that data fiduciaries implement grievance redressal mechanisms, allowing individuals to report concerns or complaints about the misuse of their personal data. For organizations that handle data, referred to as data fiduciaries, the law imposes several important responsibilities. These include principles such as minimizing the data collected to what is strictly necessary, limiting how long data is stored, and promptly notifying users and authorities in the event of a data breach. These safeguards are designed to enhance trust and reduce the likelihood of misuse.
However, the DPDPA also grants certain exemptions to government bodies. In cases involving national security, public order, or legal investigations, government agencies may process personal data without seeking prior consent. While intended to serve public interest, these provisions have raised concerns among privacy advocates who warn that such broad exemptions could lead to misuse and unchecked surveillance.
Use of legal jargon
Nevertheless, the DPDPA provides specific exemptions for government authorities.
Rights Conferred Upon Data Principals
The legislation formalizes several enforceable rights for individuals, including:
The Right to Access personal data processed by fiduciaries;
The Right to Rectification and Erasure of inaccurate or obsolete data;
The Right to Grievance Resolution, mandating fiduciaries to establish internal complaint-handling systems;
The Right to Nominate a representative for exercising rights posthumously or upon incapacity.
State Exemptions and Rule-Making Powers
Under Section 17, the Central Government may, by notification, exempt public agencies from the Act’s provisions if deemed necessary in the interest of sovereignty, public order, or security of the State. While these exemptions are framed within a legal threshold, critics contend that they may lead to unfettered executive discretion and potentially undermine the proportionality doctrine laid down in Justice K.S. Puttaswamy (Retd.) v. Union of India.
Institutional Mechanism and Adjudicatory Powers
The DPDPA creates the Data Protection Board of India, vested with quasi-judicial authority to conduct inquiries into alleged contraventions, adjudicate disputes, and impose civil penalties. The Board functions in a manner akin to a statutory tribunal, with powers comparable to those conferred upon a civil court under the Code of Civil Procedure, 1908, for summoning records and examining witnesses.
Sanctions and Enforcement
The statute prescribes graded monetary penalties for non-compliance, which may extend up to ₹250 crore for serious breaches. These pecuniary deterrents are intended to foster a compliance culture and ensure responsible data stewardship among fiduciaries.
The Proof
The Digital Personal Data Protection Act (DPDPA), 2023 represents a timely and essential legislative response to the complexities of India’s evolving digital ecosystem, where vast quantities of personal information are continuously being collected, transmitted, and processed. This law arises from a constitutional mandate rooted in the fundamental right to privacy, which the Supreme Court of India declared as implicit within Article 21 in its landmark ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). The Court emphasized that individuals must retain autonomy over their personal data and its usage in a digitally networked society.
The Act’s primary objective is to institutionalize a comprehensive legal structure that governs the lawful processing of digital personal data, promoting core principles such as fairness, accountability, and transparency. In the absence of specific legislation prior to this enactment, individuals and entities were left vulnerable to unauthorized data use, profiling, surveillance, and frequent breaches of digital privacy. The DPDPA addresses this vacuum by establishing clear rights for individuals and codified responsibilities for entities that manage or process personal data.
Furthermore, the DPDPA aligns India’s data protection standards with internationally recognized norms, most notably those articulated under the European Union’s General Data Protection Regulation (GDPR). By embedding principles like explicit consent, purpose limitation, data minimization, and user rights, the Act seeks to bolster public trust in digital services and foster a data protection regime compatible with global interoperability. This harmonization is critical for ensuring India’s eligibility for international data exchange frameworks and promoting foreign investment in its growing digital economy.
A notable strength of the Act is its attempt to balance individual liberties with legitimate state interests. While it introduces a strong privacy framework, it also grants conditional exemptions to government agencies for purposes such as national security, public order, and criminal investigations. These exemptions, though contentious, are designed to operate within legal limits and are subject to constitutional safeguards, especially those related to necessity and proportionality.
Additionally, the Act establishes a regulatory oversight mechanism in the form of the Data Protection Board of India, which is empowered to investigate violations and impose significant monetary penalties up to ₹250 crore for non-compliance. This introduces an element of deterrence and encourages organizations to adopt privacy-by-design approaches and robust data protection protocols.
The DPDPA, 2023 is not merely a policy instrument but a constitutional necessity and a forward-looking legislative tool. It strengthens India’s position in the global digital landscape by reinforcing user autonomy, enhancing data security, and ensuring that technological innovation does not come at the cost of personal privacy. By embedding legal accountability in digital interactions, the Act lays the foundation for a trustworthy and inclusive digital future.
The introduction of the Digital Personal Data Protection Act, 2023 is not arbitrary; it is backed by compelling constitutional, technological, legal, and global factors. This law represents a timely and essential intervention to secure personal data in India’s increasingly digitized environment. The points below outline the justification for its implementation:
1. Grounding in Constitutional Principles and Judicial Precedent: A crucial impetus for this law comes from the Supreme Court’s 2017 ruling in Justice K.S. Puttaswamy v. Union of India, which affirmed the Right to Privacy as a fundamental right under Article 21. The judgment explicitly called for a legal structure to safeguard personal data. As a result, the government was constitutionally obligated to frame a legislative mechanism that upholds and protects individuals’ informational privacy in the digital realm.
2. Lack of a Specific Data Protection Law: Before the DPDPA, data protection in India relied on provisions within the Information Technology Act, 2000, notably Sections 43A and 72A. However, these were insufficient — lacking clarity on definitions, weak on enforcement, and outdated for addressing contemporary digital threats. The DPDPA fills this legislative void by creating a dedicated, clear, and enforceable law to govern personal data handling in both private and public domains.
3. Rising Digitalization and Technological Penetration: India has emerged as a global digital hub, with more than 850 million internet users and widespread adoption of digital platforms across sectors like finance, healthcare, education, and governance. As digital dependency grows, so do the risks related to unauthorized data use, profiling, and breaches. The Act seeks to balance innovation and technological progress with the right to informational self-determination.
4. Bridging India with International Privacy Norms: The DPDPA aligns India with leading international frameworks, such as the EU’s General Data Protection Regulation (GDPR). This alignment enhances India’s credibility in international data-sharing agreements, boosts the confidence of global investors, and supports Indian companies seeking to operate in jurisdictions with strict privacy standards.
5. Strengthening Individual Rights and Consent:
The legislation equips individuals, referred to as data principals, with several rights:
The ability to access personal data held by data processors
The right to correct or delete inaccurate or outdated information
Mechanisms for filing complaints and seeking redress
The right to appoint a nominee to act on their behalf in cases of incapacity or death
These rights create a rights-based legal environment where individuals are not passive data subjects but active participants in data governance.
6. Defining Duties of Data Fiduciaries: The Act introduces clear obligations for entities (data fiduciaries) that collect and manage personal data. These include adhering to principles of lawful processing, ensuring data is collected only for necessary purposes, and maintaining robust security measures to prevent misuse or leakage. Moreover, the establishment of a Data Protection Board of India serves as a regulatory body to oversee compliance and address violations.
7. Enhancing Confidence in Digital Governance: Initiatives like DigiLocker, Aadhaar, UPI, and CoWIN form the backbone of India’s digital public infrastructure. For citizens to meaningfully engage with these services, there must be a sense of security and confidence that their personal data is protected. The DPDPA bolsters public trust, ensuring transparency in how personal data is processed and safeguarded.
8. Combating Digital Threats and Misuse of Data: The frequency and complexity of cyber threats, ranging from data breaches and phishing to identity theft, have increased dramatically. The DPDPA acts as a legal safeguard, ensuring that entities report data breaches in a timely manner, take preventive steps, and face penalties for negligence or non-compliance. This helps establish a culture of responsibility and deterrence in the digital space.
Abstract
In today’s digital landscape, personal data has become a highly valuable asset. As more individuals share sensitive information online through digital platforms and services, ensuring the privacy and security of such data has become a pressing concern. The Digital Personal Data Protection Act (DPDPA), 2023, passed by the Indian government, introduces a comprehensive legal framework aimed at protecting the personal data of individuals across the country. This guide explores the types of data covered by the law and the broader implications of India’s latest data protection regime.
The DPDPA 2023 is a pivotal piece of legislation that strengthens data privacy rights in India. Officially implemented on September 1, 2023, the Act applies to all entities, domestic or foreign, that handle or process the personal data of individuals located in India. Its objective is to ensure that digital interactions and services respect individuals’ right to privacy and manage data with accountability and transparency.
Definition of Personal Data under the DPDPA
According to the Act, personal data refers to any information that is connected to a real person and enables their identification—either directly or indirectly—using specific markers such as names, identification numbers, geolocation, or digital identifiers. The law takes a broad view of personal data and includes the following types of information:
Full name, residential address, phone numbers, and email addresses
Date of birth and gender
Banking and financial information, such as account details and card numbers
Digital activity, including browsing patterns and search history
Social media interactions, including shared content and messages
Location information, such as GPS coordinates or mobile-based tracking data
Scope of Data Protection under the Act: The DPDPA safeguards personal data that is handled within India, regardless of where it was originally collected. Additionally, the law extends its jurisdiction to cases where personal data of Indian citizens is processed outside India, ensuring global applicability when Indian data subjects are involved.
However, the Act outlines specific exclusions where it does not apply. These include:
Data processing carried out for national security or law enforcement purposes
Information collected and used solely for journalism, literary work, or creative expression
Data used for personal or domestic purposes (e.g., maintaining family photo albums, private address books, etc.)
Abstract
India’s dynamic digital transformation has reached a pivotal juncture with the enactment of the Digital Personal Data Protection (DPDP) Act, 2023. Initially introduced as the DPDP Bill, 2022, the legislation was approved by the Union Cabinet on July 5, 2023, and subsequently tabled during the Monsoon Session of Parliament beginning July 20. The Bill progressed swiftly through both houses, receiving approval in the Lok Sabha on August 7 and in the Rajya Sabha on August 9, before obtaining Presidential assent on August 11, 2023. With this final approval, it was formally established as the Digital Personal Data Protection Act, 2023. However, the Act is yet to come into force, pending notification from the central government.
The DPDP Act now forms a critical part of India’s broader digital regulatory framework, alongside the Digital India Bill and the draft Indian Telecommunication Bill, 2022. Together, these initiatives mark a significant step toward establishing comprehensive governance and protection of personal data in India’s rapidly expanding digital ecosystem.
The Digital Personal Data Protection Act (DPDPA), 2023, marks a landmark moment in India’s legal landscape, aiming to safeguard individuals’ privacy in the digital era. Officially enforced on September 1, 2023, the Act applies to all organizations, public and private, that collect, manage, or process personal data of Indian citizens.
The legislation governs the handling of personally identifiable information by both government bodies and private enterprises in the course of delivering goods and services. Such data is often used to personalize user experiences through targeted marketing, service customization, and product recommendations. However, unchecked or irresponsible use of this information can pose serious risks, undermining the fundamental right to privacy and potentially leading to consequences such as financial loss, reputational damage, or unfair profiling of individuals. The Digital Personal Data Protection Act outlines valid grounds for processing personal data and defines the rights individuals have to ensure their information is protected. It governs data usage both online and offline within India and also applies to the processing of data related to goods or services offered outside India.
Moreover, the Act lays the groundwork for future legislation, including the proposed Digital India Act and sector-specific data protection regulations. It aims to strike a balance between facilitating collaboration with international businesses and safeguarding sensitive personal information. Notably, this is India’s first national law to use gender-specific pronouns such as “she” or “he” when referring to individuals, reflecting a more personalized and human-centric approach to data protection.
Case laws
1. Syngenta India Ltd. vs. Union of India (1 July, 2009)
In this landmark case, Syngenta India Ltd. challenged a decision by the Indian government regarding the registration of a pesticide product, Emamectin Benzoate 5% SG, which was also manufactured by a competitor, Jaishree Agro Industries Ltd. Syngenta had originally submitted proprietary data during its own registration process and objected to the regulatory authority’s subsequent approval of the same product for another company.
The crux of Syngenta’s argument was based on the concept of “data exclusivity”. The company contended that the government had unfairly relied on its confidential data when granting product registration to its competitor, and such use violated Article 39.3 of the TRIPS Agreement, which protects against the unfair commercial use of proprietary data. They also referred to recommendations from the Reddy Committee Report, which had suggested stronger protection for regulatory data.
However, the Delhi High Court, presided over by Justice S. Ravindra Bhat, rejected the petition. The court observed that Syngenta was essentially seeking a policy declaration under the guise of a legal challenge, something outside the judiciary’s domain. Justice Bhat clarified that Article 39.3 of TRIPS does not mandate exclusive rights over regulatory data, nor does it prevent governments from relying on such data for public regulatory purposes. The court emphasized that TRIPS requires protection against “unfair commercial use,” not complete exclusivity.
Terming the petition as speculative and outside the scope of judicial review, the court dismissed it and imposed costs on Syngenta, signaling disapproval of the attempt to use the legal system to influence regulatory policy.
2. Justice K. S. Puttaswamy (Retd.) v. Union of India (2017): A Landmark Judgment on the Right to Privacy
This historic case emerged in response to the Government of India’s rollout of the Aadhaar scheme, which required individuals to provide biometric and demographic data to access welfare schemes and government services. Justice K. S. Puttaswamy, a retired judge of the Karnataka High Court, filed a writ petition challenging the constitutional validity of Aadhaar, arguing that it violated an individual’s right to privacy, especially in the absence of a robust legal framework for data protection.
The government’s position rested on earlier Supreme Court decisions in M.P. Sharma (1954) and Kharak Singh (1962), which had held that the Indian Constitution does not explicitly guarantee a right to privacy. Therefore, the State argued, there was no legal barrier to collecting and using biometric data for welfare delivery. To address this fundamental issue, a nine-judge Constitution Bench of the Supreme Court of India was convened. On August 24, 2017, the Court delivered a unanimous verdict that fundamentally reshaped Indian constitutional law. It held that the Right to Privacy is a fundamental right, inherent in Article 21 (Protection of Life and Personal Liberty), and closely linked to Articles 14 (Right to Equality) and 19 (Freedom of Speech and Expression).
The Court emphatically overruled the earlier decisions in M.P. Sharma and Kharak Singh, declaring them outdated and inconsistent with contemporary democratic values. It asserted that privacy is essential to human dignity, personal autonomy, and freedom in a digital society. The judgment extended the concept of privacy beyond physical spaces to include informational privacy, granting individuals the right to control their personal data.
However, the Court also clarified that the right to privacy is not absolute. It may be restricted by the State, but only under strict conditions:
1. There must be a legitimate aim or public interest,
2. Any limitation must be proportionate to the need, and
3. It must follow due process.
This ruling not only addressed concerns over Aadhaar but also laid the constitutional foundation for future data protection laws in India—most notably, the Digital Personal Data Protection Act, 2023, which was later enacted to regulate personal data in the digital age.
Justice K. S. Puttaswamy v. Union of India (2017) affirmed that the right to privacy is a constitutionally protected fundamental right. It represents a transformative moment in Indian legal history and remains the cornerstone of India’s data protection and privacy framework.
FAQs
Q1. Which law currently regulates digital personal data in India?
Answer:
India currently regulates digital personal data through the Digital Personal Data Protection Act, 2023. This law establishes a comprehensive framework for the processing, protection, and privacy of personal data. It overrides certain provisions and rules under the earlier Information Technology Act, 2000, marking a significant shift towards a dedicated data protection regime in the country.
Q2. When was the DPDP Act enacted?
Answer: The Digital Personal Data Protection Bill was introduced in the Lok Sabha on August 3, 2023. It was passed by the Lok Sabha on August 7 and by the Rajya Sabha on August 9, 2023. The Bill received Presidential assent on August 11, 2023, officially becoming law. This marked a major development in India’s data protection regime, bringing long-awaited regulatory clarity to digital privacy.
Q3. What is considered “Personal Data” under the DPDP Act?
Answer: Under the DPDP Act, “Personal Data” refers to any data about an individual that can be used to identify that person, either directly or indirectly. However, anonymised data, which cannot identify an individual, does not qualify as personal data under this Act.
