Abstract
India’s Digital Personal Data Protection Act, 2023 (DPDPA) marks a pivotal step in establishing a comprehensive data protection framework, addressing the growing need for privacy in a rapidly digitizing economy. Enacted after extensive deliberations, the DPDPA introduces principles of consent, transparency, and accountability while aligning with global standards like the EU’s General Data Protection Regulation (GDPR). This paper evaluates the DPDPA’s provisions, strengths, and limitations, analyzing its impact on individuals, businesses, and governance. By comparing it with prior frameworks and international benchmarks, the study highlights the Act’s pragmatic approach, its reliance on government discretion, and areas requiring further clarity for effective implementation. The analysis underscores the DPDPA’s role in fostering trust in India’s digital ecosystem while identifying challenges in enforcement and compliance.
Keywords: Digital Personal Data Protection Act, DPDPA, Data Protection, Privacy Laws, India, Consent, Data Fiduciary, Data Principal, GDPR, Information Technology Act, Puttaswamy Judgment, Data Privacy, National Security, Extraterritorial Applicability, Data Protection Board.
1 Introduction
The rapid expansion of India’s digital economy, with over 800 million internet users and a burgeoning digital services market, has amplified the need for robust data protection laws. The Supreme Court’s 2017 ruling in Justice K.S. Puttaswamy v. Union of India recognized privacy as a fundamental right under Article 21 of the Constitution, catalyzing the development of a comprehensive data protection framework (1). The Digital Personal Data Protection Act, 2023 (DPDPA), enacted on August 11, 2023, represents India’s first cross-sectoral legislation dedicated to personal data protection (2). Replacing the limited provisions of the Information Technology Act, 2000 (IT Act) and its associated rules, the DPDPA aims to balance individual privacy rights with the legitimate needs of data processing (5).
This paper evaluates the DPDPA’s framework, focusing on its key provisions, strengths, and shortcomings. It examines the Act’s alignment with global standards, its implications for stakeholders, and the challenges of implementation, particularly given the significant discretionary powers granted to the central government. By analyzing the Act’s legislative evolution and stakeholder perspectives, the study provides insights into its potential to reshape India’s data privacy landscape.
2. Background: Evolution of Data Protection in India
Prior to the DPDPA, India’s data protection regime was governed by Section 43A of the IT Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). These frameworks were limited, focusing primarily on sensitive personal data and lacking comprehensive coverage (15). The Puttaswamy judgment in 2017 underscored the need for a robust legal framework, leading to the formation of the Srikrishna Committee, which proposed an initial draft in 2018 (5). After multiple iterations, including the Personal Data Protection Bill, 2019, and extensive stakeholder consultations, the DPDPA emerged as a streamlined yet pragmatic legislation (9).
2 Key Provisions of the DPDPA
The DPDPA establishes a framework for processing digital personal data, defined as any data relating to an identifiable individual in digital form or digitized after collection (4). Below are its core provisions:
2.1 Scope and Applicability
The DPDPA applies to digital personal data processed within India and extends extraterritorially to foreign entities offering goods or services to Indian residents (13). It excludes non-digital data, personal data processed for domestic purposes, and publicly available data (12). Exemptions are provided for state functions, national security, and research purposes, raising concerns about discretionary power (9).
2.2 Consent and Lawful Processing
Consent is the cornerstone of the DPDPA, requiring it to be free, specific, informed, unconditional, and unambiguous (8). Unlike the GDPR, which allows processing based on legitimate interests or contractual necessity, the DPDPA limits lawful processing to consent or specific “legitimate uses,” such as state functions, legal compliance, or medical emergencies (8). Data fiduciaries must provide clear, multilingual privacy notices and ensure mechanisms for consent withdrawal (18).
2.3 Data Fiduciary Obligations
Data fiduciaries, akin to data controllers under GDPR, are responsible for ensuring data accuracy, security, and timely deletion (10). Significant Data Fiduciaries (SDFs), identified based on data volume and sensitivity, face additional obligations, including appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments (DPIAs) (3). The Act mandates reasonable security measures but leaves specifics to subordinate rules, creating ambiguity (14).
2.4 Data Principal Rights
Data principals (individuals) have rights to access, correct, erase, and restrict processing of their data (6). The Act emphasizes grievance redressal mechanisms, requiring fiduciaries to respond promptly (18). However, the absence of a clear timeline for implementation limits immediate enforceability (3).
2.5 Penalties and Enforcement
Non-compliance attracts penalties up to INR 250 crore, with specific violations like data breaches or failure to protect children’s data incurring fines up to INR 200 crore (3). The Data Protection Board of India, an independent body, oversees compliance and adjudicates disputes, but its limited rulemaking powers raise concerns about enforcement efficacy (17).
3 Strengths of the DPDPA
The DPDPA introduces several progressive elements:
- Comprehensive Framework: As India’s first cross-sectoral data protection law, it addresses gaps in the IT Act and SPDI Rules, providing a unified approach (14).
- Consent-Centric Approach: The emphasis on informed consent and multilingual notices enhances transparency and accessibility (11).
- Protection for Vulnerable Groups: Strict provisions for children’s data, including bans on tracking and targeted advertising, prioritize vulnerable populations (14).
- Extraterritorial Reach: Applicability to foreign entities ensures global accountability for data processed in India (13).
- Business-Friendly Design: Exemptions for startups and provisions for lawful processing balance privacy with economic growth (9).
4 Limitations and Challenges
Despite its strengths, the DPDPA faces criticism:
- Government Discretion: The Act grants the central government broad powers to exempt entities and define rules, risking arbitrary application (17).
- Implementation Delays: As of June 2025, the Act awaits full enforcement, with draft rules released in January 2025 still under consultation (4). This delays compliance for businesses and rights enforcement for individuals.
- Limited Regulatory Autonomy: The Data Protection Board lacks rulemaking authority, unlike GDPR’s supervisory authorities, potentially undermining its independence (16).
- Ambiguity in Standards: Terms like “reasonable security measures” lack specificity, complicating compliance (14).
- Data Localization and Cross-Border Transfers: While the Act allows data transfer unless restricted, sector-specific localization requirements create complexity (16).
5 Comparative Analysis with GDPR
The DPDPA shares principles with the GDPR, such as transparency, purpose limitation, and data minimization (8). However, key differences include:
- Legal Basis for Processing: The DPDPA’s reliance on consent contrasts with GDPR’s broader grounds, potentially limiting flexibility for businesses (8).
- Sensitive Data: Unlike GDPR’s special categories, the DPDPA treats all digital personal data uniformly, simplifying compliance but potentially under-protecting sensitive data (11).
- Regulatory Structure: GDPR’s independent supervisory authorities contrast with the DPDPA’s government-controlled rulemaking, raising concerns about impartiality (17).
6 Implications for Stakeholders
6.1 Individuals
The DPDPA empowers data principals with rights to control their data, fostering trust in digital services. However, low awareness (only 16% of consumers know about the Act) and complex privacy notices hinder effective exercise of rights (6).
6.2 Businesses
Organizations must overhaul data management practices, adopting privacy-by-design and robust security measures (19). While compliance costs may burden smaller firms, the Act’s clarity offers opportunities for innovation in secure data analytics (10).
6.3 Government
The Act strengthens India’s digital governance, but risks overreach due to exemptions for state functions and discretionary powers, potentially undermining privacy protections (12).
7 Recommendations
To enhance the DPDPA’s effectiveness:
- Clarify Implementation Timelines: The government should expedite notification of the Act’s provisions and finalize rules to enable compliance (7).
- Strengthen the Data Protection Board: Granting limited rulemaking powers could enhance its autonomy and align it with global standards (17).
- Define Security Standards: Clear guidelines on “reasonable security measures” would reduce ambiguity and ensure consistent compliance (14).
- Public Awareness Campaigns: Initiatives to educate consumers about their rights would maximize the Act’s impact (6).
- Balance Government Discretion: Introduce procedural safeguards to limit arbitrary exemptions and ensure proportionality (12).
8 Conclusion
The Digital Personal Data Protection Act, 2023, is a landmark legislation that positions India as a key player in global data protection. Its consent-centric approach, extraterritorial applicability, and focus on vulnerable groups are commendable, yet its reliance on government discretion, implementation delays, and ambiguous standards pose challenges. By addressing these gaps through clear rules, enhanced regulatory autonomy, and public awareness, India can strengthen its data privacy framework, fostering trust and innovation in its digital economy.
References
- Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
- The Digital Personal Data Protection Act, 2023, No. 22 of 2023, Gazette of India, August 11, 2023, https://www.meity.gov.in/writereaddata/files/DigitalPersonalDataProtectionAct2023.pdf.
- EY India, “Decoding the Digital Personal Data Protection Act, 2023,” August 23, 2023, https://www.ey.com.
- DLA Piper, “Data protection laws in India,” January 6, 2025, https://www.dlapiperdataprotection.com.
- PRS India, “The Digital Personal Data Protection Bill, 2023,” August 3, 2023, https:
- PwC India, “The Digital Personal Data Protection Act 2023,” 2023, https://www.pwc.in.
- Privacy World, “The Impact of India’s New Digital Personal Data Protection Rules,” April 30, 2025, https://www.privacyworld.blog.
- Global Privacy Blog, “India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison,” December 13, 2023, https://www.globalprivacyblog.com.
- Carnegie Endowment for International Peace, “Understanding India’s New Data Protection Law,” October 3, 2023, https://carnegieendowment.org.
- JISA Softech, “Impact of the Digital Personal Data Protection Act 2023,” February 21, 2025, https://www.jisasoftech.com.
- Linklaters, “India – The Digital Personal Data Protection Act, 2023 finally arrives,” August 23, 2023, https://www.linklaters.com.
- Nishith Desai Associates, “India’s Digital Personal Data Protection Act, 2023: History in the Making,” August 7, 2023, https://www.nishithdesai.com.
- Mintz, “Unveiling India’s New Data Privacy Law,” February 7, 2025, https://www.mintz.com.
- Legal 500, “A Dawn of a New Era for Data Protection in India,” August 15, 2023, https://www.legal500.com.
- Chambers and Partners, “Data Protection & Privacy 2024 – India,” February 13, 2024, https://practiceguides.chambers.com.
- EMILDAI, “DPDPA 2023 vs. GDPR: A Comparative Analysis of India’s & EU’s Data Privacy Laws,” May 15, 2024, https://emildai.eu.
- IJLT, “Rulemaking for Data Protection: Implementing India’s Digital Personal Data Protection Act, 2023,” July 5, 2024, https://www.ijlt.in.
- CookieYes, “Guide to India’s Digital Personal Data Protection Act (DPDP Act),” January 7, 2025, https://www.cookieyes.com.
- AHK Indien, “A New Era of Data Protection: Understanding India’s Digital Personal Data Protection Act, 2023,” September 5, 2024, https://indien.ahk.de.
BY – NISHA KUMARI
AMITY UNIVERSITY MADHYA PRADESH (GWALIOR)
