Friday, January 16, 2026

REIMAGINING PRIVACY: CHALLENGES AND PROSPECTS OF INDIA’S DATA PROTECTION LAW

ABSTRACT:

The recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017) compelled India to adopt a comprehensive legal framework to safeguard personal data. The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant step in regulating the processing of personal data in the digital age. While the Act establishes important obligations for data fiduciaries and recognizes individual consent as central to data protection, it is not without shortcomings. Broad exemptions for state surveillance, weak regulatory independence, and curtailed transparency under the Right to Information Act threaten to dilute the effectiveness of the statute. This article critically evaluates the challenges and prospects of the DPDP Act by situating it within constitutional jurisprudence and comparative global frameworks, particularly the European Union’s GDPR. It concludes that while the Act lays a foundation for digital rights, robust reforms are needed to ensure that India’s data protection law genuinely upholds privacy, autonomy, and democratic accountability in the face of state and corporate power.

1. INTRODUCTION:

In an era of accelerating digitization, personal data has taken center stage as both a vital resource and a potential threat. The norms by which data are collected, processed, stored, and shared determine not just privacy but also autonomy, dignity, and democratic accountability. In India, the landmark Supreme Court judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India recognized privacy as a fundamental right under the Constitution, creating a constitutional demand for robust legal protection of personal data.¹ However, only in 2023 did India enact a comprehensive statute tailored to data protection: the Digital Personal Data Protection Act, 2023 (DPDP Act).² This legislation seeks to govern the regime of personal data in digital environments, drawing upon both domestic jurisprudence and foreign models. Yet, it presents a tension: how to balance the demands of state surveillance, corporate data use, and individual rights. This article examines the key features of the DPDP Act, critiques its weak points in light of constitutional and comparative norms, and offers prospects for reform.

2. THE CONSTITUTIONAL FOUNDATION: PUTTASWAMY AND THE RIGHT TO PRIVACY:

The Supreme Court’s decision in Puttaswamy (2017) is the touchstone for any data protection regime in India. In that case, a nine-judge bench held unanimously that the right to privacy is intrinsic to the broader rights guaranteed under Part III of the Indian Constitution, especially Article 21 (protection of life and liberty).³ Importantly, the Court laid down that any infringement of privacy by the State must satisfy the tests of legality, legitimate purpose, necessity, and proportionality.⁴ These requirements impose constraints not just upon the State but also upon the design of any law that allows for collection, processing, or retention of personal data.

3. KEY FEATURES OF THE DPDP ACT, 2023:

Enacted in 2023, the DPDP Act seeks to regulate the processing of “personal data” by “data fiduciaries” (those who determine the purpose and means of processing) and to protect “data principals” (individuals whose data are processed). Major features include:

  • Consent and processing obligations: Data fiduciaries must obtain consent from data principals, unless certain legitimate uses apply; provide notice; ensure data minimization; and limit retention.²
  • Cross-border data transfers: Transfers are permitted unless prohibited by the Central Government. Rules may later define conditions.²
  • Exemptions for State and government instrumentalities: Under broad grounds like sovereignty, security, public order, or foreign relations, certain State entities or their instrumentalities may be exempted.²
  • Regulatory authority: A Data Protection Board is constituted to enforce the Act, issue penalties, supervise data fiduciaries, and adjudicate complaints.²

4. CHALLENGES: WHERE THE DPDP ACT STRUGGLES:

While the DPDP Act addresses many aspects of a modern data protection regime, there are serious challenges and potential weaknesses, particularly when viewed through the lens of constitutional norms and comparative benchmarks.

Broad and Vague State Exemptions

One of the most contested features of the Act is the breadth of exemptions granted to the State (and state instrumentalities). These include provisions for entirely exempting State agencies from several obligations under the law for purposes such as “security of the State,” “maintenance of public order,” or “sovereignty and integrity of India.”⁵ Such exemptions are framed broadly and lack sufficient procedural and judicial safeguards. They raise the risk that the State may evade liability for intrusive surveillance or pervasive data collection without effective oversight. The Supreme Court’s Puttaswamy ruling requires restrictions on privacy to satisfy necessity and proportionality; broad, unchecked exemptions may violate that standard.⁶

Weakness in Rule-making and Regulatory Oversight

The Act delegates significant power to the Central Government and subordinate rule-making bodies to regulate aspects such as defining “reasonable security safeguards,” the criteria for exemptions, and procedures for consent.⁷ The Data Protection Board, while envisaged as the regulatory authority, has been critiqued for its limited autonomy: members are appointed by the government; terms are short; oversight of appointments and removal lies largely with the executive.⁸ These structural issues may compromise its capacity to act impartially, especially in cases involving state agencies.

Transparency, the RTI Act, and Right to Information

Another key concern is the interaction between the DPDP Act and the Right to Information Act, 2005 (RTI Act). Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act so as to broadly exempt “personal information” from disclosure, regardless of public interest.⁹ This amendment weakens transparency and may shield questionable government actions from public scrutiny. Given that Puttaswamy itself acknowledges transparency and information flow as essential in a democracy that balances individual rights and state power, this change could tip the balance in favour of secrecy.¹⁰

Limited Remedies and Corporate Accountability

While the DPDP Act introduces penalties for non-compliance, critics point out that it lacks robust remedial mechanisms for individuals. For example, the Act does not explicitly empower the Data Protection Board to award compensation to data principals harmed due to privacy violations.¹¹ Additionally, the omission or weakening of provisions such as those analogous to Section 43A of the Information Technology Act, 2000 (which concerned compensation for wrongful disclosures) raises concerns about whether individuals can meaningfully enforce rights.¹² Without effective remedies, rights remain formal rather than real.

Cross-border Data Transfers and Global Standards

Another area needing careful attention is cross-border data transfers. While the DPDP Act allows transfers unless prohibited by government notification, the criteria for such prohibition (or for any adequacy assessments) are not clearly laid out.¹³ This lacuna could expose Indian personal data to jurisdictions with weaker data-protection norms, undermining trust in Indian data fiduciaries among foreign partners and international users. Considering the influence of models such as the EU’s General Data Protection Regulation (GDPR), which requires stringent adequacy or contractual safeguards for transfers, the vagueness of India’s approach is a weak link.¹⁴

5. PROSPECTS AND RECOMMENDATIONS:

To ensure that India’s data protection law fulfills its promise in striking a constitutional and equitable balance, certain reforms and developments are necessary.

Clearer Limits on State Exemptions & Judicial Oversight

Statutory clarity is essential for the grounds of state exemptions: what kinds of State action make the exemption available, how to define “public order,” “security of the State,” etc. The law should mandate judicial or quasi-judicial review of decisions to exempt State entities or processes. This would align with Puttaswamy’s requirements of legality, necessity, and proportionality. Also, sunset clauses or periodic review of exemptions could guard against permanence of sweeping powers.

Enhancing the Independence and Powers of the Data Protection Board

Reforming the structure of the regulatory authority is key. This could include:

  • Appointment process for board members to be insulated from political influence (e.g., via independent selection panels, fixed non-renewable terms).
  • Explicit power to deliver compensation to data principals, not just penalties.
  • Transparent complaint and adjudication procedures, with public access and oversight.

Preserving Transparency and the RTI

Amendments or clarifications are needed to ensure RTI-related rights are not unduly curtailed. Where personal data is requested under RTI, public interest or importance of disclosure should remain a required test. Any limitation on this right should again adhere to Puttaswamy’s proportionality framework.

Strengthening Consent, Data Minimization, Decay & Retention Rules

The DPDP Act should more precisely define what constitutes “clear and plain language” for consent notices, ensure data minimization, limit retention periods, and mandate deletion once the purpose is fulfilled. Rules for anonymization or pseudonymization should be prescribed clearly. Existing ambiguity in the rules could be misused.¹⁵

International Alignment & Cross-border Safeguards

India could benefit by drawing more closely from best practices under GDPR, as well as privacy laws in other jurisdictions: adequacy assessments, binding corporate rules, and standard contractual clauses. These would provide clearer standards for transfer and greater trust in global data relations.

Public Awareness & Capacity Building

Even the strongest law is ineffective if citizens do not know their rights and companies do not comply. Public education campaigns, transparency obligations on companies, independent monitoring, inclusion of digital rights in legal education, and civil society oversight will help. Empirical research (including recent surveys) shows that while many Indian internet users are concerned about privacy, their awareness of the regulatory regime and ability to demand rights remain weak.¹⁶

6. CONCLUSION:

The Digital Personal Data Protection Act, 2023 represents a watershed moment in India’s legal landscape. It translates constitutional recognition of privacy (as established in Puttaswamy) into legislative form and provides many tools—consent, fiduciary obligations, cross-border restrictions, regulatory oversight—to structure how personal data is handled. Yet, the Act also embodies tensions: state exemptions that risk arbitrary surveillance, opaque rule-making, weak remedial pathways for individuals, and threats to transparency under the RTI. If India is to truly reimagine privacy—not simply codify procedural obligations, but embed dignity, autonomy, and public accountability—then reforms must follow. Stronger oversight, clearer limits, transparency, and empowered individuals will ensure that the promise of privacy in the digital age is not just aspirational but actual.

REFERENCES:

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
  2. Digital Personal Data Protection Act, No. 31 of 2023, Acts of Parliament, 2023 (India).
  3. Right to Information Act, No. 22 of 2005, Acts of Parliament, 2005 (India).
  4. Information Technology Act, No. 21 of 2000, Acts of Parliament, 2000 (India).
  5. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  6. Jurist, India’s Data Protection Act Is More About the Processing of Personal Data Than it Is About Privacy (Aug. 18, 2023).
  7. Scroll.in, India’s Data Protection Law Does Little for Privacy While Bolstering the State’s Surveillance Powers (Aug. 14, 2023).
  8. The Amikus Qriae, The Digital Personal Data Protection Act, 2023: A Constitutional and Regulatory Analysis.
  9. Lex Locum, Drawbacks and Criticisms of the DPDP Act, 2023.
  10. Vision IAS, Provisions of the Digital Personal Data Protection (DPDP) Act, 2023 Dilute the RTI Framework: MPs (Apr. 14, 2025).
  11. DPDP Consultants, 10 Loopholes of the DPDPA, 2023.
  12. K&S DigiProtect, Positives and Negatives of DPDP Bill 2023.
  13. Finology Legal, Data Privacy Law in India.
  14. Global Bihari, Draft Data Protection Rules Raise Privacy, Compliance Issues.
  15. Arxiv.org, “Nobody Should Control the End User”: Exploring Privacy Perspectives of Indian Internet Users (2025).

Tripti Pal
I'm a 2nd-year (LLB) law student. I completed my first internship at the VidhiVigya office, and I also intern at NyaSarthak, Record of Law (ROL), Jus Corpus, and LawArticle. From these internships I gained knowledge of legal research, writing, and drafting. Currently I'm interning at LawArticle for 6 months as a campus ambassador and legal article writer. My areas of interest are constitutional law, criminal and contract law, and IPR.