Alok Singh
Introduction
The Digital Personal Data Protection Act, 2023 (DPDPA), is India’s first comprehensive data privacy law. Enacted on 11 August 2023, its preamble expressly “recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”. The DPDPA establishes a single framework for digital personal data, replacing India’s patchwork of rules under the Information Technology Act (notably the 2011 Sensitive Personal Data or Information rules) with a unified regime. It also gives statutory form to the right to privacy, including informational privacy, which the Supreme Court has held to be part of the right to life and personal liberty under Article 21 of the Constitution. Notably, the Act uses the pronouns “she” and “her” to refer to individuals irrespective of gender, a first in Indian legislation.
Legislative History
The DPDPA’s enactment was a response to both domestic and global pressures. After the Puttaswamy judgment declared privacy a fundamental right, the Government moved to devise a data protection regime. A committee chaired by Justice B.N. Srikrishna was appointed to draft legislation and recommended a comprehensive bill. That draft set out definitions (data principal, data fiduciary, data processor), lawful bases for processing and a Data Protection Authority, features familiar from the GDPR. After several drafts and a withdrawn earlier bill, the final Bill was approved by the Union Cabinet in July 2023, passed by Parliament, and received the President’s assent on 11 August 2023. Thus, after six years of deliberation, India finally has a law that attempts to balance individual privacy rights with legitimate uses of data.
Key Provisions
Scope
The Act applies only to digital personal data (information about identifiable individuals held in electronic form, or collected on paper and subsequently digitised). It does not apply to personal data that the individual has made publicly available themselves, or that has been made publicly available under a legal obligation. Its territorial reach is broad: it governs the processing of digital personal data within India, and also applies extraterritorially to processing outside India that is connected with offering goods or services to Data Principals within India. This mirrors the GDPR’s concept of targeting data subjects.
Key actors are defined as Data Principals (the individuals), Data Fiduciaries (those who determine purposes/means of processing, analogous to “controllers”), and Data Processors (who process on a fiduciary’s behalf).
Lawful Basis for Processing:
Data fiduciaries may process personal data only with the Data Principal’s consent or for one of the “legitimate uses” enumerated in the Act. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative act (a standard closely resembling the GDPR’s). “Legitimate uses” form a closed list of situations, such as: data voluntarily provided by the individual for a specified purpose; processing to comply with a court order or a legal obligation; employment‐related purposes (e.g. recruitment or payroll); and medical emergencies, epidemics or disasters.
Despite its many similarities with the GDPR, the Act has no general catch‐all such as a “legitimate interests” basis or a contractual‐necessity basis; almost all routine processing must rest on consent or on one of the narrow enumerated uses.
Obligations of Data Fiduciaries: Entities that collect or use personal data are assigned specific duties by the Act. Before or when seeking consent, they must give a clear notice identifying what personal data will be processed and for what purpose. The notice must also explain how the data principal may exercise their rights and how to complain to the Data Protection Board (the Act’s adjudicatory body).
Fiduciaries must implement reasonable security safeguards to prevent personal data breaches; ensure the accuracy, completeness and consistency of data used for decisions affecting the individual; and erase data once its purpose has been served and retention is no longer required by law. In the event of a personal data breach, the fiduciary must notify the Board and each affected individual, in the form and within the timelines prescribed by rules.
Data must be retained only as long as necessary: when consent is withdrawn or the purpose is fulfilled, the fiduciary must erase the data and require its processors to do the same (subject to limited exceptions).
Rights of Data Principals:
Individuals gain several enforceable rights. Every principal may request confirmation of whether a fiduciary is processing their personal data and obtain a summary of that data and of the processing activities undertaken. They have a right to correction, completion, updating and erasure of their data, and a right to be informed of the purposes of processing. The Act also requires every fiduciary to provide a readily available grievance redressal mechanism and to publish the contact details of a person who can answer data principals’ questions, and principals must exhaust this mechanism before approaching the Board. A novel feature is the right to nominate another person to exercise one’s data rights in the event of death or incapacity, a safeguard not found in the GDPR.
Significant Data Fiduciaries (SDF):
The Act empowers the Central Government to designate fiduciaries as SDFs, taking into account factors such as the volume and sensitivity of the data they process and the risk to data principals, electoral democracy and national security. An SDF faces additional obligations: it must appoint a Data Protection Officer based in India who is the point of contact for grievances; it must engage an independent data auditor to conduct periodic data protection audits; and it must carry out periodic data protection impact assessments (DPIAs). These measures echo the GDPR, which mandates DPIAs for high‐risk processing and DPOs for certain controllers and processors, and aim to keep the largest data holders under close scrutiny.
Shortcomings and Recommendations
Despite such a detailed framework, the DPDPA has drawn criticism for leaving key gaps.
First, the Act grants broad exemptions to the State. The carve‐outs for national security, law enforcement, and even routine government welfare schemes threaten to swallow the rule: agencies may collect and retain vast amounts of personal data with minimal accountability. The proportionality of these carve‐outs is questionable, since the Act requires no independent oversight (e.g. judicial approval) when a security exemption is invoked. Reform advocates argue that the exemptions should be narrowed or paired with oversight safeguards to prevent unchecked surveillance.
Second, certain rights that exist under the GDPR are absent. The DPDPA contains no right to data portability and no safeguard against decisions based solely on automated processing. While India’s framework rests on consent and enumerated legitimate uses, some argue that permitting limited processing without consent (for example, under a legitimate‐interests standard hedged with strong safeguards) would make the law more flexible for innovation. At a minimum, adding portability would help citizens switch service providers, and limits on automated decision‐making would guard against unchecked profiling.
Third, on the institutional side, reformers urge strengthening the Data Protection Board’s independence. This could include insulating Board appointments from political influence, adding judicial members, and reducing the Central Government’s control over the Board’s composition and functioning. Regional or state‐level enforcement arms could also help citizens obtain remedies more easily. Clearer statutory rules on breach reporting thresholds and timelines would reduce uncertainty. Finally, ensuring that sectoral laws (telecom, finance, healthcare) are harmonised with the DPDPA rather than imposing conflicting requirements would ease compliance burdens.
Conclusion
The Digital Personal Data Protection Act, 2023, is a seminal law that aligns India with global privacy norms and gives effect to its constitutional privacy mandate. It establishes a modern framework of consent, individual rights and fiduciary duties. For legal practitioners the Act has far‐reaching implications, as it will reshape contract terms, corporate governance, compliance audits and public‐private data sharing.
Yet its effectiveness remains to be seen. Substantial implementation challenges (rule‐making, constitution of the Board, capacity building) still lie ahead, and critics warn that broad state exemptions and enforcement gaps leave much work unfinished. In future revisions, policymakers might consider narrowing the exemptions, enhancing the Board’s independence, and expanding protections (e.g. data portability, coverage of offline data) to harmonise more closely with global standards. As a baseline privacy law, the DPDPA is a major advance for India, but legal professionals will watch closely how rules and cases fill in its gaps and how it evolves in practice.