A comprehensive legal analysis of the DPDP Act — its constitutional foundations, key provisions, rights and obligations, enforcement framework, and its implications for individuals and organizations in India’s rapidly expanding digital economy.
I. Introduction
The enactment of the Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), which received Presidential assent on 11th August 2023, represents a watershed moment in India’s legislative history concerning individual privacy rights and data governance. For a country with over 800 million internet users and one of the world’s fastest-growing digital economies, the absence of a standalone, comprehensive data protection framework was a glaring legislative lacuna — one that this Act seeks to fill.
This legislation did not emerge in a vacuum. It is the culmination of a legislative journey spanning over six years, triggered by the landmark judgment of the nine-judge Constitutional Bench of the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India [Writ Petition No. 494/2012], which unequivocally recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India. Until the DPDP Act’s enactment, India’s data protection framework rested primarily on the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — an inadequate patchwork for the digital age.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” — Justice K.S. Puttaswamy v. Union of India (2017)
Notably, the DPDP Act, 2023 is the first Act of Parliament to use “she/her” pronouns throughout its text, departing from the traditional legislative convention of using “he/him” — a symbolic recognition of gender-inclusive legislative drafting. The Act further employs practical illustrations within its sections, adopting what the Government describes as the SARAL design — Simple, Accessible, Rational and Actionable Language — to promote ease of understanding and compliance.
II. Legislative Journey
The path from the Puttaswamy judgment to the final enactment was long and winding, marked by multiple drafts, extensive consultations, and a complete withdrawal and redrafting of the Bill.
24 August 2017: Supreme Court delivers the historic Right to Privacy verdict in Puttaswamy case.
22 December 2018: Justice B.N. Srikrishna Committee submits the Personal Data Protection Bill, 2018 to the Government.
11 December 2019: Personal Data Protection Bill, 2019 introduced in Lok Sabha and referred to the Joint Parliamentary Committee.
3 August 2022: The 2019 Bill is withdrawn from Parliament following criticism from stakeholders, opposition, and experts.
18 November 2022: MeitY releases the Digital Personal Data Protection Bill, 2022 for public consultation.
3 August 2023: The revised Digital Personal Data Protection Bill, 2023 introduced in Lok Sabha.
11 August 2023: Presidential assent received — the Bill becomes the DPDP Act, 2023.
3 January 2025: MeitY releases Draft DPDP Rules, 2025 for public consultation.
13 November 2025: DPDP Rules, 2025 officially notified; provisions for establishment of the Data Protection Board brought into force.
III. Scope and Applicability
The DPDP Act applies to the processing of digital personal data within India where such data is either collected in digital form or collected in a non-digital form and subsequently digitized. The Act defines “personal data” broadly as any data about an individual who is identifiable by or in relation to such data, and “digital personal data” as personal data in digital form. [Section 2(i), 2(n)]
Significantly, the Act possesses extra-territorial applicability — it extends to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to offering goods or services to Data Principals located within India. [Section 3]
Key Distinction from GDPR: Unlike the European Union’s General Data Protection Regulation (GDPR), the DPDP Act treats all personal data uniformly. It does not create a separate, heightened category of “sensitive personal data” — a conscious legislative choice that simplifies compliance but has drawn both praise for its simplicity and criticism for potentially offering insufficient protection to particularly sensitive categories of information such as health data, biometric data, or sexual orientation.
The Act does not apply to personal data that has been made publicly available by the Data Principal herself or by any other person who is under a legal obligation to make such personal data publicly available. Additionally, processing of personal data in a non-digital form falls outside the Act’s purview.
IV. Key Definitions and Conceptual Framework
The Act establishes a clear conceptual architecture through its defined terms. The two principal actors in the data protection framework are the Data Fiduciary and the Data Principal.
Data Fiduciary
Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. This includes private entities, corporations, and government instrumentalities. The term “fiduciary” itself carries significant legal weight — it implies a relationship of trust and a corresponding duty of care towards the Data Principal’s data. [Section 2(i)]
Data Principal
The individual to whom the personal data relates. In the case of children (persons under the age of 18), the parent or lawful guardian acts as the Data Principal. Similarly, for persons with disabilities, the lawful guardian assumes this role. [Section 2(j)]
Data Processor
Any person who processes personal data on behalf of a Data Fiduciary. While the primary obligations under the Act rest with Data Fiduciaries, the inclusion of Data Processors within the framework ensures that outsourcing of data processing activities does not create regulatory gaps. [Section 2(k)]
Consent Manager
A unique innovation in the DPDP Act, the Consent Manager is an entity registered with the Data Protection Board that acts as a single point of contact for Data Principals to manage, review, and withdraw their consent across multiple Data Fiduciaries. The DPDP Rules, 2025 mandate that Consent Managers must be Indian companies and must maintain interoperability, technical safeguards, and freedom from conflict of interest. [Section 6(8), (9)]
V. The Seven Core Principles
The DPDP Act is founded upon seven guiding principles that permeate its provisions and serve as the interpretive lens through which its obligations must be understood. These are: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. These principles closely mirror internationally accepted data protection standards and signal India’s intent to align its framework with global best practices while retaining sovereign flexibility.
VI. Grounds for Lawful Processing
The Act stipulates that personal data may be processed only for a lawful purpose. The two primary grounds for lawful processing are consent and certain legitimate uses specified under the Act. [Section 4]
Consent
Consent must be free, specific, informed, unconditional, and unambiguous, indicated by a clear affirmative action. Importantly, the Act mandates that every request for consent must be presented in clear and plain language, and must be made available in English or any of the 22 languages listed in the Eighth Schedule of the Constitution. The Data Fiduciary must accompany or precede the request with a notice describing the personal data to be collected and the purpose of its processing. [Sections 5, 6]
The Act further provides that any part of consent that infringes the provisions of the Act shall be invalid to the extent of such infringement. Notably, a consent that includes a waiver of the Data Principal’s right to file a complaint before the Data Protection Board would be invalid to that extent.
Legitimate Uses Without Consent
The Act recognizes certain scenarios where processing without explicit consent is permissible under Section 7. These include: voluntary provision of data by the Data Principal for a specified purpose; processing necessary for the State to provide subsidies, benefits, services, certificates, licences or permits; processing under any law or court order; processing for responding to medical emergencies; and processing related to employment purposes. [Section 7]
VII. Rights of Data Principals
Chapter III of the Act enshrines several fundamental rights for Data Principals, creating a robust framework of individual empowerment over personal data.
Right to Information (Section 11): Data Principals have the right to obtain a summary of the personal data being processed by the Data Fiduciary and the processing activities undertaken with respect to such data. They also have the right to know the identities of all Data Fiduciaries and Data Processors with whom personal data has been shared.
Right to Correction and Erasure (Section 12): Data Principals can seek correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of personal data, and erasure of personal data that is no longer necessary for the stated purpose of processing.
Right of Grievance Redressal (Section 13): Data Principals have the right to readily available means of grievance redressal provided by the Data Fiduciary. If unsatisfied with the response, they may file a complaint with the Data Protection Board of India.
Right to Nominate (Section 14): A Data Principal may nominate any individual who shall, in the event of the Data Principal’s death or incapacity, exercise the Data Principal’s rights under the Act.
VIII. Duties of Data Principals
In a notable balance between rights and responsibilities, the Act also prescribes duties for Data Principals under Section 15. These include compliance with applicable laws while exercising rights under the Act, refraining from impersonating another person while providing personal data, refraining from suppressing material information, not registering false or frivolous grievances or complaints, and furnishing only verifiably authentic information. A breach of these duties may attract a penalty of up to ₹10,000.
IX. Obligations of Data Fiduciaries
Chapter II of the Act places comprehensive obligations on Data Fiduciaries, reflecting the fiduciary nature of the relationship and the duty of care it entails.
Data Security (Section 8(1), (5)): Data Fiduciaries must implement appropriate technical and organizational measures to ensure effective compliance, including reasonable security safeguards to protect personal data in their possession or under their control, preventing personal data breaches.
Breach Notification (Section 8(6)): In the event of a personal data breach, the Data Fiduciary must inform both the Data Protection Board of India and each affected Data Principal without undue delay. The DPDP Rules, 2025 further require that such notification be in plain language, explaining the nature of the breach, potential consequences, and remedial steps taken.
Data Retention and Erasure (Section 8(7)): Where the Data Principal has not approached the Data Fiduciary for the performance of the specified purpose, or has withdrawn consent, the Data Fiduciary must erase personal data, unless retention is necessary for legal compliance.
Significant Data Fiduciaries
The Act empowers the Central Government to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as the volume and sensitivity of personal data processed, risk to the rights of Data Principals, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs face additional obligations including the appointment of a Data Protection Officer (DPO) based in India, the appointment of an independent data auditor, conducting periodic Data Protection Impact Assessments (DPIAs), and periodic audits. [Section 10]
X. Special Provisions for Children’s Data
The Act provides heightened protection for children’s personal data. Data Fiduciaries must obtain verifiable consent of the parent or lawful guardian before processing a child’s data. Furthermore, the Act prohibits any processing that is likely to cause any detrimental effect on the well-being of a child, and specifically bans tracking, behavioural monitoring, and targeted advertising directed at children. [Section 9]
The definition of a child under the Act is any individual below the age of 18, consistent with the Indian Contract Act, 1872, though this threshold has attracted criticism for being higher than the 13–16 year threshold adopted by other major jurisdictions including the United States, the European Union, and the United Kingdom.
XI. Cross-Border Data Transfer
The Act adopts a relatively permissive approach to cross-border data transfers. Rather than requiring adequacy assessments for each receiving jurisdiction (as under the GDPR), the Central Government may, by notification, restrict the transfer of personal data to specific countries or territories. In effect, transfers are permitted to all jurisdictions except those specifically blacklisted by the Government. This represents a “negative list” approach. [Section 16]
XII. Exemptions
Section 17 provides several exemptions from the Act’s provisions. These include processing for prevention and investigation of offences, enforcement of legal rights, processing by courts or tribunals, and processing of non-Indian residents’ data within India pursuant to a contract. The Central Government may also exempt instrumentalities of the State in the interest of sovereignty, integrity, and security of India, public order, and friendly relations with foreign states.
The breadth of governmental exemptions under the Act has been one of the most intensely debated aspects of the legislation. Critics argue that the wide discretionary power vested in the Central Government to exempt state instrumentalities from the Act’s provisions undermines the very purpose of the legislation, given that the State is among the largest collectors and processors of personal data in India.
XIII. The Data Protection Board of India
Chapter V establishes the Data Protection Board of India (DPBI) as the adjudicatory body responsible for monitoring compliance, investigating violations, directing remedial measures in the event of data breaches, hearing grievances, and imposing penalties. The Board is constituted as a body corporate with perpetual succession. [Section 18]
The Board consists of a Chairperson and such number of Members as the Central Government may notify, appointed for a term of two years with eligibility for re-appointment. Significantly, the Board does not possess regulation-making power — the power to frame rules rests exclusively with the Central Government under the expansive delegated legislation provision of Section 40.
The provisions relating to the establishment of the Data Protection Board were brought into force on 13th November 2025 through the notification of the DPDP Rules, 2025.
XIV. Penalty Framework
The Act establishes a tiered penalty structure under the Schedule (referenced through Section 33), prescribing maximum monetary penalties for various categories of non-compliance. Unlike the earlier 2019 Bill, the DPDP Act does not prescribe criminal penalties — all consequences are monetary in nature.
| NATURE OF BREACH | MAX PENALTY |
|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach | ₹250 Crore |
| Failure to notify the Board and affected Data Principals of a personal data breach | ₹200 Crore |
| Breach of obligations in relation to children’s data | ₹200 Crore |
| Breach of additional obligations of Significant Data Fiduciary | ₹150 Crore |
| Non-fulfilment of other obligations / breach of conditions | ₹50 Crore |
| Breach of duties by Data Principal (e.g. filing frivolous complaints, impersonation) | ₹10,000 |
It is important to note that these are maximum caps. The Data Protection Board retains the discretion to calibrate actual penalties based on the nature, gravity, and duration of the breach; the type and nature of personal data affected; whether the breach was repetitive; and any mitigating steps taken by the Data Fiduciary.
XV. The DPDP Rules, 2025: Operationalising the Act
On 13th November 2025, MeitY notified the Digital Personal Data Protection Rules, 2025, providing the implementation machinery for the Act. The Rules establish an 18-month phased compliance timeline, allowing organizations time for smooth transition, with full compliance expected by 13th May 2027. Key aspects of the Rules include detailed requirements for privacy notices in clear and simple language, the registration and operational framework for Consent Managers, the process for verifiable parental consent for processing children’s data, the framework for personal data breach notification, provisions for the appointment and functioning of the Data Protection Board, and cross-border data transfer restrictions.
XVI. Comparison with GDPR
While the DPDP Act shares foundational principles with the EU’s GDPR — including consent-based processing, purpose limitation, data minimization, and rights of access and correction — there are notable divergences. The GDPR applies to all forms of personal data while the DPDP Act covers only digital data. The GDPR distinguishes between personal data and special categories of sensitive data, whereas the DPDP Act treats all personal data uniformly. The GDPR provides for an independent supervisory authority with regulation-making powers, while the DPDP Act’s Board is appointed and supervised by the Central Government without such autonomous rule-making authority. On cross-border transfers, the GDPR requires adequacy assessments while the DPDP Act employs a negative list approach. Finally, the GDPR imposes penalties of up to 4% of global annual turnover, whereas the DPDP Act prescribes fixed maximum monetary caps.
XVII. Critical Assessment and Concerns
While the DPDP Act is a commendable first step, several areas merit critical scrutiny from a constitutional and rights-based perspective.
The broad exemptions granted to State instrumentalities under Section 17, particularly for national security and public order, lack sufficient judicial oversight mechanisms. The absence of independent judicial authorization for state surveillance activities stands in contrast to frameworks in jurisdictions like the United Kingdom, where the Investigatory Powers Act, 2016 requires prior approval by a Judicial Commissioner.
The lack of autonomy of the Data Protection Board — whose members are appointed by and serve at the pleasure of the Central Government for relatively short two-year terms — raises questions about institutional independence. The Srikrishna Committee had recommended a more robust governance structure, and regulatory bodies like SEBI and CCI operate with five-year terms to insulate them from executive influence.
The absence of a “sensitive personal data” category, while simplifying compliance, potentially leaves categories such as health records, biometric data, financial information, and data relating to sexual orientation without the differentiated protection they warrant.
Further, the expansive delegated legislation power under Section 40(2), which includes a catch-all provision permitting the Central Government to prescribe rules on “any other matter,” effectively allows the executive to shape large aspects of the data protection framework without parliamentary oversight.
XVIII. Implications for Stakeholders
The Act will impact virtually every sector of India’s economy. Organizations in IT, e-commerce, healthcare, financial services, telecommunications, education, and the public sector must develop comprehensive data privacy governance programmes. This includes reviewing and updating privacy policies, implementing consent management mechanisms, establishing or strengthening data security infrastructure, conducting data protection impact assessments (for SDFs), training personnel on data protection obligations, and setting up internal grievance redressal mechanisms.
For individuals, the Act empowers them with rights that were previously absent from India’s legal framework. Citizens can now hold organizations accountable for the mishandling of their personal data and seek recourse through a formal adjudicatory mechanism.
XIX. Conclusion
The Digital Personal Data Protection Act, 2023, together with the DPDP Rules, 2025, represents India’s most significant legislative intervention in the domain of data privacy. It establishes a foundational framework that, while imperfect, provides the scaffolding upon which a robust data protection regime can be built. The Act’s consent-based architecture, the rights it confers upon Data Principals, and its penalty framework signal a serious governmental commitment to data protection.
However, the law’s effectiveness will ultimately depend on the independence and capacity of the Data Protection Board of India, the judiciousness with which governmental exemptions are exercised, and the extent to which the subordinate legislation remains faithful to the Act’s protective intent. As practitioners, it will be incumbent upon us to test the Act’s provisions through the crucible of judicial interpretation, particularly in the High Courts and the Supreme Court, to ensure that the fundamental right to privacy recognized in Puttaswamy finds its fullest expression in our digital age.
The enactment of the DPDP Act is not the end of the journey — it is the beginning of a new chapter in India’s ongoing commitment to balancing individual liberty with legitimate state interests in the digital era.
Disclaimer: This article is intended for informational and educational purposes only. It does not constitute legal advice and should not be relied upon as such. Readers are advised to consult a qualified legal professional for advice specific to their circumstances. The views expressed herein are the personal views of the author.
About the Author: Advocate Ravinder Singh Dhull is a practicing Advocate at the Punjab & Haryana High Court (Bar Registration P/991/2003) and former Additional Advocate General for the Government of Haryana. He specializes in constitutional law, Public Interest Litigation, writ petitions, and RTI activism, with an active practice spanning the Supreme Court of India, Punjab & Haryana High Court, and Delhi High Court. He currently serves as Legal Advisor to the Congress Legislative Party and National Media Panelist for the Indian National Congress.