India wants to become a developed nation by
2047. That requires massive digital growth AI, fintech, e-governance,
data-driven public services, and innovation ecosystems. But growth built on
personal data also comes with an obvious risk: privacy can be easily
compromised if the law doesn’t keep pace with technology.
That’s exactly the gap the Digital Personal
Data Protection Act (DPDP Act), 2023 tries to fill. It is India’s first
dedicated privacy law, passed after years of fragmented rules and increasing
public concern about the misuse of personal data. The Act claims to protect
individuals while also enabling a strong digital economy. Whether it succeeds
in balancing both sides is the real question.
This blog breaks down how the DPDP Act
evolved, what it contains, and how it fits into the larger Viksit Bharat 2047
ambition.
Why India
Needed a New Privacy Law
The digital expansion of the last
decade smartphones everywhere, Aadhaar-linked services, online payments,
massive e-governance platforms turned personal data into a kind of fuel for
both businesses and governments. But the IT Act, 2000 and its 2011 SPDI Rules
were outdated and toothless.
They covered only:
- a narrow category of “sensitive personal data,”
- only private entities (not government),
- and had weak enforcement.
Most companies did the bare minimum with a
checkbox privacy policy, and individuals had almost no real control over their
data.
The turning point was Justice K.S.
Puttaswamy (2017), where the Supreme Court declared privacy a fundamental
right under Article 21. Justice Chandrachud’s observation "privacy allows
each human being a protected core of solitude"forced Parliament to wake up.
A proper legal framework became unavoidable.
A committee headed by Justice B.N. Srikrishna
drafted the first bill in 2018. The 2019 Bill went through scrutiny, then was
withdrawn. Finally, in 2023, Parliament unanimously passed the Digital Personal
Data Protection Act.
What the
DPDP Act Tries to Achieve
The Act openly acknowledges the two-sided
reality of modern data governance:
- Individuals must have control over their personal data, and
- Data must flow for legitimate, lawful purposes governance, business, AI development, research, public welfare,
and security.
This dual intention fits into the government’s
broader Viksit Bharat 2047 vision, which sees data infrastructure and
digital innovation as central pillars of a developed India.
In short, the Act is not anti-growth. It tries
to be a growth-friendly privacy law.
Key
Features of the DPDP Act, 2023
The law is built around seven principles:
lawfulness, transparency, purpose limitation, data minimization, accuracy,
storage limitation, security safeguards, and accountability.
Here are the important parts broken down:
1. Wide
Scope
The Act applies to all digital personal
data.
It even covers foreign entities if they handle data of people in India.
This is a giant leap from the SPDI Rules,
which applied only to some private entities and only to certain sensitive
categories.
2. Consent
is Now Meaningful, Not a Formality
Data Fiduciaries (companies or government
bodies that handle data) must seek:
- clear, informed, specific consent
- in accessible language
- without bundling it with unrelated conditions
This shuts down the old practice of hiding
consent inside endless privacy policies.
The Act still allows certain non-consent
grounds under Section 7—such as legal requirements, court orders, or when
data is voluntarily submitted.
3. Stronger
Rights for Individuals
People now have:
- the right to access how their data is used,
- the right to correct or erase data,
- the right to grievance redress,
- and the right to nominate someone to manage their data after
death.
These rights simply did not exist earlier.
4. A
Dedicated Enforcement Body
The Data Protection Board of India
handles complaints, supervises compliance, and imposes penalties.
Fines can go up to:
- ₹250 crore for
major breaches,
- ₹200 crore for
violations involving children.
This is far stronger than the IT Act’s
negligible penalties.
The Big
Question: Does the Act Really Balance Privacy and Development?
The Act tries to strike a middle path. But the
balancing isn’t perfectly symmetrical.
Where It
Protects Privacy
- Requires consent for most processing
- Gives individuals rights they never had
- Holds companies accountable through penalties
- Applies even to foreign tech giants
These are welcome changes for a country where
people commonly surrender data without understanding the consequences.
Where
Development and Government Powers Dominate
The Act includes broad exemptions this is
where the balance tilts.
1. Section
7 (Processing Without Consent)
Data can be processed without consent:
- if required by any law,
- by courts,
- when individuals voluntarily give data (e.g., government forms),
- or for state-provided services.
This means the government has wide room to use
data for governance and welfare.
2. Section
17(2) (Government Exemptions)
This is the real power clause.
The Central Government can exempt any of its
agencies from:
- purpose limitation,
- storage limitation,
- consent requirements,
- and even some transparency obligations
for reasons of national security, sovereignty,
public order, or similar concerns.
In practice, the government can collect and
use data without the same restrictions imposed on private entities. Critics
argue this leaves too much discretion with the state.
Cross-Border
Data
The DPDP Act permits cross-border data
transfers except to blacklisted countries.
This supports global business operations.
However, other sectoral laws like RBI’s
Payment Data Rules require strict localisation. The combination suggests India
wants digital sovereignty plus digital growth—a tricky combination, but
not impossible.
DPDP Act
vs. the Old IT Act: What’s Really Changed?
You can think of this as a complete overhaul.
|
IT Act + SPDI Rules |
DPDP Act, 2023 |
|
Covered only “sensitive data” |
Covers all personal data |
|
Applied mainly to private companies |
Applies to government, private and foreign entities |
|
Implied/blanket consent common |
Explicit, informed consent required |
|
Weak individual rights |
Strong rights: access, correction, erasure, nomination |
|
No specialist regulator |
Dedicated Data Protection Board |
|
Max penalty: ₹25,000 |
Penalties up to ₹250 crore |
|
Compensation available under §43A |
No compensation mechanism for individuals |
One notable drawback:
DPDP removes the right to compensation that individuals previously had
under Section 43A of the IT Act. That’s a gap the new law should have ideally
filled, not eliminated.
How Courts
Have Shaped India’s Privacy Landscape
The DPDP Act rests on decades of evolving
jurisprudence:
- Kharak Singh (1964):
Privacy hinted but not clearly recognised.
- R. Rajagopal (1994):
Privacy linked to Article 21 more firmly.
- Binoy Viswam (2017):
Aadhaar-PAN linkage upheld with privacy safeguards.
- Puttaswamy (2017):
Privacy declared a fundamental right, triggering the need for a full data
protection law.
Without Puttaswamy, the DPDP Act would not
exist.
Conclusion
The Digital Personal Data Protection Act, 2023
is a long-overdue milestone. It modernises India’s privacy framework, gives
citizens control over their data, and pushes companies toward responsible data
practices. At the same time, it clearly prioritises India’s development and
digital ambitions under the Viksit Bharat 2047 vision.
Is the balance perfect?
No.
Government exemptions are broad, compensation rights are missing, and certain
definitions remain vague.
But it is still a foundational law one that
gives India a starting point to build a privacy-aware, innovation-friendly
digital economy.
As India moves toward 2047, the real test will
be in its implementation, not its text. The gap between principle and
practice will determine whether the DPDP Act becomes a genuine protector of
digital rights or just another policy document with good intentions.
