India’s Digital Personal Data Protection Act, 2023: Rights, Governance, and Global Standards – Part 2
In Part 1 of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India’s Digital Personal Data Protection Act, 2023. We also began to draw parallels with global regulations, situating India’s approach within the broader international context.

Analyzing India’s Personal Data Protection Act, 2023
India’s journey toward establishing a robust data protection framework reached a significant milestone with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA). This legislation, which received Presidential assent on August 11, 2023, represents the country’s first standalone law dedicated to protecting digital personal information in an increasingly interconnected world. The Act emerged from a constitutional imperative established by the Supreme Court of India in the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India, wherein a nine-judge bench unanimously recognized privacy as a fundamental right under Articles 14, 19, and 21 of the Indian Constitution [1]. This judicial pronouncement, delivered on August 24, 2017, laid the groundwork for legislative action and fundamentally altered the landscape of data protection in the world’s largest democracy.
The DPDPA marks a departure from the previous patchwork of regulations under the Information Technology Act, 2000, and its associated rules. While the Act was passed in 2023, its provisions were brought into force in a phased manner, with the establishment of the Data Protection Board of India notified on November 13, 2025, accompanied by the Digital Personal Data Protection Rules, 2025 [2]. This legislative framework applies to the processing of digital personal data within India’s territory and extends extraterritorially to entities outside India that offer goods or services to individuals located within India. The Act recognizes both the fundamental right of individuals to protect their personal data and the legitimate need for such data to be processed for lawful purposes, striking a delicate balance between privacy protection and economic development.
As this series moves forward, Part 2 will examine the DPDPA’s core framework governing individual rights and duties, the obligations of data fiduciaries, and the role of institutional oversight through the Data Protection Board. The discussion will be supported by comparative references to international regimes, particularly the GDPR, highlighting India’s alignment with global best practices while underscoring its distinctive regulatory approach. This analysis will set the stage for a final examination of enforcement and remedial mechanisms under the Act.
Empowering Data Principals: Rights and Duties Under Chapter III
The DPDPA establishes a framework of rights and corresponding duties for data principals, which the Act defines as individuals to whom personal data relates. Sections 11 through 15 of Chapter III delineate these provisions with clarity and precision. The right to access information under Section 11 empowers individuals to obtain details about their personal data being processed by data fiduciaries. This right is not merely symbolic but serves as a cornerstone for transparency in data processing operations. When an individual exercises this right, the data fiduciary must provide information in clear and plain language regarding the personal data being processed, the purposes for which it is being used, and the identities of other data fiduciaries and data processors with whom such data has been shared.
Sections 12 and 13 establish the rights to correction and erasure respectively. The right to correction allows data principals to have inaccurate or misleading personal data rectified or completed. This provision recognizes that data accuracy is essential not only for the individual’s interests but also for the integrity of data-driven decision-making processes. The right to erasure, sometimes referred to colloquially as the “right to be forgotten,” enables individuals to request deletion of their personal data once the purpose for which it was collected has been fulfilled. However, this right is not absolute and must be balanced against legitimate grounds for retention, such as compliance with legal obligations or the establishment of legal claims.
Section 14 introduces an innovative provision allowing data principals to nominate another individual who may exercise their rights under the Act in the event of death or incapacity. This forward-thinking approach acknowledges the reality that digital identities often outlive physical existence and that incapacity due to unsoundness of mind or infirmity of body should not deprive individuals of data protection rights. The nominated person effectively becomes a digital executor, capable of managing the data principal’s rights when circumstances prevent the principal from doing so personally.
While the Act grants extensive rights to data principals, Section 15 simultaneously imposes certain duties to ensure the framework functions effectively. Data principals are obligated to comply with all applicable laws while exercising their rights and must refrain from impersonating others when providing personal data. They must also not suppress material information when providing data for the purpose of obtaining benefits or services. Furthermore, data principals are prohibited from registering false or frivolous grievances or complaints with data fiduciaries. These duties reflect a recognition that effective data protection requires responsible behavior from all stakeholders, not just those who collect and process data.
Special Provisions: Cross-Border Transfers and Exemptions
Chapter IV of the DPDPA addresses special circumstances that warrant distinct treatment under the legislative framework. Section 16 governs restrictions on the transfer of personal data outside India, a provision of significant consequence for multinational organizations operating in or serving the Indian market. The Central Government is empowered to notify countries or territories to which personal data may not be transferred. This mechanism provides the government with flexibility to respond to evolving geopolitical and data security concerns while allowing most international data transfers to proceed without explicit approval, provided they are not directed to blacklisted jurisdictions [3].
This approach differs markedly from the European Union’s General Data Protection Regulation (GDPR), which requires either an adequacy decision from the European Commission or appropriate safeguards such as standard contractual clauses for data transfers outside the European Economic Area. The DPDPA’s negative list approach—prohibiting transfers only to specifically notified jurisdictions—places less burden on data fiduciaries while reserving the government’s prerogative to restrict transfers when national interests so require.
Section 17 outlines exemptions from certain provisions of the Act, recognizing that inflexible application of data protection requirements could impede legitimate governmental functions, judicial processes, and other activities serving the public interest. The exemptions cover processing necessary for prevention, detection, investigation, or prosecution of offences, for judicial functions, for research and statistical purposes (subject to certain conditions), and for journalistic purposes. Additionally, the government may exempt startups and certain classes of data fiduciaries for specified periods to encourage innovation and avoid stifling nascent enterprises with compliance burdens they are ill-equipped to handle [4].
The Data Protection Board: Establishment and Powers
Chapters V and VI establish the Data Protection Board of India and define its powers, functions, and operational procedures. Sections 18 and 19 provide for the Board’s establishment as a body corporate with perpetual succession, possessing the authority to acquire and dispose of property and enter into contracts. This institutional design ensures the Board operates with independence and possesses the organizational capacity necessary to fulfill its regulatory mandate. The Board comprises a Chairperson and such number of members as the Central Government may appoint, all of whom must possess expertise and experience in fields related to data protection, information technology, data management, or related disciplines.
Sections 20 through 22 address the salary, allowances, and terms of office for Board members, establishing a framework intended to attract qualified professionals while maintaining appropriate standards of conduct. Board members serve terms of two years and are eligible for reappointment, though they cannot hold office beyond the age of sixty-five years. This structure balances the benefits of institutional memory with the need for fresh perspectives and prevents entrenchment that might compromise the Board’s independence or adaptability.
The powers and functions of the Board, as outlined in Section 27, are extensive and multifaceted. The Board may inquire into data breaches, impose monetary penalties for violations of the Act, and issue directions to data fiduciaries regarding compliance with statutory obligations. It possesses the authority to call for information and records from data fiduciaries and may conduct inspections when circumstances warrant. The Board also serves an educational function, promoting awareness of data protection principles and best practices among data fiduciaries and data principals alike. Section 28 establishes procedural requirements the Board must follow when exercising its powers, including providing opportunities for entities under investigation to present their case and ensuring proceedings are conducted fairly and expeditiously [5].
Appeals, Alternative Dispute Resolution, and Enforcement
Chapter VII addresses mechanisms for challenging Board decisions and resolving disputes outside traditional adjudicatory processes. Section 29 provides that any person aggrieved by an order of the Data Protection Board may appeal to the Telecommunications Disputes Settlement and Appellate Tribunal (TDSAT), a specialized tribunal with expertise in technology-related matters. The appellant must prefer such appeal within a period of sixty days from the date of communication of the Board’s order, though the Tribunal may entertain appeals filed after this period if satisfied that sufficient cause prevented timely filing.
Sections 31 and 32 encourage alternative dispute resolution mechanisms, recognizing that not all data protection disputes require formal adjudication. The Board may facilitate mediation or conciliation between parties, and data principals may seek redress through consent managers—entities registered with the Board that assist individuals in managing their consent for data processing. This multi-tiered approach to dispute resolution aims to reduce the burden on formal adjudicatory machinery while providing accessible avenues for grievance redressal.
Chapter VIII establishes the penalties and adjudication framework essential for ensuring compliance with the Act’s provisions. Section 33 enumerates specific violations and corresponding monetary penalties, which may reach up to INR 250 crore (approximately USD 30 million) for serious breaches such as failure to implement reasonable security safeguards or failure to notify the Board and affected data principals of personal data breaches. Penalties for breaches involving children’s data are particularly severe, reflecting the Act’s heightened concern for protecting minors. The penalty amounts are substantial by Indian standards and signal the government’s intent to ensure meaningful deterrence against violations [6].
Section 34 addresses the crediting of penalty amounts to the Consolidated Fund of India, ensuring that monetary sanctions serve the public treasury rather than creating opportunities for misappropriation. This provision also establishes that the imposition of penalties does not preclude other remedies available under law, meaning that civil or criminal proceedings may proceed independently of administrative enforcement actions taken by the Board.
Comparing India’s Framework with the GDPR
The DPDPA shares several conceptual foundations with the European Union’s GDPR, which has served as a global benchmark for data protection legislation since its implementation in May 2018. Both frameworks recognize personal data protection as a fundamental right, require consent as the primary basis for data processing (though the GDPR provides additional lawful bases such as contractual necessity and legitimate interests), and grant individuals rights to access, correct, and erase their personal data [7]. Both establish independent supervisory authorities with investigative and enforcement powers and impose substantial penalties for non-compliance.
However, significant differences distinguish the two regulatory regimes. The DPDPA applies exclusively to digital personal data—information collected electronically or digitized after collection in non-digital form—while the GDPR encompasses all personal data regardless of format. The GDPR’s concept of “special categories” of personal data (including racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, and biometric data) receives heightened protection through more stringent processing requirements, whereas the DPDPA treats all personal data uniformly without distinguishing sensitive categories explicitly within the Act itself, though the Rules may impose additional requirements [8].
The approaches to cross-border data transfers differ substantially. The GDPR requires either an adequacy decision from the European Commission or appropriate safeguards such as standard contractual clauses, binding corporate rules, or codes of conduct for transfers outside the European Economic Area. The DPDPA employs a negative list approach, allowing transfers to all jurisdictions except those specifically notified by the Central Government as restricted destinations. This divergence reflects different regulatory philosophies: the GDPR’s precautionary principle requiring affirmative authorization versus the DPDPA’s presumption of permissibility absent specific prohibition.
The GDPR grants data subjects the right to data portability, enabling individuals to receive their personal data in a structured, commonly used format and transmit it to another controller. The DPDPA does not explicitly provide this right, though future Rules may address portability in certain contexts. Similarly, the GDPR’s provisions on automated decision-making and profiling, including rights related to algorithmic transparency, find no direct parallel in the DPDPA’s current text [9].
Penalty structures also diverge. The GDPR imposes administrative fines up to 20 million euros or four percent of global annual turnover, whichever is higher, for the most serious infringements. The DPDPA establishes specific penalty amounts for enumerated violations, reaching a maximum of INR 250 crore. While both frameworks contemplate substantial penalties, the GDPR’s percentage-of-turnover approach may result in higher absolute amounts for large multinational corporations, whereas the DPDPA’s fixed maximum penalties provide greater certainty regarding worst-case exposure.
Constitutional Foundation and Judicial Oversight
The constitutional underpinnings of India’s data protection regime cannot be overstated. The Puttaswamy judgment established that privacy is not merely a policy preference but a constitutionally protected fundamental right. Justice D.Y. Chandrachud, writing for himself and three other judges, observed that privacy is an intrinsic part of the right to life and personal liberty under Article 21 and is closely related to dignity, which is a core constitutional value. The judgment emphasized that privacy includes the right to informational self-determination—the ability of individuals to control information about themselves—and that this right applies to all persons regardless of socioeconomic status.
This constitutional foundation distinguishes India’s data protection regime from purely statutory frameworks in many jurisdictions. Because privacy enjoys constitutional status, legislative efforts to dilute protections or create broad exemptions face potential judicial scrutiny. Any law that infringes upon the right to privacy must satisfy tests of legality, legitimate aim, necessity, and proportionality. The state must demonstrate that restrictions on privacy serve compelling public interests and employ the least intrusive means available to achieve those interests.
Conclusion: Balancing Innovation and Protection
The Digital Personal Data Protection Act, 2023, represents a significant evolution in India’s approach to balancing individual privacy rights with the imperatives of economic development and technological innovation. By establishing clear rights for data principals, imposing obligations on data fiduciaries, creating an independent regulatory authority, and providing mechanisms for enforcement and dispute resolution, the Act constructs a framework capable of adapting to the dynamic challenges posed by rapidly evolving digital technologies. While comparisons with the GDPR reveal both similarities and distinctions, the DPDPA reflects India’s unique legal, cultural, and economic context. As the Rules are finalized and the Data Protection Board becomes operational, the true test of this legislation will lie in its implementation and the extent to which it achieves the twin objectives of protecting individual autonomy and enabling the data-driven economy that India aspires to build.
References
[1] Supreme Court Observer. (2022). Justice K.S. Puttaswamy v Union of India – Fundamental Right to Privacy. Available at: https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/
[2] Hogan Lovells. (2025). India’s Digital Personal Data Protection Act 2023 brought into force. Available at: https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-
[3] Latham & Watkins. (2023). India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison. Available at: https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
[4] PRS Legislative Research. (2023). The Digital Personal Data Protection Bill, 2023. Available at: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
[5] Ministry of Electronics and Information Technology. (2023). The Digital Personal Data Protection Act, 2023. Available at: https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[6] EY India. (2025). Decoding the Digital Personal Data Protection Act, 2023. Available at: https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
[7] DLA Piper. (2025). Data protection laws in India – Data Protection Laws of the World. Available at: https://www.dlapiperdataprotection.com/?t=law&c=IN
[8] International Network of Privacy Law Professionals (INPLP). (2023). How does India’s new privacy law compare to GDPR? Available at: https://inplp.com/latest-news/article/how-does-indias-new-privacy-law-compare-to-gdpr/
[9] ComplyDog. (2024). GDPR vs DPDPA: Key Differences Between EU and India’s Data Protection Laws. Available at: https://complydog.com/blog/gdpr-vs-india-dpdpa