
Technology Law: Data Protection in India After the Digital Personal Data Protection Act 2023 – A Critical Analysis

Authored By: Priya Patel

S.S. Khanna Girls' Degree College (University of Allahabad), Prayagraj

Abstract  

In an era driven by digital infrastructure and pervasive data flows, the imperative for robust data protection legislation has emerged as a constitutional necessity. The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a landmark legislative intervention by the Indian Parliament, aiming to establish a structured regime for the protection of personal data and to empower data principals with enforceable rights. This article critically examines the historical evolution of data protection jurisprudence in India, scrutinizes the provisions of the DPDP Act in light of comparative global standards, and evaluates its compliance with the constitutional mandate laid down in Justice K.S. Puttaswamy v. Union of India. Drawing from recent legal, technological, and regulatory developments, the analysis identifies structural lacunae and proposes a rights-centric approach to legislative reform.

Introduction 

The exponential growth of digital technologies has fundamentally reshaped the nature of personal data as an economic, social, and political asset. In India, where over 800 million citizens are digitally connected,1 the demand for a legal framework that protects personal data from misuse, unauthorized processing, and arbitrary surveillance has grown with urgency. The enactment of the Digital Personal Data Protection Act, 2023 (hereinafter, "DPDP Act" or "the Act") signals the Indian state's commitment to codifying personal data rights, setting obligations for data fiduciaries, and harmonizing technological growth with individual privacy.

The constitutional basis for data protection was firmly established in Justice K.S. Puttaswamy v. Union of India,2 where a nine-judge bench of the Supreme Court unanimously recognized the right to privacy as a fundamental right under Article 21 of the Constitution. The judgment set the stage for legislative action and emphasized the need for data protection laws that satisfy the principles of legality, necessity, and proportionality. Following the landmark judgment, the Government of India constituted the Justice B.N. Srikrishna Committee, which submitted a comprehensive report and drafted the Personal Data Protection Bill, 2018. However, years of deliberation, revision, and the eventual withdrawal of the 2019 Bill culminated in the present 2023 legislation.

The DPDP Act attempts to provide a "future-ready" and "principles-based" framework governing digital personal data,3 including the rights of individuals (data principals), the responsibilities of organizations (data fiduciaries), and the regulatory functions of the proposed Data Protection Board of India. However, the Act has faced considerable criticism for its broad exemptions for government agencies, its lack of institutional independence, and an approach to consent and cross-border data flows that arguably undermines privacy protections.

Historical Evolution of Data Protection in India  

The journey of data protection law in India has been gradual and reactive, shaped by judicial pronouncements, committee recommendations, and legislative drafts. The evolution of this legal framework must be examined through three primary phases: pre-constitutional recognition, the post-Puttaswamy judicial impetus, and the legislative trajectory culminating in the 2023 enactment.

Early Legislative Framework under the Information Technology Act, 2000

Before privacy was recognised as a fundamental right, India's regulatory framework for personal data was embedded within the Information Technology Act, 2000 (hereinafter "IT Act"). Section 43A of the IT Act, inserted through the Information Technology (Amendment) Act, 2008, marked the first legislative recognition of informational privacy. It imposed liability on body corporates that failed to implement "reasonable security practices and procedures" while handling "sensitive personal data or information" and thereby caused wrongful loss or wrongful gain.4

In 2011, the Government notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which defined categories of sensitive personal data or information (such as passwords, financial data, health records, sexual orientation, and biometric information) and outlined consent requirements. However, the rules:

• Applied only to body corporates, excluding government agencies;
• Lacked enforcement mechanisms or penalties comparable to global standards such as the GDPR.

Constitutional Recognition: The Puttaswamy Judgment (2017)

A watershed moment in Indian privacy law occurred in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, wherein a nine-judge bench of the Supreme Court unanimously declared the right to privacy a fundamental right under Article 21 of the Constitution. The Court emphasised that informational privacy, including control over one's personal data, is intrinsic to individual autonomy and dignity.5

This judgment laid down the "three-pronged test" for any state action infringing privacy:

• Legality: There must be a law in existence authorising the action.
• Necessity: The action must be necessary for a legitimate state interest.
• Proportionality: The encroachment must be proportionate to the objective sought.

The Court also explicitly called for the enactment of a comprehensive data protection law, triggering significant policy-level engagement within the executive.

Justice B.N. Srikrishna Committee and the 2018 Draft Bill  

In response to the Supreme Court's mandate, the Government of India constituted an expert committee under Justice B.N. Srikrishna in 2017 to formulate a comprehensive data protection framework. In July 2018, the Committee submitted its report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians", along with a draft Personal Data Protection Bill, 2018.6

The draft bill sought to:

• Create a Data Protection Authority as an independent regulator;
• Enforce obligations on data fiduciaries;
• Recognise data principals' rights such as access, correction, portability, and erasure;
• Restrict cross-border data transfer through localisation requirements.

The 2018 draft reflected a rights-centric, accountability-driven framework, comparable to the EU's General Data Protection Regulation (GDPR). However, it was later reintroduced as the Personal Data Protection Bill, 2019, with substantial changes that drew criticism for diluting regulatory independence and expanding government exemptions.

Withdrawal of the 2019 Bill and Enactment of DPDP Act, 2023

After several years of deliberation, consultations, and revisions, the 2019 Bill was withdrawn by the Government in August 2022, with the stated intention of introducing "a comprehensive legal framework".7 This led to the release of the draft Digital Personal Data Protection Bill, 2022 for public consultation in November 2022. A revised text was introduced in Parliament as the Digital Personal Data Protection Bill, 2023, passed by both Houses, and received Presidential assent in August 2023 as the DPDP Act, 2023.

Notably, the 2023 Act:

• Abandons the categorisation of sensitive personal data;
• Reduces the Data Protection Board to a body with limited autonomy;
• Permits broad government exemptions under Section 17; and
• Enables cross-border data flows without stringent adequacy standards.

Overview of the Digital Personal Data Protection Act, 2023  

The Digital Personal Data Protection Act, 2023 (hereinafter "DPDP Act" or "the Act") represents India's first comprehensive legislation focused solely on regulating personal data in the digital realm. It provides a statutory framework for the processing of digital personal data, recognizing the rights of individuals (data principals), the duties of entities (data fiduciaries), and mechanisms for enforcement and adjudication. While the Act claims to be a "principles-based" and "technology-agnostic" legislation,8 its structure reflects a marked shift from earlier drafts that focused on data localisation, data classification, and independent regulation.

Scope and Applicability

The DPDP Act applies to:

• The processing of digital personal data within the territory of India, whether the data was collected in digital form or collected in non-digital form and subsequently digitised;
• The processing of digital personal data outside India, if such processing is in connection with offering goods or services to data principals within India (extraterritorial effect).9

However, it does not apply to:

• Personal data held in non-digital (offline) form unless and until it is digitised;
• Personal data processed by an individual for personal or domestic purposes;
• Personal data made publicly available by the data principal, or by another person under a legal obligation to do so.

Anonymised data falls outside the Act altogether, since the Act regulates only data about an identifiable individual.

Rights of Data Principals

The Act outlines a limited set of rights available to data principals, including:

• The right to access information about the personal data being processed and the fiduciaries it has been shared with;
• The right to correction, completion, updating, and erasure;
• The right to grievance redressal;
• The right to nominate another individual to exercise these rights in the event of death or incapacity.10

However, the absence of rights such as data portability and the right to be forgotten, both of which were present in earlier drafts, dilutes individual autonomy and weakens the privacy architecture.11

Obligations of Data Fiduciaries 

Data fiduciaries are the persons who, alone or with others, determine the purpose and means of processing personal data. They are required to:

• Obtain consent that is free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action;
• Provide notice before or at the time of seeking consent, describing the personal data and the purpose of processing;
• Implement reasonable security safeguards, both technical and organisational, to prevent personal data breaches;
• Inform the Board and each affected data principal of any personal data breach.12

For Significant Data Fiduciaries, to be notified by the Central Government, additional obligations apply, such as:

• Appointing a Data Protection Officer based in India;
• Appointing an independent data auditor;
• Conducting periodic Data Protection Impact Assessments (DPIAs) and audits.

Although Section 10 lists factors the Central Government must consider (such as the volume and sensitivity of data processed and the risk to data principals), the absence of any fixed threshold for classifying significant fiduciaries leaves the designation to executive discretion and may lead to regulatory uncertainty.13

The Data Protection Board of India

The Act establishes the Data Protection Board of India as the enforcement authority. However, it is not a constitutionally or statutorily independent regulator. Its:

• Composition,
• Appointment,
• Terms of service, and
• Powers

are all determined by the Central Government, raising concerns about executive dominance over what ought to be a quasi-judicial authority.14

The Board is primarily tasked with:

• Inquiring into complaints and personal data breaches;
• Imposing penalties (up to ₹250 crore);
• Directing corrective measures;
• Facilitating grievance redressal mechanisms.

However, its limited jurisdiction and lack of suo motu powers constrain its ability to proactively ensure data protection compliance.

Government Exemptions (Section 17)

The most controversial clause in the DPDP Act is Section 17, which permits the Central Government to exempt any instrumentality of the State from the Act's application in the interest of:

• The sovereignty and integrity of India;
• The security of the State;
• Friendly relations with foreign States;
• The maintenance of public order; and
• Preventing incitement to any cognizable offence relating to the above.

Penalties and Adjudication

The DPDP Act introduces a penalty-based compliance model:

• The Board may impose monetary penalties of up to ₹250 crore per instance of breach;
• No criminal liability is provided under the Act.

However, the Act does not provide for compensation to affected individuals, unlike the GDPR or the earlier Indian drafts. This significantly undermines the remedial rights of data principals and weakens the deterrence mechanism.

Critical Analysis of the DPDP Act: Gaps, Challenges, and Comparative  Perspectives  

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a landmark legislation that fills a significant legislative vacuum. However, a closer critical lens reveals that while it establishes a basic data protection framework, it falls short of creating a robust, rights-based ecosystem akin to global benchmarks such as the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR) of the European Union.

I. Lack of Data Categorisation: One-Size-Fits-All Problem

One of the Act's most serious limitations is the absence of differentiation between types of personal data. Earlier drafts and the GDPR distinguish between:

• Personal data;
• Sensitive personal data (health, biometrics, financial data);
• Critical personal data.

The DPDP Act, on the other hand, treats all personal data uniformly. This:

• Ignores the heightened risk associated with sensitive data;
• Overlooks sector-specific vulnerabilities (e.g., health-tech or finance);
• Dilutes fiduciary accountability where sensitive interests are at stake.15

II. Weak Consent Architecture and Overreliance on "Legitimate Uses"

Although the Act mandates free, specific, and informed consent, it simultaneously relies heavily on the "certain legitimate uses" ground under Section 7, which the 2022 draft had labelled "deemed consent". This ground allows personal data to be processed without consent, and without the notice that Section 5 otherwise requires, in cases such as:

• Data voluntarily provided by the data principal for a specified purpose;
• The provision of subsidies, benefits, services, certificates, licences, or permits by the State;
• Compliance with a law or a court order;
• Medical emergencies, epidemics, and disasters;
• Employment-related purposes.

Because none of these grounds is subject to the consent or notice requirements, they hollow out the consent-based control that the Act otherwise presents as its foundation.

III. Excessive Executive Powers under Section 17  

Section 17 of the DPDP Act empowers the Central Government to exempt any instrumentality of the State from the Act in the interest of:

• The sovereignty and integrity of India;
• The security of the State;
• Public order, etc.

These sweeping exemptions are:

• Unreviewable, with no parliamentary or judicial checks;
• Inconsistent with the "necessity and proportionality" test established in Justice K.S. Puttaswamy (2017);
• Vulnerable to abuse for surveillance purposes, especially in the absence of a separate surveillance reform law.16

Even the Srikrishna Committee had warned that state surveillance must not be unrestrained and requires statutory safeguards and judicial oversight.17

IV. No Right to Compensation or Data Portability

The DPDP Act does not provide for compensation to affected individuals in the event of a data breach, unlike:

• The GDPR (Art. 82);
• The UK's Data Protection Act;
• Indian tort law principles of strict liability.

This omission removes an essential pillar of deterrence and fails to:

• Recognise data as a property-based or dignity-based interest;
• Incentivise fiduciaries to adopt higher security standards.

V. Ambiguity and Lack of Transparency in Cross-Border Transfers

Under Section 16, the Act allows cross-border data transfers by default and leaves it to executive discretion to restrict transfers to countries or territories notified by the Central Government.

This model:

• Lacks transparency regarding adequacy decisions or risk assessments;
• Disregards the significance of mutual protections and legally binding corporate rules;
• Risks exposing Indian citizens' data to hostile jurisdictions or lax privacy regimes.18

Contrast this with the GDPR, which:

• Permits free data flows only to countries found to ensure an "adequate level of protection" (Art. 45);
• Otherwise requires appropriate safeguards such as standard contractual clauses (Art. 46) or binding corporate rules (Art. 47).

Judicial and Policy Developments Post-Enactment

Since the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), multiple legal and policy-level developments have taken place, signalling an evolving discourse around privacy, state surveillance, and digital governance in India.

I. Absence of Judicial Interpretation but Growing Constitutional Scrutiny

As of the middle of 2025, the Supreme Court has not yet heard a constitutional challenge to the DPDP Act. However, concerns over executive overreach, particularly under Section 17, have already prompted public interest litigations (PILs) and pre-legislative critiques from civil society groups.

Legal experts argue that: 

• Section 17 may be vulnerable to challenge for violating the proportionality test laid down in Justice K.S. Puttaswamy v. Union of India (2017), which upheld the right to privacy as a fundamental right under Article 21.19

• The lack of independent oversight in the formation and functioning of the Data Protection Board has also been flagged as violating the doctrine of separation of powers under the Indian constitutional framework.20

II. Post-Enactment Executive Action and Rulemaking Process

The DPDP Act confers rulemaking powers on the Central Government under multiple sections. As of April 2025, draft rules have been released for stakeholder consultation, covering in particular:

  • Consent managers under Section 6, 
  • Technical standards for data processing, 
  • Composition and procedures of the Data Protection Board.21

The consultation process is ongoing, and no final rules have yet been notified.

III. Industry Readiness and Compliance Landscape

Large enterprises such as Reliance Jio, TCS, HDFC Bank, and Infosys have already begun setting up data protection compliance units, investing in:

• Consent management platforms;
• Data localisation infrastructure;
• Privacy-by-design compliance frameworks.

However, MSMEs and start-ups face compliance burdens due to: 

• Lack of clarity in the rules;
• High costs of implementation;
• Limited technical understanding of anonymisation and encryption standards.22

Industry associations such as NASSCOM and the Data Security Council of India (DSCI) have urged the government to:

• Publish a graded compliance schedule;
• Offer tax incentives for digital compliance infrastructure.

Way Forward and Recommendations  

The DPDP Act, though a foundational step, requires substantial reform to truly operationalise the principles of privacy, autonomy, and accountability in the digital economy. Based on comparative international models and constitutional mandates, the following recommendations are proposed:

Reintroduce Data Categorisation and Granular Protection

To align with global best practices: 

• Reintroduce sensitive and critical personal data categories;
• Mandate enhanced safeguards, such as stronger encryption and limited retention, for such data.

This would strengthen the risk-based approach and ensure that vulnerable personal data receives proportionate protection.

Curtail Section 17: Introduce Parliamentary and Judicial Oversight

Section 17 must be amended to:

• Introduce a sunset clause and periodic review;
• Require parliamentary approval or a judicial warrant for exemption notifications;
• Incorporate the proportionality and necessity tests derived from Puttaswamy.

This would ensure that national security concerns do not become a veil for unchecked state surveillance.

Establish a Truly Independent Regulator  

The Data Protection Board must be restructured into a constitutional or statutory authority, along the lines of:

• The Election Commission; or
• The Central Information Commission (CIC).

Ensure Compensation and User Remedies

The Act should include provisions for:

• Monetary compensation in case of data breaches;
• Time-bound adjudication of user grievances;
• Class-action style mechanisms in case of mass violations.

Transparent Cross-Border Data Transfer Mechanism

Amendments should:

• Provide clear criteria for countries deemed "trusted data jurisdictions";
• Mandate reciprocity agreements;
• Promote the use of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Conclusion  

The Digital Personal Data Protection Act, 2023 is a welcome development that attempts to codify data rights in a rapidly digitising India. However, it reflects a minimalist framework, focusing more on enabling state and business data processing than on enforcing a rights-based, user-centric approach.

The absence of independent regulation, the presence of vague executive powers, and the limited user remedies make the DPDP Act more of a compliance instrument than a true privacy charter. When benchmarked against international models like the GDPR, India's framework lacks structural integrity and substantive protections.

As India positions itself as a global digital power, data protection must not be seen as a procedural formality but as an essential component of constitutional democracy, in which the individual retains dignity, autonomy, and control over personal information.

References:

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
  2. The Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023 (India).
  3. European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  4. California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
  5. Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018), available at https://meity.gov.in.
  6. Ministry of Electronics and Information Technology (MeitY), Draft Rules under the DPDP Act, 2023, Notification No. 2024/DPDP/R01 (Mar. 2025).
  7. Vidhi Centre for Legal Policy, Understanding the DPDP Act: Clause-by-Clause Analysis (2023), available at https://vidhilegalpolicy.in.
  8. Internet Freedom Foundation, IFF’s Comments on the DPDP Draft Rules (Apr. 2025), available at https://internetfreedom.in.
  9. Amber Sinha, India’s Data Flows: Security–Privacy Tradeoff, Carnegie India (2023), available at https://carnegieindia.org.
  10. Gopal Sankaranarayanan, Executive Bias in Data Boards: A Constitutional Critique, 8 NLU J.L. & Tech. (2024).
  11. Apar Gupta, Interview, Internet Freedom Foundation (Mar. 2025).
  12. NASSCOM & Data Security Council of India (DSCI), Joint Industry Submission on the DPDP Act Rules, (Mar. 2025).
  13. DSCI, SME Readiness for India’s Data Law, (Jan. 2025), available at https://dsci.in.
  14. Justice B.N. Srikrishna, Interview with The Hindu (Aug. 2023), available at https://www.thehindu.com.
  15. Gopalakrishnan, S. et al., Clause-by-Clause Commentary on the DPDP Bill, Vidhi Centre for Legal Policy (2023).


1 Press Information Bureau, Government of India, "India's Digital Economy to Reach USD 1 Trillion by 2026", available at https://pib.gov.in/PressReleasePage.aspx?PRID=1809793

2 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1

3 Ministry of Electronics and Information Technology (MeitY), "Statement of Objects and Reasons", The Digital Personal Data Protection Bill, 2023, available at https://www.meity.gov.in/

4 Information Technology Act, 2000, § 43A, inserted by the Information Technology (Amendment) Act, 2008, No. 10, Acts of Parliament, 2009 (India)

5 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, ¶ 536

6 Justice B.N. Srikrishna Committee Report, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, MeitY (2018), available at https://www.meity.gov.in/

7 MeitY, Press Release on Withdrawal of Personal Data Protection Bill, 2019, Aug. 2022, available at https://pib.gov.in/

8 MeitY, "Statement of Objects and Reasons," The Digital Personal Data Protection Bill, 2023, available at https://www.meity.gov.in/

9 The Digital Personal Data Protection Act, 2023, § 3(a)–(b)

10 DPDP Act, §§ 11–14

11 Ibid.; see also Srikrishna Committee Report, supra note 6, at 72–74

12 DPDP Act, §§ 6–10

13 Arghya Sengupta, "The Compliance Model of India's New Data Law," The Hindu, Aug. 13, 2023

14 DPDP Act, § 19; see also Prashant Reddy T., "Lack of Independence in India's Data Protection Board," The Wire, Aug. 2023

15 DPDP Act, 2023, § 2(t); cf. GDPR, Art. 9

16 DPDP Act, § 17; Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, ¶ 638

17 Justice B.N. Srikrishna Committee Report, supra note 6, at 104

18 DPDP Act, § 16; Amber Sinha, "India's Data Flows: Security–Privacy Tradeoff," Carnegie India, 2023

19 Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, ¶ 638

20 Gopal Sankaranarayanan, "Executive Bias in Data Boards: A Constitutional Critique," NLU J.L. & Tech., Vol. 8 (2024)

21 Ministry of Electronics and Information Technology (MeitY), "Draft Rules under the DPDP Act, 2023," Notification No. 2024/DPDP/R01

22 DSCI Report, "SME Readiness for India's Data Law," Jan. 2025
