ABSTRACT
Following the Supreme Court’s recognition of privacy as a fundamental right in K.S. Puttaswamy v. Union of India (2017), the DPDP Act aims to be the primary regulation governing digital personal data in India. This work offers a constitutional analysis of the DPDP Act, an overview of the evolution of privacy law in India, an explanation of the key definitions, rights and obligations contained within the Act, and a comparison with the provisions of the EU GDPR and California’s CCPA/CPRA.
The study concludes that the DPDP Act meets the Puttaswamy criteria of legality, necessity and proportionality by requiring consent, providing rights for the Data Principal, and establishing a Data Protection Board for adjudication. However, the sweeping exemptions in Section 17 and the broad rule-making powers delegated to the executive can diminish the effectiveness of these protective measures, opening the way to mass surveillance, indefinite retention of information and a dominant role for the executive in enforcing the Act. These gaps raise issues under Articles 14, 19 and 21 of the Constitution and further reduce transparency by amending Section 8(1)(j) of the Right to Information Act.
The paper proposes that these shortcomings can be addressed by (i) requiring strict proof of proportionality and independent review for all major state exemptions; (ii) increasing the autonomy and funding of the Data Protection Board; (iii) introducing algorithmic-impact audits and graded penalties for significant data fiduciaries; (iv) establishing regional ombudsmen and user-friendly offline redress mechanisms; and (v) reinserting the public-interest grounds for disclosure into the Right to Information Act. These reforms are necessary to align the Act with global standards, to build trust and to enable innovation in keeping with the government’s goals.
This paper examines the features of the Digital Personal Data Protection Act, 2023 (DPDP Act) and its implications for privacy law.
I. INTRODUCTION
1.1 Overview of the Digital Era and the Emergence of Data as a Valuable Asset
The constant growth of digital technology has considerably changed how digitally available information is used. As a result, data is now referred to as the new oil because of its importance and influence on society, technology and the economy. The widespread use of the internet for online shopping, social media and similar activities has made it easy to access, gather and collect personal information at an unprecedented rate. IDC has predicted that global data volume will reach 175 zettabytes by 2025, and this includes personal information. Surprisingly, the leading country in this count is India.
The personal data collected is available to governments, companies and others, who use it to enhance their services. Governments use personal data such as name, address and occupation to alter and improve laws, while companies use it to advertise, improve and innovate their products and services. Alongside such benefits, however, there is a lingering threat to security and privacy and the risk of abuse of such information. This highlights the much-needed importance of data regulation.
India’s rapid evolution towards Digital India, with the compulsory use of Aadhaar and the increased use of UPI, showed how millions of people rely on online access. Digital innovation has its pros and cons, making it necessary to regulate it and protect Indian citizens online; since no existing rules regulated it, the Digital Personal Data Protection Act, also called the DPDP Act, was introduced. The DPDP Act was influenced by the GDPR, which was originally designed by the European Union to promote new technology while safeguarding the personal data of individuals.
1.2 History of Privacy Laws in India
The development of India’s privacy laws demonstrates how far regulation has come, from a set of sector-specific laws and court decisions towards a coherent and comprehensive framework. This journey reflects India’s efforts to meet the demands of the digital era and has been shaped by global developments, policies and legislative drafting.
Early Judicial Foundations (1950s-1970s)
Between the 1950s and 1970s, the Indian Constitution did not specify privacy as a basic right, and early court interpretations reflected conservative viewpoints. M.P. Sharma v. Satish Chandra is noteworthy for making it clear that search and seizure powers do not clash with personal liberty and that the Constitution does not provide for a right to privacy. The Court, in a similar fashion, left no scope for challenging police surveillance in Kharak Singh v. State of Uttar Pradesh, holding that there was no restriction on the right to life and liberty of the Indian citizen as guaranteed under Article 21 of the Constitution of India, 1949. However, a glimpse of the future came when Justice Subba Rao dissented in Kharak Singh and placed emphasis on privacy as core to the dignity of an individual. In the 1970s, in Govind v. State of Madhya Pradesh, the Supreme Court established privacy as part of the right to liberty under Article 21, but subjected it to reasonable restrictions in the interests of morality and public order. Widespread constitutional protection was still lacking, but this case illustrated a developing awareness in the courts of the importance of privacy.
Sectoral Legislative Measures (1980s–2010s)
Since India lacked a uniform privacy law, it devised a sectoral approach to address specific data protection challenges. The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 was a first step; it required public financial institutions to ensure the confidentiality of their transactions. The financial sector thus embraced data protection early on.
A significant development was the enactment of the Information Technology Act, 2000, which included provisions to address cybercrimes and to provide legal recognition to electronic transactions. The 2008 amendment of the IT Act introduced Section 43A to make entities liable for failure to protect sensitive personal data. However, it had limited applicability, as its focus was on compensation rather than comprehensive privacy governance.
The Credit Information Companies (Regulation) Act, 2005 mandated that credit information companies manage credit data securely. The Payment and Settlement Systems Act, 2007 established comparable safeguards for secure financial transactions. The Reserve Bank of India (RBI) further enhanced the financial sector’s protection by introducing various guidelines, such as the 2008 credit card operations guidelines (RBI/2008-2009/100), the Know Your Customer (KYC) standards (RBI/2015-16/108) and the requirement for localised storage of payment system data (RBI/2017-18/153). These measures were sector-specific but covered data security, transaction integrity and customer identification.
The IT Act’s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) represented a significant advancement in India’s data protection framework.
These rules classify sensitive personal information (such as passwords, banking information, medical records, and so on), mandate that companies maintain adequate security measures, require consent before collecting any data, and provide an opt-out option. Although progressive, the main criticism of the SPDI Rules was that they were poorly enforced and of limited applicability, being directed mainly at corporate entities.
Expanding Sectoral Frameworks (2010s–2020s)
As digital technologies grew, India introduced further sectoral regulations. The Consumer Protection Act, 2019 enhanced consumer privacy rights by introducing measures for data collection and mechanisms to handle grievances. The healthcare industry was covered by privacy measures under the Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy, which emphasised the security and confidentiality of health data.
The Telecom Regulatory Authority of India (TRAI) recommended user consent and data protection in its 2018 recommendations on privacy, security and data ownership in the telecom industry (Press Release No. 78). The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 placed duties on digital platforms and intermediaries, focusing on user data protection, content moderation and accountability.
Though effective in their respective areas, these sectoral measures showed that India’s privacy regime was fragmented. The absence of a single law led to inconsistencies in compliance and enforcement, highlighting the need for comprehensive legislation.
The landmark K.S. Puttaswamy v. Union of India (2017) was a pivotal moment in the history of privacy in India. The Supreme Court, in a unanimous verdict of the full bench, held that the right to privacy, with its three aspects of informational privacy, bodily autonomy and decisional autonomy, is a fundamental right guaranteed by Article 21. The Court made it clear that ‘privacy is the fundamental right of liberty and dignity’ and overruled M.P. Sharma and Kharak Singh. The judgment incorporated the principles of legality, necessity and proportionality for state infringement of privacy and aligned Indian law with international standards such as the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR).
In light of the Puttaswamy ruling, the government was mandated to establish a strong data protection law governing the processing of personal data. Consequently, the Justice B.N. Srikrishna Committee was set up in 2017 to develop a data protection framework. In its 2018 report, the Committee proposed a comprehensive draft Personal Data Protection Bill (PDPB), which sought to balance the state’s interests, the rights of individuals and economic growth.
The Road to the DPDP Act (2018–2023)
The PDPB was introduced in 2019 and revised following a number of consultations. Its provisions allowing government exemptions and its vague enforcement mechanism drew criticism. After several revisions, including review by the Joint Parliamentary Committee in 2021 and the draft Digital Personal Data Protection Bill, 2022, the Digital Personal Data Protection Act, 2023 was passed on 11 August 2023.
The DPDP Act brings together India’s fragmented privacy laws. It gives data principals (the persons whose data is processed) rights, defines the term personal data, and establishes obligations for data fiduciaries (the organisations that process data). Its key components include consent-based data processing, purpose limitation, data minimisation and the establishment of a Data Protection Board for enforcement. While drawing inspiration from international frameworks such as the European Union’s General Data Protection Regulation (GDPR), the Act also addresses issues specific to India, such as digital inclusion and economic growth.
1.3 Need for a Data Protection Law
In recent years the push for a far-reaching data protection law in India has grown in response to the rapid growth of digital technologies, driven by several key concerns:
- The nation is reporting a rise in cybercrimes, including identity theft, phishing scams and data breaches, which shows that the present legal system is inadequate. As reported by Cybersecurity Ventures in 2023[22], personal data is the main target of cyber criminals, which may cause a $10 trillion loss to India by 2025. The absence of a comprehensive data protection law left individuals and organisations at risk.
- India needed a data protection framework in line with international best practice, of which the EU’s General Data Protection Regulation (GDPR) is an example, particularly as the country is a hub for IT services and cross-border trade. Without such a law, foreign investors were less likely to choose India as a location, and the country risked being left out of international data-sharing agreements.
- In the Puttaswamy ruling the Court emphasised the need for a balance between individual rights and justifiable state interests, and placed on the government the responsibility to enact laws that protect the privacy rights of its citizens. In the absence of such legislation there was a regulatory void, which led to weak and disconnected privacy protections.
- While the roll-out of schemes like Aadhaar and Digital India has increased internet access, there has also been a rise in uses of that data with which citizens may not be comfortable. To build public trust in digital initiatives and to ensure that citizens’ data is managed properly and transparently, a robust data protection law is required.
- The data-driven economy offers great opportunity for growth and innovation. In the absence of clear rules, however, consumers are at risk of exploitation and businesses are uncertain about what is expected of them. A standalone law would bring clarity, encourage innovation and protect consumer rights.
These issues are addressed by the DPDP Act, enacted on August 11, 2023, which puts forward an in-depth framework for data protection. A large step toward protecting privacy in India’s digital age, it regulates the processing of digital personal data, requires data fiduciaries to take specified actions, and establishes rights for data principals.
1.4 Goals of the Study
This dissertation sets out to study the DPDP Act from a constitutional and regulatory point of view. Its objectives are:
- To examine the role of the Constitution and the right to privacy in the Digital Personal Data Protection Act.
- To examine the main elements, institutional structure and implementation mechanisms of the DPDP Act.
- To assess the compatibility of the DPDP Act with the constitutional right to privacy in India and with global data protection standards.
- To evaluate how the DPDP Act handles executive discretion, accountability and transparency.
- To propose improvements to the DPDP Act that would establish a strong foundation for data protection and privacy in India.
1.5 Research Approach
This study is a doctrinal review of existing legal frameworks and materials. It examines statutes, judicial precedents and scholarship on data protection, privacy and government surveillance. The sources are the DPDP Act, 2023, related cases and judgments, official documents and published academic work.
1.6 Scope and Limitations
Scope
The research examines the Digital Personal Data Protection Act, 2023 in terms of its constitutional basis, its structure and how it measures up to international privacy standards. It traces how privacy law has evolved in India, reviews the key cases relating to privacy, and sets out the main elements of the Act: its core concepts, the obligations of entities, the rights of individuals, and the procedures for implementation and enforcement. It also examines the government’s exemptions and the regulator’s limited powers, and places the DPDP Act in a global context by comparing it with the GDPR and the CCPA.
Limitations
- The DPDP Act was enacted in August 2023 but is not yet fully in force, as the rules are still being developed. There is also insufficient practical implementation data, which limits analysis of its real-world impact.
- The Act relies on delegated legislation, leaving many details to future rules and creating uncertainty about their final form.
- The study relies mainly on doctrinal research, as empirical data on the Act’s enforcement and compliance is lacking.
- Technology and data processing evolve rapidly and may outstrip what the Act covers, raising questions about its long-term relevance.
Despite these limitations, the study offers a thorough analysis of the constitutional and regulatory aspects of the DPDP Act and puts forward action-oriented recommendations for its improvement.
II. KEY FEATURES OF DIGITAL PERSONAL DATA PROTECTION ACT, 2023
2.1 Key Definitions and Concepts
The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks the launch of India’s first holistic data protection regime. The Act responds to the landmark ruling in Justice K.S. Puttaswamy v. Union of India (2017), which proclaimed privacy a fundamental right guaranteed by Article 21 of our Constitution. The DPDP Act seeks to protect personal data and promote innovation in a rapidly growing digital economy that includes platforms like Aadhaar and Digital India, e-commerce and fintech. This chapter examines the Act’s core definitions, essential components, government exemptions, enforcement mechanisms and global comparisons, evaluating both its favourable aspects and the difficulties confronted in its implementation.
• Data
According to Section 2(h) of the Act, data is a representation of facts, information, ideas, opinions or instructions that can be processed, interpreted or communicated by automated or human systems. This broad definition encompasses various formats such as text, numbers, images or other forms that convey meaning, reflecting the Act’s intent to cover diverse data types in the digital realm.
• Personal Data
Personal data comprises any information that relates to an individual who can be identified either directly or indirectly (Section 2(t)). Whether or not data identifies a specific person is determined by the circumstances in which it is utilized. It is consistent with regulations like the GDPR, yet it does not distinguish between “sensitive” and “ordinary” personal data as defined in previous bills like the Personal Data Protection Bill, 2019.
• Digital Personal Data
Under the Act, attention is directed solely to personal data in digital format, regardless of whether it was acquired online or converted from non-digital records. The DPDP Act is therefore narrower than laws such as the GDPR, as it applies only to digital information.
• Processing
Processing in relation to personal data is defined as wholly or partly automated operations performed on digital personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, dissemination, restriction, erasure, or destruction (Section 2(x)). This comprehensive definition covers the entire lifecycle of data handling.
• Data Principal
The person to whom personal data relates is known as a data principal. This includes children, where parents or lawful guardians act on their behalf, and persons with disabilities, where lawful guardians represent them (Section 2(j)). The inclusion of these categories ensures that vulnerable groups are adequately protected.
• Data Fiduciary
A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data, either alone or with others (Section 2(i)). This includes the State, companies, digital platforms, juristic entities, or individuals. Data Fiduciaries bear significant responsibilities under the Act, akin to data controllers under GDPR.
• Data Processor
A Data Processor is any person who processes personal data on behalf of a Data Fiduciary (Section 2(k)). This distinction clarifies the roles of entities involved in data handling, ensuring accountability across the processing chain.
• Personal Data Breach
A personal data breach is defined as any incident involving personal data processing, sharing, destruction, alteration or unauthorized access that results in damage or violation of its availability, confidentiality or integrity. It highlights that safeguarding data is a priority for the Act.
• Consent
Consent is a free, specific, informed, unconditional, and unambiguous indication of agreement by the Data Principal for processing their data for a specified purpose, limited to necessary data (Section 6(1)). The Act emphasizes clear affirmative action, aligning with global best practices for lawful data processing.
• Consent Manager
A Consent Manager is a person registered with the Data Protection Board, acting as a single point of contact to enable Data Principals to manage, review, and withdraw consent through an accessible, transparent, and interoperable platform (Section 2(g)). This idea presents an easy-to-use consent management system.
These definitions establish the essential elements that guide the working of the DPDP Act. The absence of a distinct category of sensitive personal data and the restriction of coverage to digital data are key changes distinguishing the Act from previous iterations and from models such as the GDPR.
2.2 Salient Features of the Act
To safeguard people’s personal information and uphold lawful data processing, India passed the Digital Personal Data Protection Act, 2023. Its main characteristics show a practical approach to data regulation that takes into account India’s particular digital environment while drawing on international standards.
Scope and Applicability
The DPDP Act applies to:
• Processing of personal data by electronic means or in digital form within India.
• Processing of digital personal data outside India in connection with the offering of goods or services within India.
This extraterritorial application is very important, as it extends the Act’s protections beyond India’s borders to the data of people in India that is processed by foreign entities. Unlike the GDPR, whose extraterritorial reach is tied to data subjects in the Union, the DPDP Act does not explicitly limit its definition of “data principal” to Indian citizens and residents; it can therefore be argued that it has no territorial restriction on who is protected, giving it an extraterritorial scope of application.
Exceptions are made for data processed by an individual for personal or domestic use, and for data made publicly available by the data principal or under a legal obligation (DPDP Act, S 17(2)). By exempting personal and domestic data, the Act ensures that limited resources are focused on significant data handling by entities.
Notice Requirements
When consent is requested, each Data Fiduciary is required to provide a notice explaining that personal data is being processed, why it is being processed, how to exercise one’s rights, and who to contact in the event of a complaint (Section 5(1)). In order to ensure inclusivity, notices must be made available in English or the languages listed in the Constitution’s Eighth Schedule (Section 5(3)).
Consent-Based Processing
Consent is the principal basis for processing personal data under the Act. Under Section 6, consent shall be:
a. Free (not obtained under coercion)
b. Specific (limited to particular purposes)
c. Informed (based on precise information)
d. Unconditional (not subject to any requirement, such as payment for goods or services)
e. Unambiguous (a clear affirmative action)
Consent cannot be tied to the delivery of goods or services unless those goods or services are relevant to the purpose for which the data is collected, processed, kept or disclosed. Giving consent requires unconditional affirmation. The Act requires that data principals receive notice in an “effective and understandable way”, using “simple and clear language” in any of the official languages (DPDP Act, S5).
The aim is to address the problem of users getting lost in privacy terms and never giving real consent. Correspondingly, withdrawing consent must be as easy as giving it (DPDP Act, S 6(4)). The Data Principal, however, bears the consequences of any damage or loss that results from withdrawing consent. Requiring transparency in the consent process helps the entity processing personal data to employ appropriate means to obtain consent. Users are free to revoke their permission at any time, after which processing may continue only where legally authorised (see Section 6(6) of the DPDP Act). Consent is not required for processing that is necessary for voluntarily provided information or for government entities to issue documents, services or benefits.
Legitimate Uses and Exceptions
Personal data may be processed without consent in the following situations (DPDP Act, S7):
a. Information voluntarily provided in order to access or use a service.
b. Processing essential for compliance with the law.
c. Employment-related purposes.
d. Contractual or civil claims.
e. Medical emergencies.
f. Public interest purposes.
These exceptions preserve a suitable degree of flexibility without widening the scope for processing data without consent. In addition to using data that is lawfully available to the public, individuals are permitted to use personal data for domestic and personal purposes (DPDP Act, S17(2)).
Data Fiduciaries obligations
Section 8 imposes the following obligations on Data Fiduciaries:
a. Complying with all requirements of the Act, regardless of whether a Data Principal has fulfilled their own duties or whether an agreement is in effect.
b. Ensuring that personal data is accurate, complete and current, particularly when used for decisions affecting the Data Principal or shared with other fiduciaries.
c. Securing personal data with appropriate technical and organisational measures.
d. Notifying the Data Protection Board and the affected Data Principals of a personal data breach.
e. Deleting personal data upon the request of the Data Principal and/or when the data is no longer needed.
f. Maintaining a procedure for dealing with any disputes or grievances that Data Principals may raise.
g. Data Fiduciaries may appoint Data Processors, who are bound to fulfil these obligations.
Rights of Data Principals
The DPDP Act includes valuable rights that are intended to provide data principals with more control over their personal data.
a. Right to Information: Section 11 of the DPDP Act ensures that people have access to information about the kinds of personal data that are transferred to various data fiduciaries, as well as details about how this data is processed.
b. Right to Correction and Erasure: The right to ask for correction, completion, updating or erasure of personal data. Principals can request that their data be deleted if it is no longer necessary for the purpose for which it was processed.
c. Right to Grievance Redressal: When necessary, individuals can raise their concerns to the Data Protection Board, and data fiduciaries should provide grievance redressal channels for data subjects (DPDP Act, S13).
d. Right to Nominate: In order to exercise their legal rights, data principals may designate another person to act on their behalf (S14, DPDP Act).
The responsibilities of Data Principals
Section 15 sets out duties that Data Principals are expected to perform, such as complying with the law, not impersonating another person, providing accurate information and not making frivolous or unnecessary requests. These requirements promote the responsible exercise of Data Principals’ rights.
Cross-Border Data Transfer
The Act allows data transfers to foreign countries unless the Central Government restricts them by notification (Section 16). Earlier drafts of the bill used a positive-list approach, which would have permitted cross-border transfers only to approved countries.
Data Protection Board of India
The Data Protection Board of India (DPB), established under Section 18, is an adjudicatory body rather than a regulator of personal data processing: it decides cases and enforces the Act. In the event of a violation, the DPB is responsible for directing compliance, imposing penalties, ordering corrective measures and handling complaints. In accordance with Section 28(1), the DPB receives and reviews complaints filed electronically. Appeals against DPB decisions lie to the Telecom Disputes Settlement and Appellate Tribunal (Section 29).
Special Safeguard for Children and Disabled Persons
The DPDP Act provides more sophisticated safeguards in recognition of the particular hazards that certain groups face:
a. Children’s Data: Verifiable parental consent must be obtained for the processing of children’s data (those under 18 years of age). The Act prohibits any data fiduciary from tracking, monitoring or targeting advertisements at minors (DPDP Act, §9). This clause significantly protects children’s online privacy.
b. Persons with Disabilities: Lawful guardians of persons with disabilities act on their behalf as data principals (DPDP Act, §2(r)), ensuring that persons with disabilities are covered by the Act.
These protections are distinctive because they result from the recognition that certain groups are especially vulnerable and that additional safeguards are needed in these situations.
Significant Data Fiduciaries
The DPDP Act introduces the concept of a “significant data fiduciary”, meaning a data fiduciary whose processing carries a higher degree of responsibility because of the volume of data, its sensitivity, the potential harm to the rights of data principals, or the impact on the security of the state and electoral democracy (DPDP Act, §10). The Central Government may notify any data fiduciary, or class of data fiduciaries, as a significant data fiduciary on the basis of these factors. Significant data fiduciaries must:
• Appoint a Data Protection Officer based in India.
• Appoint an independent data auditor to evaluate compliance.
• Carry out periodic data protection impact assessments.
• Conduct periodic audits and other measures to ensure ongoing compliance.
These more stringent obligations for significant data fiduciaries lead to a risk-based regulatory approach, where the more stringent regulations are aimed at businesses whose processing operations pose a greater risk to data owners or society as a whole.
Penalties
Non-compliance is punishable by a fine of up to INR 250 crore, for instance for failure to implement reasonable security safeguards (Section 33). Unlike the earlier version, the current Act removes the limit of INR 500 crore per incident and also eliminates any criminal liability and any compensation to parties affected by data breaches. As stated in Section 34, all penalties collected go to the Consolidated Fund of India.
RTI Act, 2005 Amendment
The DPDP Act modifies Section 8(1)(j) of the Right to Information Act, 2005 (through Section 44(3)), removing the public-interest and parliamentary-access exceptions and exempting all personal data from disclosure. There are concerns that this change may jeopardize transparency.
The provisions of the DPDP Act are a positive step towards data protection, but their value depends on effective implementation in practice; the breadth of the exemptions and the weakness of enforcement remain the principal criticisms to be addressed.
Government Exemptions (Section 17) and Concerns About Delegated Legislation
The Central Government has extensive powers to exempt processes and entities from the requirements of the DPDP Act in Section 17 of that Act, and this has caused concerns about how privacy, transparency and delegated legislation might be compromised.
Exemptions Under Section 17
The following are listed as exemptions in Section 17:
- State Instrumentalities (Section 17(2)(a)): For the sake of sovereignty, security, public order, friendly relations with foreign states, etc., the Central Government can exempt notified state instrumentalities. This covers the processing of data by these entities and by the Central Government itself.
- Legal and Judicial Processes (Section 17(1)): Processing is exempt where it is necessary for the enforcement of legal rights or claims, for the performance of judicial or regulatory functions, and for the prevention, detection, investigation or prosecution of offences.
- Corporate Activities (Section 17(1)(c)): Financial assessments, mergers, and acquisitions are exempt.
- Research and Statistical Purposes (Section 17(2)(b)): Data processing for research, archiving, or statistics may be exempt if it does not entail choices that directly and significantly affect Data Principals.
- Section 17(3) provides some exemptions for particular Data Fiduciaries. Certain fiduciaries, including startups, may be released from some of the obligations outlined in Sections 5, 10, and 11 by the Central Government.
- Exemptions (Section 17(5)): The government may exempt fiduciaries from any requirement for a predetermined period of time, up to five years from the start of the Act.
- Non-Resident Data Processing (Section 17(1)(d)): BPO compliance is facilitated by the exemption of non-residents’ personal data processing via contracts with foreign firms.
Concerns Regarding Exemptions
The wide variety of exemptions, including those for state instrumentalities, raises serious questions:
- Such exceptions, under the guise of national security or public order, may result in unwarranted collection and storage of data, undermining the right to privacy recognised in the Justice K.S. Puttaswamy case. These exemptions lack proportionality and necessity safeguards, which diminishes the Act’s privacy protections.
- In the absence of clear rules on the deletion of data once it has served its purpose, government institutions could keep the data indefinitely, paving the way for mass surveillance. This is at variance with the Puttaswamy judgment, which held that such intrusions must serve a ‘legitimate purpose’.
- The Act does not specify the criteria for granting an exemption; this is left to the discretion of the Central Government. The resulting uncertainty might lead to arbitrary exemptions, particularly for politically sensitive organisations.
- Transparency is compromised two-fold: the public-interest exceptions have been scrapped, and Section 8(1)(j) of the RTI Act has been widened to exempt personal information from coverage. This runs contrary to the objective of the RTI Act, which is to enable citizens to hold the government accountable, as recognised in State of Uttar Pradesh v. Raj Narain (1975).
- The exemption of Aadhaar-linked biometric and demographic data is alarming, as the risk of misuse of such data has been high since the onset of the pandemic, especially online. Excluding some agencies from the Act increases the risk of data breaches.
Concerns of delegated legislation
Much of the DPDP Act depends on delegated legislation, often using the phrase “as may be prescribed.” The Central Government faces a number of challenges when framing rules on critical components, such as who will serve on the Data Protection Board (DPB), who is exempted from the rules, and how parental consent will be obtained:
- The Act confers substantial rule-making power without sufficient direction, potentially leading to inconsistent or biased regulations. For instance, the term ‘startup’ is not defined, nor is there a defined age threshold for the processing of children’s data.
- The government’s power to appoint and remove members of the DPB (Section 19) could affect the independence of the DPB. Short tenures (only two years) together with the possibility of reappointment may incline members towards the government’s agenda, as reported in “View of India’s New Data Frontier” (2024).
- There are concerns about inclusivity, as the public was not consulted on the drafting of the rules for the 2022 Bill, and hardly any comments were received on that Bill. The amendments to the IT Rules 2021 demonstrate how important explicit stakeholder participation is for balanced legislation.
- The absence of a clear period for businesses to meet the new requirements imposed by the Act could leave a large number of businesses non-compliant, according to “From Pixels to Policies” (2023). A clear timeframe is needed for successful implementation.
A Blurred Line between Exemptions and Privacy
The Act has to be changed in order to address these problems:
- Proportionality criteria should be applied to state agency exemptions, and mandatory deletion of data once the objective has been achieved should be included.
- The DPB should have the autonomy and be appointed by an unbiased committee, similar to how the original DPB was appointed under the RTI Act prior to its 2019 amendment.
- To incorporate stakeholder opinions into regulations, the government should make draft rules available for public comment.
- The adjustment to Section 8(1)(j) ought to be reexamined and brought into compliance with the RTI Act’s transparency goals.
These suggestions would help ensure that the Act better reflects the privacy protections of the Puttaswamy decision while remaining practical for data governance.
Limitations and Criticisms
a. The DPDP Act provides only for monetary sanctions, unlike the Bills of 2018 and 2019, which contained criminal offences such as de-anonymisation. This may be insufficient in severe cases, as noted in “View of India’s New Data Frontier” (2024).
b. The Act offers no direct remedies to victims, since the data breach compensation provision under Section 43A of the IT Act, 2000, has been repealed. This differs sharply from the GDPR’s damages provisions.
c. The Central Government’s control over the appointment and duration of DPB members may detract from DPB independence and result in potential bias when implementing its decisions.
d. The digital-only complaint system can exclude people without internet access or digital skills, especially in disadvantaged or rural communities. Notably, unlike the RTI Act, there is no provision for offline applications and support.
e. Penalties are more geared toward deterrence than compensation, and money collected goes to the Consolidated Fund, not to the victim.
f. The RTI Act’s Section 8(1)(j) change limits access to personal data, making it harder for citizens to discover instances of public authorities misusing personal data.
III Constitutional Analysis of the Digital Personal Data Protection Act, 2023
3.1 Alignment with Privacy Rights
In order to safeguard digital personal data in India, the DPDP Act was passed on August 11, 2023. Its constitutional validity depends on how it relates to the right to privacy, which is guaranteed by Article 21 of the Constitution. Although the Puttaswamy ruling upheld privacy as a fundamental right, it also made clear that this right may be restricted in accordance with the standards of need, legality, and proportionality. Additionally, strengthening privacy protections depends on the permission clauses and data principals’ rights. These specific elements are explored in detail in this section.
Adherence to the Legality, Necessity and Proportionality Tests Laid Down by Puttaswamy
In the Puttaswamy case, the Supreme Court established a three-part test to evaluate any law that violates the right to privacy: (1) the law must have a legitimate legal basis (legality); (2) the law must have a legitimate state objective (necessity); and (3) the law must not unduly restrict privacy rights, and any restriction must be proportionate. These serve as a standard for evaluating the DPDP Act’s efficacy.
• Legality: This legislation is formally enacted and has been debated and amended from previous drafts (the Personal Data Protection Bills of 2018, 2019 and 2022) and thus passes the legality test. Unlike the Aadhaar scheme that mainly depended on executive orders and did not have any legislative support, the DPDP Act is firmly grounded in statutory support. The purpose of its preamble is to regulate the processing of personal data in digital form, as well as to ensure that the rights of the individual are respected and that there is a balance between individual rights and legitimate aims.
• Necessity: The Act responds to a critical need to govern data processing in the face of increasing cybercrime, data breaches and unauthorized surveillance. Considering the staggering number of data breaches reported for India in the first quarter of 2021 (674.85 million), according to Surfshark, a comprehensive data protection framework is a must. The Act’s provisions align with the state’s legitimate goals of protecting individuals’ privacy and promoting confidence in digital systems, both of which are critical for technological innovation and economic growth.
• Proportionality: This requires the restrictions upon privacy to be carefully calibrated to meet the aim. The DPDP Act mandates that data fiduciaries only process personal data when consented to by the data principal, or when there is a specific legitimate purpose (such as medical emergencies, or for government services). It establishes criteria for data error prevention, security and data purging after the data has served its purpose (Section 8). These measures help limit data collection and retention to the minimum, to reduce intrusions on privacy. Some ambiguity exists regarding what amounts to “reasonable security measures” (Section 8(5)), however, which could limit enforcement and in turn the protective purpose of the Act, since there are no clear standards that are proportional to the risks.
The Act’s recognition of the right to regulate personal data, one aspect of privacy, further demonstrates its compatibility with Puttaswamy. As envisioned by the Puttaswamy court for a complete data protection system, the Act introduces the idea of data fiduciaries and establishes the Data Protection Board of India (DPB) as a body to enforce the privacy protection.
Consent and Data Principal Rights as Privacy Enablers
Consent is a key factor in data processing and is heavily emphasized by the DPDP Act, further strengthening the role of individual autonomy in privacy. Under Section 6, data fiduciaries must obtain a data principal’s free, specific, informed and unambiguous consent before processing their data.
Consent must be accompanied by a notice that communicates what data is being collected and how it will be used, so as to ensure transparency. Data principals may withdraw consent at any time, upon which the data fiduciary must cease processing their data (Section 6(5)).
Moreover, the Act grants data principals substantial rights under Section 11 such as:
• Right to information about the processing of their personal data.
• The right to rectify and/or remove information.
• The right to appoint someone else to act on their behalf if they become ill or die.
• The right of redress if any violations are made.
Echoing the emphasis on informational self-determination in the Puttaswamy case, these elements give citizens authority over their personal information. The right to erasure is novel in the Indian context and is comparable to the “right to be forgotten” in Article 17 of the GDPR.
There are limitations to the consent structure in the Act, however. The concept of ‘deemed consent’ for ‘certain legitimate uses’ (Section 7) avoids the need for explicit consent, including where the use is for government services or employment. This raises concerns about the possibility of coercion, particularly for vulnerable persons who depend on government assistance. Further, the Act provides only digital complaint mechanisms (Section 28), potentially excluding those without internet access; only 52.4% of Indians had internet access in 2024 (Datareportal). These weaknesses may affect the Act’s capacity to secure the right to privacy for all citizens.
3.2 Government Exemptions (Section 17)
The Central Government has wide powers to exclude state entities from the provisions of the DPDP Act when it relates to sovereignty, security, public order, foreign relations or the prevention of serious offences pursuant to section 17 of the DPDP Act. While this type of exemptions is found in data protection laws around the world, the wide breadth and possible misuse of such exemptions pose serious constitutional issues. This section examines these exemptions, the dangers they present and whether they are constitutional under Articles 14, 19 and 21 of the Constitution.
Exemptions for State Instrumentalities: Security, Public Order, Foreign Relations
The Central Government may exclude any state entity from any of the DPDP Act’s provisions, including those pertaining to consent, data deletion, and security obligations, according to Section 17(2)(a) of the Act.
Such motives as “national security,” “public order,” and “foreign affairs” are certainly valid. In cases of national security, such as fighting terrorism or cyber threats, personal data access may be necessary, which means some flexibility of data processing is essential.
The exemptions provided for in this Act are similar to the exemptions provided for in the RTI Act (Section 24) which exempts intelligence and security agencies from the disclosure obligations except in cases of corruption or human rights violation. But the exemptions provided by the DPDP Act are wider in scope; they do not just pertain to certain agencies, but to any state entity the government chooses to notify. Such a broad mandate could give the government the power to exclude organizations, such as public sector banks or welfare agencies, that are processing sensitive personal information, but do so for unspecified reasons.
Risks of Surveillance and Data Retention
Section 17 has attracted criticism from academics who argue that it enables unrestricted monitoring and data collection. The exemptions carry no time limits or oversight mechanisms, which risks giving the state excessive access to personal data, such as biometric and demographic information. This is especially concerning because data breaches have been common in India in the past, such as the Aadhaar exposure, which resulted in a surge in fraud after the pandemic. The lack of transparency about how exempted agencies handle data further increases the risk of misuse and deprives people of their right to privacy.
The Puttaswamy judgment highlighted the need for proper control and limitations on surveillance powers of the state. However, the DPDP Act does not require a review of these exemptions on an independent basis and the Central Government will be the only entity to make that decision. This fuels the anxiety of the misuse of power, especially in the light of allegations of agencies such as the CBI and ED being used for political motives.
Constitutional Validity under Articles 14, 19 and 21
The constitutional validity of Section 17 is to a significant extent dependent on its compatibility with the principles of Article 14 (equality), Article 19 (freedom of speech and expression) and Article 21 (life and personal liberty):
- Article 14: Equality Before the Law
Article 14 bars the state from acting arbitrarily and guarantees equality before the law and equal protection of the laws. For any law to satisfy Article 14, the classification it establishes must have a clear and logical basis in relation to the law’s objective. The wide and discretionary exemptions in Section 17 may infringe this principle.
The general conditions under which an exemption is granted (specified in Section 17(2)(a)) present the scope for abuse of discretion. The Government might be able to exempt agencies on a case-by-case basis without providing any reasons or justification. This unchecked discretion does not follow the “reasonable classification” test since there is no rational connection between exemption and the goals of the Act to protect privacy and ensure legal data processing. Arbitrariness is a concern of Section 17, as the Supreme Court did mention in State of West Bengal v. Anwar Ali Sarkar (1952) that laws giving too much discretion to the executive tend to be arbitrary.
In addition, the exemptions create an uneven application of data protection standards: private data handlers must comply with a more robust regime, whereas exempted state bodies need not. This imbalance threatens the Act’s intent to give consistent protection to privacy and may interfere with Article 14’s guarantee of equal protection. To comply with Article 14, the DPDP Act should lay down firm conditions for exemptions and establish independent oversight mechanisms, such as judicial or parliamentary review, to protect against arbitrary state action.
- Article 19(1)(a): Freedom of Speech and Expression
Article 19(1)(a) protects freedom of speech and expression, which the Puttaswamy case connected with the right to privacy, pointing out the importance of informational privacy for free expression. Unfortunately, some aspects of the DPDP Act, including the amendment of the RTI Act under Section 44(3) and the exemptions in Section 17, pose a risk to this right by narrowing transparency and allowing for potential surveillance.
Surveillance Risks associated with Exemptions
Section 17 exempts state entities from limits placed on data retention (and in general), which poses serious concerns regarding surveillance. This section exempts agencies from any limit to the duration of their retention of personal data, even after they have served their intended purpose of data collection, which could lead to mass surveillance. It is similar to issues raised over Aadhaar-based identity scheme to facilitate surveillance on lack of proper security measures. It is reasonable to fear that unrestricted access to these data could have a chilling effect on expression; that people may become self-censors, violating Article 19(1)(a).
The case of Anuradha Bhasin v. Union of India pointed out the requirement of proportionality when imposing restrictions on fundamental rights. The court added that limitations must be narrowly drawn and subject to periodic review, neither of which Section 17 provides. The DPDP Act should narrow these exemptions, set time limits on the storage of data, and restore the public-interest exceptions removed by the RTI amendment in order to improve transparency, as required under Article 19.
- Article 21: Right to Life and Personal Liberty
The Puttaswamy judgment recognised the right to privacy as part of Article 21, alongside the rights to life and personal liberty. It introduced a three-pronged test of legality, necessity and proportionality for laws that impinge on privacy. The DPDP Act’s principles of informed consent (Section 6) and data principal rights (Section 11), including the rights to access, correction and erasure, are consistent with this test, but the exemptions and enforcement weaknesses have constitutional implications.
The rights of consent and data principal rights
The DPDP Act’s emphasis on informed consent and data principal rights promotes individuals’ control over their personal data, which meets the requirements of “legality” and “necessity”. These measures are aligned with a ‘privacy by autonomy’ approach and promote limited and purposeful processing of data. But the digitalization of the exercise of these rights does not account for those without convenient internet access. With only 52.4% of the Indian population having internet access in 2023, this digital divide poses a significant threat to access to privacy protection and undermines the universal rights guaranteed under Article 21.
Government exemptions and proportionality
The exemptions provided for in Section 17 do not satisfy the proportionality test, as they are too wide and lack adequate safeguards. The provision allows state bodies to disregard consent and data protection requirements on broad grounds such as ‘friendly relations with foreign states’, with no judicial or parliamentary oversight of such action. Both Anuradha Bhasin and the Puttaswamy judgment emphasised that restrictions on privacy must be carefully calibrated and accompanied by procedural safeguards. In the absence of a sunset clause or a review process for these exemptions, the state may have unrestricted access to personal data, which would violate Article 21’s requirement of procedural fairness.
The potential for unlimited data retention and the risk of surveillance further compromise privacy. As with the Aadhaar program, the absence of security provisions for exempted bodies in the DPDP Act increases the risk of data leakages. To satisfy Article 21, the Act should introduce regulatory provisions, such as a judicial body to evaluate the exemptions granted, and set security guidelines for government organizations and other data fiduciaries.
IV: RECOMMENDATION AND CONCLUSION
4.1 This paper highlights the following recommendations to strengthen the DPDP framework.
Issues of ambiguous exemptions, the lack of a control regime and an unfinished global regime mean that the effectiveness of the rules remains uncertain.
The 2017 decision in Justice K.S. Puttaswamy v. Union of India, which held that privacy must be protected as a fundamental right, served as the foundation for the Act. However, Section 17 exempts state agencies from the Act and may create new jurisdictional obstacles that violate the Constitution. These are not fully addressed in the existing draft regulations.
- All exemptions should be subject to both judicial review and proportionality. When invoking the Section 17 exemptions for public order or national security, government bodies are not obliged by the Act to provide strong protections. There is apprehension that Rule 14 does not explain why and how every exemption is relevant and legitimate under Puttaswamy, although it limits fundamental rights. Therefore, the following changes should be made to the rules:
• A minimization test to ascertain whether an exemption is required.
• An impartial judicial body to oversee the state’s use of personal data in accordance with Article 21. This would guarantee that the public’s concerns regarding abuse of the law are taken into account while its objective is fulfilled.
- The Act and the draft rules do not refer to algorithmic bias or to automated decision-making, even though these could compromise Article 14’s principle of equality. Rule 11 of the draft rules refers to DPIAs for significant data fiduciaries (SDFs); this could be developed further by making algorithmic audits mandatory. Recommendations include:
• Making the algorithms used in automated decisions, and their audits, public for SDFs.
• Allowing people to contest a decision made solely by automated means, as under Article 22 of the GDPR. This guarantees that defined guidelines are followed in data-driven tasks.
- The law provides for penalties of up to INR 250 crore (Section 33), and the new rules (Rule 18) detail the procedure for imposing them. Nevertheless, fines alone may not have a substantial effect on large companies. The final rules should provide additional consequences, including mandatory compliance audits, suspension of data processing, and public identification of offenders.
• As under the GDPR, penalties should be tiered according to the severity of the violation. This would create a greater level of accountability for multinationals.
- The draft rules (Rule 15) provide for a digital office of the DPB with powers of inquiry, but say nothing about the funding or selection of the DPB, which may thus be subject to government influence. To enhance the DPB:
a. Establish a clear, merit-based selection process for DPB membership, including civil society, technical and legal representation.
b. Fund the DPB independently, avoiding dependence on government budgets.
c. Make clear how the DPB works with sectoral regulators, such as those for fintech, to prevent overlapping jurisdiction in the DPB’s inquiry provisions under Rule 17.
- The rules prescribe only the establishment of a grievance mechanism, without specifying how grievances are to be resolved. To enable individuals to exercise their rights:
a. Establish ombudsmen in all regional units, with complaints to be resolved within 30 days.
b. Require data fiduciaries to submit complaint-resolution metrics to the DPB.
c. Set up a clear data transfer system.
Conclusion
This analysis concludes that India’s system will significantly protect the privacy of its 1.4 billion citizens with the implementation of the Digital Personal Data Protection Act, 2023 and its separate Draft Rules (notified January 3, 2025). This study helps redefine India’s data protection paradigm by showing how the Act upholds the principles outlined in Justice K.S. Puttaswamy v. Union of India, highlighting the legal gaps caused by the state’s exemptions and inadequate oversight, and proposing significant changes to better enforce data protection. It also contributes to digital transparency, accountability and confidence in India, and informs legal and public policy discussions. Looking to the future, the focus will be on the effectiveness of the Data Protection Board in the years ahead, on new delegated legislation, and on the privacy issues raised by AI and IoT.
- Aniket Diwan, LL.M., Amity University, Madhya Pradesh
