Author: Ayushi Raj, Himachal Pradesh National Law University, Shimla
To the Point
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a pivotal moment in India’s legislative journey toward a comprehensive data privacy regime. Enacted in the aftermath of the Supreme Court’s landmark decision in Justice K.S. Puttaswamy v. Union of India (2017)—which recognised the right to privacy as a fundamental right under Article 21—the Act establishes a legal framework for the collection, processing, storage, and protection of digital personal data. Drawing significantly from international instruments such as the European Union’s General Data Protection Regulation (GDPR), the DPDP Act aims to strike a careful balance between individual autonomy and economic development. It facilitates the expansion of India’s digital economy while also acknowledging the intrinsic value of privacy in a democratic society. Nevertheless, the law has not escaped critique; scholars and civil society actors have raised concerns over the scope of state exemptions, lack of transparency in regulatory mechanisms, and the centralised control exercised by the executive in implementation and enforcement.
Use of Legal Jargon
The DPDP Act introduces a new lexicon of legal terminology critical to understanding the evolving data protection ecosystem in India. At the core is the Data Fiduciary, defined as any individual, company, or entity that determines the purpose and means of processing personal data. The Data Principal is the person to whom the data relates and is vested with key rights including access, correction, erasure, and grievance redressal. To manage these rights effectively, the Act provides for Consent Managers—neutral entities that assist individuals in granting, managing, and withdrawing consent. Additionally, the Act introduces the concept of Significant Data Fiduciaries, who are subject to enhanced compliance obligations based on the nature and scale of data handled, risk to data principals, and impact on critical infrastructure or national interest. The Data Protection Board of India is established as a statutory regulatory authority responsible for overseeing compliance, adjudicating disputes, and imposing penalties. Notably, the Act allows data to be processed without consent under a category termed Legitimate Uses, which includes instances such as national security, legal compliance, and public interest. While operationally necessary, this exception has been criticized for being overly broad and susceptible to misuse.
The Proof
The Digital Personal Data Protection Act, 2023 received the assent of the President of India on August 11, 2023, following its passage in Parliament. This legislative milestone is constitutionally anchored in Justice K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1], where the Supreme Court articulated privacy as an integral facet of the right to life and personal liberty. The DPDP Act incorporates globally accepted principles such as informed and specific consent, purpose limitation, storage limitation, and accountability. Among its key features are robust rights for Data Principals, including the right to data correction, erasure, portability, and the nomination of legal representatives in the event of incapacity or death. The Act also provides for the establishment of a centralized Data Protection Board, tasked with monitoring compliance, resolving grievances, and levying penalties where necessary. Another notable provision permits cross-border data transfers to countries notified by the central government, reflecting a pragmatic stance toward global data flow. However, the legislation has attracted criticism for its sweeping exemptions granted to government entities, which allow for data to be processed without consent in cases related to sovereignty, national security, or public order. These exceptions have raised significant concerns among legal experts and digital rights advocates regarding the potential for overreach and lack of accountability.
Abstract
The Digital Personal Data Protection Act, 2023 is a landmark addition to India’s digital legal infrastructure, signifying a shift from fragmented sectoral regulations to a cohesive data protection framework. Enacted in response to constitutional and international developments that underscore the importance of privacy, the Act aims to empower individuals through codified rights over their personal data while placing binding obligations on entities engaged in data processing. Its alignment with global norms—particularly the GDPR—demonstrates India’s commitment to ensuring responsible data governance in an increasingly interconnected world. However, the Act is not without its critics, who point to its heavy reliance on executive discretion, the limited independence of its regulatory authority, and the absence of robust remedies for affected individuals. This article critically examines the provisions of the DPDP Act in light of judicial precedent, comparative international standards, and the emerging challenges of the digital age, offering insights into its potential impact on India’s constitutional values and digital economy.
Case Laws
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
This landmark nine-judge bench judgment by the Supreme Court of India held that the right to privacy is a fundamental right protected under Article 21 of the Constitution. The decision laid the constitutional foundation for enacting data protection legislation by recognizing privacy, including informational privacy, as intrinsic to personal liberty and dignity. It also emphasized that any interference with privacy must meet the test of legality, necessity, and proportionality, making it the jurisprudential backbone of the Digital Personal Data Protection Act, 2023. The judgment has since been repeatedly invoked in data rights litigation and policy discussions.
People’s Union for Civil Liberties (PUCL) v. Union of India (1997) 1 SCC 301
In this earlier privacy-related case, the Supreme Court addressed the issue of telephone tapping and held that the unauthorized interception of communications without adequate procedural safeguards amounts to a violation of the right to privacy. The Court stressed the importance of prior authorization and proportional state action, creating a precedent for regulating state surveillance activities. The principles from this case support the argument that digital data interception and collection must be legally justified, thereby reinforcing the need for statutory data protection measures like the DPDP Act.
Girish Ramchandra Deshpande v. Central Information Commissioner (2013) 1 SCC 212
This case concerned the disclosure of personal information under the Right to Information (RTI) Act. The Supreme Court ruled that information which relates to the personal life of an individual and has no relation to public interest cannot be disclosed unless there is an overriding public interest. The ruling recognized the individual’s right to control the dissemination of their personal information and has since been cited in arguments involving data privacy and the protection of sensitive personal information under emerging data protection laws.
Anuradha Bhasin v. Union of India (2020) 3 SCC 637
Although primarily concerned with internet shutdowns in Jammu and Kashmir, this judgment reaffirmed constitutional principles of proportionality and procedural fairness in restricting access to the internet and digital platforms. The Court held that indefinite restrictions on internet services are unconstitutional and must be based on necessity and subject to judicial review. While the case did not deal directly with data protection, its emphasis on proportionality in regulating digital rights is relevant to the enforcement standards under the DPDP Act, particularly concerning data processing and government exemptions.
Internet Freedom Foundation v. Union of India (2022, Pending)
This ongoing litigation challenges the legality of certain government surveillance measures and the lack of robust data protection mechanisms. Filed by the Internet Freedom Foundation and other digital rights groups, the case raises concerns about the arbitrary use of state power to access and store personal data without consent or judicial oversight. The litigation has become a focal point for public debate on the need for comprehensive data protection legislation, strengthening the case for the DPDP Act and pushing for more transparent and accountable implementation practices.
Conclusion
The Digital Personal Data Protection Act, 2023 signifies a major turning point in India’s legislative landscape, giving legal recognition to the individual’s right to informational privacy. Rooted in constitutional principles affirmed by the Supreme Court in Justice K.S. Puttaswamy v. Union of India, the Act aspires to balance personal autonomy with digital innovation. It introduces mechanisms for informed consent, empowers individuals with rights such as data access, correction, and erasure, and sets obligations for entities handling personal data. Drawing from global standards like the GDPR while tailoring its approach to domestic needs, the Act attempts to provide a unified framework for data governance in India. It marks a move toward transparency, accountability, and user-centric data practices.
However, despite its strengths, the Act’s efficacy will depend heavily on its implementation. The wide-ranging exemptions granted to government bodies, the lack of independence in the constitution of the Data Protection Board, and the absence of clear provisions for individual compensation raise valid concerns about potential overreach and insufficient redress mechanisms. Additionally, the executive’s unchecked rule-making powers could dilute the protective intent of the legislation. Moving forward, India must prioritize transparency, institutional independence, and judicial oversight in enforcing this law. Amendments should also address current gaps—such as safeguards around cross-border data transfers and stronger remedies for violations. The DPDP Act is a critical foundation, but its true potential will be realized only through vigilant interpretation, active civil engagement, and a commitment to upholding the democratic values it seeks to protect.
FAQs
Q1. What is the objective of the Digital Personal Data Protection Act, 2023?
The primary objective of the DPDP Act is to provide a legal framework for the protection of digital personal data, ensuring that individuals (Data Principals) have autonomy over how their data is collected, processed, stored, and shared. It seeks to balance privacy rights with the need to enable innovation, ease of doing business, and government functions.
Q2. Who are Data Principals and Data Fiduciaries under the Act?
A Data Principal is the individual to whom the personal data relates. A Data Fiduciary is any entity or person who determines the purpose and means of processing this data. Significant Data Fiduciaries are a subset of these entities, subject to enhanced compliance due to their scale or impact.
Q3. Is consent mandatory under the DPDP Act?
Yes, consent is central to the DPDP framework. Personal data must be processed only with the free, specific, informed, and unambiguous consent of the Data Principal, except in certain “legitimate use” scenarios permitted under the Act (e.g., for national security or legal compliance).
Q4. What rights does the Act confer on individuals?
The Act grants individuals several rights, including the right to access their personal data, the right to correct and erase data, the right to nominate a representative in case of death or incapacity, and the right to grievance redressal through a Consent Manager or the Data Protection Board.
Q5. How will violations of the Act be addressed?
Violations of the Act will be handled by the Data Protection Board of India, which has quasi-judicial powers. The Board can impose penalties, issue directions to fiduciaries, and ensure compliance. However, the absence of a direct right to compensation remains a point of critique.