Authored By: Anuska Maity
Shri Shikshayatan College, Kolkata
INTRODUCTION:
The digital ecosystem is expanding rapidly, and it has transformed how individuals act, communicate, interact and transact. With the rise of internet users and digital platforms such as fintech and e-commerce, data privacy and protection have become a major concern. The Digital Personal Data Protection Act (2023) represents India’s first attempt to provide for the protection of personal data and establish privacy. It was implemented six years after the Supreme Court, in K.S. Puttaswamy v. Union of India (2017), proclaimed privacy as a foundational and crucial right for everyone. The Act balances two important objectives:
They are: (a) maintaining the privacy of an individual’s personal data and (b) aligning with innovation and growth in India’s economy. This article examines in depth how the Digital Personal Data Protection Act addresses privacy, along with its strengths and disadvantages, from a wider perspective.
Legal Framework:
The DPDPA 2023 creates a framework for the protection of every individual. Before the introduction of the Digital Personal Data Protection Act, India depended on the Information Technology Act, 2000. The ITA (2000) had its limitations: it offered safeguards through only a few rules and regulations that were not really useful in today’s digital era. The DPDPA establishes long-term goals on privacy that improve how personal data is collected and stored.
At the core of the Act lies a consent requirement, which obliges data controllers to provide clear data management for individuals.
It ensures accountability, requires notification of any problems or security concerns, and calls for less information storage and record keeping.
The Data Protection Board of India forms a core framework that handles compliance, disputes, etc.
The central government regulates the Board’s independence. Some remaining gaps require future legislative improvement. The government may exempt any agency related to the State from complying with the legal requirements. The Act’s effectiveness depends largely on how its provisions are implemented, interpreted by courts, and balanced against constitutional safeguards. While it is a foundational step in India’s evolving privacy regime, significant gaps remain that may require future legislative refinement and judicial oversight.
KEY FEATURES OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023:
- Consent-Centric Framework
The Act places consent at the heart of data processing. Consent must be:
(a) Free,
(b) Specific,
(c) Informed,
(d) Unambiguous,
(e) Revocable.
This aligns with global privacy frameworks and empowers individuals to exercise control over their personal information. The Act also requires notices to be clear and accessible, avoiding dense, technical jargon that users commonly ignore.
RIGHTS OF DATA PRINCIPALS:
Individuals (data principals) enjoy several rights:
(a) Right to Information about how their data is processed
(b) Right to Access personal data
(c) Right to Correction and Erasure
(d) Right to Grievance Redressal
(e) Right to Nominate another person to exercise rights in case of death or incapacity
However, compared to international standards like the GDPR, the Act does not include:
(a) The Right to Data Portability
(b) The Right to Object to automated decision-making
These omissions limit individuals’ ability to maintain control over their digital identities.
Obligations of Data Fiduciaries:
Entities that process personal data must:
Implement security safeguards,
Prevent breaches,
Inform the Data Protection Board about breaches,
Erase personal data once its purpose is fulfilled, and
Conduct impact assessments and audits if classified as Significant Data Fiduciaries.
This promotes accountability and responsible data governance.
Data Protection Board of India:
The Act establishes a Data Protection Board to enforce compliance, inquire into breaches, and impose penalties. Unlike independent regulators in the EU or UK, the DPB is controlled by the government in terms of appointments and functioning, raising concerns about regulatory independence.
(A) High Penalties for Violations:
Penalties can range from ₹50 crore to ₹250 crore depending on the nature of the violation. This is intended to deter misuse of data and encourage serious compliance, especially among large digital platforms.
(B) Cross-Border Data Transfers:
The Act adopts an approach of “whitelisting”—data can be transferred to countries notified by the government. The absence of strict data localization requirements makes the law business-friendly and conducive to global trade.
(C) Processing of Children’s Data:
For individuals under 18:
Parental consent is mandatory
Behavioral tracking is restricted
Targeted advertising is prohibited
While intended to protect minors, the higher age threshold complicates digital access for teenagers who use online education, gaming, and social media platforms.
STRENGTHS OF DATA PROTECTION ACT:
(a) First broad legal framework:
This is the first Act that provides broad criteria for maintaining privacy for both individuals and companies.
(b) Protection of users:
It allows individuals to control how their data is used, with rights such as access and correction.
(c) Promotion of accountability with strong penalties:
The penalty structure promotes seriousness about the protection of data.
(d) Simple structure and business orientation:
The law is more advanced, shorter, simpler and broader compared to earlier drafts. It is now easier to interpret and reduces direct burdens for startups.
(e) Growth in the digital economy sector:
This Act induces digital growth across India in trade and e-commerce by removing strict localisation and adopting transfer rules.
MAJOR LIMITATIONS AND CONCERNS:
While the Act marks significant progress, its effectiveness is undermined by several structural concerns.
1. Broad State Exemptions:
The government may exempt:
any State agency, or
any class of data,
on grounds such as national security, public order, or crime prevention. These terms are vague and grant sweeping powers to the State, which may lead to:
mass surveillance
intrusive data collection
weak accountability
This contradicts the spirit of Puttaswamy, which emphasized proportionality and necessity when restricting privacy.
2. Lack of Independent Regulator:
Unlike the GDPR’s Data Protection Authorities, India’s DPB is not independent. Government control over appointments raises concerns about:
political influence,
conflict of interest, and
inability to regulate state agencies effectively.
Regulatory independence is fundamental for a credible data protection regime.
3. Absence of Key Privacy Rights:
The Act excludes:
Right to Data Portability
Right to Object to automated processing
Full-fledged Right to be Forgotten
These gaps reduce the law’s effectiveness in safeguarding privacy in an era where algorithmic profiling and AI-based decisions dominate digital interactions.
5. Heavy Reliance on Consent:
In practice, consent fatigue is a real concern—users routinely accept terms without understanding them. Consent cannot be the sole basis for protecting privacy; stronger structural safeguards are needed.
6. Limited Scope:
The Act applies only to digital personal data. Offline data that is later digitized is covered, but sensitive non-digital information remains largely outside regulation.
7. Concerns Over Children’s Rights:
Setting the age of consent at 18 is higher than global standards (usually 13 or 16). This may restrict teenagers from accessing digital services, increase the compliance burden on businesses, and lead to excessive data.
8. Lack of independent regulator:
The DPBI (Data Protection Board) will be constituted under the government, raising doubts over its independence and willingness to enforce the law rigorously, especially against powerful entities or state agencies.
9. Vague language and loopholes:
Terms like “legitimate state purpose,” “public order,” “security,” and “instrumentality of the state” are broadly defined — leaving space for subjective interpretation or misuse.
10. Enforcement still untested:
Because the Act only recently became operational (with rules notified in Nov 2025), we don’t yet know how effectively the DPBI will act, or how proactive companies — or state agencies — will be in compliance.
CONCLUSION:
The Digital Personal Data Protection (DPDP) Act, 2023 stands as one of the most consequential developments in India’s legal and technological evolution, marking the country’s shift towards a structured, legally enforceable privacy regime. In an era where digital ecosystems permeate every aspect of personal, economic, and national life, data protection has become a critical pillar of democratic functioning and individual autonomy. Against this backdrop, the Act’s introduction fills a longstanding policy vacuum and represents a commendable attempt to harmonize India’s rapid digitisation with global expectations around privacy, accountability, and digital rights. Yet, a thorough evaluation reveals that while the DPDP Act is a strong foundational step, significant questions remain about its long-term effectiveness, balance of powers, and implementation integrity.
To begin with, the Act’s strengths are notable and form an essential baseline for any modern data protection regime. It grants individuals a clearly defined set of rights, including the ability to access, correct, erase, and withdraw consent regarding personal data—many of which were unavailable or unenforceable under earlier frameworks. This shift empowers citizens by formally recognising them as “data principals” with agency and control over their data. The Act’s insistence on informed consent, notice-based data processing, purpose limitation, and data minimisation aligns India with established global standards such as the EU’s General Data Protection Regulation (GDPR). By mandating transparency in how personal data is collected and used, the DPDP Act promises to foster trust between users and digital service providers, which is critical for a thriving digital economy.
Another significant strength is the creation of the Data Protection Board of India (DPBI), the central enforcement body responsible for adjudicating breaches, managing compliance, and imposing penalties. The Board’s existence provides an institutional mechanism for grievance redressal, making data protection not merely a theoretical right but a practically accessible one. Furthermore, the Act introduces stringent financial penalties—running into hundreds of crores—for data misuse, breaches, and non-compliance. These punitive measures are designed to deter negligence and compel both public and private entities to adopt robust data governance practices. In a country with hundreds of millions of internet users and rapidly expanding digital businesses, the presence of strong deterrents is essential.
However, despite these powerful features, the Act’s effectiveness is limited by several structural weaknesses, the most notable of which is the broad scope of exemptions granted to the central government and its agencies. The Act allows the government to exempt any of its instrumentalities from key provisions—including consent requirements, data storage limits, and transparency obligations—on grounds such as national security, sovereignty, or public order. These grounds, however, are vaguely defined and open to subjective interpretation. As a result, the government can potentially conduct large-scale data collection and processing without being bound by the safeguards that private entities must follow. This asymmetry risks undermining the fundamental right to privacy recognised by the Supreme Court in the Puttaswamy judgment and raises concerns about unchecked surveillance and limited accountability.
Implementation challenges add another layer of complexity. While large corporations may have the resources to comply with the Act’s data governance requirements, small and medium-sized enterprises (SMEs) could struggle with the technological and financial demands of compliance. This could create uneven adoption across industries and hinder the law’s uniform application. Moreover, the Act’s effectiveness relies heavily on citizens’ awareness of their rights. Without widespread digital literacy, many individuals may remain unaware of the tools available to them, reducing the Act’s on-ground impact despite its legal strength.
Ultimately, the DPDP Act, 2023 is a robust foundation but not a complete or perfect answer to India’s privacy challenges. Its success will depend on how its provisions are interpreted by courts, how assertively the DPBI enforces regulations, and how responsibly the government uses its exemption powers. The Act needs strong institutional support, consistent enforcement, and public education to achieve its full potential. Over time, amendments may also be necessary to address loopholes, strengthen oversight, and ensure the law keeps pace with emerging technologies such as artificial intelligence, biometric surveillance, and cross-border data flows.
In conclusion, India’s new privacy regime is undoubtedly a progressive milestone, laying the groundwork for a more secure and citizen-centric digital future. Yet, its effectiveness remains contingent on balancing individual rights with state interests, strengthening regulatory independence, and fostering widespread awareness and compliance. The DPDP Act is not an endpoint but a significant beginning in India’s ongoing journey toward safeguarding privacy, fostering digital trust, and reinforcing democratic values in a rapidly evolving technological landscape.