Author: Nehal Saxena, Christ University, Delhi NCR
To The Point
The Digital Personal Data Protection Act, 2023 marks a major shift in how personal data is viewed and handled in India. At its heart, the law is about giving people more control over their personal information in the digital world. It defines clear roles: you, the individual, are the Data Principal, and the entity that collects and processes your data—be it a tech company, hospital, school, or government department—is the Data Fiduciary. Under this law, data cannot be collected without your explicit and informed consent, and even if you give consent, you have the right to withdraw it later. You can ask for your data to be corrected or even deleted, and you must be informed about why your data is being collected, how it will be used, and for how long.
One of the biggest highlights is that the Act is built around individual rights—making it legally mandatory for companies to respect your privacy. The recently established Data Protection Board of India, for instance, will hear your complaint and have the authority to impose severe fines if your data is abused or disclosed. The Act also lays out penalties for organisations that fail to comply with data protection rules, especially if it results in harm to the Data Principal.
However, the law does allow the government to bypass some of these safeguards under certain grounds like national security, public order, or emergencies. This has raised concerns that privacy rights could be overridden too easily. Still, for the average citizen, the law introduces clarity and rights where there were none before. It empowers individuals and makes data handlers more accountable. In an era where apps, platforms, and services collect our data round the clock, this law is India’s attempt to strike a balance between digital innovation and personal privacy. It isn’t perfect, but it is a necessary step towards a more responsible digital ecosystem.
Use of Legal Jargon
The Digital Personal Data Protection Act, 2023 introduces a new legal framework that leans heavily on specific terms to clearly define the digital rights and duties of all parties involved. Let’s break this legal jargon down into simple, human language. The first big term is “Data Principal”—that’s you. The Act gives you certain enforceable rights, such as the right to access your data, the right to correction, the right to erasure, and the right to withdraw consent. These rights are not just technical; they reflect your right to privacy under Article 21 of the Indian Constitution. Next comes the “Data Fiduciary”, which refers to any person or organisation—like a tech company, bank, hospital, or even the government—that determines how and why your personal data is processed. The word “fiduciary” is legally important. It implies a relationship of trust and responsibility, similar to how a lawyer or trustee is expected to act in your best interest. So, a Data Fiduciary isn’t just using your data—they are legally bound to protect it and use it fairly.
Another key term is “Consent”. Under the Act, your consent must be free, informed, specific, and unambiguous. No more vague checkboxes or hidden terms. The law requires that you be told exactly why your data is being collected and how it will be used—this is called “Notice and Purpose Limitation”. If the purpose changes, fresh consent must be taken. There’s also a term called “Deemed Consent”, which allows data to be used without asking you in certain situations, like during a medical emergency or for legal proceedings. While this makes sense in some cases, overuse of this clause could dilute the principle of informed consent.
Finally, the Act establishes a Data Protection Board of India—a regulatory body that will handle complaints, conduct inquiries, and impose penalties. Though it’s meant to ensure accountability, concerns have been raised over its independence, since it is appointed and overseen by the Central Government. In simple terms, the legal jargon in this law sets up a balance of rights and duties, but how fairly it’s interpreted will determine if that balance truly protects the individual.
The Proof
The Digital Personal Data Protection Act, 2023 isn’t just a well-worded piece of legislation—it’s backed by years of legal, social, and technological developments that prove the need for a strong data protection law in India. First came Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), where the right to privacy was declared a fundamental right under Article 21 of the Indian Constitution. This decision laid the groundwork for India to finally move toward a formal data protection regime. Before this Act, there was no clear or comprehensive law in India that governed how personal data could be collected, stored, or used. People’s sensitive information—be it health records, financial details, or location data—was at the mercy of vague IT rules and inconsistent platform policies. Next came several public and judicial concerns—from the misuse of Aadhaar data, to major data leaks by platforms and banks, to children’s privacy issues on social media. Each event made it clear: our digital footprints are vulnerable, and we need legal protection that matches the scale of data being generated every day.
Internationally, countries have already moved ahead. The European Union’s GDPR (General Data Protection Regulation) set a global benchmark for individual data rights. India’s new law draws inspiration from such frameworks, showing that the world is moving towards user-centric digital governance. From a policy angle, multiple expert committees—especially the Justice B.N. Srikrishna Committee Report (2018)—had pushed for a strong data protection law. The report argued that in the digital age, privacy is non-negotiable, and laws must reflect this by putting citizens, not companies, at the center. The Act’s introduction proves the Indian government is acknowledging this shift. By defining user rights, penalties, consent mechanisms, and a regulatory board, it attempts to plug the gap between unchecked data use and individual protection. While it still faces criticism for loopholes, especially regarding government exemptions, the Act itself is proof of a maturing digital democracy—one that is beginning to take privacy seriously, at least on paper.
Abstract
We live in a world where we constantly share our lives online—knowingly or unknowingly. Whether we’re booking a cab, shopping online, checking into a doctor’s clinic, or simply scrolling through social media, our personal data is being collected every second. But who owns that data? Who’s responsible if it gets leaked, misused, or sold? Until 2023, India didn’t have a clear legal answer. That changed with the introduction of the Digital Personal Data Protection Act, 2023. This law is India’s first real step toward giving people more control over their own data. It says that your data is yours—you should know who’s using it, why they’re using it, and for how long. It also gives you the right to say “no” if you don’t want to share it. These may seem like basic things, but in a digital world where personal information is gold, they’re powerful protections.
The Act introduces some key ideas. You’re called a Data Principal, and the person or company using your data is a Data Fiduciary. This Fiduciary is expected to handle your data with care and fairness. If something goes wrong, you can file a complaint, and a new Data Protection Board of India will step in to help. This sounds reassuring—but there’s another side too. One of the biggest concerns with the law is that the government has kept a door open for itself. It can exempt certain agencies from following these rules, using broad terms like “public order” or “national interest.” That means your data may still be vulnerable to state surveillance or misuse, especially without strong checks in place. So, is this law a win for our privacy or just a partial promise? In this article, we break down the Act in simple terms—what it promises, how it works, and where it might fall short. Because at the end of the day, this law is not just about data—it’s about trust in a digital society. And that trust needs more than just fine print; it needs real accountability.
Case Laws
To understand the importance and impact of the Digital Personal Data Protection Act, 2023, we need to look at how Indian courts have viewed privacy and data in the past. Here are three key cases that shaped the idea of digital privacy and led to the need for this law.
1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)
This landmark case laid the foundation. According to the Supreme Court, the right to privacy is guaranteed by Article 21 of the Constitution as a fundamental right. The right to govern your personal data is part of privacy, according to Justice Chandrachud, who wrote the majority opinion. This case came in response to growing concerns about Aadhaar, and it became a turning point. After this ruling, the government could no longer ignore the need for a proper data protection law. The judgment became the moral and constitutional backbone of the DPDP Act.
2. Internet Freedom Foundation v. Union of India (2021) (Aadhaar and data misuse concerns)
In this case, civil society groups challenged the government’s widespread collection of personal data through various digital platforms, especially when people were being forced to link Aadhaar with services like SIM cards, bank accounts, etc. The argument was simple: If people don’t have a real choice, consent isn’t meaningful. The court didn’t strike down these practices but reminded the State that consent must be free and informed. This highlighted how easily data can be misused when strong legal safeguards are missing.
3. Vinod Kumar v. Government of India (Delhi HC, 2022)
This lesser-known case dealt with a man whose personal data (related to health) was leaked by a government hospital. He sought compensation and action against the institution. While the High Court acknowledged the harm, it couldn’t offer strong relief due to the lack of a clear privacy law at the time. This case exposed the legal vacuum in India when it came to digital privacy. Cases like this are exactly why the DPDP Act was long overdue.
These cases together show that privacy isn’t just a legal theory—it’s a real-world concern. And the DPDP Act tries to fill the legal gap these cases exposed.
Conclusion
The Digital Personal Data Protection Act, 2023 is a long-overdue and necessary step in the journey towards protecting our privacy in an increasingly digital India. For far too long, personal data—our names, bank details, health records, browsing habits—has been treated casually by companies and, at times, even by the government. This law finally acknowledges what people have been saying for years: our data is not just information—it’s a part of our identity. At its best, the Act offers a simple promise: your data belongs to you. It gives people the right to say “yes” or “no” to how their data is used. It asks companies to be responsible, to stop hiding behind vague policies, and to start treating users like real people with real rights. It creates a space for grievances to be heard and penalties to be imposed, ensuring some degree of accountability.
But that promise comes with some fine print. The biggest concern is the power the law gives the government to exempt itself or certain bodies from its provisions. While national security and public order are important, these terms are so broad that they can easily be misused. Without strong oversight, we risk replacing private data misuse with state overreach. That’s not the kind of protection people fought for after the Puttaswamy judgment. Also, the independence of the Data Protection Board is still in question. If the body meant to protect citizens is controlled by the same authorities it is supposed to regulate, the entire system becomes less effective. Accountability must go both ways—for the private sector and the State.
In short, the DPDP Act is a good beginning, but not the final answer. It has laid the foundation for a more responsible digital environment, but it will only work if it’s implemented with transparency, checks, and public involvement. Privacy is not just a legal concept—it’s about dignity, safety, and trust. And for a country as digitally active and diverse as India, this law must grow stronger with time, not weaker. Because in the end, protecting data means protecting people.
FAQs
1. What is the main objective of the DPDP Act, 2023?
It ensures that companies, apps, and even the government can’t use your data without your permission. It’s basically saying: “Your data, your rules.”
2. Can I ask a company to delete my personal data?
Yes, absolutely. If a company no longer needs your data or you withdraw your consent, you can ask them to delete it, and they’re legally required to do so—unless they’re keeping it for legal reasons. It’s your right to walk away from a digital service without leaving behind your personal info.
3. What happens if my data is leaked?
You can report to the Data Protection Board of India if your personal information is being exploited. The Board has the power to investigate, hear your side, and penalise the organisation responsible. You’re no longer helpless if your data ends up in the wrong hands.
4. Does this law apply to the government too?
This is where it gets tricky. Yes, the law applies to the government, but there’s a catch—it allows the Central Government to exempt itself or its departments for reasons like “national interest” or “public order.” That means, in some cases, your data could still be collected without your full consent.
5. Do small businesses and apps also have to follow this law?
Yes, all businesses that collect and use personal data must comply. However, some smaller businesses may get certain relaxations, especially if they don’t process sensitive or large volumes of data. But even they must be clear about why they’re collecting your data and what they’re doing with it.