
Shaping India’s Digital Privacy Future: The DPDP Act, 2023

Oct 8


By Anmol Rajak


Abstract

The Digital Personal Data Protection Act, 2023 establishes a statutory framework for the processing of digital personal data in India and, under certain circumstances, outside India. It imposes obligations on Data Fiduciaries, including ensuring transparency, obtaining valid consent for data processing from the data principal (whose data is being processed), building reasonable security safeguards to prevent a data breach, and giving certain rights to a Data Principal such as erasure, correction, and access to information about data processing.

The Act includes provisions for the establishment of the Data Protection Board of India to monitor compliance, resolve disputes, impose penalties, and ensure enforcement—it will act as an adjudicating authority. The Act provides certain exemptions, such as processing of data by individuals for personal or domestic purposes and specific legitimate uses without consent (for example, in emergencies or legal compliance). At the same time, the Act prescribes penalties for non-compliance.

The Act also raises critical concerns, including expansive state exemptions, exclusion of key data rights such as portability, unrestricted cross-border transfers, inadequate safeguards against risks like fraud and profiling, and a weakening of the Right to Information through amendments to the RTI Act. To address these gaps, strengthening measures such as promoting regulatory agility, establishing a dedicated task force for AI and emerging risks, and aligning with global data protection standards are essential.

Introduction

Imagine waking up in a world where technology has suddenly disappeared. Technology defines the 21st century and plays a huge role in our modern lives. It has transformed the way we communicate through emails, video calls, and social media, keeping us connected across the world. In education, online classes, YouTube, and Google have made learning easier and more accessible. In workplaces, technology increases productivity through laptops and cloud storage, enabling people to work from anywhere. Everyday travel and navigation have become more convenient with Google Maps and GPS.

In today’s digital era, data has become one of the most valuable assets for progress in innovation, trade, and governance. Every digital interaction—through social media, online shopping, digital payment, or educational platforms—creates personal information. This data, when collected, processed, and analyzed, provides value to businesses and governments. However, if left unprotected, it can lead to serious threats to individual privacy, security, and even national integrity.

To address these challenges, in the landmark case of Justice K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1, the Supreme Court declared the Right to Privacy as a fundamental right under Article 21 of the Indian Constitution. This strengthened the need for data protection laws.

Building on this, the Justice B.N. Srikrishna Committee drafted the initial framework that led to India’s Digital Personal Data Protection Act, 2023, submitting its Personal Data Protection Bill in 2018 to the government. This committee, formed by the Ministry of Electronics and Information Technology (MeitY), was tasked with studying data protection issues and recommending a comprehensive framework. The Act also closely resembles the Digital Personal Data Protection Bill, 2022, which was released for public consultation in November 2022.

Although the DPDP Act, 2023 received presidential assent and was published in the Official Gazette on 11 August 2023, it is not yet operational as no official commencement date has been notified. To implement the Act’s provisions, MeitY released the Draft Digital Personal Data Protection Rules, 2025 on 03 January 2025, inviting public comments until 18 February 2025. Minister Ashwini Vaishnaw announced that the final administrative rules under the DPDP Act would be issued by 28 September 2025. (Source: The Economic Times, Sep 19, 2025, 06:01:00 AM IST.)


Features of the Act

1. Applicability

  • The Act applies to the processing of digital personal data within India where such data is:

    • Collected online;

    • Collected offline and digitized later.

  • It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

  • It does not apply to personal data used for personal purposes or data made public by the data principal or under a legal obligation.


2. Consent

  • Personal data may be processed only for lawful purposes after obtaining the consent of the individual.

  • A notice must be given before seeking consent, containing details about the personal data to be collected and the purpose of processing.

  • Consent may be withdrawn at any point in time.

  • Consent will not be required for “legitimate uses” such as government services and medical emergencies.

  • Section 9 of the DPDP Act, 2023 requires that, for individuals below 18 years of age, consent for processing the child’s data be provided by the parents or legal guardian. It prohibits harmful processing as well as advertising directed at minors. (The Digital Personal Data Protection Act, 2023 §9.)


3. Rights and Duties of Data Principal (Individual)

An individual whose data is being processed is called a Data Principal. They have the right to access information, request correction and erasure of personal data, seek grievance redressal, and nominate a representative in case of death or incapacity.

Data Principals also have certain duties, such as not registering false or frivolous complaints, and not furnishing false particulars or impersonating others in specified cases. Violation of these duties is punishable with a penalty of up to ₹10,000.


4. Obligations of Data Fiduciaries

The entity determining the purpose and means of processing must:

  1. Make reasonable efforts to ensure the accuracy and completeness of data, and build reasonable security safeguards to prevent a data breach.

  2. Inform the Data Protection Board of India and affected persons in the event of a breach.


5. Transfer of Personal Data Outside India

The Act allows transfer of personal data outside India, except to countries restricted by the Central Government through notification.


6. Establishment of the Data Protection Board of India

Under Section 18 of the Act, the Central Government is to establish the Data Protection Board of India (DPBI). Members are appointed for two years and are eligible for reappointment.

Its functions include monitoring compliance, imposing penalties, directing data fiduciaries to take necessary measures in the event of data breaches, and hearing grievances made by affected persons. Appeals can be made to the Telecom Disputes Settlement and Appellate Tribunal.


7. Penalties

The Schedule to the Act specifies penalties for various offences such as:

  • ₹200 crore for non-fulfilment of obligations relating to children.

  • ₹250 crore for failure to take security measures to prevent data breaches.


8. Exemptions

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases, including:

  • For notified agencies, in the interest of security, sovereignty, or public order.

  • For research, archiving, or statistical purposes.

  • For start-ups or other notified categories of Data Fiduciaries.

  • To enforce legal rights and claims, or for prevention and investigation of offences.

  • To perform judicial or regulatory functions.

  • To process in India personal data of non-residents under foreign contracts.

IT Minister Ashwini Vaishnaw explained that exemptions to the Centre were needed:

“If there is a natural disaster like an earthquake, will the government have time to seek consent for processing data, or must it act quickly to ensure safety?” (Source: LatestLaws, Data Protection Bill Passed in Lok Sabha, 07 Aug 2023.)

Key Provisions of the Draft DPDP Rules, 2025

  • Data Transfer: The rules allow the transfer of certain personal data outside India, as approved by the government.

  • Data Erasure: Data retention is allowed for up to three years from the last interaction with the Data Principal or the effective date of the rules, whichever is later. Data fiduciaries must notify the Data Principal at least 48 hours before erasure.

  • Digital-First Approach: The rules prescribe a "digital by design" Data Protection Board of India (DPBI) for consent mechanisms and grievance redressal, ensuring faster online resolution of complaints.

  • Graded Responsibilities: Startups and MSMEs will have lower compliance burdens, while Significant Data Fiduciaries will have higher obligations.

  • Consent Managers: Digital platforms may collect consent through Consent Managers, who must be Indian companies with a minimum net worth of ₹2 crore. They are responsible for managing the collection, storage, and use of user consent in data privacy and digital interactions.


Key Concerns

  • Broad State Exemptions: The Act provides wide-ranging exemptions to the government, potentially undermining the fundamental right to privacy.

  • Missing Key Data Rights: Important safeguards such as the right to data portability are not included in the Act.

  • Unrestricted Cross-Border Transfers: The Act permits transfer of personal data to most countries, leaving restrictions solely to government discretion.

  • Inadequate Protection Against Harm: The law does not clearly address risks such as identity theft, financial fraud, or discriminatory profiling.

  • Impact on the Right to Information: Section 44(3) of the DPDP Act modifies Section 8(1)(j) of the RTI Act, eliminating the “larger public interest” test—allowing denial of information classified as personal data.


Measures to Strengthen the DPDP Act, 2023

  • Promote Regulatory Agility: Establish a flexible regulatory framework that evolves with emerging technologies and privacy risks.

  • Create a Dedicated Task Force: Form a specialized body to assess risks linked to AI and design responsive protection measures.

  • Incorporate Global Standards: Draw from international models like the EU–US data privacy framework to strengthen cross-border data security.


Conclusion

The DPDP Act, 2023 introduces India’s first comprehensive framework for data protection, aiming to balance individual privacy and lawful data processing. Building on this foundation, the 2025 Draft Rules strengthen compliance requirements, establish digital mechanisms for grievance redressal, and allow cross-border data transfers. Together, they align with global benchmarks such as the EU’s GDPR while tailoring provisions to India’s specific context.


Comments (3)

Astha
Oct 10

Congrats Anmol!!


Jigyasa
Oct 10

Nice article Anmol 👍


Congratulations on getting your article published! That’s such an amazing achievement — I’m really proud of you!
