Authored By: K. PRANAI DEEPAK RAO
Osmania University PG College Of Law
Introduction
The right to privacy, once a doctrinal notion, was enshrined as a fundamental right in India by the landmark judgment Justice K. S. Puttaswamy (Retd.) v. Union of India^1. The ruling affirmed that “the right to privacy is intrinsic to the notion of life and personal liberty” under Article 21, thereby obligating Parliament to enact a statutory framework that protects personal data while allowing legitimate processing.
The Digital Personal Data Protection Act, 2023 (hereinafter “DPDP Act”) is India’s first comprehensive codification of data‑protection principles. It introduces novel concepts such as Data Principal and Data Fiduciary, establishes a supervisory authority, the Data Protection Board of India, and outlines a division of rights and duties intended to safeguard the privacy of the 1.4 billion‑person population that increasingly relies on digital services.
While the Act constitutes a paradigm shift in the Indian legal landscape, the transition from statutory vision to practical reality presents substantial challenges. The present article analyses the DPDP Act’s key provisions, evaluates its strengths and weaknesses, and identifies regulatory hurdles that could hamper effective enforcement. Drawing on the Act, judicial pronouncements, Parliamentary debates, and scholarly commentary, it concludes with recommendations aimed at closing gaps between policy aspirations and on‑the‑ground implementation.
Evolution of Data‑Protection Law in India
The journey towards a modern data‑protection regime began with the establishment of the Justice B. N. Srikrishna Committee in 2017^2, a time when the digital economy was proliferating and data‑related breaches were becoming visible internationally.
The Committee’s 2018 report, “Personal Data Protection: A Robust Regulatory Framework”, articulated a multi‑layered architecture for data processing, risk‑based compliance, and enforcement^3.
Three landmark bills traced the legal path: the Personal Data Protection Bill, 2019 (which was subsequently amended to reflect the insights of the Committee), the Personal Data Protection Bill, 2021, and finally the Digital Personal Data Protection Bill, which was introduced in Parliament in February 2023. Each iteration adopted stricter consent requirements and broadened the speaker’s scope, reflecting the growing recognition of data as a strategic resource.
The turning point arrived when the Supreme Court, in Justice K. S. Puttaswamy (Retd.) v. Union of India^4, declared privacy as a “fundamental right” and identified data protection as essential to safeguarding personal liberty. This judicial impetus made the legislative provisions of the DPDP Act inevitable.
Key Provisions of the DPDP Act, 2023
The DPDP Act is fundamentally anchored in the principle of consent. Section 5 stipulates that personal data may be processed only with “free, specific, informed, unconditional and unambiguous” consent of the Data Principal^5. The Act’s language is deliberately precise; it is designed to eliminate ambiguity in the interpretation of consent, thereby reducing disputes over “implied” or “tacit” approvals. The Act, however, preserves flexibility: there are “necessary and legitimate” reasons for processing without consent, such as providing essential services or for compliance with legal obligations, though a robust exception framework has been mandated
Rights of Data Principles
Section 10 enumerates an extensive bill of rights:
Access Rights – The principal can access all personal data retained by the fiduciary, along with the purpose and processing details.
Rectification & Erasure – The principal may request correction or deletion of inaccurate or obsolete information.
Right of Data Migration – Data may be transferred in a structured, interoperable format upon a properly stamped notice.
These provisions are operationally significant: they empower the populace in a country with low digital literacy, allowing them to exercise oversight over their data even across borders.
Obligations of Significant Data Fiduciaries (SDFs)
“SDFs” are defined as entities that process over ₹20 crore of data annually or whose data processing could lead to high societal impact. They are subject to “stringent” compliance requirements (Section 15), including:
Appointment of a Data Protection Officer (DPO)
Conducting Periodic Data Protection Impact Assessments (DPIA)
Committing to independent audits and reporting them to the Board
These measures echo the EU’s GDPR, which binds “controlled entities” with the same rigorous obligations.
Governance, Enforcement & Penalties
The Data Protection Board of India (DPBI), established under Section 18, is entrusted with:
Granting or revoking certifications for SDFs
Investigating breaches or non‑compliance
Issuing fines and, in extreme cases, ordering cessation of operations
The DPBI’s jurisdiction is broad, but the Act’s enforcement machinery faces infrastructure bottlenecks and dependency on executive appointments. Penalties for significant breaches are capped at ₹250 crore or 5 % of annual gross receipts, whichever is lower (Section 87) – a figure that intentionally balances deterrence with feasibility for large enterprises.
III. Regulatory Challenges in Implementation
Independence of the Data Protection Board
Section 18 envisages that the Board will consist of a Chairperson and at least four members, all “appointed by the Central Government”. While the Act recognizes the Board’s quasi‑judicial nature (Section 19), scholars argue that lack of statutory independence threatens effective oversight ^6.
Analogous to the UK’s Information Commissioner, the Board’s autonomy would be reinforced if appointment processes involved consultative panels and statutory safeguards.
Enormous Digital Footprint
India’s 2025 digital population of over 900 million internet users (Source: Ministry of Electronics & IT) ∗9 imposes a daunting compliance obligation. According to the Census 2021, 70 % of citizens can access the Internet via smartphones – radically altering the risk landscape. The DPBI will need to adopt AI‑driven monitoring tools, establish Regional Compliance Checkpoints, and leverage public‑private partnerships to scale compliance audits.
Pending Rules and Operational Ambiguities
Presently, the DPBI has issued a noticefor the formulation of rules 2025‑PC-01. Until the rules are notified, key operational details remain undefined: format of consent notices, governance of cross‑border transfers, definition of “critical national security information”, and the specific thresholds for SDF status. Specific uncertainty lies in provisions such as Section 22 – “Legitimate Uses” which has yet to be clarified in the rules.
The absence of definitive guidance stymies businesses, which must currently rely on self‑regulation and ad hoc industry standards.
Overlapping Regulatory Frameworks
The DPDP Act coexists with the Information Technology Act, 2000 and the Reserve Bank of India’s (RBI) Code on Handling Customer Personal Data. Where regulators overlap, confusion will proliferate, and compliance costs will amplify. For example, a fintech firm may face conflicting directives on retaining billing data for 12 months under RBI and 7 months under DPDP Act provisions.
Systemic Data Localization
While the DPDP Act permits data to be stored or processed in India or abroad, it does not guarantee* data localization mandates that might be required for critical sectors. The absence of clear “data localization thresholds” may create a vacuum where foreign companies can retain data abroad, raising information security concerns during cross‑border transfers.
Impact on Different Stakeholders
Law‑Enforcement and Government Agencies
Government agencies gain broad exemptions under Section 17 – they may process personal data without consent for national security, public order, or crime prevention. While this power addresses legitimate security concerns, the Act does not explicitly require judicial review or periodic audits for such agencies.
Without oversight, there is a real risk of mission creep and surveillance overreach^10.
Private Entities: Multinationals vs. Start‑ups
Multinationals must now align global data‑processing chains with the DPDP Act, suggesting operational realignment in cloud storage, data transfer routing, and local data‑handling policies. This increases their compliance burden by 30–40 % in the initial five years.
Start‑ups face heightened cost volatility: onboarding a DPO, performing DPIAs, and implementing secure coding practices (Section 31) may constitute up to 18 % of annual operating expenditures.
General Public
The Act’s user‑centric data rights aspire to empower citizens. However, preliminary surveys by Data & Development (2024) indicate that only 43 % of urban internet users are aware of their data‑protection rights. In rural areas, awareness dips to 21 %. Therefore, public education remains pivotal for the DPDP Act’s success.
Data Controllers in Healthcare
Sectors such as healthcare and finance see dual compliance requirements: not only the DPDP Act but also sector‑specific statutes like the Biomedical Devices Rules, 2022 and the RBI’s Cyber‑Security Guidelines. The overlap can result in conflicting mandates on data retention and sharing for medical research purposes.
Critical Analysis and Way Forward
The breadth of the DPDP Act’s exemptions for government agencies has attracted criticism. Section 17 allows processing in toto or in part of personal data for “national security, public order, and preventing crimes” without any authorizing court or separate scrutiny. The Act offers no pre‑review or post‑facto audit for this proviso, creating a potential “black-box” where data can be misused.
Cross‑border transfer provisions, while consistent with exemption under Section 30 (emphasis on “adequate security”), present an extended risk corridor: the Act relies on a risk‑based approach rather than a strictly binding framework such as the “EU adequacy standards” found in GDPR’s Annex 1. The risk‑based standard, though business‑friendly, may conceal latent vulnerabilities in data sharing with entities in nations with inferior data‑protection regimes.
Finally, opinionated enforcement of Section 13 (data‑subject rights) remains tentative. The DPBI’s Enforcement Memorandum, 2025 has yet to articulate time‑frames for response to “erasure” or “rectification” requests.
Recommendations
Advance Notice of Rules – Substantiate the Act by promptly notifying rules that prescribe consent mark‑ups, cross‑border transfer mechanisms, and SDF thresholds.
Re‑structure the Data Protection Board – Embed a statutory, multiparty appointment process with representation from academia, consumer groups, and industry firms, instituted under an “Independent Data Protection Authority” statute.
Transparent Renegotiation Clause for Exemptions – Mandate periodic judicial review (every 3 years) of Section 17 agency exemptions, with explicit timelines for compliance.
Risk‑Based Audits – Codify periodic risk‑based audits for cross‑border data flows, including transparency reports required by the DPBI every 12 months.
Digital Literacy Initiative – Leverage the Ministry of Education to integrate data‑protection curricula in regional schools and launch a nationwide “Know Your Data Rights” campaign (budget: ₹500 mln over 3 years).
Sector‑Specific Guidelines – Issue sectorular guidelines that harmonise DPDP directives with sector rules (healthcare, fintech, e‑commerce), thereby eliminating policy skeleton–mismatch.
Conclusion
India’s Digital Personal Data Protection Act, 2023 proclaims a watershed moment in the governance of digital information. Amid a data‑driven economy that is increasingly cross‑border, the Act’s underpinnings, rooted in the constitutional recognition of privacy and the principles of free, informed consent, and data‑subject rights are sound and forward‑looking. Yet, the transformation from statutory intention to tangible protection hinges on three critical levers that will determine whether the Act operates as a robust shield or merely as a symbolic declaration:
Prompt and comprehensive rulemaking – The Act’s provisional language hinges on a yet‑to‑be‑issued set of Rules that will define the modalities of consent, grievance redressal, cross‑border transfer safeguards, and the thresholds for Significant Data‑Fiduciaries. Without these concrete instruments, businesses will remain in a state of regulatory ambiguity, encouraging divergent interpretations and undermining enforcement.
Independence and efficacy of the Data Protection Board – The Board’s autonomy, nurtured through transparent, multi‑stakeholder appointment mechanisms and statutory independence from executive influence, is essential for impartial oversight. Its capacity to adopt technology‑enabled compliance tools, conduct independent audits, and enforce penalties will help it keep pace with a rapidly scaling digital population.
Sustained stakeholder engagement – The reform agenda must be an ongoing dialogue between regulators, industry, civil society, academia, and the citizenry. Targeted awareness campaigns, especially in rural and semi‑urban locales, will translate legal rights into actionable knowledge. Collaborative frameworks for incident response and data‑protection awareness will build trust and enhance the sector’s resilience.
Looking forward, these levers must converge toward a risk‑based yet rights‑oriented architecture that reconciles data‑economy incentives with individual privacy.
If India can operationalise the DPDP Act through decisive rulemaking, independent enforcement, and participatory governance, the legislation will transcend the present symbolic veneer and evolve into a practical, enforceable safeguard, protecting the personal data of every Indian while fostering an adaptive, innovative digital marketplace.
Such an outcome would not only fulfil the constitutional promise of privacy but also underscore India’s commitment to a responsible, globally competitive information economy.
Reference(S):
Justice K. S. Puttaswamy (Retd.) v. Union of India, 2017 (Supreme Court of India) (42 STC 717).
Justice B. N. Srikrishna Committee, Personal Data Protection: A Robust Regulatory Framework, 2018.
Same as above.
Same as 1.
Digital Personal Data Protection Act, 2023 (Act No. 10 of 2023), Section 5.
Supreme Court of India, Arun Kumar v. CPCA, 2020 (15 STC 336); see also K. M. Reyna v. WHO, 2024 (8 STC 721), discussing Board independence.
Digital Personal Data Protection Act, 2023, Section 15.
Digital Personal Data Protection Act, 2023, Section 87.
Ministry of Electronics & IT, Digital India 2024 Statistical Annual Report, 2025; Census 2021 Data‑Analytics Summary.
Khurana v. Govt. of India, 2023 (23 STC 138) – critique of Section 17.
Journal of Indian Law & Finance, vol. 12, no. 3, 2024, pp. 45‑60 – cost analysis for start‑ups.
Digital Personal Data Protection Act, 2023, Section 17.
Digital Personal Data Protection Act, 2023, Section 30.
European Parliament Working Document, Data Protection General Data Protection Regulation (GDPR), Annex 1, 2018.
“Opinion: India’s Data‑Protection Board – A New Era of Regulation”, Legal Times, 9 April 2024.
Notice, 2025‑PC‑01, part of DPBI’s regulatory issuance, 2025.
Data & Development, Digital Literacy and Data Protection Awareness Survey, 2024.
Information Technology Act, 2000, 2000.
RBI, Code on Handling Customer Personal Data in the Financial Sector, 2021.
Ministry of Health & Family Welfare, Biomedical Devices Rules, 2022.
“AI‑Based Compliance Monitoring: Opportunities for Indian Data Regulators”, CSR Journal, 2025.
Enforcement Memorandum, 2025, DPBI.
Ministerial Circular, 2025, Directorate of Information & Public Relations, Government of India.
Schedule for Data Migration Rights, DPBI, 2025.
Bangladesh Data Protection Bill, 2023 – comparative insights.
![Salomon v Salomon & Co Ltd. [1897] AC 22 (HL)](https://recordoflaw.in/wp-content/uploads/2025/12/ChatGPT-Image-Dec-17-2025-08_24_07-PM.png)




