The Digital Personal Data Protection Act, 2023: A Constitutional Boon or Democratic Backslide?

Author: Vivekanand Ashok Sonage, 5th Year BBA LLB (Hons.), MIT World Peace University, School of Law, Pune
INTRODUCTION
In the digital world, data has emerged as the new currency; it can be referred to as the fuel of this generation, powering economies, shaping governance, and influencing people’s lives in an unprecedented manner. From social media platforms and e-commerce sites to banking and healthcare systems, vast volumes of personal data are being produced, stored, and processed daily. With the rise of the digital economy, safeguarding a person’s privacy has become both a legal necessity and a fundamental expectation. The DPDP Act, partly adapted from the principles of the EU’s GDPR but streamlined for India’s unique socio-economic context, provides for data consent, purpose limitation, rights of data principals (access, correction, erasure), cross-border data transfer rules, and a regulatory framework under the Data Protection Board. However, it also includes broad exemptions and limited oversight of government agencies, which raises a critical question for debate: Is the DPDP Act a transformative boon that empowers individuals and aligns with global standards, or a potential curse that enables state and corporate overreach?
KEY FEATURES OF DPDP ACT, 2023
The Digital Personal Data Protection Act, 2023 is anchored in key privacy principles, including consent, purpose limitation, data minimization, data accuracy, storage limitation, reasonable data safeguards, and accountability. These foundational principles aim to ensure that personal data is processed lawfully, securely, and transparently.
The Act applies to the processing of digital personal data within India, regardless of whether it was collected online or digitized later. It also has an extra-territorial reach, covering data processing outside India if it relates to offering goods or services to individuals within India. Notably, it also extends protections to non-citizens residing in India.
It defines core terms such as Personal Data (identifiable data about an individual), Data Principal (the individual to whom the data belongs), and Data Fiduciary (the entity determining how data is processed). Processing of personal data must be based on the free, informed, and specific consent of the Data Principal, and this consent must be revocable. For instance, suppose Ram opens a trading account using the website/app of Heroda, a trading website. To complete the Know-Your-Customer formalities, Ram chooses to have his personal data processed by Heroda through live video verification. Here, Heroda is bound to give Ram a notice explaining in detail the personal data involved and the purpose of its processing. Heroda can proceed only after obtaining Ram’s consent.
However, the Act also permits data processing without consent for legitimate reasons such as legal compliance, delivery of government benefits, and national security. It grants Data Principals rights to access, correct, and update their data, seek redress, and nominate a representative. Data Fiduciaries must uphold safeguards, notify breaches, and comply with stricter obligations if deemed significant. Finally, enforcement lies with the Data Protection Board of India, a statutory authority handling grievances and imposing penalties.
THE “CONSTITUTIONAL BOON” PERSPECTIVE
The Digital Personal Data Protection Act, 2023 marks a pivotal moment in India’s legal evolution, offering its first comprehensive legislation focused solely on digital privacy. This Act draws its constitutional backing from the Supreme Court’s landmark judgment in K.S. Puttaswamy v. Union of India (2017), which recognized privacy as a fundamental right. With this legal foundation, the Act instills greater confidence among citizens in digital systems. A key strength of the Act lies in the empowerment of Data Principals, providing individuals with rights to access, correct, erase data, and seek redressal. This signifies a shift towards a user-centric model where individuals control their personal data, unlike previous frameworks dominated by data fiduciaries. Simultaneously, the Act promotes economic innovation by offering regulatory clarity and streamlining compliance, thereby supporting startups and encouraging responsible data handling.
Importantly, the Act permits cross-border data transfers to government-approved jurisdictions, enhancing India’s ability to participate in international trade and digital services without the strict data localization mandates seen in earlier drafts. It mandates voluntary and informed consent while promoting data minimization, reducing the risk of unnecessary data exposure. Further, it adopts a graded approach, imposing heavier compliance duties on Significant Data Fiduciaries while easing the burden for smaller entities. Enhanced data security provisions and mandatory breach notifications foster robust cybersecurity practices. The Act’s structural alignment with global standards like the GDPR improves international compatibility. Lastly, its accessible grievance redressal mechanism spares individuals from prolonged civil litigation, offering timely relief and strengthening digital rights enforcement in India.
THE “DEMOCRATIC CURSE” PERSPECTIVE
Despite being framed as a progressive step, the Digital Personal Data Protection Act, 2023 contains several controversial provisions that undermine its core purpose. One major concern lies in Section 17, which allows the Central Government to exempt any agency from compliance under loosely defined terms like “national security” or “public order,” without requiring judicial or parliamentary oversight. This blanket power directly contradicts the privacy safeguards the Act claims to offer. Moreover, the Data Protection Board of India, tasked with enforcement, is not an independent constitutional body. Since its members are appointed and controlled by the executive, there is a risk of political influence, weakening public trust in its impartiality. Unlike the EU’s GDPR, India’s law offers no explicit checks on mass surveillance, further fueling fears that privacy may be illusory, especially in a surveillance-heavy environment.
The Act is also criticized for its vague terminology, such as “public interest” and “legitimate use,” which could be misused to delay justice or interpret obligations arbitrarily. Notably, the Act excludes offline or manually processed data, making its protections inaccessible to rural populations that rely on paper-based systems. This selective scope risks creating an inequitable regime of “digital justice.” Compared to earlier drafts, many safeguards, like the Right to be Forgotten and strict fiduciary obligations, have been diluted. Additionally, the Act was passed with minimal public consultation, raising questions about democratic legitimacy. Lastly, in the absence of whistleblower protections, activists and journalists could face threats under state scrutiny masked as legal enforcement.
JUDICIAL AND CONSTITUTIONAL IMPLICATIONS
The Digital Personal Data Protection Act, 2023 is rooted in the Justice K.S. Puttaswamy v. Union of India (2017) judgment, where the Supreme Court affirmed the Right to Privacy as a fundamental right under Article 21. While the Act seeks to implement this ruling, it falls short of meeting constitutional benchmarks like proportionality, necessity, and accountability. A significant concern is the excessive delegation of powers to the executive, which includes framing rules, exempting agencies under Section 17, and controlling the Data Protection Board, raising doubts under Article 14 and the separation of powers doctrine. Moreover, the absence of judicial oversight in government-led data processing undermines Articles 14, 19(1)(a), and 21, violating due process. The Act also fails the proportionality test laid down in the Aadhaar case, as its exemptions are overly broad. Without a dedicated surveillance law, the Act risks legitimizing unchecked executive surveillance, compromising constitutional transparency and safeguards.
CONCLUSION
The Digital Personal Data Protection Act, 2023, stands at the intersection of India’s digital aspirations and constitutional responsibilities. It marks a watershed moment by finally codifying individual rights over personal data in a structured legislative framework. The Act empowers data principals, mandates responsible data practices, and promises a more secure digital ecosystem. For businesses, it offers clarity and consistency, helping align India with global data protection regimes like the GDPR.
However, the Act’s promise is tempered by significant structural and constitutional concerns. Broad discretionary powers granted to the government, the absence of an independent regulatory authority, and vague definitions weaken the enforceability of individual rights. Provisions like unrestricted state exemptions and minimal transparency mechanisms invite fears of mass surveillance and executive overreach. These shortcomings may undermine the very right the Act purports to protect, informational privacy under Article 21 of the Constitution.
Whether the DPDP Act becomes a boon or a curse will depend largely on three key factors:
- Judicial scrutiny: particularly whether the Supreme Court upholds or strikes down the Act’s contentious clauses under the lens of proportionality and due process.
- Future legislative amendments: which can strengthen regulatory independence, close definitional gaps, and better align with constitutional guarantees.
- Implementation and enforcement: including how the Data Protection Board functions in practice and how grievances are resolved.
The DPDP Act is a necessary step in India’s data governance journey. But to fulfil its constitutional promise, it must evolve through active democratic engagement, transparent rule-making, and robust institutional checks. Only then can it be truly seen as a boon for privacy and not a backdoor for digital authoritarianism.