Authored By: Shivani Pandey
Mahatma Gandhi Kashi Vidhyapith
- Introduction
August 11, 2023 was not just another date on India’s legislative calendar. When the Digital Personal Data Protection Act — commonly called the DPDP Act — received Presidential assent that day, something shifted. Not dramatically, not overnight, but noticeably. India, a country with 1.4 billion people, a rapidly expanding digital economy, and a public data infrastructure that wealthier nations have quietly envied, was no longer simply watching how the world handled data governance. It was stepping in to help write the rules.
Data, by now, is not a new topic. For well over a decade, policymakers, technologists, and legal scholars have debated who really owns the information that people generate just by living their lives — buying groceries, messaging a friend, booking a doctor’s appointment. That data, in aggregate, is extraordinarily valuable. It can be monetized, profiled, traded, and in the wrong hands, weaponized. The question of who gets to decide what happens to it, and under what rules, has quietly become one of the defining policy contests of this era.
India’s answer to that contest is the DPDP Act. This article looks at what the Act actually does, how it fits into India’s constitutional tradition, where it succeeds and where it falls short, and how it stacks up against comparable laws abroad. It also offers a few targeted suggestions for how Parliament might strengthen the framework before its gaps become genuine liabilities.
- What the Act Actually Says
2.1 The Basic Architecture
At its core, the DPDP Act rests on a fairly intuitive premise: if you want to process someone’s personal data, you need a lawful reason. That reason can be the person’s consent, or it can be one of the recognized legitimate uses the statute identifies. Simple enough in principle — considerably more layered in practice.
The Act frames its regulatory relationships around two central characters. Data Fiduciaries are the entities — businesses, government bodies, platforms — that decide why and how data is processed. Data Principals are the people the data belongs to. Fiduciaries carry real obligations under this framework: keep data accurate, collect only what you actually need, and put security measures in place that are proportionate to the risks involved. Principals, on the other side, get a set of enforceable rights — the right to know what’s being done with their information, to ask for corrections or deletion, and to raise complaints when something goes wrong.
Enforcement sits with the Data Protection Board of India (DPBI), constituted under Section 18. The penalty numbers are serious — up to ₹250 crore for individual violations, and as high as ₹10,000 crore for systematic non-compliance. Whether those numbers will translate into actual enforcement with teeth remains to be seen, but Parliament clearly intended the regime to be more than symbolic.
Two features deserve specific mention. The Act requires verifiable parental consent before any entity can process a child’s data, and it flatly prohibits behavioural advertising targeted at minors. That’s a meaningful commitment in a country where children’s exposure to data-hungry platforms has grown faster than any regulatory framework could realistically keep pace with. The Act also creates a category of ‘Significant Data Fiduciary’ — entities that, because of their scale, the sensitivity of what they process, or national security implications, face an additional layer of obligations, including the appointment of a Data Protection Officer physically based in India.
On cross-border transfers, the Act takes an approach that diverges from the European model. Rather than requiring a formal finding that a destination country offers equivalent protections, the statute hands the central government power to publish a whitelist of approved jurisdictions. The practical flexibility of that approach is obvious. The accountability gaps are equally obvious, and the absence of any statutory criteria constraining how that power gets exercised has generated legitimate concern.
2.2 Constitutional Roots and Judicial Context
The DPDP Act did not arrive in a vacuum. Its constitutional scaffolding was erected in 2017, when a nine-judge bench of the Supreme Court ruled unanimously in Justice K.S. Puttaswamy (Retd.) v Union of India that privacy is a fundamental right — not a privilege, not a policy preference, but a right anchored in Articles 14, 19, and 21 of the Constitution. Crucially, the Court extended that right to informational privacy: people have a constitutionally recognized interest in controlling what happens to their personal information. Any state interference with that interest must satisfy the requirements of legality, legitimate aim, and proportionality.
Puttaswamy did two things for the DPDP Act. It exposed how inadequate the previous framework — a patchwork of Information Technology Act provisions and 2011 Rules — had become relative to constitutional requirements. And it set the analytical benchmark against which the Act’s most contested provisions, particularly the sweeping exemptions for state actors, now have to be judged. The judgment is not merely historical backdrop; it is active legal constraint that the DPBI, the courts, and Parliament itself cannot ignore.
At the regulatory level, the DPBI has not yet issued binding guidance on the Act’s more contested provisions — implementing rules were still in development as of mid-2026. MeitY’s draft Digital Personal Data Protection Rules 2025 have provided some useful signals, though. Among the more consequential: consent notices must be written in plain, accessible language, and must be available in all twenty-two of India’s scheduled languages. In a country with India’s linguistic diversity, that requirement is not a formality. It is a recognition that ‘informed consent’ means very little if the notice explaining it is incomprehensible to most of the people it nominally protects.
2.3 Strengths and Structural Problems
A fair assessment of the DPDP Act has to credit what it genuinely gets right before cataloguing what it gets wrong. The consent provisions are a real improvement over the 2011 Rules, under which users effectively surrendered their data rights by scrolling past terms and conditions they could not be expected to understand. The individual rights framework — access, correction, erasure, nomination of a representative — creates enforceable entitlements where the old regime offered little more than goodwill. Children’s data protections address documented patterns of exploitation that platforms had been getting away with for years. And a penalty regime scaled to the numbers Parliament chose is at least a credible starting point for deterrence.
The structural problems, though, are real. Section 17 is the most troubling. It authorizes the central government — by notification, not primary legislation — to exempt any state body from the Act’s requirements whenever it considers that necessary for national security, public order, or territorial integrity. There are no statutory criteria defining when that threshold is met. No independent body reviews the resulting exemptions. That creates an accountability gap that sits uncomfortably with the proportionality standard Puttaswamy demands, and which is likely to face constitutional challenge once the Act is in full operation.
A second gap is the absence of a distinct sensitive data category. Health records, biometric data, financial information, and data about religious belief or sexual orientation are not treated any differently from general personal data under the Act’s text. That’s a meaningful omission. Rules may partially address it, but clear parliamentary language would be more durable and more protective.
2.4 How India Compares: GDPR and Brazil’s LGPD
India’s DPDP Act shares obvious DNA with the GDPR — consent requirements, data minimization, individual rights, enforcement penalties. But the comparison only goes so far. The GDPR mandates data protection impact assessments for high-risk processing, requires privacy by-design as a default engineering standard, and operates through a network of independent national supervisory authorities. India’s framework, by contrast, concentrates regulatory authority in a single centralized board whose structural insulation from executive influence is, at best, uncertain.
On cross-border transfers specifically, the GDPR’s adequacy framework — whatever its own imperfections — at least involves a transparent assessment process with published criteria and independent oversight. India’s executive whitelist offers nothing comparable. That difference matters practically: it is one of the reasons EU adequacy negotiations with India have stalled on precisely this point.
Brazil’s LGPD is a more instructive comparison, perhaps, because it emerged from a similar context — a large, fast-developing economy with strong growth ambitions and a historically permissive approach to data regulation. The LGPD’s cross-border transfer provisions under Article 33 are notably more detailed than India’s, allowing transfers via adequacy decisions, standard contractual clauses, binding corporate rules, or explicit consent. India’s Act still lacks that kind of layered statutory framework. For multinationals trying to design global compliance programs, that absence creates real uncertainty.
Stepping back, the global data governance landscape has become genuinely fragmented. The GDPR, LGPD, China’s Personal Information Protection Law, and the DPDP Act all reflect different sovereign choices about the balance between individual rights, economic development, and state power. For any company operating across these jurisdictions, compliance has become an increasingly complex exercise in mapping which rules apply where and how conflicts between them get resolved. India’s Act adds one more layer to that map — one that is not yet fully drawn.
2.5 What Parliament Should Do Next
The DPDP Act’s gaps are correctable, but they will not correct themselves. Four reforms stand out as priorities.
First, Section 17 needs statutory guardrails. Parliament should define the criteria that must be met before an executive exemption can be granted, set a maximum duration after which exemptions must be reviewed, and establish an independent oversight mechanism — perhaps a parliamentary committee with appropriate security clearances — to scrutinize classified notifications. This is not an unusual arrangement; comparable democracies have built similar structures.
Second, the cross-border transfer regime needs a statutory foundation, not just executive discretion. Parliament should specify the factors that determine whether a destination country makes the whitelist — things like the existence of an independent supervisory authority, effective remedies for affected individuals, and meaningful limits on state access to transferred data. That would give businesses predictability, give trading partners a principled basis for dialogue, and give courts a framework for review.
Third, sensitive data categories should be defined in the Act itself. Health, genetic, biometric, financial, religious or political, and sexual orientation data should carry heightened protections and stricter transfer conditions. Leaving this to subordinate rules creates fragility — rules can be amended or repealed with far less parliamentary scrutiny than primary legislation.
Fourth, the DPBI’s structural independence needs reinforcement. Board members should be appointed through a transparent, publicly accountable process, with security of tenure sufficient to insulate them from political pressure. An adjudicatory body that appears susceptible to executive influence will struggle to command the credibility it needs — domestically and in international negotiations alike.
- Conclusion
The DPDP Act 2023 is a meaningful piece of legislation. That is not a backhanded compliment. India has spent decades without a serious data protection framework, and the Act represents a genuine commitment — grounded in constitutional principle and expressed in enforceable legal obligations — that citizens have rights over their own information. That commitment matters, for the 1.4 billion people it covers and for the international signal it sends.
But meaningful is not the same as finished. The Section 17 exemption problem is real, not theoretical. The whitelist approach to cross-border transfers is a political convenience that creates legal and diplomatic costs. The absence of a sensitive data category leaves some of the most personal information people generate without the stronger protections it warrants. None of these are unfixable — but they require Parliament’s continued attention, not just the good intentions of rule makers.
India’s position in the global data economy is unusual and, in some ways, genuinely interesting. It is large enough to set terms, ambitious enough to try, and constitutionally grounded enough to have a principled basis for doing so. The DPDP Act is the first serious expression of that posture. Whether it fulfills its promise will depend, in the end, on whether the institutions it creates operate with the independence they require — and whether Parliament is willing to do the harder legislative work still ahead.
Reference(S):
Legislation and Official Documents
Digital Personal Data Protection Act, 2023 (India). Act No. 22 of 2023. Received Presidential assent on 11 August 2023. Ministry of Electronics and Information Technology (MeitY). https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection %20Act%202023.pdf
Ministry of Electronics and Information Technology (MeitY). 2025. Draft Digital Personal Data Protection Rules, 2025.
Information Technology Act, 2000 (India). Act No. 21 of 2000. As amended by the Information Technology (Amendment) Act, 2008.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Gazette of India Extraordinary, Part II, Section 3(i), 11 April 2011.
European Parliament and Council of the European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Information Protection Law of the People’s Republic of China (PIPL). Adopted at the 30th Session of the Standing Committee of the 13th National People’s Congress on 20 August 2021. Effective 1 November 2021.
Cases
Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (2017) 10 SCC 1. Supreme Court of India. Judgment dated 24 August 2017Schrems v. Data Protection Commissioner, Case (Court of Justice of the European Union, 6 October 2015). [Invalidating the EU-US Safe Harbour framework.]
Data Protection Commissioner v. Face book Ireland Limited and Maximillian Schrems, Case (Court of Justice of the European Union, 16 July 2020).
Books and Book Chapters
Bhatia, Gautam. 2017. The Transformative Constitution: A Radical Biography in Nine Acts. New Delhi: HarperCollins India.
Cate, Fred H., and Viktor Mayer-Schönberger, eds. 2013. Notice and Consent in a World of Big Data. Oxford: Oxford University Press.
Datta, Monalisa. 2023. “India’s Data Protection Journey: From Puttaswamy to the DPDP Act.” In Data Governance in the Asia-Pacific, edited by Graham Greenleaf and Bertrand de la Chapelle. Singapore: Springer.
Greenleaf, Graham. 2021. Asian Data Privacy Laws: Trade and Human Rights Perspectives. 2nd ed. Oxford: Oxford University Press.
Journal Articles
Arora, Payal. 2019. “Decolonizing Privacy Studies.” Television & New Media 20 (4): 366–378. https://doi.org/10.1177/1527476418806092
Gurumurthy, Anita, and Nandini Chami. 2019. “Towards a Political Economy of Digital Data: A Perspective from the Global South.” Journal of Information Policy 9: 362–392. https://doi.org/10.5325/jinfopoli.9.2019.0362
Iyer, Mishi. 2023. “Children’s Data and the DPDP Act: Parental Consent, Behavioural Advertising, and Enforcement Gaps.”
Rathi, Vedant, and Rishab Bailey. 2024. “The Data Protection Board of India: Design, Independence, and Adjudicatory Legitimacy.”
Reports and Policy Documents
Internet Freedom Foundation (IFF). 2023. Analysis of the Digital Personal Data Protection Act, 2023. New Delhi: Internet Freedom Foundation. https://internetfreedom.in/analysis-dpdp act-2023
National Association of Software and Service Companies (NASSCOM). 2024. DPDP Act 2023:
Organization for Economic Co-operation and Development (OECD). 2022. Personal Data Protection Committee (PDPC), Singapore. 2021
![Salomon v Salomon & Co Ltd. [1897] AC 22 (HL)](https://recordoflaw.in/wp-content/uploads/2025/12/ChatGPT-Image-Dec-17-2025-08_24_07-PM.png)




