Authored By: Shruti Dwivedi
Dr. D. Y. Patil Law College, Pune
Abstract
In a digital world where memory is not a privilege but a permanent trace, privacy is no longer about secrecy; it is about power. With India’s enactment of the Digital Personal Data Protection Act in 2023, the promises made in Justice K.S. Puttaswamy v. Union of India resound with renewed vigor, putting India’s legislative choices on consent, autonomy and the much-debated “Right to Be Forgotten” under the microscope. The Act seeks to institutionalize informational privacy in a digital society. The Government of India enacted it against a backdrop of rising personal data breaches and the absence of an adequate legislative framework. While the Act is a long-overdue step towards data protection in India, it must also be measured against the constitutional standards laid down in Puttaswamy. This article examines the DPDP Act through constitutional and policy lenses, tracing its legal framework, judicial underpinnings and key criticisms. It further evaluates the Act’s exemptions, the role of the Data Protection Board and the absence of critical safeguards such as the Right to Be Forgotten. Finally, it assesses recent developments and suggests reforms to ensure that India’s data protection regime aligns with its constitutional promise of liberty, dignity and democratic accountability.
Introduction
In 2012, Justice K.S. Puttaswamy (Retd.), a former judge of the Karnataka High Court, filed a writ petition before the Supreme Court challenging the constitutional validity of the Aadhaar scheme, on the ground that collecting and storing personal and biometric information without legal safeguards violates the right to privacy. On 24 August 2017, a nine-judge Constitution Bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under Article 21 (Right to Life and Personal Liberty), read with Articles 14 and 19 of the Constitution of India. The bench established that privacy is inseparable from human dignity and liberty. The lead opinion, written by Justice D.Y. Chandrachud, explained that privacy is not an elitist concept but a basic right that stems from the dignity of the individual. The court laid down a threefold test (legality, necessity and proportionality) for any restriction on privacy. The case opened discussions on data protection, surveillance, bodily autonomy and informational privacy.
In the digital age, where information never truly disappears, privacy has evolved from a question of secrecy to one of control and power. The rapid expansion of digital infrastructure in India has raised serious questions about data privacy and autonomy over one’s personal information. In July 2017 the Ministry of Electronics and Information Technology set up a committee, chaired by retired Supreme Court judge Justice B.N. Srikrishna, to study data protection. The committee submitted its draft Personal Data Protection Bill in July 2018. The draft was modified several times by the Government of India and, after Union Cabinet approval, was tabled in Parliament on 11 December 2019. Following criticism from stakeholders, the opposition and experts, the Bill was withdrawn from Parliament on 3 August 2022. On 11 August 2023, President Droupadi Murmu gave assent to the Digital Personal Data Protection Bill, 2023, which thereby became the Digital Personal Data Protection Act, 2023.
The DPDP Act, 2023
The DPDP Act regulates the processing of digital personal data by both public and private actors. It confers rights on individuals as data principals, imposes obligations on data fiduciaries, and rests on a consent-based architecture: personal data may be collected or processed only after the data principal’s free, specific, informed and unambiguous consent has been obtained (Section 6), or for one of the “legitimate uses” enumerated in the Act. The Act gives data principals rights of access, correction, updating and erasure of their personal data, and allows them to nominate a person to exercise these rights in the event of incapacity or death.
However, these rights are not absolute. Of particular concern is Section 17 of the Act, which empowers the Central Government to exempt, by notification, any instrumentality of the State from the provisions of the Act in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or the maintenance of public order. This dilutes whatever protection the Act might otherwise provide and undermines the relationship between the data fiduciary and the data principal. While some of these exceptions may be linked to practical administrative necessity, their heavily caveated wording should raise alarm.
The notion of “deemed consent” (the term used in the 2022 draft Bill; the 2023 Act lists these grounds as “certain legitimate uses” in Section 7) allows personal data to be processed without explicit consent for the provision by the State of subsidies, benefits, services, certificates, licences and permits; for compliance with any judgment or order under existing law; for responding to a medical emergency involving a threat to life; for providing health services during a threat to public health; for providing assistance during a disaster or breakdown of public order; and, in the employment context, for purposes such as preventing corporate espionage and maintaining confidentiality. Critics argue that this clause undermines the concept of informed consent and gives data fiduciaries too much leeway.

Under the DPDP Act there is no differentiation between personal data and sensitive personal data; all identifiable personal data carries the same weight. Moreover, the Act deliberately excludes non-digitized personal data from its coverage. Complete exclusion is hard to justify: data fiduciaries should be as accountable for how they collect, manage and destroy paper records as they are for digital ones. Bringing non-digitized data within the law would create a level playing field between digital and physical actors and offer consumers the same degree of protection and accountability whether their data is held online or offline.
The Exception Dilemma – A Blessing or A Curse
The exemption for processing personal data that is necessary to enforce any legal right or claim is drafted too broadly, and the omission of safeguards or minimum standards for data handling within that process, such as identification, retention and destruction, amounts to processing without explicit and informed consent. Legal claims are a valid ground for processing, but ambiguity about what a legal “right” or “claim” entails can lead to personal data being mishandled without proper consent or safeguards, allowing private parties to sidestep essential protections afforded by the Act.
By the same token, the exemption allowing courts, tribunals and regulatory authorities to process personal data while performing judicial, quasi-judicial or supervisory functions may appear reasonable at first blush. That said, it still compromises the data principal’s right to be informed and the principle of accountability, around which any privacy-respecting data framework pivots.
Even more troubling is the blanket exemption for the processing of personal data in the interests of prevention, detection, investigation or prosecution of any offence or contravention of any law. The exemption effectively establishes an alternate regime for law enforcement that is untethered from statutory controls or prior oversight. With no requirement for prior authorization, audit controls or post-event scrutiny, this exemption is easily convertible into a paradigm for mass surveillance and state overreach, and it is a clear affront to the privacy guarantees articulated in Puttaswamy.
The Act also provides that Indian entities may process the personal data of persons outside India pursuant to contracts with foreign parties, treating such data as a contractual commodity without regard to the Act’s central purpose of protecting data principals, and thereby sidestepping the emerging consensus on data sovereignty and ethical processing standards. Similarly, the exemption for ascertaining the financial information and assets of a defaulting borrower permits financial profiling without consent; profiling that occurs without any guarantee of transparency and fair process can infringe privacy in ways that lead to discrimination, reputational harm or coercion. The very notion of privacy as a right, framed through necessity, proportionality and safeguards, is violated if these exemptions are broadly defined, opaquely enforced and not meaningfully monitored. Without recalibration, the Act’s promise of agency for data principals is nothing more than a promise.
The Data Protection Board
Among the Act’s institutional features is the Data Protection Board of India, with authority to adjudicate personal data breaches and complaints. The Board is established under Section 18 of the DPDP Act, 2023; its composition, and the appointment and removal of its members, are covered in Sections 18 to 27. The Minister of State for Electronics and Information Technology has stated that the Board is not a regulatory authority and that its role is primarily to adjudicate after a violation has occurred. While the Board’s creation shows the government’s acknowledgment of the significance of data protection, confining it to adjudication rather than regulation raises serious concerns.
First, the Board’s lack of regulatory power over entities collecting and processing personal data prevents it from actively monitoring how organizations practise data protection. As the Board is not empowered to issue sector-specific directives, conduct compliance audits or provide preventive guidance, its ability to perform systematic oversight is limited. The Act’s protections are therefore largely reactive, triggered only by a breach or a formal complaint, leaving individuals exposed to harm that proactive action could have mitigated.
The Board’s connection to the executive raises serious concerns about both independence and impartiality. The Chairperson and Members are appointed by the Central Government, which also controls their removal. There is therefore a genuine concern that, in adjudicating a case involving a powerful government agency or a large corporation, the Board will lack independence and impartiality. The perception of executive control over a body designed to protect individual rights directly impairs public confidence in the Board as a neutral adjudicator.
Furthermore, the Board’s lack of authority to set long-term data protection policy or to propose new legislation limits its ability to shape the legal framework. While the establishment of the Board is welcome, its role as a mere adjudicator may not be enough for the complex and evolving problems of data privacy. As India moves into a data-driven future, the legal and institutional framework must evolve to provide stronger, transparent and participatory safeguards.
Without a truly empowered and independent authority, the promise of digital privacy is a promise on paper rather than a lived and tangible reality.
The Right to Be Forgotten – Scope in India
The Right to Be Forgotten (RTBF) is a pivotal component of informational privacy, allowing a person to request the deletion of their personal data from public view when that data is no longer needed or when consent is withdrawn. The RTBF has seen sparse but growing recognition in Indian law. For example, in Zulfiqar Ahmed Khan v. Quintillion Business Media Pvt. Ltd., the Delhi High Court recognized an individual’s right to have content published on digital media that offended his dignity and reputation taken down.
The Act gives individuals the rights to correction, completion, updating and erasure of their personal data (Section 12). It does not provide a right to data portability (a person’s right to obtain and reuse their personal data and to migrate it from one entity to another) or a right to be forgotten, both of which are recognized by the European Union’s General Data Protection Regulation (GDPR). Data fiduciaries must erase personal data when consent is withdrawn or the purpose of processing is no longer being served, unless retention is required by law (Section 8(7)); it is questionable whether public-record or judicial-information considerations fall within that retention exception. The enforceability of the erasure right is impeded by several factors. The Act requires erasure on request only where retention is not necessary for the specified purpose or for compliance with law, and it is the fiduciary itself that assesses that necessity. Beyond requiring a fiduciary to cause its own data processors to erase the data, the Act imposes no obligation to notify other third parties to whom the personal data was disclosed, as GDPR Article 17(2) does. The absence of these components leaves the right to erasure uncertain and tenuous, especially for individuals whose rights and interests are most vulnerable.
Opinions Surfacing
The revised 2019 Bill was criticized by Justice B.N. Srikrishna, who drafted the original Bill, as capable of turning India into an “Orwellian State”. In an interview with the Economic Times, Srikrishna said: “The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.” “Orwellian” describes a situation, idea or societal condition that the 20th-century author George Orwell identified as destructive to a free and open society: draconian control through propaganda, surveillance, disinformation, denial of truth and manipulation of the past. The real concern is whether the new law gives the government unlimited power to decide what data can be taken, and when, without the consent of the people, and whether that power leads to what Justice Srikrishna called an “Orwellian State”.
Opposition MPs expressly criticized the Central Government’s power to exempt state agencies from important requirements of the Act, raising fears of unchecked state surveillance and reduced accountability. Activists and opposition leaders, including Rahul Gandhi, argued that the Act’s amendment to the Right to Information Act allows information to be withheld as “personal data” regardless of its relevance to public activity or interest, eroding transparency and public oversight. Human Rights Watch and other advocates emphasized the absence of reforms to protect children’s privacy and the expanded powers awarded to the state, and activists alleged that the Act is being used to limit citizens’ access to public information, complicating efforts to combat corruption. Among the MPs who walked out of the parliamentary committee meeting in protest were Communist Party of India (Marxist) MP John Brittas, Congress MP Karti P. Chidambaram, and Trinamool Congress MPs Jawhar Sircar and Mahua Moitra. One of Brittas’s main concerns was that, like its previous iterations, the current Bill makes exceptions allowing government entities to process individuals’ personal data in certain instances. He also pointed out that the Joint Parliamentary Committee report on the 2019 Bill had recommended that members of the Data Protection Authority be nominated by a selection committee including the Attorney General of India, independent experts in data protection, information technology or cyber law, and the Directors of an Indian Institute of Technology (IIT) and an Indian Institute of Management (IIM), a recommendation the new law does not adopt.
Recent Developments
India is rapidly rolling out facial recognition technology at airports, streamlining security checks amid concern about the emergence of a surveillance state in the world’s largest democracy. According to Suresh Khadakbhavi, chief executive of the Digi Yatra Foundation, an industry-led initiative coordinated by the Ministry of Civil Aviation, the use of digital biometric systems doubled within a month to 28 airports, covering about 90 per cent of India’s air travel volume. Some groups have questioned the security of the data processed by Digi Yatra in a country that has yet to bring into force the digital privacy law it enacted in 2023. In early July, the government think tank NITI Aayog urged Digi Yatra to provide a clear statement of its data protection policies and to conduct regular independent audits. Khadakbhavi conceded that Digi Yatra “did not focus” on public messaging in the rush to scale up. He said his organisation and the government could not access passenger data, which was “purged systematically” within 24 hours of departure. “A lot of people do not know actually what we do and therefore all these questions about data privacy, surveillance are coming up,” Khadakbhavi said. “The fundamental point is that I do not have your data.” The Internet Freedom Foundation, a digital rights organisation that has called for the technology to be removed from airports, has countered that Digi Yatra’s policy, as published by the Ministry of Civil Aviation, allows data to be accessed by government agencies and purge settings to be changed in response to security requests.

Separately, the digital payment companies Google Pay, PhonePe and Amazon Pay, as well as the National Payments Corporation of India (NPCI), have sought exemption from the DPDP Act provisions that require user consent for each transaction, arguing that this would be too onerous, people aware of the development told the Economic Times. The mandate would also apply to recurring payments and would raise cost and complexity, the companies said in submissions to the Ministry of Electronics and Information Technology (MeitY).

In June 2025, MeitY released a Business Requirement Document for Consent Management under the DPDP Act, 2023 (BRD). The BRD, while not legally binding, provides technical and functional guidance on implementing a consent management system (CMS) under the Act. It breaks down the core components of a CMS, including consent lifecycle management, a user dashboard, notifications and grievance redress mechanisms, and outlines administrative capabilities such as user role management and data retention policy configuration, to support operational efficiency and compliance.
Suggestions
- Constitute an autonomous Data Protection Authority with independent funding and appointment mechanisms insulated from executive control.
- Amend Section 17 to require parliamentary oversight and judicial review of state exemptions. The United Kingdom’s Investigatory Powers Act 2016 (IPA), often called the “Snooper’s Charter”, allows state surveillance but requires judicial commissioners and parliamentary committees to oversee data access. In Canada, the Privacy Act, 1983 provides exemptions for government agencies but subjects them to annual parliamentary reporting by the Privacy Commissioner. Such oversight mechanisms guard against abuse of “national security” clauses; in 2021 the UK’s Investigatory Powers Commissioner publicly criticized unlawful bulk surveillance orders, showing that oversight actually works.
- Incorporate clear criteria and timelines for erasure requests. Article 17 of the EU’s GDPR legally mandates that individuals can request erasure of their personal data. The right originated in the CJEU’s Google Spain judgment (2014), which recognized a “right to be forgotten” under EU law. After the GDPR took effect, major technology companies implemented global deletion protocols, and over 1.2 million erasure requests were processed in the first 18 months.
- Launch nationwide privacy literacy campaigns to empower citizens as informed data principals. After enacting the Personal Data Protection Act (PDPA) in 2012, Singapore launched the “Do Not Call Registry” campaign and public awareness drives led by the Personal Data Protection Commission (PDPC). Similarly, Estonia, a digital pioneer, runs nationwide “data hygiene” education programmes integrated into school curricula. Within five years, Singapore achieved over 90% compliance awareness among citizens and companies.
- Introduce sunset or periodic-review clauses requiring statutory review every five years to keep pace with technological advances.
- Harmonize the DPDP Act with upcoming AI and cybersecurity frameworks to avoid regulatory fragmentation. The EU maintains regulatory coherence across the GDPR, the AI Act (2024) and the Cybersecurity Act (2019); these frameworks reference one another, preventing contradictions and overlaps. The California Privacy Rights Act (CPRA, 2020) is aligned with California’s cybersecurity standards, giving unified compliance obligations. This alignment has encouraged innovation without regulatory confusion while maintaining strong consumer protections.
Conclusion
The Digital Personal Data Protection Act, 2023 is rightly regarded as a game-changer in India’s evolving digital privacy journey. The Act creates a framework built on consent and recognizes the rights of data principals. But its broad exceptions, lack of regulatory oversight and omission of several procedural safeguards undermine its transformative potential. If India is to honour the essence of Puttaswamy, it may have to fundamentally amend the law to balance national interest with individual liberty, build stronger institutional safeguards, and ensure that privacy is not a theoretical right but a lived reality in the digital age. Only then will India be able to move from a surveillance-based regime to a rights-centred data governance regime and fulfil its constitutional commitments to dignity, autonomy and democratic accountability.
Reference(s):
Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1; AIR 2017 SC 4161
Zulfiqar Ahmed Khan v. Quintillion Business Media Pvt. Ltd., CS (OS) 642/2018, decided 14 December 2018 (Delhi High Court)
Constitution of India, Part III, Articles 14, 19 and 21
Digital Personal Data Protection Act, 2023, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
Data Protection Board (Chapter V of the Act), https://dpdpa.in/chapter5.htm
A&O Shearman, How has GDPR influenced the evolution of data protection in APAC (24 May 2023), https://www.aoshearman.com/en/insights/how-has-gdpr-influenced-the-evolution-of-data-protection-in-apac
European Data Protection Supervisor, Data Protection, https://www.edps.europa.eu/data-protection_en
Privacy International, A Guide for Policy Engagement on Data Protection, Part 7: Independent Supervisory Authority, https://privacyinternational.org/sites/default/files/2018-09/Part%207-%20Independent%20Supervisory%20Authority%20copy.pdf
Personal Data Protection Commission Singapore, Privacy Awareness Week 2023, https://www.pdpc.gov.sg/news-and-events/events/2023/01/privacy-awareness-week-2023
Intersoft Consulting, Article 52 GDPR, https://gdpr-info.eu/art-52-gdpr/
Financial Times, Facial recognition at airports in India (2025), https://www.ft.com/content/f1ba12ac-fe1d-4a51-b2e7-077f392115a7
Matt Burgess, WIRED, Biometrics leak in India (23 May 2024), https://www.wired.com/story/police-face-recognition-biometrics-leak-india/
Charmian Aw and Roshni Patel, Hogan Lovells, Consent management rules under the DPDP Act, 2023 (11 June 2025), https://www.hoganlovells.com/en/publications/india-publishes-consent-management-rules-under-digital-personal-data-protection-act
The Investopedia Team, General Data Protection Regulation (8 August 2025), https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp
The Logical Indian, Role of the Data Protection Board (30 August 2023), https://thelogicalindian.com/data-protection-board-clarified-as-adjudicator-not-regulator-by-mos-it-41098/
The Hindu, Cabinet clears Data Protection Bill (5 July 2023), https://www.thehindu.com/news/national/cabinet-clears-data-protection-bill/article67046012.ece
HSF Kramer, India’s new data protection law: how does it differ from GDPR (10 October 2023), https://www.hsfkramer.com/notes/data/2023-10/indias-new-data-protection-law-how-does-it-differ-from-gdpr-and-what-does-that-mean-for-international-businesses
Megha Mandavia, Economic Times, Personal Data Protection Bill can turn India into Orwellian state: Justice B.N. Srikrishna (12 December 2019), https://m.economictimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms
PRS Legislative Research, The Personal Data Protection Bill, 2019, https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
SFLC.in, Data Protection Board of India: a watchdog without teeth (5 February 2025), https://sflc.in/data-protection-board-of-india-a-watchdog-without-teeth/
Adhil Shetty, Financial Express, Data protection law: focus on accountability and consent, but offline data must be treated at par (8 October 2023), https://www.financialexpress.com/money/data-protection-law-focus-on-accountability-amp-consent-but-offline-data-must-be-treated-at-par-3266125/
Jahnavi, The News Minute, Digital Personal Data Protection Bill 2023: what are the opposition’s main objections (27 July 2023), https://www.thenewsminute.com/news/digital-personal-data-protection-bill-2023-what-are-opposition-s-main-objections-180288