
Data Privacy in India: A Critical Analysis of the Digital Personal Data Protection Act, 2023

Authored By: Anamaya S P

The Kerala Law Academy Law College

Introduction

Data has been established as an extremely valuable resource in the modern era. Reliance on digital technology in India has been increasing, which makes data privacy of utmost importance for Indians. The right to privacy was recognised as a fundamental right by the judgment of the Supreme Court of India in Justice K. S. Puttaswamy (Retd.) v. Union of India. In this case, a nine-judge bench of the Supreme Court of India held that the right to privacy is fundamental to the right to life and personal liberty under Article 21 of the Constitution and necessary for human dignity, independence and freedom.[1]

As concerns about protecting personal data have been increasing, the need for legislation to ensure citizen rights has become urgent. Based on these concerns, Parliament enacted the Digital Personal Data Protection Act, 2023, in order to regulate data processing, protect individuals from misuse of their personal data and ensure accountability, thus protecting citizen rights. However, the development of new technologies raises issues regarding the adequacy of existing legislation. This paper looks at the development of data privacy in India and discusses how effective the Digital Personal Data Protection Act, 2023 has been.

Evolution of data privacy in India

Previously, India relied on the Information Technology Act of 2000 to manage privacy, but that law eventually proved insufficient, since it was meant to apply to businesses working with sensitive information.[2] A need arose for data protection laws that would address citizen privacy. One example of this need emerging came after the Supreme Court ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). The major question presented was whether privacy is a fundamental right under Part III of the Constitution of India, and the court made a significant ruling that privacy is a fundamental right under Article 21 of the Constitution; this was one of the major changes made at the time.[3] However, even after that, there was no extensive law on the right to privacy, and this posed an issue. Following the ruling, it became evident that a legal instrument was needed to ensure digital privacy in India, and, recognising the importance of privacy today, the Indian government developed the Digital Personal Data Protection Act, 2023. The law was introduced before the legislature on 3rd August, 2023, enacted into an Act on 7th and 9th August, and came into force on 11th August, 2023. Although the Act provides the necessary framework for modern India, there is still the issue of enforcing the regulations needed to put the Act into action. In this regard, on 3rd January, 2025, the Ministry of Electronics and Information Technology published the DPDP rules, which were finalised in a notification issued on 13th November, 2025.[4] These have made the Act more operational and provided the clarity needed to comply with the regulations. The rules helped resolve some ambiguities surrounding the Act and put in place procedures for consent, notice obligations, data breach notifications and others that have made the data privacy regime operable.

Overview of the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 is an act enacted by Parliament to regulate the processing of digital personal data in India. It aims to protect individuals’ personal data and the use of such data for lawful purposes, and matters related thereto. The act places obligations on a data fiduciary, which includes any person, company or organisation that decides why and how personal data is processed. Personal data includes any information that can be used to identify an individual directly or indirectly. The act applies to the processing of digital personal data both territorially and extraterritorially; it applies extraterritorially when the processing relates to the offering of goods and services to a data principal who lives within India. A data principal is defined as the individual to whom the data pertains and who is within the territory of India. The act applies only to digital personal data and to data that is collected offline and subsequently digitised.[5]

Core provisions of the Digital Personal Data Protection Act, 2023

The DPDP Act provides several provisions for the protection of citizens’ privacy.

Consent-based data processing

Under the act, a data fiduciary has several obligations to be satisfied before the collection of data from the data principal.

The data fiduciary can access personal data only if the data principal has given consent for processing it; otherwise, the data can be processed only for the legitimate uses that are defined in the act. The data principal must be given notice before consent is obtained, and the consent must be given freely, specifically, and through positive action; it can be withdrawn at any time.[6]

Right of a data principal

A data principal has several enforceable rights, such as the right to access information from the data fiduciary to which he has given consent to process his personal information, the right to correction and erasure of the data, the right to grievance redressal, the right to nominate anyone to act on his behalf, and transfer of data outside the territory. The data principal also has to follow several duties, and several exceptions exist.[7]

Data Protection Board of India and penalties

The Data Protection Board is a body created by the central government to address violations of the act, ensure compliance and enforce its provisions. If the Data Protection Board of India finds that a person or entity has violated any provision of the act, the board can impose a monetary penalty as per the schedule.[8]

Obligations of a data fiduciary

The act imposes several obligations on the data fiduciary. The data fiduciary is responsible for the users’ data. The company must ensure that the data obtained is correct, complete, and updated, and it must protect the user’s data using security systems and proper protection aids, among other measures. Larger companies have extra, stricter obligations.[9]

Overall, the act provides a comprehensive and effective framework for the protection and regulation of data processing in India, thereby enhancing privacy rights under the act.

Critical analysis

Even though the act claims to be effective, several concerns exist regarding its implementation and effectiveness. The following are the key issues raised.

Government exemptions – Section 17 of the DPDP Act provides certain exceptions under which certain provisions of the Act will not apply to government functions, legal purposes, national security, research, and financial and corporate matters. The central government can exempt state agencies and several data fiduciaries from some parts of the act. The central government also has the power to grant temporary exemptions to any data fiduciary for a specified period.[10] Although this provision makes the act flexible, there is a higher chance of these provisions leading to misuse of power, which would lead to excessive collection of data, violating the right to privacy recognized in Puttaswamy v. Union of India, where the court held that any infringement of privacy must be proportional and not excessive.[11]

Effectiveness of consent mechanism – The DPDP Act provides a strong mechanism for the data fiduciary to obtain consent from the data principal; however, certain concerns have been raised about it. Users usually ignore the consent request and click “agree” without reading it, because of excessive consent notice requirements and complex privacy policies. Section 9 of the act deals with the verification of parental consent for anyone under the age of 18, but its effectiveness depends on the problem of verifying whether the consent given is really from the parent.[12]

Limitation of applicability of the act – Section 3 of the DPDP Act covers the applicability of the act and provides that the act applies only to the processing of digital data and of data that is collected offline and digitised later. This raises a major concern for personal data that is collected offline and never digitised.[13]

Data protection board – The DPBI is a body created by the DPDP Act, which is responsible for the protection of personal data and ensuring compliance.[14] For this, the DPBI needs to be independent and should not be controlled by the government, but the act does not clearly ensure its independence, and most of its work is controlled by the government, which makes the board weak.[15]

Cross-border data transfer – Section 16 of the act deals with cross-border data transfer, under which the central government can restrict the transfer of personal data to blacklisted countries.[16] The problem arises from the lack of criteria for blacklisting countries and weaker protection for the transfer of data; this keeps business enterprises in a position of uncertainty and remains a subject of ongoing debate.[17]

Comparative analysis of the DPDP Act with the General Data Protection Regulation (GDPR)

The General Data Protection Regulation is a regulation enacted by the European Union that came into force in May 2018. This legislation is regarded as one of the most comprehensive data protection frameworks in the world. The DPDP Act is India’s first legislation made specifically for the protection of digital personal data, and it draws influence from the GDPR framework; however, the two laws differ significantly in their scope, applicability, and enforcement. The following is a comparison of India’s DPDP Act with EU privacy law.[18]

Scope – The DPDP Act applies to all data that is collected digitally and includes personal data that is collected physically and digitised later, making the reach of the legislation narrower. On the other hand, the GDPR applies to all forms of personal data, whether or not the data is collected through physical means, making the EU regulation more comprehensive and broader in dealing with all forms of personal data.[19]

Applicability – GDPR applies widely outside Europe; it applies to any organization that processes the personal data of European citizens, irrespective of whether the organization is inside Europe or outside, while the DPDP Act applies extraterritorially when the processing of data relates to the offering of goods and services to people in India. This makes the GDPR stricter in its application.

Age of consent for minors – In Europe, under GDPR, an individual can give consent for the processing of their data at the age of 16. However, the regulation allows member states to lower the age of consent to 13, making the provision more flexible across member states. In contrast, in India, anyone below the age of 18 is considered a minor, and without guardian approval, they cannot access it, which limits teenagers from accessing it because of the stricter system requirements.

Rights of individuals – Under GDPR, individuals are referred to as “data subjects” and are granted broader rights, such as accessing their data, correcting mistakes, deleting data, limiting the processing of data, and data portability, meaning the right of a data principal to receive their personal data from a service provider in a machine-readable format and transfer it to another service provider. In contrast, under the DPDP Act, rights include accessing, correcting, and deleting data and grievance redressal, making the rights more basic than those provided in GDPR.[20]

Enforcement and regulatory authorities – Each EU country has an independent data protection authority that can exercise its powers independently without government interference, while in India, the major authority is the Data Protection Board of India, which is not fully independent and works under government influence. This shows that GDPR authorities are more independent and powerful. On penalties, the EU regulation provides very strict rules, heavy penalties and strong enforcement actions when compared to the DPDP Act, which is more general.

Effectiveness of enforcement – The effectiveness of GDPR enforcement lies mainly in its authority. The GDPR has a strong and well-established authority that is independent and structured and that monitors companies, investigates complaints, and imposes heavy penalties, which forces organizations to comply with the rules strictly. The DPDP Act, by contrast, is new and still developing; its enforcement and effectiveness depend on the functioning and independence of the Data Protection Board of India.[21]

Cross-border data transfer – The DPDP Act allows the transfer of data to any country except those countries banned by the central government, whereas GDPR allows the transfer of data only when the receiving country is proven to be safe for the protection of the data, which indicates that GDPR has stronger provisions for data protection.[22]

Challenges in the implementation of the act

The DPDP Act marks a significant development in the digital privacy framework of India, making comprehensive provision for data protection and privacy rights; however, its effective implementation poses several challenges. They are:

Lack of digital literacy – A major challenge in implementing DPDP provisions is that many people do not understand consent compliance, which limits their ability to exercise their rights effectively.

Lack of awareness – People have limited awareness of their digital privacy rights and obligations, which makes the act more difficult to implement.

Challenges in provisions – The complexity in understanding the provisions of the DPDP Act may pose a major threat to entrepreneurs.

Financial burdens – The implementation of the DPDP Act poses a financial burden, especially for small and medium enterprises, since putting it in place requires investment.[23]

Conclusion

In conclusion, the Digital Personal Data Protection Act 2023 marks a significant development in India’s digital data processing by establishing comprehensive provisions protecting digital privacy rights. As mentioned, the act introduces key provisions relating to consent-based data processing, rights of the data principal and regulation, thereby establishing a structured mechanism for its functioning. However, the analysis shows that even though the act seems to be productive, several concerns have been raised about its effectiveness and limitations, which prevent the act from functioning to its full potential.

The concerns raised are the broad government exemption, the lack of clarity in cross-border data transfer criteria and narrow individual rights when compared to the EU regulation, indicating that the legislation has not yet become fully comprehensive and is still in development. In addition, issues relating to the effectiveness of the consent mechanism and the limited independence of the Data Protection Board of India also raise concerns regarding its implementation.

To strengthen the framework, the establishment of an independent data protection board plays a vital role in ensuring the transparency and effectiveness of the act. Furthermore, narrowing the powers granted to the government for exemption, expanding the application of the act to include physical data collected, providing clearer criteria for cross-border data transfer and broadening individual rights would make the act more relevant to today’s digital world. Overall, the development of the act depends on its effective implementation and the reforms taken to bridge the gap between privacy protection and technology advancement.

References:

Primary sources

Cases

Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

Legislation

Information Technology Act, 2000 (India).

Digital Personal Data Protection Act, 2023 (India).

Secondary source

Journal articles

Sri Savithri Subbiah & A. Shanmuga Priyanga, A Comparative Study on GDPR and DPDP Act, 6 INT’L J. RSCH. PUB. & REV. 4578, 4578 (2025).

Prabhash Dalei, The Digital Personal Data Protection Act, 2023: A Legal Analysis in Light of Global Data Protection Standards, 11 INT’L J. L. 127, 127 (2025).

Vinay Tiravekar, Major Challenges Are Faced by Small Businesses Operating in Tier 2 and Tier 3 Cities in Adapting to Digital Platforms and Technologies, 7 INT’L RSCH. J. MODERNIZATION ENG’G TECH. & SCI. 7593, 7593 (2025).

Internet sources

LexClaim, Tracing the Shift: The Evolution of Digital Personal Data Protection Frameworks, Lex Claim (Dec. 8, 2025), https://lexclaim.com/blog/2025/12/08/tracing-the-shift-the-evolution-of-digital-personal-data-protection-frameworks/

PRS Legislative Research, Digital Personal Data Protection Bill, 2023, PRS Legislative Research, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (last visited Apr. 14, 2026)

Software Freedom Law Ctr., India, Data Protection Board of India: A Watchdog Without Teeth, SFLC.in (Feb. 5, 2025), https://sflc.in/data-protection-board-of-india-a-watchdog-without-teeth/

DPO India, Impact of DPDPA on Cross-Border Data Transfers, https://www.dpo-india.com/Blogs/impact-dpdpa-cross-border/ (last visited Apr. 14, 2026)

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

[2] Information Technology Act, 2000, § 43A (India).

[3] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

[4] LexClaim, Tracing the Shift: The Evolution of Digital Personal Data Protection Frameworks, LexClaim (Dec. 8, 2025), https://lexclaim.com/blog/2025/12/08/tracing-the-shift-the-evolution-of-digital-personal-data-protection-frameworks/.

[5] Digital Personal Data Protection Act, 2023, § 2(i), (j), (t); § 3(a), (b) (India).

[6] Digital Personal Data Protection Act, 2023, §§ 4, 6, 7 (India).

[7] Digital Personal Data Protection Act, 2023, §§ 11, 12 (India).

[8] Digital Personal Data Protection Act, 2023, §§ 18, 33 (India).

[9] Digital Personal Data Protection Act, 2023, §§ 8, 9 (India).

[10] Digital Personal Data Protection Act, 2023, § 17 (India).

[11] PRS Legislative Research, Digital Personal Data Protection Bill, 2023, PRS Legislative Research, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (last visited Apr. 14, 2026).

[12] Digital Personal Data Protection Act, 2023, §§ 6, 9 (India).

[13] Digital Personal Data Protection Act, 2023, § 3 (India).

[14] Digital Personal Data Protection Act, 2023, § 18 (India).

[15] Software Freedom Law Ctr., India, Data Protection Board of India: A Watchdog Without Teeth, SFLC.in (Feb. 5, 2025), https://sflc.in/data-protection-board-of-india-a-watchdog-without-teeth/.

[16] Digital Personal Data Protection Act, 2023, § 16 (India).

[17] DPO India, Impact of DPDPA on Cross-Border Data Transfers, https://www.dpo-india.com/Blogs/impact-dpdpa-cross-border/ (last visited Apr. 14, 2026).

[18] Sri Savithri Subbiah & A. Shanmuga Priyanga, A Comparative Study on GDPR and DPDP Act, 6 INT’L J. RSCH. PUB. & REV. 4578, 4581 (2025).

[19] Prabhash Dalei, The Digital Personal Data Protection Act, 2023: A Legal Analysis in Light of Global Data Protection Standards, 11 INT’L J. L. 127, 129 (2025).

[20] Prabhash Dalei, The Digital Personal Data Protection Act, 2023: A Legal Analysis in Light of Global Data Protection Standards, 11 INT’L J. L. 127, 129 (2025).

[21] Sri Savithri Subbiah & A. Shanmuga Priyanga, A Comparative Study on GDPR and DPDP Act, 6 INT’L J. RSCH. PUB. & REV. 4578, 4582 (2025).

[22] Prabhash Dalei, The Digital Personal Data Protection Act, 2023: A Legal Analysis in Light of Global Data Protection Standards, 11 INT’L J. L. 127, 130 (2025).

[23] Vinay Tiravekar, Major Challenges Are Faced by Small Businesses Operating in Tier 2 and Tier 3 Cities in Adapting to Digital Platforms and Technologies, 7 INT’L RSCH. J. MODERNIZATION ENG’G TECH. & SCI. 7593, 7593 (2025).
