DPDP Act, 2023: A Critical Legal Analysis of India’s Data Privacy Framework

Introduction

The DPDP Act, 2023 marks a watershed moment in India’s digital governance landscape. Enacted on 11 August 2023, it represents India’s first comprehensive statutory framework governing personal data privacy.

The Act seeks to strike a balance between two competing imperatives:

  • Protection of individual privacy (a fundamental right under the Puttaswamy judgment)
  • Facilitation of lawful data processing for economic and governance purposes

Legislative Background & Evolution

India’s journey toward data protection has been long and complex:

  • Justice B.N. Srikrishna Committee Report (2018)
  • Personal Data Protection Bill, 2019 (withdrawn)
  • Revised DPDP Bill, 2023 → enacted as DPDP Act

Unlike earlier drafts, the DPDP Act adopts a minimalist and principle-based approach, focusing only on digital personal data, rather than a broader regulatory structure.

Scope and Applicability

The Act applies to:

  • Processing of digital personal data within India
  • Data collected offline but subsequently digitised
  • Processing outside India if it relates to offering goods/services in India

Key Observation (Critical Insight)

The extra-territorial applicability aligns India with global standards like GDPR, but enforcement mechanisms remain unclear—raising jurisdictional challenges.

Key Concepts Under the Act

1. Data Principal

  • The individual to whom the personal data relates

2. Data Fiduciary

  • Any entity (company, government, etc.) processing personal data

3. Consent-Centric Framework

The Act establishes a strict consent-based regime, making consent the cornerstone of lawful processing.

Rights of Data Principals

The Act grants several rights:

  • Right to access personal data
  • Right to correction and erasure
  • Right to withdraw consent
  • Right to grievance redressal
  • Right to nominate another person (in case of death/incapacity)

Analytical View

While these rights appear robust, their practical enforceability depends heavily on the Data Protection Board, which is yet to become fully operational.

Obligations of Data Fiduciaries

Data Fiduciaries must:

  • Obtain valid consent
  • Ensure data security safeguards
  • Inform users about data usage
  • Report data breaches

Significant Data Fiduciaries may have additional obligations like:

  • Appointing Data Protection Officers
  • Conducting impact assessments

Special Protection for Children

The Act imposes stricter rules for minors:

  • Mandatory verifiable parental consent
  • Prohibition on:
    • Behavioral tracking
    • Targeted advertising
    • Harmful data processing

Critical Insight

This is one of the strongest child-data protection regimes globally, but may create compliance burdens for ed-tech and social media platforms.

Penalties and Enforcement

  • Monetary penalties up to ₹250 crore for non-compliance
  • Adjudication by the Data Protection Board of India

Issue

The Board is executive-controlled, raising concerns about:

  • Independence
  • Accountability

Cross-Border Data Transfers

Unlike earlier drafts:

  • The DPDP Act does not mandate strict data localization
  • Allows transfers to notified countries

Analytical Perspective

This liberal approach:

  • Encourages global business operations
  • But raises concerns over data sovereignty and surveillance risks

Comparison with GDPR

| Feature | DPDP Act | GDPR |
|---|---|---|
| Scope | Only digital personal data | All personal data |
| Sensitive Data | No distinction | Special category data |
| Regulator | Govt-controlled Board | Independent authorities |
| Penalties | Up to ₹250 crore | Up to €20 million or 4% turnover |

Key Insight

The DPDP Act is business-friendly but weaker in rights protection compared to GDPR.

Major Criticisms & Concerns

1. Broad Government Exemptions

The government can exempt agencies on grounds like:

  • Sovereignty
  • Public order

👉 This raises fears of mass surveillance and executive overreach.

2. Impact on RTI Act

Recent challenges argue that DPDP amendments:

  • May override transparency obligations
  • Allow denial of information citing “personal data”

3. Lack of Independent Regulator

Unlike global models:

  • No fully autonomous Data Protection Authority

4. Compliance Burden on Startups

Experts highlight:

  • Confusion in compliance timelines
  • Risk of non-compliance for SMEs

5. Ambiguity in Rules

Industry bodies (e.g., media organizations) have raised concerns about:

  • Lack of clarity
  • Threat to press freedom

DPDP Act & Emerging Technologies (Deep Insight)

AI and Data Protection

Research indicates:

  • The Act struggles to address AI-specific risks like:
    • Algorithmic bias
    • Data poisoning
    • Deepfakes

Dark Patterns & Consent Manipulation

Modern UI/UX practices may:

  • Manipulate user consent
  • Undermine “free and informed consent”

👉 This creates a regulatory gap between law and technology

Future Outlook

The Act is being implemented in a phased manner (2025–2027).

Key developments to watch:

  • Final DPDP Rules
  • Judicial scrutiny by Supreme Court
  • Evolution of enforcement practices

The DPDP Act, 2023 is a foundational step in India’s digital constitutionalism, but not without limitations.

Strengths

✔ Consent-based framework
✔ Strong penalties
✔ Child data protection
✔ Global alignment

Weaknesses

✖ Government exemptions
✖ Weak regulatory independence
✖ Ambiguity in implementation
✖ Limited coverage (only digital data)

Final Analysis 

The DPDP Act reflects a “middle-path model”—balancing privacy with state and business interests. However, its success will depend on:

  • Judicial interpretation
  • Regulatory independence
  • Clarity in subordinate legislation

👉 In its current form, the Act is not the final destination but the beginning of India’s data protection regime.

Case Laws vs DPDP Act, 2023 — Comparative Legal Chart

| Case Law | Core Principle Laid Down | Relevance to DPDP Act, 2023 | Key Shift / Observation |
|---|---|---|---|
| Justice K.S. Puttaswamy v. Union of India (2017) | Right to Privacy declared a Fundamental Right (Art. 21) | DPDP Act is a statutory recognition of informational privacy | Moves from constitutional principle → statutory framework |
| K.S. Puttaswamy (Aadhaar) v. Union of India (2018) | Proportionality test for state data collection | Govt exemptions under DPDP may conflict with proportionality | Risk of excessive state surveillance |
| Anuradha Bhasin v. Union of India (2020) | Importance of procedural safeguards & transparency | DPDP lacks strong transparency obligations for state actions | Accountability concerns remain |
| People’s Union for Civil Liberties v. Union of India (1997) | Protection against unauthorized surveillance | DPDP allows govt exemptions without strict safeguards | Weak oversight mechanisms |
| Shreya Singhal v. Union of India (2015) | Protection of freedom of speech & expression online | Data regulation may indirectly affect digital speech | Balance between privacy & free speech unclear |
| District Registrar and Collector v. Canara Bank (2005) | Privacy includes protection from arbitrary state intrusion | DPDP recognizes privacy but allows broad state access | Partial alignment |
| Selvi v. State of Karnataka (2010) | Consent must be free, informed, and voluntary | DPDP adopts consent-based framework | Strong alignment, but digital consent risks manipulation |
| R. Rajagopal v. State of Tamil Nadu (1994) | Right to be let alone & control over personal information | Reflected in rights of Data Principals | Strengthens informational autonomy |
| State of Maharashtra v. Madhukar Narayan (1991) | Privacy linked with human dignity | DPDP indirectly protects dignity via data rights | Expands dignity into digital space |

Key Comparative Insights

1. Constitutional Foundation → Statutory Framework

  • Justice K.S. Puttaswamy v. Union of India (2017) laid the groundwork
  • DPDP Act operationalizes privacy into enforceable rights & obligations

2. Consent: Strong in Theory, Weak in Practice

  • Selvi v. State of Karnataka (2010) → strict consent doctrine
  • DPDP → consent-driven
    ⚠️ Issue: Dark patterns & digital manipulation weaken real consent

3. Government Power vs Privacy

  • K.S. Puttaswamy (Aadhaar) v. Union of India (2018) → proportionality
  • DPDP → broad exemptions
    ⚠️ Potential constitutional challenge in future

4. Surveillance Jurisprudence Not Fully Reflected

  • PUCL v. Union of India (1997) emphasized safeguards
  • DPDP lacks independent oversight authority

5. Transparency vs Privacy Conflict

  • Anuradha Bhasin v. Union of India (2020) → transparency mandate
  • DPDP may restrict access to information (RTI concerns)

Conclusion

The DPDP Act, 2023 is deeply rooted in Indian constitutional jurisprudence, but:

✔ It codifies privacy rights developed by courts
✖ It dilutes safeguards in areas like surveillance & state power

👉 Insight:
Future litigation will likely test whether the DPDP Act meets the “Puttaswamy proportionality standard”.
