
The Digital Personal Data Protection Act 2023: India’s Milestone in Data Privacy

Authored By: Neeraj Jain

Siksha O Anusandhan National Institute of Law

Introduction

The Digital Personal Data Protection (DPDP) Act, 2023[1] is a new milestone in India's emerging data privacy regime and the country's first comprehensive data privacy legislation for the digital era. Adopted after almost ten years of debate and several versions of the bill, it aims to empower individuals while allowing lawful data processing for economic and social purposes.

Legislative Evolution and Context

The path to the DPDP Act dates back to the Supreme Court's landmark 2017 decision in Justice K.S. Puttaswamy (Retd.) v. Union of India[2], which recognised the right to privacy as a fundamental right under Article 21 of the Constitution. The judgment struck down major aspects of the Information Technology Act, 2000, especially the Sensitive Personal Data or Information Rules, 2011, on the grounds that they lacked a sound legal foundation and left citizens exposed to arbitrary state surveillance.

Before 2023, India had no dedicated data protection law and relied on sector-specific regulations, such as the RBI's data localization requirements for payment systems and the Health Ministry's electronic health record standards. The groundwork was laid by the Justice B.N. Srikrishna Committee report of 2018, followed by the Personal Data Protection Bill, 2019. Concerns over government overreach, data localization requirements and state exemptions, however, led to that bill's withdrawal in 2022. The minimally revised Digital Personal Data Protection Bill, 2023 passed easily through both Houses of Parliament and received Presidential assent on August 11, 2023.

Scope, Applicability, and Core Definitions

The scope of the DPDP Act is deliberately narrow: it regulates only digital personal data, meaning data about an identifiable individual held in electronic form. It does not cover non-digital data, anonymized information (where re-identification is not possible) or non-personal (aggregate) data. The individual whose data is processed is the Data Principal; the entity that decides the purpose and means of processing is the Data Fiduciary (usually a business or other organization); and an intermediary that processes data on the fiduciary's instructions is the Data Processor[3].

The Act also applies extraterritorially: processing carried out outside India is covered where it is directed at individuals in India, which brings foreign entities such as Google and Meta within its reach. Exemptions carve out personal or domestic use, journalistic purposes, and state purposes such as national security, enforcement of legal rights and crime prevention, balancing individual privacy against the wider public interest. Most importantly, the Act prevails over other laws, overriding inconsistent provisions of the IT Act or sector regulations.

Consent Framework: The Cornerstone of Compliance

Consent is the foundation of lawful processing. It must be free, specific, informed, unconditional and unambiguous, and it must be withdrawable. Notices, in English or any Eighth Schedule language, must be itemised and state what data is collected, the purpose of its use, and the principal's rights and remedies. The Act distinguishes consent-based processing from "legitimate uses", for which consent is not required.

Legitimate uses include purposes reasonably anticipated by the principal (e.g. e-commerce order fulfilment), data volunteered by the principal, and disclosures required by the state. Data minimization is enforced through storage limitation, which requires erasure once the purpose is served or consent is withdrawn[4]. Fiduciaries bear the burden of demonstrating that consent was obtained, and their duties of accuracy, security and purpose limitation are continuing ones.

Obligations for Significant Data Fiduciaries

The Central Government notifies Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed or the systemic risk involved; large technology companies or health aggregators are likely candidates. SDFs must appoint a Data Protection Officer (DPO) based in India, conduct periodic Data Protection Impact Assessments (DPIAs) and undergo independent audits. DPIAs assess risks to rights and freedoms and require mitigation of high-risk processing[5].

Other obligations include the designation of consent managers (intermediaries that mediate consent on behalf of principals) and child-specific protections. Breach notifications must be made in plain language to affected principals promptly (without undue delay) and to the Data Protection Board (DPB) within the prescribed deadlines. Non-compliance attracts fines as well as reputational harm.

Rights Empowering Data Principals

Data Principals enjoy strong rights: the right to access information about how their data is processed, the right to correct errors, the right to erasure (the right to be forgotten), and the right to nominate a person to exercise these rights on their behalf in the event of death or incapacity. Withdrawal of consent leads to erasure, except where a legal requirement mandates retention. Grievance redressal is staged: first to the fiduciary, then to the DPB if the complaint is not resolved within the prescribed time frame[6].

Principals also have duties intended to prevent abuse: they must not file false or frivolous complaints or suppress material information, on pain of a fine of up to 10,000. Rights are not absolute; a request can be refused where it would harm others or where granting it would be unlawful.

Heightened Safeguards for Children and Vulnerable Groups

The Act recognises the developmental vulnerability of children: it requires verifiable parental consent for children under 18 and prohibits tracking, behavioural monitoring and targeted advertising directed at them. Processing must not be detrimental to a child's well-being, and guardians may exercise rights on a minor's behalf[7]. This aligns with international standards such as COPPA while being tailored to India's young digital population.

Cross-Border Data Flows and Exemptions

Cross-border transfers are liberalized: data may be transferred to any country except those on a government-notified restricted list, contrary to earlier fears of mandatory localization. Exemptions for government and law enforcement agencies can be invoked only by written notification of the Central Government, which is intended to prevent arbitrary use[8]. Judicial oversight nonetheless remains limited, and concerns persist about whether these exemptions satisfy the proportionality test laid down in Puttaswamy.

Institutional Machinery: The Data Protection Board

The DPB, constituted by the Central Government, is an independent body for inquiry, enforcement and appeals, composed of a chairperson and expert members. It can issue compliance directions, impose fines after a hearing (up to 250 crore) and frame codes of practice. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and then to the High Courts. Critics note the risk of executive influence over the appointment of its members, in contrast to the genuinely independent supervisory authorities under the GDPR[9]. Effective enforcement will depend on the Board's capacity-building.

Global Comparisons and Uniqueness

Unlike the GDPR, the DPDP Act omits data portability, limits on automated decision-making and coverage of offline data, prioritising feasibility. It resembles Brazil's law in its consent-centric approach and imposes lower fines (compared to the GDPR's 4% of turnover). Processors have no direct liability; the fiduciary is primarily liable. India's model favours digital economy expansion over regulatory maximalism.

Business Implications and Challenges Ahead

Compliance requires updated privacy policies, consent management systems and DPIA processes, which may be burdensome for SMEs but give large corporations clearer liabilities. Fintech, edtech and e-commerce firms must adapt quickly, with voluntary industry codes easing the transition, much as under EU adequacy decisions. The benefits are consumer confidence, attraction of FDI and fewer breach disputes. Challenges include delays in rule-making, operationalization of the DPB, compatibility with other regulators (such as the RBI) and judicial review of the exemptions. Capacity disparities among SMEs and uniformity of enforcement loom large. Industry self-regulation could help bridge these gaps[10].

Future Outlook

The DPDP Act positions India as a data privacy leader in the Global South, fostering innovation while protecting more than 1.4 billion people. With full implementation expected by mid-2026, it could seed a privacy-by-design ecosystem and influence global standards[11].

References:

[1] Digital Personal Data Protection Act, No. 22 of 2023 (India).

[2] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).

[3] Press Note, President Gives Assent to Digital Personal Data Protection Bill, 2023, PIB, https://pib.gov.in/PressReleasePage.aspx?PRID=1951000 (Aug. 11, 2023) (official enactment notice).

[4] Justice B.N. Srikrishna (Chair), Comm. of Experts, A Free & Fair Digital Economy: Protecting Privacy, Engaging Citizens Responsibly (2018), https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

[5] The Digital Personal Data Protection Bill, 2023, PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023

[6] Data Protection Impact Assessment Guidelines Under DPDP Act, NASSCOM (2025), https://nasscom.in/knowledge-center/publications/dpdp-dpia-guidelines

[7] Annual Report on Data Breaches in India 2025, Indian Comput. Emergency Res. Team (CERT-In), https://www.cert-in.org.in/PDF/Annual_Report_2025.pdf

[8] Digital Personal Data Protection Act, 2023: Key Features and Implications for Data Privacy in India, LexComply, https://lexcomply.com/blog/digital-personal-data-protection-act-2023-key-features-and-implications-for-data-privacy-in-india/

[9] Summary – The Digital Personal Data Protection Act, 2023, Data Security Council of India, https://www.dsci.in/files/content/documents/2023/DSCI%20Summary-DPDP%20Act,%202023.pdf

[10] Digital Personal Data Protection Act, 2023, Wikipedia, https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023

[11] The Digital Personal Data Protection Act, 2023 – A Legal Analysis, 11(3) L. J. Rsrch. & Analysis 1 (2025), https://www.lawjournals.org/assets/archives/2025/vol11issue3/11064.pdf
