Home » Blog » Persistent Gaps in India’s Digital Personal Data Protection Framework: Addressing the Erosion of Information Privacy in the Age of Technology

Persistent Gaps in India’s Digital Personal Data Protection Framework: Addressing the Erosion of Information Privacy in the Age of Technology

Authored By: Soumil Roy

IILM University

INTRODUCTION

In an era where every click, transaction, and interaction generates personal data, the scale of information privacy erosion in India has reached alarming proportions. Recent reports indicate that the average cost of a data breach in India has surged to ₹220 million[1], while millions of records continue to be exposed through frequent cyberattacks. Despite the Supreme Court’s landmark recognition of the right to privacy as a fundamental right under Article 21 of the Constitution in Justice K.S. Puttaswamy v. Union of India (2017)[2], and the subsequent enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act)[3], meaningful protection remains elusive

The DPDP Act, along with the Digital Personal Data Protection Rules, 2025 notified in November 2025, represents India’s first comprehensive data protection legislation. However, its phased implementation— with the Data Protection Board established immediately but core obligations deferred until May 2027—combined with broad governmental exemptions and inadequate safeguards against emerging technologies such as artificial intelligence, leaves significant vulnerabilities intact.

This article argues that while the DPDP Act marks a legislative milestone in operationalizing the Puttaswamy vision, its structural weaknesses, delayed enforcement, and failure to adequately address technology-driven risks continue to undermine the fundamental right to informational privacy. It first outlines the constitutional and statutory framework, then analyses the key implementation and substantive gaps, and finally offers targeted recommendations for reform.

Main Body

The digital data protection Act 2023 is built on the promise of a “digital handshake.” By categorizing companies as “Data Fiduciaries,” the law implies a relationship of trust. Under the consent provisions[4], the power is theoretically shifted back to the individual, who must provide “clear and informed” consent before their data is processed. For the private sector, the stakes are finally real; with penalties reaching ₹250 crore [5]data protection is no longer a “backend issue” but a legal priority.

However, a formal legal framework does not always translate to actual digital autonomy. In practice, the Act struggles with “consent fatigue.” Most users, faced with complex privacy notices, simply click ‘accept’ to access essential services, turning “informed consent” into a mere procedural hurdle. While the Act mandates that companies delete data once its purpose is served[6], the lack of granular control for the user—especially regarding how their data is used to train AI models—suggests that while the law has caught up to the internet of yesterday, it remains a step behind the technologies of tomorrow.

Sovereignty vs. Privacy: The Section 17 Conflict

The most significant tension in the Act arises when the State shifts from being the protector of rights to a processor of data. While private entities face strict scrutiny, Section 17(2) provides the government with a broad “exit ramp.” [7]By invoking grounds like “security of the State” or “public order,” the Central Government can exempt its agencies from the very transparency it demands from others.

This creates a constitutional friction point. In Justice K.S. Puttaswamy v. Union of India, the Supreme Court cautioned that the State’s claim of “national security” is not a blank check to override privacy. The Court’s “Triple Test” [8]requires that any such interference must be necessary and, crucially, proportionate. By granting blanket exemptions instead of narrow, case-specific ones, the DPDP Act risks creating a lopsided ecosystem. Without independent judicial or parliamentary oversight over these exemptions, the “fundamental right” to privacy becomes a secondary concern whenever the State decides its own administrative convenience outweighs the citizen’s digital dignity.

The Algorithmic Frontier: AI and the Technological Gap

The “information privacy lack” is perhaps most evident in the Act’s silence on emerging technologies. While the DPDP Act is “technology-neutral” to avoid becoming obsolete, this neutrality creates a vacuum regarding Artificial Intelligence (AI) and Automated Decision-Making.[9] Currently, biometric data—the most intimate form of personal information—can be processed by state agencies under the broad exemptions previously discussed. Without specific “algorithmic accountability” rules, there is a risk that invasive AI systems, such as Facial Recognition, could be deployed without the individual ever knowing how their “digital twin” is being analyzed. To truly bridge the privacy gap, the law must evolve from merely protecting “stored data” to regulating the “active logic” of AI

III. Conclusion

The enactment of the digital personal data protection act is a significant milestone in India’s journey toward digital sovereignty. It provides a long-overdue statutory framework that, for the first time, codifies the principles of consent and accountability for data fiduciaries. However, as this article has argued, the Act’s broad government exemptions and silence on emerging AI risks threaten to reduce the fundamental right to privacy to a mere conditional entitlement.

To truly realize the vision of the puttaswamy judgment[10], the legal regime must evolve from a compliance-heavy statute into a robust, rights-centric shield. Legitimate state aims like national security must be balanced against individual dignity through transparent, proportionate, and judicially overseen measures. By bridging these legislative gaps and ensuring independent oversight, India can foster a digital economy that is not only innovative but also constitutionally resilient. The “digital handshake” promised by the law must be one of mutual trust, not one of mandated submission.

Reference(S):

Table of Cases

Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1.

Vinit Kumar v Central Bureau of Investigation (2019) SCC OnLine Bom 3155.

Legislation

Constitution of India 1950, arts 14, 19 and 21.

Digital Personal Data Protection Act 2023 (No 22 of 2023).

Digital Personal Data Protection Rules 2025.

Reports and Secondary Sources

Justice B N Srikrishna Committee, a Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Committee Report, 2018).

IBM Security, Cost of a Data Breach Report 2025 (2025).

United Nations General Assembly, the Right to Privacy in the Digital Age, UNGA Res 68/167 (18 December 2013).

[1] IBM, Cost of a Data Breach Report 2024

[2] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

 [3] No 22 of 2023.

[4] Digital Personal Data Protection Act 2023, ss 5–8

[5] Digital Personal Data Protection Act 2023, s 33.

[6] Digital Personal Data Protection Act 2023, s 8(3).

[7] Digital Personal Data Protection Act 2023, s 17(2).

[8] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1, paras 297–300, 325 (per Chandrachud J)

[9] Digital Personal Data Protection Act 2023

[10] Puttaswamy (n 2)

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top