Data Protection Regime under the Digital Personal Data Protection Act, 2023

Author: Ajim Shaikh

Introduction

In today’s digital landscape, whenever we engage online, our personal information is collected and stored. Whether conducting a search, making a payment, posting on social media, or checking in at a location, we always leave behind extensive records of our behaviors, preferences, and identity.

In reality, this is very concerning. Anyone who has used a UPI application, linked their Aadhaar to a bank account, or encountered precise location-based advertisements on Google can relate to this sentiment. People are unaware that their purchasing patterns, movements, and identities are being documented. A single data breach or any official request can quickly reveal our digital existence. Such apprehension makes data protection legislation a necessity.

For many years, India lacked a comprehensive and distinct data protection law, creating a legal void for citizens as they came to depend on digital platforms and online services. The Digital Personal Data Protection Act, 2023 represents a pivotal advancement. It establishes India’s first dedicated legislation concerning digital personal data and states the duties of those who collect and process it. This article examines the framework of the DPDPA, evaluates its strengths and weaknesses in relation to constitutional principles and judicial rulings, and argues that although the Act serves as a vital initial measure, it still falls short as an effective mechanism for safeguarding citizens’ rights.

An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

This Act may be called the Digital Personal Data Protection Act, 2023. It shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act.

Subject to the provisions of this Act, it shall— (a) apply to the processing of digital personal data within the territory of India where the personal data is collected— (i) in digital form; or (ii) in non-digital form and digitised subsequently; (b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India; (c) not apply to— (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by— (A) the Data Principal to whom such personal data relates; or (B) any other person who is under an obligation under any law… Illustration. X, an individual, while blogging her views, has publicly made available her personal data on social media. In such case, the provisions of this Act shall not apply.

“personal data” means any data about an individual who is identifiable by or in relation to such data; “digital personal data” means personal data in digital form; “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian…; “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data; “processing” means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction; “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses. For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law.

The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action…

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act. Implement technical and organisational measures to safeguard personal data.

Provide a privacy notice while obtaining consent. Irrecoverably delete personal data after the purpose… Sign a valid contract with Data Processors…

Data Principals are given the right to inspect their private information… A Data Principal can get a summary of private information… right to rectify… delete… Right to Access Information… Right to Correction and Erasure… Right to Withdraw Consent… Right to Grievance Redressal… Right to Nominate…

The Data Protection Board of India (DPBI) is a regulatory body which would be set up… comprising a chairperson and members appointed by the Central Government… It can direct urgent measures… inquire into such breach and impose penalty… levy a huge monetary penalty of up to Rs. 250 crores.

Appeals to TDSAT, then Supreme Court.

Breaches attract penalties of up to ₹250 crore (e.g., failure to secure data, breach notification). Data Principals face penalties of up to ₹10,000 for violating their duties.

The Digital Personal Data Protection Act of 2023 stands out as a crucial legislative milestone in preserving individual privacy rights and strengthening data security… In order to make a reality of the landmark judgment of the Supreme Court of India in ‘Justice K.S. Puttaswamy (Retd) v. Union of India’, the Act was enacted…

The launch of the Digital Personal Data Protection Act (DPDPA) in 2023, along with the DPDP Rules in 2025, represents a major shift in governance outlook in India.

The DPDPA 2023 is the onset of the data protection regime in India. It emphasises and encourages organisations to protect digital personal data.
