
DATA PROTECTION IN INDIA POST–DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A CRITICAL APPRAISAL


Introduction:

The 2017 Supreme Court judgment in Justice K.S. Puttaswamy v Union of India[1] recognized privacy as an intrinsic part of Article 21’s guarantee of life and liberty, creating momentum for a comprehensive data law. In response, Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) in August 2023.[2] The Act aims to establish a modern framework for digital personal data, but its effectiveness remains in question given its delayed commencement and broad exemptions; as of late 2025, its core provisions are only now being notified. This essay critically evaluates the DPDP Act’s key features, enforcement challenges, and implications for privacy rights and business compliance. It compares the Act with the previous regime under the IT Act, 2000, and situates it in India’s constitutional context (especially Article 21 and Puttaswamy).

Background: India’s Pre-2023 Data Regime and Privacy Jurisprudence

Until 2023 India lacked a standalone data protection law. Data protection was only an incidental concern under the Information Technology Act, 2000[3] and its 2011 Rules on Sensitive Personal Data (SPDI Rules).[4] These rules imposed modest security obligations on “body corporates” handling certain categories of data but, as commentators note, conferred no rights on individuals. In practice the IT Act regime was “security-based”: it focused on liability for failures of security practice, without recognizing any individual entitlement to privacy or control over personal data. This gap persisted despite India’s rapid digital growth and recurring data scandals.

A watershed came in Puttaswamy (2017): a nine-judge Constitution Bench of the Supreme Court unanimously held that the right to privacy is a fundamental right under Article 21. The Court overruled earlier precedents and declared that privacy is guaranteed as part of the right to life and liberty. It further emphasized that any law encroaching on privacy must satisfy the tripartite test of legality, necessity, and proportionality.[5] This landmark judgment implicitly obligated the legislature to enact a dedicated data protection law. A high-powered committee (the Justice Srikrishna Committee, 2018) then drafted proposals, leading through several successive bills to the final DPDP Act, 2023.

Key Provisions of the DPDP Act, 2023

The DPDP Act establishes India’s first comprehensive privacy law for digital personal data. It covers any data about an identifiable individual that is collected in digital form or digitized after collection. Notably, the Act excludes purely non-digital records and non-personal (aggregate or anonymized) data. Several core concepts mirror the EU GDPR. A data fiduciary (akin to a controller) is the entity that determines the purpose and means of processing personal data, while a data processor processes data on the fiduciary’s behalf. The data principal is the individual to whom the data relates (with parents or lawful guardians acting for children and persons with disabilities). The Act makes fiduciaries, not processors, directly liable for compliance, although fiduciaries remain responsible for processing carried out by processors they engage.

The Act is primarily consent-based.[6] Data fiduciaries must provide clear privacy notices and obtain “free, specific, informed, unconditional and unambiguous” consent from individuals. Processing without consent is permitted only for the “legitimate uses” enumerated in Section 7: for example, data voluntarily provided by the principal for a specified purpose, performance of state functions, compliance with law, medical emergencies, and employment-related purposes.[7] Notably absent are the broad grounds of “legitimate interests” and contractual necessity found in the GDPR. In practice, this means most routine processing of personal data by private entities requires express consent. Data principals have specific rights: they may withdraw consent at any time, and on withdrawal the fiduciary must cease processing and erase the data unless retention is required by law. The Act also confers rights of access, correction and erasure, grievance redressal, and nomination, with the procedures to be fleshed out in rules.

On security and accountability, the Act obliges fiduciaries to implement “reasonable security safeguards” to prevent personal data breaches, such as encryption, access controls, logging and monitoring, and breach response procedures. In the event of a personal data breach, the fiduciary must notify both the affected individuals and the Data Protection Board in the form and manner prescribed by the Rules, which require prompt intimation to the Board followed by a detailed report within 72 hours. Entities notified as Significant Data Fiduciaries (based on the volume and sensitivity of data processed, risk to data principals, and similar factors) carry heightened duties: they must appoint a Data Protection Officer based in India, appoint an independent data auditor, and conduct periodic data protection impact assessments and audits. On cross-border transfers, the Act adopts a restriction-by-notification approach: personal data may be transferred outside India except to countries or territories that the central government restricts by notification, and sectoral laws that impose stricter localisation requirements continue to apply.

Enforcement is vested in a new Data Protection Board of India (DPBI). Under the Act, this authority supervises implementation, adjudicates complaints, and imposes penalties. Complaints about data breaches or misuse can be brought before the Board, which has powers to inquire, issue directions, and order remedial measures. Appeals from Board orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which the Act designates as the Appellate Tribunal. Substantial monetary penalties are prescribed: up to INR 250 crore per instance for the most serious violations, such as failure to implement reasonable security safeguards, a quantum intended to be genuinely deterrent. (For perspective, the previous IT Rules only allowed fines up to INR 100,000.) Significantly, the Act creates no new criminal offences; enforcement is entirely through administrative sanctions, and the Act itself does not provide for compensation to affected individuals.

Comparison to the IT Act Regime

The DPDP Act represents a fundamental shift from the old framework. As one analyst notes, it moves India “from a security-based to a rights-based framework”. Under the IT Act and SPDI Rules[8], compliance meant implementing certain security practices, but individuals had no legal control over their data. By contrast, the DPDP Act explicitly treats personal data as an extension of individual autonomy. It imposes affirmative duties on organizations (data fiduciaries) and grants rights to data principals (consent, withdrawal, access, correction and erasure), akin to global privacy laws.

In procedural terms, the Act also formalizes measures that were missing before. Puttaswamy had expressly encouraged a legislative remedy; now privacy protection is rooted in statute. Article 21 of the Constitution[9], read in light of Puttaswamy, still prevails over any inconsistent law, but the DPDP Act now embodies the constitutional privacy ethos in positive rights and obligations.

Privacy Rights and Constitutional Implications

The DPDP Act must be assessed against India’s constitutional commitment to privacy. Under Puttaswamy, any limitation on privacy must meet strict tests. On paper, the new law advances privacy by codifying many safeguards (consent, purpose limitation, notice, and so on). Yet it also raises concerns about state power. Critics point out that Section 17 of the Act (and the corresponding rules) permits the central government to exempt any instrumentality of the state from compliance on broad grounds such as “sovereignty and integrity of India”, “security of the State”, “public order” and “prevention of offences”. In effect, exempted agencies can bypass consent, notice and most other requirements. Civil society commentators warn that this provision “overwhelmingly” favours surveillance and severely undermines privacy protections.[10]

In the implementing rules, these exemptions take concrete form. For example, data fiduciaries must retain and furnish usage logs if a state agency demands them, and an application for a public service can be treated as the applicant’s voluntary provision of personal data, dispensing with separate consent. This has alarmed privacy advocates. The Internet Freedom Foundation observes that the Act “instituted onerous duties on individuals and carved out broad exceptions that weaken the fundamental right to privacy”. Similarly, a law review article notes that Section 17 “tilts the balance in favour of state surveillance powers” and contains “no real procedural safeguards”. The confidentiality requirements attached to such requisitions even bar fiduciaries from informing individuals when their data has been requisitioned by the state (in matters of sovereignty or security), eliminating a key transparency check.

These state-actor carve-outs are striking given Puttaswamy’s emphasis on stringent tests. The Court in 2017 held that any restriction on privacy must be backed by a valid law, pursue a legitimate state aim, and be proportionate to that aim. By contrast, the DPDP Act leaves many of the exemption grounds undefined and imposes no requirement of judicial oversight or independent proportionality review. In practice, therefore, the privacy rights guaranteed by Article 21 may be compromised: while the Act nominally protects data, it simultaneously authorizes far-reaching state access without the checks (necessity, judicial warrant, independent review) that constitutional norms would demand.

Enforcement and Implementation Challenges

A major challenge has been that the DPDP Act did not become operative upon enactment. After presidential assent in August 2023, its provisions required separate notification under Section 1(2) to commence. Owing in part to rulemaking delays, the Act lay dormant for over two years, creating a legal vacuum. Only in November 2025 were the DPDP Rules, 2025 notified, together with a phased commencement schedule. Under this schedule, the Data Protection Board provisions (Sections 18 to 26) took effect immediately, while the core obligations on fiduciaries and rights of data principals (Sections 3 to 17) remain deferred, most coming into force 18 months later.

This stalled implementation has drawn judicial reproach. The Delhi High Court questioned why, a year after assent, the DPDP Act had still not been brought into force, and sought clarity on the commencement notification.[11] Observers note that businesses have been left in limbo, uncertain whether to continue under the old IT Rules or begin gearing up for the new law. In practice, many companies have adopted interim best practices (ISO standards, GDPR-style policies) in anticipation of the Act’s enforcement.[12] At the same time, India’s sectoral regulators (for example, the RBI for banks, and telecom security rules) have stepped in to fill the void, sometimes creating overlapping or conflicting requirements.

Notably, even the enforcement body itself has not been fully functional. The Act envisaged the Data Protection Board of India (DPBI) as the regulator, but as of late 2024 no Board members had been appointed. Baker McKenzie reported that the government had set no timeline, though the DPBI was expected to be constituted by the end of 2025. Until the Board is operational, there is no mechanism to adjudicate complaints or impose penalties. This gap partly explains the phased commencement, but it also means that, at least initially, violations attract only theoretical fines.

Implications for Corporations and Privacy Rights

The DPDP Act, 2023 imposes extensive compliance duties on businesses handling personal data. Data fiduciaries must document their processing, honour data principal rights, issue privacy notices, obtain valid consent with a withdrawal mechanism as easy as the consent itself, and report breaches within strict timelines. Significant Data Fiduciaries must additionally appoint Data Protection Officers, conduct impact assessments, maintain records of processing, and undergo independent audits. These obligations require operational upgrades, staff training, and revision of contracts with processors. While the Act aligns India with global standards and should ease cross-border trade, compliance costs are substantial, especially given the delayed rules. Small and medium enterprises may struggle unless the exemptions or simplified standards contemplated by the Act are clarified.

Conclusion

The Digital Personal Data Protection Act, 2023 marks a major shift toward a rights-based data protection framework in India, recognizing privacy’s constitutional value and aligning with global standards. However, its impact remains uncertain owing to delayed enforcement, phased rules, and the absence of a functioning Data Protection Board. Broad governmental exemptions risk hollowing out its safeguards. Corporations must nonetheless prepare for phased compliance, stronger consent mechanisms, enhanced security, and significant penalties. Ultimately, the Act’s success will depend on transparent rulemaking, effective enforcement, and judicial oversight to protect the Article 21 right to privacy.

Author(s) Name: Sana Jahangir (Aligarh Muslim University)

References:

[1] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1.

[2] Digital Personal Data Protection Act, 2023.

[3] Information Technology Act, 2000.

[4] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

[5] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1 (Chandrachud J).

[6] Digital Personal Data Protection Act 2023, s 6.

[7] Digital Personal Data Protection Act 2023, s 7.

[8] See note 4 above.

[9] The Constitution of India, 1950.

[10] Internet Freedom Foundation, ‘Brief Analysis of the Digital Personal Data Protection Act, 2023’ (2023)

[11] Digital News Publishers Association v Union of India (Delhi High Court, 2024).

[12] DLA Piper, Data protection laws of the world: India (2024).