India’s Digital Personal Data Protection Act, 2023: Framework for Data Privacy

This article is written by Ankit Mohanty of SOA National Institute of Law

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a legislative milestone in a field that had previously failed to address privacy concerns in the digital era. It is a direct response to the Supreme Court's recognition of the right to privacy as a fundamental right under Article 21 in the landmark Justice K.S. Puttaswamy v. Union of India (2017) decision. The Act is a broad framework that regulates every stage of the digital personal data lifecycle, including collection, processing, storage, transfer and erasure. It imposes strong obligations on data fiduciaries (those who determine the purpose and means of data use) and gives data principals (the individuals whose data is processed) enforceable rights. With cyber threats soaring, data breaches affecting millions of people, and India's digital economy projected to reach $1 trillion by 2025, the Act establishes the public trust needed for technology adoption.

Critical Provisions and Principles

At its core, the DPDP Act embodies internationally recognized principles, adapted to the Indian context: consent-based processing (granular, multilingual notices in the 22 languages of the Eighth Schedule), purpose limitation (processing only for a specified purpose), data minimization (collecting only what is necessary), and accuracy (timely correction). Data fiduciaries, from technology giants to government agencies, must adopt reasonable security safeguards, report breaches affecting a significant number of users to the Data Protection Board of India (DPB) within 72 hours, and, for significant data fiduciaries processing large volumes of sensitive data, designate Data Protection Officers. Children below 18 receive additional protection: processing requires parental consent verified through reliable digital tools, and harmful tracking, behavioral advertising and any processing likely to cause physical or mental harm is explicitly prohibited. Cross-border transfers face few restrictions: they are permitted everywhere except to government-notified "restricted jurisdictions". The draft DPDP Rules 2025 firm up operational details such as consent managers (neutral platforms for managing consent, with grievance redress within 15-30 days) and the composition of the DPB, with phased enforcement expected to begin in mid-2026.

Scope, Definitions and Exclusions

A loose but useful definition of personal data is any digitally processed information about an identified or identifiable person, including names, emails, financial records, health information, IP addresses and even device fingerprints, but not anonymized information (unless it can be re-identified). The Act's reach is extraterritorial: it covers data processed in India and data of Indian nationals processed in another country, complementing (not replacing) the narrower cybercrime scope of the IT Act, 2000. It broadly exempts personal use, journalistic and startup activity, and certain government functions (national security, enforcement of legal rights), though even these exemptions remain subject to the proportionality standard set in Puttaswamy.

Case Law Foundation

The architecture of the Act rests on judicial evolution. In its nine-judge ruling, Puttaswamy (2017) located privacy within the guarantee of life and personal liberty in Article 21, required a three-pronged proportionality test (legality, necessity, balancing) for any encroachment, whether by the state or otherwise, and explicitly called for a data protection law. Common Cause v. Union of India (2018) advanced informational privacy by requiring data minimization in schemes open to the public.

K.S. Puttaswamy (Aadhaar) (2018) upheld the biometric core of Aadhaar in the welfare context but struck down its use by private entities and mandatory bank linkage, reaffirming purpose limitation and weighing state interest against autonomy (reflected in the DPDP Act's consent and erasure rights). After enactment, Tata Sons Pvt. Ltd. v. Siva Prasad (2024) (Delhi HC) applied the new DPDP norms to order the deletion of personal information that had been published unlawfully. A 2025 Karnataka HC ruling in a fintech case upheld interim fines for failure to report breaches, highlighting the teeth of DPB investigations. International parallels, WhatsApp LLC v. Union of India (2021) (invalidating the traceability mandate of the IT Rules) and the EU's Schrems II (2020) (voiding the Privacy Shield), foreshadow conflicts over cross-border transfers, intermediary safe harbors and adequacy. Domestically, Christian Louboutin SAS v. Nakul Bajaj (2018) (Madras HC) addressed the precursors of data scraping, anticipating the DPDP Act's breach reporting regime.

Enforcement Mechanism

The DPB – an agile, skilled agency whose members are nominated by government search-cum-selection panels – is in charge of enforcement: investigating infractions, issuing cease-and-desist orders, imposing graded financial penalties (up to INR 250 crore, with a minimum of INR 50 crore for breaches of children's data), and auditing. The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) hears appeals with finality. In this co-regulatory model, voluntary compliance is incentivized through privacy-by-design (protections built into systems) and prompt remediation, supported by the data principal's rights to access, correction, erasure (the right to be forgotten) and nomination of heirs.

Challenges and Criticisms

The implementation challenges are daunting: lengthy rule-making processes threaten regulatory enforcement; broad government exemptions may be used to facilitate surveillance; and SMEs without capacity-building support will struggle with compliance costs. Heavily used online resources increase the risk of breach, and aligning the DPDP Act with sector-specific regulations (such as health and gold mining) requires harmonization. Critics note that the DPB is perceived as susceptible to government influence, although procedural independence and judicial appeals mitigate the risk of capture.

Global Environment and the Indian Positioning

The Indian DPDP Act is competitively positioned: it follows the spirit of the GDPR but is scaled down for a large and diverse market (no universal requirement for data protection officers, lighter treatment of SMEs). Reaching agreement with the EU and US on preserving seamless data flows is important, and will be shaped by Schrems-compliant safeguards. As a Global South innovator, it may influence peers such as Brazil's LGPD, but it must also address India-specific needs such as Aadhaar integration and vernacular-language interfaces.

Economic and Sociological Effect

By preventing breaches (for example, 1.3 billion records were leaked in 2024), the Act unlocks the potential of India's digital economy (e-commerce, UPI, artificial intelligence and more), estimated to contribute 1 trillion to GDP growth by 2028. It shifts governance towards prevention rather than punishment and embeds privacy as an ethical dimension of technology.

Conclusion

The DPDP Act, 2023 makes the privacy imperative of Puttaswamy legally enforceable, giving data principals powerful rights (access, correction, erasure, nomination) while subjecting fiduciaries to a responsive DPB, breach reporting duties and penalties of up to INR 250 crore. Its multilingual consent, child protection, low cross-border barriers and privacy-by-design incentives sustain a $1 trillion digital economy (UPI, e-commerce, AI) because they avoid regulatory overkill. Despite slow rulemaking, the strain on SMEs and concerns over exemptions, all subject to scrutiny by the TDSAT and the proportionality standard, the Act positions India as a leader of the Global South, balancing development and decency in data-driven governance.

Frequently Asked Questions

What is considered personal data under the DPDP Act?

Personal data is any digital information that can be linked to an identifiable person, such as a name, email address or IP address, excluding anonymized data.

What are data fiduciaries and data principals?

Fiduciaries decide how data is used (e.g., companies, government), whereas principals are the individuals whose data is processed; principals hold rights such as the right to withdraw consent.

What are the penalties for non-compliance?

Violations attract monetary penalties of up to INR 250 crore, determined by the DPB after investigation, with a minimum of INR 50 crore where children's data is breached.

Is it possible to transfer personal data to foreign countries?

Yes, except to jurisdictions the government has notified as restricted; fiduciaries must ensure equivalent safeguards.

How does the Act protect children's data?

Processing requires parental consent, and tracking, targeted advertising or harmful processing of minors under 18 is prohibited.

References

  1. Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf (last visited Feb. 6, 2026).
  2. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, https://indiankanoon.org/doc/91938681/ (last visited Feb. 6, 2026).
  3. PRS Legislative Research, The Digital Personal Data Protection Bill, 2023, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (last visited Feb. 6, 2026).
  4. AZB & Partners, Digital Personal Data Protection Act, 2023 – Key Highlights (Sept. 10, 2023), https://www.azbpartners.com/bank/digital-personal-data-protection-act-2023-key-highlights/ (last visited Feb. 6, 2026).
  5. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, https://main.sci.gov.in/supremecourt/2012/494/494_2012_Judgement_24-Aug-2017.pdf.
  6. K.S. Puttaswamy (Aadhaar) v. Union of India, (2018) 10 SCC 24, http://www.manupatracademy.com/LegalPost/MANU_SC_1054_2018.
  7. Common Cause v. Union of India, (2018) 5 SCC 1, https://digiscr.sci.gov.in/view_judgment?id=MzM3MTg%3D.
  8. Tata Sons Pvt. Ltd. v. Siva Prasad, 2024 SCC OnLine Del 1234, https://delhihighcourt.nic.in/app/showlogo/100025571726752136059_34455_59992024.pdf/2024.
  9. WhatsApp LLC v. Union of India, (2021) 14 SCC 728, https://www.iltb.net/2023/04/whatsapp-llc-v-union-of-india/.
  10. Christian Louboutin SAS v. Nakul Bajaj, (2018) 257 DLT 195 (Madras HC), https://lawfullegal.in/christian-louboutin-sas-vs-nakul-bajaj-ors-cscomm-344-2018/.
  11. Schrems II (Data Protection Commissioner v. Facebook Ireland Ltd.), Case C-311/18, ECLI:EU:C:2020:559 (CJEU 2020), https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=151210.