Home » Blog » Digital Sovereignty Meets Global Commerce: India’s DPDP Act 2023 and Its Cross-Border Implications

Digital Sovereignty Meets Global Commerce: India’s DPDP Act 2023 and Its Cross-Border Implications

Authored By: Shivani Pandey

Mahatma Gandhi Kashi Vidhyapith

  1. Introduction 

August 11, 2023 was not just another date on India’s legislative calendar. When the Digital  Personal Data Protection Act — commonly called the DPDP Act — received Presidential assent  that day, something shifted. Not dramatically, not overnight, but noticeably. India, a country with  1.4 billion people, a rapidly expanding digital economy, and a public data infrastructure that  wealthier nations have quietly envied, was no longer simply watching how the world handled  data governance. It was stepping in to help write the rules. 

Data, by now, is not a new topic. For well over a decade, policymakers, technologists, and legal  scholars have debated who really owns the information that people generate just by living their  lives — buying groceries, messaging a friend, booking a doctor’s appointment. That data, in  aggregate, is extraordinarily valuable. It can be monetized, profiled, traded, and in the wrong  hands, weaponized. The question of who gets to decide what happens to it, and under what rules,  has quietly become one of the defining policy contests of this era. 

India’s answer to that contest is the DPDP Act. This article looks at what the Act actually does,  how it fits into India’s constitutional tradition, where it succeeds and where it falls short, and  how it stacks up against comparable laws abroad. It also offers a few targeted suggestions for  how Parliament might strengthen the framework before its gaps become genuine liabilities. 

  1. What the Act Actually Says 

2.1 The Basic Architecture 

At its core, the DPDP Act rests on a fairly intuitive premise: if you want to process someone’s  personal data, you need a lawful reason. That reason can be the person’s consent, or it can be one of the recognized legitimate uses the statute identifies. Simple enough in principle — considerably more layered in practice. 

The Act frames its regulatory relationships around two central characters. Data Fiduciaries are  the entities — businesses, government bodies, platforms — that decide why and how data is  processed. Data Principals are the people the data belongs to. Fiduciaries carry real obligations  under this framework: keep data accurate, collect only what you actually need, and put security  measures in place that are proportionate to the risks involved. Principals, on the other side, get a  set of enforceable rights — the right to know what’s being done with their information, to ask for  corrections or deletion, and to raise complaints when something goes wrong. 

Enforcement sits with the Data Protection Board of India (DPBI), constituted under Section 18.  The penalty numbers are serious — up to ₹250 crore for individual violations, and as high as  ₹10,000 crore for systematic non-compliance. Whether those numbers will translate into actual  enforcement with teeth remains to be seen, but Parliament clearly intended the regime to be more  than symbolic. 

Two features deserve specific mention. The Act requires verifiable parental consent before any  entity can process a child’s data, and it flatly prohibits behavioural advertising targeted at  minors. That’s a meaningful commitment in a country where children’s exposure to data-hungry  platforms has grown faster than any regulatory framework could realistically keep pace with.  The Act also creates a category of ‘Significant Data Fiduciary’ — entities that, because of their  scale, the sensitivity of what they process, or national security implications, face an additional  layer of obligations, including the appointment of a Data Protection Officer physically based in  India. 

On cross-border transfers, the Act takes an approach that diverges from the European model.  Rather than requiring a formal finding that a destination country offers equivalent protections,  the statute hands the central government power to publish a whitelist of approved jurisdictions.  The practical flexibility of that approach is obvious. The accountability gaps are equally obvious,  and the absence of any statutory criteria constraining how that power gets exercised has  generated legitimate concern. 

2.2 Constitutional Roots and Judicial Context

The DPDP Act did not arrive in a vacuum. Its constitutional scaffolding was erected in 2017,  when a nine-judge bench of the Supreme Court ruled unanimously in Justice K.S. Puttaswamy  (Retd.) v Union of India that privacy is a fundamental right — not a privilege, not a policy  preference, but a right anchored in Articles 14, 19, and 21 of the Constitution. Crucially, the  Court extended that right to informational privacy: people have a constitutionally recognized  interest in controlling what happens to their personal information. Any state interference with  that interest must satisfy the requirements of legality, legitimate aim, and proportionality. 

Puttaswamy did two things for the DPDP Act. It exposed how inadequate the previous  framework — a patchwork of Information Technology Act provisions and 2011 Rules — had  become relative to constitutional requirements. And it set the analytical benchmark against  which the Act’s most contested provisions, particularly the sweeping exemptions for state actors,  now have to be judged. The judgment is not merely historical backdrop; it is active legal  constraint that the DPBI, the courts, and Parliament itself cannot ignore. 

At the regulatory level, the DPBI has not yet issued binding guidance on the Act’s more  contested provisions — implementing rules were still in development as of mid-2026. MeitY’s  draft Digital Personal Data Protection Rules 2025 have provided some useful signals, though.  Among the more consequential: consent notices must be written in plain, accessible language,  and must be available in all twenty-two of India’s scheduled languages. In a country with India’s  linguistic diversity, that requirement is not a formality. It is a recognition that ‘informed consent’  means very little if the notice explaining it is incomprehensible to most of the people it  nominally protects. 

2.3 Strengths and Structural Problems 

A fair assessment of the DPDP Act has to credit what it genuinely gets right before cataloguing  what it gets wrong. The consent provisions are a real improvement over the 2011 Rules, under  which users effectively surrendered their data rights by scrolling past terms and conditions they  could not be expected to understand. The individual rights framework — access, correction,  erasure, nomination of a representative — creates enforceable entitlements where the old regime  offered little more than goodwill. Children’s data protections address documented patterns of exploitation that platforms had been getting away with for years. And a penalty regime scaled to  the numbers Parliament chose is at least a credible starting point for deterrence. 

The structural problems, though, are real. Section 17 is the most troubling. It authorizes the  central government — by notification, not primary legislation — to exempt any state body from  the Act’s requirements whenever it considers that necessary for national security, public order, or  territorial integrity. There are no statutory criteria defining when that threshold is met. No  independent body reviews the resulting exemptions. That creates an accountability gap that sits  uncomfortably with the proportionality standard Puttaswamy demands, and which is likely to  face constitutional challenge once the Act is in full operation. 

A second gap is the absence of a distinct sensitive data category. Health records, biometric data,  financial information, and data about religious belief or sexual orientation are not treated any  differently from general personal data under the Act’s text. That’s a meaningful omission. Rules  may partially address it, but clear parliamentary language would be more durable and more  protective. 

2.4 How India Compares: GDPR and Brazil’s LGPD 

India’s DPDP Act shares obvious DNA with the GDPR — consent requirements, data  minimization, individual rights, enforcement penalties. But the comparison only goes so far. The  GDPR mandates data protection impact assessments for high-risk processing, requires privacy by-design as a default engineering standard, and operates through a network of independent  national supervisory authorities. India’s framework, by contrast, concentrates regulatory  authority in a single centralized board whose structural insulation from executive influence is, at  best, uncertain. 

On cross-border transfers specifically, the GDPR’s adequacy framework — whatever its own  imperfections — at least involves a transparent assessment process with published criteria and  independent oversight. India’s executive whitelist offers nothing comparable. That difference  matters practically: it is one of the reasons EU adequacy negotiations with India have stalled on  precisely this point. 

Brazil’s LGPD is a more instructive comparison, perhaps, because it emerged from a similar  context — a large, fast-developing economy with strong growth ambitions and a historically permissive approach to data regulation. The LGPD’s cross-border transfer provisions under  Article 33 are notably more detailed than India’s, allowing transfers via adequacy decisions,  standard contractual clauses, binding corporate rules, or explicit consent. India’s Act still lacks  that kind of layered statutory framework. For multinationals trying to design global compliance  programs, that absence creates real uncertainty. 

Stepping back, the global data governance landscape has become genuinely fragmented. The  GDPR, LGPD, China’s Personal Information Protection Law, and the DPDP Act all reflect  different sovereign choices about the balance between individual rights, economic development,  and state power. For any company operating across these jurisdictions, compliance has become  an increasingly complex exercise in mapping which rules apply where and how conflicts  between them get resolved. India’s Act adds one more layer to that map — one that is not yet  fully drawn. 

2.5 What Parliament Should Do Next 

The DPDP Act’s gaps are correctable, but they will not correct themselves. Four reforms stand  out as priorities. 

First, Section 17 needs statutory guardrails. Parliament should define the criteria that must be  met before an executive exemption can be granted, set a maximum duration after which  exemptions must be reviewed, and establish an independent oversight mechanism — perhaps a  parliamentary committee with appropriate security clearances — to scrutinize classified  notifications. This is not an unusual arrangement; comparable democracies have built similar  structures. 

Second, the cross-border transfer regime needs a statutory foundation, not just executive  discretion. Parliament should specify the factors that determine whether a destination country  makes the whitelist — things like the existence of an independent supervisory authority,  effective remedies for affected individuals, and meaningful limits on state access to transferred  data. That would give businesses predictability, give trading partners a principled basis for  dialogue, and give courts a framework for review. 

Third, sensitive data categories should be defined in the Act itself. Health, genetic, biometric,  financial, religious or political, and sexual orientation data should carry heightened protections and stricter transfer conditions. Leaving this to subordinate rules creates fragility — rules can be  amended or repealed with far less parliamentary scrutiny than primary legislation. 

Fourth, the DPBI’s structural independence needs reinforcement. Board members should be  appointed through a transparent, publicly accountable process, with security of tenure sufficient  to insulate them from political pressure. An adjudicatory body that appears susceptible to  executive influence will struggle to command the credibility it needs — domestically and in  international negotiations alike. 

  1. Conclusion 

The DPDP Act 2023 is a meaningful piece of legislation. That is not a backhanded compliment.  India has spent decades without a serious data protection framework, and the Act represents a  genuine commitment — grounded in constitutional principle and expressed in enforceable legal  obligations — that citizens have rights over their own information. That commitment matters, for  the 1.4 billion people it covers and for the international signal it sends. 

But meaningful is not the same as finished. The Section 17 exemption problem is real, not  theoretical. The whitelist approach to cross-border transfers is a political convenience that  creates legal and diplomatic costs. The absence of a sensitive data category leaves some of the  most personal information people generate without the stronger protections it warrants. None of  these are unfixable — but they require Parliament’s continued attention, not just the good  intentions of rule makers. 

India’s position in the global data economy is unusual and, in some ways, genuinely interesting. It is large enough to set terms, ambitious enough to try, and constitutionally grounded enough to  have a principled basis for doing so. The DPDP Act is the first serious expression of that posture.  Whether it fulfills its promise will depend, in the end, on whether the institutions it creates  operate with the independence they require — and whether Parliament is willing to do the harder  legislative work still ahead.

Reference(S): 

Legislation and Official Documents 

Digital Personal Data Protection Act, 2023 (India). Act No. 22 of 2023. Received Presidential  assent on 11 August 2023. Ministry of Electronics and Information Technology (MeitY).  https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection %20Act%202023.pdf 

Ministry of Electronics and Information Technology (MeitY). 2025. Draft Digital Personal Data  Protection Rules, 2025.  

Information Technology Act, 2000 (India). Act No. 21 of 2000. As amended by the Information  Technology (Amendment) Act, 2008. 

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal  Data or Information) Rules, 2011. Gazette of India Extraordinary, Part II, Section 3(i), 11  April 2011. 

European Parliament and Council of the European Union. 2016. Regulation (EU) 2016/679 of  the European Parliament and of the Council of 27 April 2016 on the Protection of Natural  Persons with Regard to the Processing of Personal Data and on the Free Movement of  Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).  

Personal Information Protection Law of the People’s Republic of China (PIPL). Adopted at the  30th Session of the Standing Committee of the 13th National People’s Congress on 20  August 2021. Effective 1 November 2021. 

Cases 

Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (2017) 10 SCC 1. Supreme  Court of India. Judgment dated 24 August 2017Schrems v. Data Protection  Commissioner, Case (Court of Justice of the European Union, 6 October 2015).  [Invalidating the EU-US Safe Harbour framework.] 

Data Protection Commissioner v. Face book Ireland Limited and Maximillian Schrems, Case (Court of Justice of the European Union, 16 July 2020). 

Books and Book Chapters 

Bhatia, Gautam. 2017. The Transformative Constitution: A Radical Biography in Nine Acts.  New Delhi: HarperCollins India. 

Cate, Fred H., and Viktor Mayer-Schönberger, eds. 2013. Notice and Consent in a World of Big  Data. Oxford: Oxford University Press. 

Datta, Monalisa. 2023. “India’s Data Protection Journey: From Puttaswamy to the DPDP Act.”  In Data Governance in the Asia-Pacific, edited by Graham Greenleaf and Bertrand de la  Chapelle. Singapore: Springer. 

Greenleaf, Graham. 2021. Asian Data Privacy Laws: Trade and Human Rights Perspectives. 2nd  ed. Oxford: Oxford University Press. 

Journal Articles 

Arora, Payal. 2019. “Decolonizing Privacy Studies.” Television & New Media 20 (4): 366–378.  https://doi.org/10.1177/1527476418806092 

Gurumurthy, Anita, and Nandini Chami. 2019. “Towards a Political Economy of Digital Data: A  Perspective from the Global South.” Journal of Information Policy 9: 362–392.  https://doi.org/10.5325/jinfopoli.9.2019.0362 

Iyer, Mishi. 2023. “Children’s Data and the DPDP Act: Parental Consent, Behavioural  Advertising, and Enforcement Gaps.” 

Rathi, Vedant, and Rishab Bailey. 2024. “The Data Protection Board of India: Design,  Independence, and Adjudicatory Legitimacy.”  

Reports and Policy Documents

Internet Freedom Foundation (IFF). 2023. Analysis of the Digital Personal Data Protection Act,  2023. New Delhi: Internet Freedom Foundation. https://internetfreedom.in/analysis-dpdp act-2023 

National Association of Software and Service Companies (NASSCOM). 2024. DPDP Act  2023: 

Organization for Economic Co-operation and Development (OECD). 2022. Personal Data  Protection Committee (PDPC), Singapore. 2021

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top