Introduction
India wants to become a developed nation by 2047. If the growth is built on Personal Data, then the risk of privacy can be easily compromised if the law does not evolve with the technology. Therefore, the Digital Personal Data Protection Act,2023, tries to fill this gap. The act claims to protect individual digital data while also enabling a strong base for the digital economy whether its success in balancing both sides is a real question.
Privacy and Viksit Bharat
Privacy is a pressing concern in the digital age. The increase in the adoption of smartphones for ambitious e-governance programs has made personal data a valuable resource. However, after digitalisation, there have been increased concerns about individual privacy. In the Justice K.S. Putta Swamy case (2017), the Supreme Court declared that privacy is part of Article 21 as a human dignity and liberty. J. Chandrachud wrote, “privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable.”[1] This 2017 judgment gave all the rights to privacy that the Constitution provides under Article 21[2], and this would lead to greater laws governing data protection. The DPDP Act was the first privacy law enacted by parliament.[3]
It aims to protect the individual’s data and use it for legitimate data uses for the economy and society.[4] This legislation is presented at a time when the government is mapping out a strategic path to turn India into a developed nation by 2047 (Viksit Bharat).
Policymakers consider a digital infrastructure and data innovation as one of the pillars of such a Vision. It tries to balance on the one hand, people should have the right to privacy; but on the other hand, while that data can still flow to fuel development, like for e‐governance, research, fintech, AI, etc., at the heart of development policy.
Features of DPDP Acts,2023
The Act is based on the seven principles: lawful and transparent processing, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability, which are noted by the government press release.[5] The scope and application of the act covers all digital personal data, regardless of sensitivity or particular sectors, including processing outside India if it is related to Indian residents.[6] Firms (called “Data Fiduciaries”)[7] Must obtain explicit informed consent from data principals (the individuals) before processing their data, and it also prohibits “bundled consent” or alternative lawful grounds under Section 7, such as compliance with legal obligations.[8]
The Act also grants the right to know information concerning their data and how it is used, the right to edit or wipe data (the right to be forgotten), the right to complain against the fiduciary of a grievance, and even the right to nominate someone to act on their behalf in case of their death or incapacity.[9]
The DPDP Act establishes a Data Protection Board of India as an adjudicatory body for data protection matters and has powers to investigate complaints, take actions, impose penalties (up to ₹250 crore for breaches and ₹200 crore for violations involving children)[10] And also advise the government.[11]
Balancing privacy with Developments
Development and privacy are both important for good governance. The DPDP Act tries to balance privacy with the needs of growth; however act also expressly allows certain exemptions for national interests. Section 7 of the Act lists situations where data can be processed without consent, for instance, when required by law, in compliance with court orders, or when data is “voluntarily provided” by principals. As per Section 7(b) of the DPDP Act, which permits government agencies to process data without purpose limitations, so long as the data principal has freely given it (for example, submitting information on a government form). The aim is to let states use data to achieve public objectives.
Similarly, under Section 17(2) of the Act grants the Central Government is granted broad immunity, exempting it from all the obligations of the Act when doing things necessary for sovereignty, integrity, security, public order, and related concerns.[12] Practically, the law does not bind the state in many areas. It need not obtain consent for the security of the state, or even the state can use this to suppress the public media (which is the “fourth pillar of our Constitution”)[13] From the flow of information, which goes against the state.
The DPDP Act allows cross-border transfers with certain safeguards. For example, RBI rules require payment system data to be stored in India for data security within the economy. If we read together with the DPDP Act, it also aims to promote growth in (finance, research, digital services) while keeping a watchful eye on privacy and security. The Act is also written in simpler language (“SARAL” – simple, accessible, rational, actionable) to reduce red tape.[14]
DPDP Acts v. IT Acts – A Paradigm Shift
A paradigm shift refers to a significant modification in the Digital Personal Data Protection Act, 2023’s (DPDP Act) methodology. It seeks to strike a balance between state security and privacy. Only “sensitive personal data” stored by specific private companies was protected under the IT Act/SPDI Rules. But the DPDP Act covers all digital personal data, including government & foreign entities.[15]. The concept of consent has been upgraded now Explicit, informed, purpose-specific consent, earlier in often implied earlier via privacy policies. Individual Rights were limited to withdrawal/correction via policy; now it has become wider by allowing the right to edit or wipe data (the right to be forgotten), the right to complain against the fiduciary of a grievance, and even the right to nominate someone to act on their behalf in case of their death or incapacity.
For the enforcement, the IT Act relied on general tribunals and low fines, up to a maximum of ₹25,000; the DPDP Act establishes a specialised Data Protection Board and allows fines up to ₹250 crores. The DPDP Act extends the scope and includes extra‐territorially (covering foreign entities that offer goods/services to Indians or monitor their behaviour), whereas the IT Act’s privacy rules applied only to Indian corporates.
Still, one of the important gaps is in the IT Act Section 43A[16]. A person may seek compensation under the SPDI Rules if their data is not protected. Individual privacy breaches are not covered under the Digital Personal Data Protection Act of 2023. Indeed, it specifically leaves out any recourse such as damages under Section 43A.
DPDP Act vs. RTI Act 2005 – Balancing Privacy or Diluting Transparency
The DPDP Act covers only personal digital data; on the other hand, ‘information’ given under the RTI Act is used extensively.[17] It covers both digital and non-digital forms of records available with the government. As per section 38 of the DPDP Act[18]. It shall prevail over other existing laws, including the RTI Act, when the disclosure of personal data is concerned. Under the DPDP Act, section 44(3), it was later substituted with a shorter phrase in the RTI- “8(1)(j) information which relates to personal information;” Earlier RTI allowed the disclosure of personal information if it served a larger public interest, like revealing the name of a loan defaulter, ration beneficiaries, or the public officials missing the funds, but after the DPDP Act, “so, the detail about the loan write-offs, beneficiaries, and contractor behind the collapsing bridge can be blocked under the excuse of privacy.”
Journalists who try to collect or process such data independently could be treated as “data fiduciaries” and face fines of up to 250 crores for the “unauthorised processing”. It is not about privacy; it is about control. When information is inaccessible, then meaningful accountability becomes impossible. The government has released a press notification that states the DPDP Acts uphold privacy while preserving transparency.[19] Although section 8(2) of RTI remains, which “allows disclosure when public interest outweighs harms.”[20]. In practice, the removal of the public interest override in 8(1)(j) of the Act means many cases of personal information linked to public activity may simply be rejected without the previous balancing. Privacy could have been protected without deleting the “public interest” clause.
Conclusion
The DPDP Act, 2023, is an important step to ensure the digital privacy of people of India, as it enhances data protection as compared to the IT Act by expanding consent, rights, and penalties. However, the removal of the word public interest from the RTI Act weakens transparency and accountability in governance. Every law is good in its era, but for balancing privacy and development towards the vision of Viksit Bharat, Parliament should pass a constitutional amendment to incorporate “Digital Rights” into Part III of the Constitution, rather than leaving them solely dependent on judicial interpretation.
Author(s) Name: Chandan Sha (Indian Insitute of Legal Studies)
References:
[1]Justice KS Puttaswamy (Retd) v Union of India (2018) <https://delawarelaw.widener.edu/files/resources/indiaputtaswamy1jointjudgment2018.pdf > accessed 16 November 2025.
[2] Constitution of India 1950, art 21.
[3] Digital Personal Data Protection Act 2023.
[4] PRS Legislative Research, ‘The Digital Personal Data Protection Bill, 2023’ <https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023> accessed 16 November 2025.
[5] PRS Legislative Research, (n 4).
[6] Taxmann, ‘DPDP Act vs IT Act – Shifting India’s Data‑protection Paradigm’ <https://www.taxmann.com/post/blog/dpdp-act-vs-it-act > accessed 16 November 2025.
[7] Digital Personal Data Protection Act 2023, s 2(i).
[8] NYU Journal of International Law and Politics, ‘The Right to Privacy: Understanding India’s Dystopian Data Protection Legislation’ < https://nyujilp.org/the-right-to-pry-vacy-understanding-indias-dystopian-data-protection-legislation/ > accessed 16 November 2025.
[9] Press Information Bureau, Government of India, ‘Government notifies DPDP Rules to empower citizens and protect privacy’ (Ministry of Electronics & IT, 14 November 2025) <https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2190014 > accessed 16 November 2025.
[10] Digital Personal Data Protection Act 2023, s 33(1).
[11] Taxmann, (n 6).
[12] NYU Journal of International Law and Politics, (n 8).
[13] Samriddha Ray, ‘Role of Media as the Fourth Pillar of Democracy’(Law Article,30 September 2025) <https://lawarticle.in/role-of-media-as-the-fourth-pillar-of-democracy/> accessed 16 November 2025.
[14] Press Information Bureau, (n 9).
[15] Taxmann, (n 6).
[16] Information Technology Act 2000, s 43A.
[17] Right to Information Act 2005, ss 2(f), 8(1)(j).
[18] Digital Personal Data Protection Act 2023, s 38.
[19] Press Information Bureau, Government of India, ‘DPDP Act, 2023 Upholds Privacy While Preserving Transparency Under RTI’ (Ministry of Electronics & IT, 20 August 2025) <https://www.pib.gov.in/PressReleasePage.aspx?PRID=2158506®=3&lang=2 > accessed 16 November 2025.
[20] Right to Information Act 2005, s 8(2).
