Author: Rasika Pitale
1. Background & Objective of the Act
India’s digital ecosystem has undergone a profound structural transformation over the last decade. The proliferation of smartphones, affordable internet access, and platform-based services has led to an unprecedented expansion of data-driven economic activity. E-commerce platforms collect granular consumer behaviour data; fintech companies process sensitive financial and biometric information; social media platforms engage in behavioural profiling; digital health systems store medical records; and state-led digital infrastructure initiatives such as Aadhaar, DigiLocker, and direct benefit transfer systems rely extensively on personal data.
In this context, personal data has become central not only to economic value creation but also to governance, public service delivery, and national digital infrastructure. However, this rapid expansion exposed significant regulatory gaps. Until recently, India relied primarily on the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 to regulate data protection. These frameworks were fragmented, sector-specific, and ill-equipped to address modern data-processing practices such as algorithmic profiling, automated decision making, large-scale data analytics, and cross-border data transfers.
The constitutional turning point came with K.S. Puttaswamy v. Union of India (2017), where the Supreme Court unequivocally recognised the right to privacy as a fundamental right under Article 21 of the Constitution. The Court articulated informational privacy as an essential facet of individual autonomy and dignity, emphasising principles such as consent, purpose limitation, proportionality, and procedural safeguards. These principles now form the normative foundation of India’s data protection framework.
Against this backdrop, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) was enacted with the following core objectives:
• To protect individuals from unauthorised, excessive, or exploitative use of their personal data;
• To establish clear accountability mechanisms for entities that determine the purpose and means of processing personal data;
• To facilitate lawful, transparent, and purpose-driven data processing for economic and governance-related functions; and
• To align India’s data governance regime with evolving global standards while preserving regulatory flexibility suited to domestic conditions.
Significantly, the Act adopts a light-touch, principles-based regulatory model, consciously departing from the highly prescriptive compliance architecture seen in jurisdictions such as the European Union. This approach reflects an attempt to balance privacy protection with innovation, ease of doing business, and India’s developmental priorities.
2. Who Does the Act Apply To?
(a) Data Principals
A Data Principal is the individual to whom personal data relates. The DPDP Act limits its protection strictly to natural persons, thereby excluding data relating to juristic persons such as companies or partnerships. This individual-centric approach underscores the Act’s focus on personal autonomy, dignity, and informational self-determination.
Importantly, the Act does not distinguish between citizens and non-citizens, meaning that any individual whose personal data is processed within the scope of the Act is entitled to its protections.
(b) Data Fiduciaries
A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data. This definition is intentionally broad and includes:
• Private companies and multinational corporations,
• Start-ups and technology platforms,
• Partnership firms and LLPs,
• Government departments, public authorities, and instrumentalities of the State.
Crucially, the State is not exempt merely by virtue of being a public authority. Government bodies collecting and processing personal data—whether for welfare schemes, regulatory compliance, or public service delivery—are subject to the same core obligations of legality, transparency, and proportionality. This marks a significant shift towards public-sector accountability in data governance.
(c) Data Processors
Data Processors are entities that process personal data on behalf of Data Fiduciaries, such as cloud service providers, payroll management firms, customer relationship management platforms, and data analytics vendors. While Data Processors operate under contractual arrangements, the Act places primary regulatory responsibility on the Data Fiduciary, reinforcing the principle that accountability follows decision-making power.
(d) Territorial Scope
The Act applies to:
• Processing of digital personal data within India, and
• Processing outside India where such processing is connected with offering goods or services to individuals in India.
This extraterritorial application is particularly relevant in an era of global digital platforms and cross-border outsourcing. It ensures that foreign entities targeting Indian users cannot evade compliance obligations merely by locating their servers or operations abroad.
(e) Exemptions
The Act provides limited exemptions for:
• Personal or domestic use of data,
• Research, archiving, or statistical purposes (subject to safeguards),
• Certain sovereign, security, and law-enforcement functions of the State.
However, these exemptions are not absolute and remain subject to the constitutional requirement of proportionality, ensuring that fundamental privacy rights are not diluted arbitrarily.
3. Key Sections Explained (Critical Provisions)
Section 4 – Lawful Grounds for Processing
Personal data may be processed only for a lawful purpose, either on the basis of:
• Valid consent of the Data Principal, or
• Certain statutorily recognised “legitimate uses,” such as employment-related processing or provision of government benefits.
This provision operationalises the principle of purpose limitation, preventing “function creep” where data collected for one purpose is repurposed for unrelated or exploitative objectives.
Section 5 – Notice to Data Principal
Before obtaining consent, Data Fiduciaries must provide a clear, intelligible, and accessible notice specifying:
• The purpose of data processing,
• The nature and categories of personal data collected,
• The rights available to the Data Principal, and
• The mechanism for grievance redressal.
This requirement addresses long-standing concerns regarding opaque privacy policies and information asymmetry between data collectors and individuals.
Section 6 – Consent Framework
Consent under the DPDP Act must be:
• Free,
• Specific,
• Informed,
• Unconditional, and
• Unambiguous.
A key innovation is the requirement that withdrawal of consent must be as easy as granting it, ensuring that consent remains a dynamic and continuous expression of individual choice rather than a one-time formality.
Section 8 – Obligations of Data Fiduciaries
Data Fiduciaries are required to:
• Ensure accuracy and completeness of personal data,
• Implement reasonable security safeguards to prevent breaches,
• Prevent unauthorised access or misuse, and
• Erase personal data once the purpose of processing has been fulfilled.
These obligations form the operational core of compliance and reflect the principle of data minimisation.
Section 10 – Significant Data Fiduciaries
The Central Government may designate certain entities as Significant Data Fiduciaries (SDFs) based on factors such as:
• Volume and sensitivity of data processed,
• Risk of harm to Data Principals,
• Impact on sovereignty, public order, or electoral democracy.
SDFs are subject to enhanced compliance obligations, including appointment of a Data Protection Officer, independent audits, and Data Protection Impact Assessments.
Section 11 – Rights of Data Principals
The Act grants enforceable rights, including:
• Right to access information about data processing,
• Right to correction and erasure,
• Right to grievance redressal,
• Right to nominate another person to exercise rights in cases of death or incapacity.
Notably, the Act avoids explicitly recognising a “right to be forgotten,” instead embedding erasure within the framework of purpose limitation.
Section 33 – Penalties
Penalties may extend up to ₹250 crore, particularly in cases involving:
• Failure to prevent personal data breaches,
• Violations relating to children’s data.
The penalty regime is civil in nature, reinforcing compliance rather than criminal punishment.
4. Rights, Duties & Penalties
Rights of Data Principals
The DPDP Act transforms individuals from passive data subjects into active rights-holders, enabling meaningful control over personal data and fostering accountability among processors.
Duties of Data Principals
Uniquely, the Act also imposes duties on individuals, including:
• Prohibition on impersonation,
• Prohibition on suppression of material information,
• Prohibition on frivolous or malicious complaints.
This reflects a balanced regulatory approach that recognises reciprocal responsibility.
Penalties & Enforcement
The Data Protection Board of India is empowered to investigate violations, impose penalties, and enforce compliance, functioning as a specialised regulatory authority.
5. Practical Applications & Real-Life Scenarios
Corporate Compliance
A fintech company processing KYC data must ensure explicit consent, robust encryption, breach notification mechanisms, and deletion of data once statutory retention requirements are satisfied.
Employment Context
Employers may process employee biometric or attendance data under legitimate use, but repurposing such data for surveillance or behavioural profiling would violate purpose limitation.
Government Services
Welfare schemes collecting beneficiary data must adhere strictly to data minimisation and purpose limitation to prevent inter-departmental misuse.
6. Common Myths and Compliance Mistakes
Myth: Consent clauses buried in standard terms and conditions are valid.
Reality: Consent must be clear, standalone, and informed.
Myth: Government bodies are immune from compliance.
Reality: State entities are Data Fiduciaries under the Act.
Mistake: Retaining personal data indefinitely “just in case,” which violates data minimisation and purpose limitation principles.
7. Landmark Judgments & Regulatory Context
Although the Act is relatively new, its interpretation is guided by prior constitutional jurisprudence, particularly:
• Recognition of privacy as a fundamental right, and
• Judicial insistence on proportionality and necessity in data collection.
Future delegated legislation concerning cross-border data transfers, consent managers, and breach reporting timelines will significantly shape the Act’s practical implementation.
7A. Comparative Perspective: India’s DPDP Act and Global Data Protection Regimes
While the Digital Personal Data Protection Act, 2023 draws inspiration from global data protection frameworks, it reflects a distinctly Indian regulatory philosophy. Comparatively, the European Union’s General Data Protection Regulation (GDPR) adopts a highly prescriptive, rights-heavy model with detailed obligations such as data portability, automated decision-making restrictions, and mandatory breach reporting timelines. In contrast, the DPDP Act opts for regulatory flexibility, granting the executive significant rule-making power to adapt compliance requirements over time.
Unlike the GDPR, the DPDP Act does not categorise personal data into multiple tiers such as “sensitive” or “special category” data, nor does it explicitly recognise rights such as data portability or objection to automated processing. This design choice reduces compliance complexity, particularly for start-ups and small enterprises, but also places greater reliance on regulatory oversight by the Data Protection Board.
From a cross-border perspective, the DPDP Act departs from strict data localisation mandates and instead permits international data transfers to jurisdictions notified by the Central Government. This approach seeks to balance national security concerns with India’s integration into the global digital economy, particularly in sectors such as IT services, outsourcing, and cloud computing.
7B. Compliance Roadmap: What Organisations Must Do in Practice
From a practical standpoint, compliance with the DPDP Act requires organisations to move beyond formal documentation and adopt operational data governance frameworks. At a minimum, Data Fiduciaries should undertake the following steps:
First, organisations must conduct a data mapping exercise to identify what personal data they collect, the purpose for which it is processed, where it is stored, and with whom it is shared. Without such mapping, compliance with purpose limitation and erasure obligations becomes impractical.
Second, consent architecture must be redesigned to ensure that consent is granular, informed, and revocable. This includes separating consent from general terms of service and ensuring that withdrawal mechanisms are easily accessible.
Third, internal policies on data retention and deletion must be aligned with the principle of data minimisation. Retaining personal data indefinitely for speculative future use exposes organisations to regulatory risk.
Fourth, organisations, particularly those likely to be notified as Significant Data Fiduciaries, must invest in governance structures, including appointment of compliance officers, audit mechanisms, and breach response protocols.
7C. Implementation Challenges and Future Outlook
Despite its strengths, the DPDP Act presents several implementation challenges. The absence of detailed statutory timelines for breach reporting and grievance redressal places significant reliance on delegated legislation, which will determine the Act’s real-world effectiveness. Additionally, the wide exemption powers granted to the State have raised concerns regarding potential dilution of privacy protections if not exercised proportionately.
Another challenge lies in enforcement capacity. The effectiveness of the Data Protection Board of India will depend on its institutional independence, technical expertise, and ability to adjudicate complex data-related disputes efficiently.
Looking ahead, the DPDP Act should be viewed as a foundational framework rather than a final code. As India’s digital economy evolves, future amendments, sector-specific rules, and judicial interpretation will play a critical role in strengthening protections against emerging risks such as artificial intelligence-driven profiling, automated decision-making, and large-scale surveillance technologies.
8. Conclusion: Why This Act Matters Today
The Digital Personal Data Protection Act, 2023, represents a cornerstone of India’s evolving digital constitutionalism. It seeks to harmonise individual autonomy, State interests, and economic growth in a data-driven society.
For law firms, the Act opens avenues in compliance advisory, regulatory litigation, and data governance structuring.
For businesses, it necessitates a shift towards privacy-by-design and compliance-by-default.
For individuals, it restores informational self-determination and legal control over personal data.
In an economy where data is both an asset and a liability, the DPDP Act is not merely regulatory; it is foundational to trust, accountability, and sustainable digital growth.