Privacy in the Shadows: What the DPDP Act Leaves Unsaid

Authored By: Naukhaiz Aftab

Sankalp Institute of Law

Abstract

India’s Digital Personal Data Protection Act, 2023, is a landmark attempt at inclusive data protection regulation. However, DPDPA’s principle-based approach has led to many opacities that risk undermining its effectiveness. This article examines six critical grey areas: conceptual opacities in key definitions, enforcement gaps in regulatory oversight, cross-border transfer uncertainties, sectoral implementation challenges, AI governance blind spots, and excessive delegated authority. These limitations create compliance vagueness for businesses and organisations while providing meaningful data protection principles. Through virtual analysis with an international framework, this article claims that crucial reform is necessary to realise the Digital Personal Data Protection Act’s privacy protection objective while enabling India’s digital economic growth.

Introduction

The privacy law of India, the Digital Personal Data Protection Act, 2023, develops from an appreciation that personal data has become the “new oil” of the digital economy. While the Act plays a vital role in protecting data and privacy, its lean structure and reliance on future rules have created substantial grey areas that challenge effective implementation. These grey areas affect not merely technical compliance but fundamental questions about the balance between an individual’s right to privacy and legitimate business interests in India’s fast-digitising economy.

Conceptual and Structural Ambiguities

Public Interest

Possibly the biggest problem with the DPDPA is the unclear idea of “public interest” in Section 7. This part of the law lets government groups use a person’s private information without their permission for things like “keeping India safe” or “keeping things in order”. But it does not mention what a true public interest is. This lets government groups do almost anything they want with data.

Such an open-ended idea of public interest is not found in other privacy regulations. For instance, the GDPR under Article 6(1)(e) says that using data for public interest must be “needed to do a public task” and must be backed by a clear law. On the other hand, DPDPA seems to put the government’s ease over a person’s rights.

Important Data Handlers

The law’s way of finding Important Data Handlers shows a big weakness. Section 10 talks about things like “volume and sensitivity of personal data” and “risk to rights of data principal”. But it does not give any clear numbers or ways to figure these things out. This makes it a very hard problem for businesses that are not sure if they have to follow the bigger rules, like getting a data protection officer and having regular checks.

The lack of clear rules is a huge problem because of the big burden on these important data handlers. Companies might be put in this group without a good reason and have to pay a lot of money to follow the rules, while other companies might not have to because the words are not clear.

Harm

The DPDPA’s failure to clearly define the word “harm” represents a critical gap in the framework. Since this idea is used to decide which groups are Significant Data Fiduciaries in Section 10 and how much to fine them in Section 33, not having a clear meaning makes the law hard to use. Groups cannot truly know their risk or put in place the right protections if they do not know what harm is.

This missing meaning is very different from other clear data regulations that give good advice on how to see harm. This helps with fair rule enforcement and gives companies clear rules to follow.

Enforcement and Oversight Deficiencies

Data Protection Board of India

The Data Protection Board of India is not independent enough, which makes it hard to believe it can do its job well. Members of the Board are appointed by government leaders, and the selection committee is made up only of government workers. This is very different from what the Justice Srikrishna Committee suggested, which was to have independent people choosing who gets to be on the Board.

The Board’s lack of independence is a big problem because government groups are also big handlers of data under this law. Without independence, the Board cannot truly keep an eye on the very groups that control its power and how it works.

Grievance Redressal Timeline Vacuum

The law does not have any rules for how fast grievance complaints can be solved. This could mean very long waits for people trying to get their rights fixed. Even though there are draft rules that suggest a six-month time for looking into things, the law itself does not have these time limits. This makes the law weaker when it comes to protecting people’s privacy rights. Other countries’ laws usually have clear time limits for answering people’s requests and for looking into things.

TDSAT’s Jurisdictional Mismatch

The Telecom Disputes Settlement and Appellate Tribunal’s (TDSAT) job of hearing appeals is a bad match. The TDSAT does not have the right knowledge in privacy law and data protection because it was created for problems with phone companies. With 3,448 cases already waiting to be heard, this group already has too much work and will have even more with new data protection appeals.

This choice shows a bigger habit in India of using groups that are already there instead of making new, specific ones for new kinds of problems.

Cross-Border Data Transfer Uncertainties

The Adequacy Framework Absence

No Clear Framework for Data Transfer

The DPDPA uses a hard rule for sending data to other countries, without saying why or how a country might be put on a no-go list. Section 16 says the central government says which countries are restricted, but it doesn’t say how or why these choices are made. This makes things hard for big organisations that need to send data across countries, because they cannot guess what will happen next.

Without a way to say a country is good enough, like the GDPR’s Article 45, legal international data transfers are not clear. Companies don’t have a simple way to follow the rules for sending data across borders. This could slow down India’s part in the world’s digital work.

Extraterritorial Enforcement Gaps

While the law says it can be used for foreign groups that handle Indian people’s private data, it doesn’t have a way to make them follow the rules. It doesn’t talk about how to make foreign groups obey the law or how to work with other countries’ rule-makers. This could create holes in the law for problems that happen between countries.

Sectoral Application Challenges

Regulatory Coordination Confusion

The DPDPA’s interaction with sectoral regulations creates significant uncertainty despite the supremacy clause in Section 38. Businesses that work with money and have to follow rules from the RBI might have problems with the DPDPA’s rules about where data must be kept and how to get permission. There are no clear ways for the Data Protection Board and other groups that make rules to work together, which makes following the rules hard and might let some businesses find ways to get around them.

Children’s Data Protection Implementation Gaps

The law’s parts about keeping children’s data safe are good in theory but don’t have clear directions on how to do it. Section 9 says a parent’s permission must be checked, but it doesn’t say how to check a person’s age or prove they are the child’s parent. The verification methods proposed in the draft rules for 2025 raise concerns about effectiveness, particularly given widespread false age reporting by minors online.

The small fine of ₹10,000 for giving wrong information seems too little to stop people from breaking the rules, which could weaken the whole idea of keeping children safe.

Technical Standards Vacuum

The DPDPA doesn’t have any technical rules for making data anonymous or for using fake names. This makes it unclear how much data is truly safe. Groups that want to make data anonymous to use it for other things don’t have good advice on what to do. This could lead to them not protecting data well enough, and people’s private information might still be easy to find.

AI and Automated

Algorithmic Accountability Absence

The DPDPA says nothing about checking algorithms, which is a big thing that is missing in India’s economy that is driven by AI. Unlike Article 22 of GDPR, which talks about making decisions with computers, this law does not give people any clear rights or protections when algorithms are used on their data.

Recent events show how big this problem is: an NBFC’s AI tool wrongly put over 17,000 people who were not rich into a high-risk group. This shows the clear need for ways to keep an eye on algorithms. The law’s failure to deal with these kinds of situations leaves people in a weak place when a computer makes a wrong or unfair decision about them.

Transparency Rights Deficit

The lack of a right to know why an automated decision was made goes against what is happening all over the world, which is a move towards open algorithms. This problem is especially bad in things like money services and health care, where computer decisions have a big effect on people’s lives but are not clear to the people they affect.

Rulemaking and Delegated Authority Concerns

Excessive Delegation Problems

The DPDPA gives power to make rules for 25 different things to other groups, and it also gives away a lot of other power. This means the law’s full effect will not be known for a long time, and things like how to get permission, what to do when data is lost, and what Important Data Handlers must do are still not clear.

Government Discretion Without Safeguards

The law gives a lot of power to the government without good ways to make sure it is used fairly. For example, Section 17’s power to make exceptions has no rules for making sure the exceptions are right or for a court to check them. This might let the government use this power in an unfair way. This huge giving of power may go against the rules of the country that guide how power can be used.

Stakeholder Impact Assessment

These unclear parts of the law hurt many people. Businesses don’t know for sure how to follow the rules and might be punished for trying to understand parts that are not clear. Small and medium enterprises especially have a hard time with the unclear rules and the cost of complying with them. People are not sure about their rights and how to fix problems, and the people who make sure the rules are followed don’t have good directions for doing their job in the same way for everyone.

This unclear situation makes people less sure about putting money into India and might stop new ideas from growing in India’s digital world. Companies from other countries have a hard time dealing with India’s unsure rules when compared to other countries’ clear laws.

Recommendations for Urgent Reform

Clarify Vague Definitions

Clear definitions are needed quickly for what words like “harm”, “public interest”, and “Important Data Handlers” mean. This should be done with detailed rules and clear explanations.

Changes to the Law

The government should think about changing the law to deal with the need for checking on algorithms, giving people rights for decisions made by computers, and setting technical standards for making data anonymous.

Making the Board Stronger

The Data Protection Board should be made more independent by changing how its members are chosen and by making other changes that give it the power to make its own decisions.

Working Better with Other Countries

India should create rules to decide which countries are good enough to send data to, while still keeping control over how its own data is managed.

Conclusion

The Digital Personal Data Protection Act, 2023, is a good step for India to protect private information, but it has some big problems that might stop it from working well. These uncertain parts are not just small technical mistakes but are deep problems that could stop the law from reaching its two goals, which are keeping people’s private information safe and helping the digital economy grow.

The unclear parts of the law create a situation where things are not sure instead of being clear, which is needed to follow the rules and make sure they are followed. Without a quick fix from clear rules and changes to the law, the DPDPA might become another example of a law that wanted to do good but did not protect people well and put a heavy weight on businesses to follow its rules.

The problems are bigger than just following rules; they are about how people around the world see India’s ability to govern its digital world. As India wants to be a leader in the digital world, how well its data protection law works will greatly change how other countries see its ability to make rules and its promise to protect private rights. Fixing these unclear parts with a full set of changes is not just important for protecting private information but also for keeping India’s digital economy strong in a world that is more and more connected.

