
The Digital Personal Data Protection Act, 2023: Balancing Privacy, Innovation, and State Power in India

By Law Jurist, 22 June 2026

Author: Pawan Dubey, 2nd-year LL.B. student at Guru Nanak Dev University, Amritsar

Introduction 

India’s digital economy has grown exponentially over the last decade. With over 850 million internet users, the country generates massive amounts of personal data daily. Until 2023, India lacked a dedicated, omnibus data protection law. The IT Act, 2000 and the SPDI Rules, 2011 provided fragmented protection, often criticized as outdated and inadequate. 

The Digital Personal Data Protection Act, 2023 [DPDPA] marks India’s first comprehensive attempt to regulate the processing of personal data. Enacted after years of deliberation, multiple drafts, and the Supreme Court’s landmark Puttaswamy v. Union of India ruling recognizing privacy as a fundamental right, the Act seeks to strike a balance between individual privacy, business innovation, and state interests. 

This article analyzes the key features of the DPDPA, its challenges in implementation, and its implications for individuals, businesses, and the state. It argues that while the Act is a necessary step forward, its success depends on robust rulemaking, independent enforcement, and a rights-based approach to data governance. 

1. Key Features of the DPDPA, 2023

1.1 Applicability and Scope 

The Act applies to the processing of digital personal data within India, and to data processed outside India if it involves offering goods or services to individuals in India. It covers both automated and non-automated data that has been digitized. This extraterritorial scope aligns with the GDPR model and addresses the reality of cross-border data flows. 

1.2 Lawful Basis for Processing 

Section 4 mandates that personal data can only be processed for a lawful purpose for which the data principal has given consent, or for “legitimate uses” specified in the Act. Consent must be free, specific, informed, unambiguous, and revocable. The Act introduces the concept of “deemed consent” for situations like employment, public interest, and compliance with law, which has been both praised for reducing friction and criticized for diluting consent. 

1.3 Rights of Data Principals 

The Act codifies several rights for individuals: 

– Right to access information about personal data processed 

– Right to correction and erasure 

– Right to grievance redressal 

– Right to nominate another person to exercise rights in case of death or incapacity


These rights are narrower than under the GDPR, as the Act does not include a right to data portability or a comprehensive right to be forgotten. 

1.4 Obligations of Data Fiduciaries 

Data fiduciaries must ensure data accuracy, implement security safeguards, delete data when its purpose is fulfilled, and prevent data breaches. Significant Data Fiduciaries face additional obligations, including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic audits. 

1.5 Data Protection Board of India 

The Act establishes the Data Protection Board to adjudicate breaches and impose penalties up to ₹250 crore. The Board is a digital-first, adjudicatory body, but concerns exist about its independence, as the Central Government controls appointments and terms of service. 

1.6 Cross-Border Data Transfers 

Section 16 allows the Central Government to restrict data transfers to certain countries through a notification mechanism. This replaces the “adequacy” model of the GDPR with a more discretionary, executive-led approach. 

1.7 Exemptions for the State 

Section 17 provides broad exemptions for state agencies in the interests of sovereignty, security, public order, and prevention of offenses. This provision has drawn criticism for potentially creating a wide carve-out that could undermine privacy protections. 

2. Strengths of the Act 

2.1 Simplicity and Business-Friendliness 

Compared to the 2019 draft bill, the 2023 Act is shorter and less prescriptive. This reduces compliance burden for startups and MSMEs. The principle-based approach allows flexibility for innovation. 

2.2 Recognition of Privacy as a Right 

By giving statutory force to the Puttaswamy ruling, the Act acknowledges that individuals have control over their personal data. The consent framework, though imperfect, is a step toward informed data processing. 

2.3 Focus on Accountability 

Obligations like breach notification, data minimization, and purpose limitation create accountability for data fiduciaries. Penalties for non-compliance are significant, signaling regulatory seriousness. 

3. Key Challenges and Criticisms

3.1 Weak Independent Oversight 

The Data Protection Board’s lack of structural independence is a major concern. When the state is both a data fiduciary and the appointing authority for the adjudicator, conflicts of interest are inevitable. This undermines trust in the enforcement mechanism. 

3.2 Overbroad State Exemptions 

Section 17’s exemptions are broadly worded and not subject to proportionality or necessity tests on the face of the statute. Without judicial oversight, there is a risk of surveillance and data collection beyond what is permissible under Article 21. 

3.3 Dilution of Consent 

The “deemed consent” provisions and the absence of a clear right to opt out of certain processing activities reduce the practical value of consent. In practice, individuals may have little choice but to accept terms to access essential services. 

3.4 Limited Individual Rights 

The absence of data portability, algorithmic transparency, and a robust right to be forgotten limits the Act’s alignment with global best practices. It focuses more on data protection as a compliance exercise than as an empowerment tool. 

3.5 Regulatory Uncertainty 

The Act leaves significant detail to subordinate rules. As of October 2025, the rules are not fully notified, creating uncertainty for businesses on compliance requirements, SDF classification, and breach notification timelines. 

4. Comparative Perspective: GDPR and DPDPA 

The GDPR remains the gold standard for data protection globally. Key differences include:

– Consent: GDPR requires explicit, granular consent with an easy withdrawal mechanism. DPDPA allows deemed consent in broader circumstances.

– Rights: GDPR includes data portability and automated decision-making rights. DPDPA does not. 

– Enforcement: GDPR’s supervisory authorities are independent. The DPDPA Board’s independence is questionable. 

– Penalties: Both have high penalties, but GDPR penalties are a percentage of global turnover, making them more impactful for large MNCs. 

India’s approach is closer to a “business-first” model, aiming to avoid stifling its digital economy while providing a baseline of protection. Whether this model works will depend on how the rules and enforcement evolve. 

5. Implications for Stakeholders

5.1 For Individuals

Individuals gain statutory rights and a grievance mechanism, but must remain vigilant. The effectiveness of rights depends on awareness and the ease of accessing the Board. Public education and civil society engagement will be crucial. 

5.2 For Businesses

Companies must audit their data flows, update privacy policies, and implement security measures. SDFs face higher compliance costs. However, a clear legal framework reduces regulatory risk and builds consumer trust, which is a competitive advantage. 

5.3 For the State

The government gains a legal basis for data processing and cross-border transfers. However, it must ensure that exemptions are used sparingly and subject to judicial review to avoid violating the Puttaswamy proportionality test.

6. The Road Ahead

6.1 Robust Rulemaking

The success of the DPDPA hinges on the rules. Key areas needing clarity include:

– Definition and criteria for SDFs

– Timelines and procedures for breach notification 

– Standards for consent management platforms 

– Mechanisms for cross-border data transfer assessments 

6.2 Judicial Oversight

Courts will likely play a key role in interpreting the scope of Section 17 and the independence of the Board. Early litigation will shape the jurisprudence around the Act. 

6.3 Institutional Capacity Building

The Data Protection Board needs technical expertise, financial autonomy, and operational independence. Without this, it risks becoming ineffective or perceived as a rubber-stamp body. 

6.4 Global Interoperability 

For India to participate in global data flows, its framework must be seen as trustworthy. Aligning with OECD privacy principles and pursuing adequacy-like arrangements with key partners will be important. 

The Act’s minimalist structure offers flexibility but creates risks of under-protection and executive overreach. The coming years will determine whether India builds a rights-based data governance ecosystem or a compliance-heavy, state-centric regime.

7. Judicial Interpretation of Privacy Post-Puttaswamy: Setting the Stage for the DPDPA

The Supreme Court’s 9-judge bench decision in Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 fundamentally altered India’s constitutional landscape. The Court unanimously held that the right to privacy is intrinsic to life and personal liberty under Article 21. Crucially, the majority laid down the proportionality test for any state infringement of privacy: 

  1. The action must be sanctioned by law, 
  2. It must have a legitimate aim, 
  3. There must be a rational nexus between the means and the aim, and 
  4. The means must be necessary and the least restrictive. 

The DPDPA is the legislature’s first attempt to create a statutory framework that satisfies this test. Section 3’s statement of purpose, protecting the rights of individuals while recognizing the need to process data for lawful purposes, mirrors the balancing approach in Puttaswamy.

However, the judiciary’s role doesn’t end with enactment. Sections 17 and 42 of the Act are likely to face constitutional scrutiny. In Puttaswamy (Aadhaar) (2018) 1 SCC 809, the Court struck down provisions that lacked procedural safeguards. The broad exemptions in Section 17, without a requirement for judicial authorization or independent oversight, may face similar challenges. Future jurisprudence will determine whether the DPDPA meets the “necessity” and “proportionality” standards laid down in 2017.

8. Section-Wise Commentary on Core Provisions 

8.1 Chapter III: Obligations of Data Fiduciaries [Sections 8-10] 

Section 8 codifies the principle of purpose limitation and data minimization. A fiduciary cannot process more data than necessary for the stated purpose. This is a direct import from GDPR Article 5 but lacks the detailed guidance present in EU WP29 opinions. 

Section 9 requires reasonable security safeguards. The Act does not specify standards, leaving it to the rules. This is both a strength and a weakness: it allows the law to remain technology-neutral, but creates uncertainty until the DPDP Rules are notified. 

Section 10 imposes additional obligations on Significant Data Fiduciaries. The criteria for SDF designation—volume and sensitivity of data, risk to rights—are left to the Central Government. This gives flexibility but risks arbitrary classification. A transparent, criteria-based approach would reduce regulatory uncertainty.

8.2 Chapter IV: Rights and Duties of Data Principals [Sections 11-14] 

The Act grants a right to access, correction, erasure, and grievance redressal. Notably, it imposes a duty on data principals not to impersonate others, suppress information, or file false complaints. This “two-way accountability” is unique and addresses concerns about misuse of data subject rights.

The absence of a right to data portability is a gap. Data portability drives competition and innovation by allowing users to switch services without losing their data. India may need to address this through sectoral regulations or future amendments. 

8.3 Chapter V: The Data Protection Board of India [Sections 18-30] 

The Board is designed as a digital office with online adjudication. This is efficient but raises due process concerns. Section 21 allows the Board to accept voluntary undertakings instead of imposing penalties, which can encourage compliance. 

However, Section 42 allows the Central Government to direct the Board in matters of policy. Combined with the government’s control over appointments under Section 20, this structure undermines the Board’s independence. For the Board to command trust, the rules must insulate it from executive interference and mandate multi-stakeholder participation in its functioning. 

9. Comparative Analysis: DPDPA vs. GDPR vs. CCPA vs. PDPA Singapore

| Aspect | GDPR (EU) | DPDPA (India) | CCPA/CPRA (California) | PDPA (Singapore) |
|---|---|---|---|---|
| Legal Basis | Consent, contract, legal obligation, legitimate interest | Consent, deemed consent, legitimate uses | Notice and opt-out for sale/sharing | Consent, deemed consent, legitimate interest |
| Data Subject Rights | Access, erasure, portability, object, rectification | Access, correction, erasure, grievance | Access, deletion, opt-out, correction | Access, correction, withdrawal of consent |
| Independent Authority | Independent Supervisory Authorities | Data Protection Board, govt-controlled | California Privacy Protection Agency | Personal Data Protection Commission, independent |
| Penalties | Up to 4% of global turnover | Up to ₹250 crore | Up to $7,500 per violation | Up to SGD 1 million |
| Cross-Border Transfers | Adequacy + SCCs + BCRs | Govt notification of restricted countries | No restrictions, but contractual obligations | Binding corporate rules, adequacy |

The table shows that the DPDPA is lighter on obligations and individual rights compared to the GDPR, but more structured than the CCPA’s notice-and-opt-out model. Singapore’s PDPA is the closest analogue, but with a stronger independent regulator. India’s model prioritizes ease of doing business, but may need to strengthen independent oversight to gain international trust.

10. Practical Compliance Checklist for Startups and MSMEs 

For small and medium enterprises, full GDPR-style compliance is often unfeasible. The DPDPA’s simplicity helps, but proactive steps are still needed: 

  1. Data Mapping: Identify what personal data you collect, why, and where it is stored.
  2. Consent Mechanism: Implement a clear, granular consent banner and maintain logs. For “deemed consent,” ensure your purpose falls within Section 7.
  3. Privacy Policy Update: Rewrite policies in plain language, stating purpose, retention period, and grievance officer details.
  4. Security Measures: Implement encryption, access controls, and regular vulnerability testing. Document these measures.
  5. Breach Response Plan: Prepare a 72-hour breach notification protocol, even though the exact timeline is yet to be notified in rules.
  6. Vendor Contracts: Update DPAs with processors to include confidentiality, security, and deletion obligations.
  7. Training: Train employees on data handling and breach reporting. Human error remains the leading cause of breaches.

For SDFs, add Data Protection Impact Assessments and annual audits to this list. Startups should track notifications from MeitY to know if they are designated as SDFs. 

11. The Role of Consent Managers and Emerging Ecosystems 

Section 2(j) introduces “Consent Managers”, entities registered with the Board to manage consent on behalf of data principals. This is a novel feature aimed at reducing consent fatigue and creating a user-centric data economy.

If implemented well, Consent Managers can function like India’s Account Aggregator framework in finance, giving users control over who accesses their data and for how long. The success of this model depends on interoperability standards, user awareness, and low friction in onboarding. The rules must clarify liability, data retention, and audit requirements for Consent Managers to prevent them from becoming data aggregators in disguise. 

12. Critical Gaps and Recommendations 

Despite its progressiveness, the DPDPA has gaps that need addressing through rules, amendments, or judicial interpretation: 

  1. Algorithmic Transparency: The Act is silent on automated decision-making and profiling. With AI adoption rising, individuals should have the right to know when decisions affecting them are made by algorithms and to seek human review. 
  2. Child Data Protection: Section 9 provides for verifiable parental consent for children, but lacks a “best interests of the child” standard seen in the UK Age Appropriate Design Code. Detailed rules are needed. 
  3. Judicial Review of Exemptions: Section 17 exemptions should be subject to a mandatory proportionality review by the Board or a court, not just executive discretion.
  4. Independent Board: Amend Section 42 to remove the government’s power to issue policy directions to the Board. Appointments should involve a collegium including judiciary and civil society.
  5. Right to Explanation: Include a right to explanation for automated decisions, especially in credit, employment, and healthcare.

13. Conclusion: 

The Digital Personal Data Protection Act, 2023 is a milestone in India’s legal journey. It provides a much-needed framework for data protection in the digital age. However, it reflects a compromise between privacy, innovation, and state power. 

The Act’s minimalist structure offers flexibility but creates risks of under-protection and executive overreach. The coming years will determine whether India builds a rights-based data governance ecosystem or a compliance-heavy, state-centric regime.

From Law on Paper to Rights in Practice 

The DPDPA, 2023 is not the end of India’s data protection journey; it is the beginning. Its minimalist structure avoids over-regulation but places enormous weight on subordinate rulemaking and judicial oversight to fill the gaps.

For the law to be effective, three things must happen: 

First, the rules must be notified quickly and after meaningful public consultation. Vague rules will create compliance chaos. 

Second, the Data Protection Board must be built as a technically competent, procedurally fair, and institutionally independent body. Without trust, enforcement will fail. 

Third, civil society, academia, and the bar must engage with the law through litigation, commentary, and public education. Rights are only as strong as the people who claim them. 

India has an opportunity to create a data governance model suited to its digital economy, one that protects privacy without stifling innovation. Whether it succeeds depends on how the next 18 months of implementation unfold.

For law students and young lawyers, this is a moment to shape the law. Engage with the rules, write on the gaps, and use the grievance and adjudication mechanisms once they are live. The DPDPA is a live statute. Your articles, arguments, and advocacy will define its future.
