<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cyber crime Archives - Bhatt &amp; Joshi Associates</title>
	<atom:link href="https://bhattandjoshiassociates.com/tag/cyber-crime/feed/" rel="self" type="application/rss+xml" />
	<link>https://bhattandjoshiassociates.com/tag/cyber-crime/</link>
	<description>Best High Court Advocates &#38; Lawyers</description>
	<lastBuildDate>Wed, 07 Jan 2026 15:51:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.3</generator>

<image>
	<url>https://bhattandjoshiassociates.com/wp-content/uploads/2025/08/cropped-bhatt-and-joshi-associates-logo-32x32.png</url>
	<title>cyber crime Archives - Bhatt &amp; Joshi Associates</title>
	<link>https://bhattandjoshiassociates.com/tag/cyber-crime/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>International Legal Responses to Cybersecurity Threats</title>
		<link>https://bhattandjoshiassociates.com/international-legal-responses-to-cybersecurity-threats/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Tue, 11 Feb 2025 11:32:28 +0000</pubDate>
				<category><![CDATA[Cyber Law]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Digital Law]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Regulation]]></category>
		<category><![CDATA[Cyber Threats]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Digital Governance]]></category>
		<category><![CDATA[Global Security]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[legal frameworks]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24333</guid>

					<description><![CDATA[<p>Introduction In the digital age, cybersecurity has emerged as a critical challenge for governments, organizations, and individuals worldwide. With increasing reliance on digital infrastructure, the threat of cyberattacks, data breaches, and cyber warfare poses significant risks to national security, economic stability, and public trust. International law, traditionally rooted in principles designed for physical conflicts and [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/international-legal-responses-to-cybersecurity-threats/">International Legal Responses to Cybersecurity Threats</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img fetchpriority="high" decoding="async" class="alignright size-full wp-image-24335" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/International-Legal-Responses-to-Cybersecurity-Threats.png" alt="International Legal Responses to Cybersecurity Threats" width="1200" height="628" /></h2>
<h2><strong>Introduction</strong></h2>
<p><span style="font-weight: 400;">In the digital age, cybersecurity has emerged as a critical challenge for governments, organizations, and individuals worldwide. With increasing reliance on digital infrastructure, the threat of cyberattacks, data breaches, and cyber warfare poses significant risks to national security, economic stability, and public trust. International law, traditionally rooted in principles designed for physical conflicts and territorial disputes, faces the complex task of addressing cybersecurity threats in a borderless and rapidly evolving digital landscape. This article explores the current international legal frameworks governing cybersecurity, recent developments, and the challenges associated with enforcing these norms.</span></p>
<h2><b>The Nature of Cybersecurity Threats</b></h2>
<p><span style="font-weight: 400;">Cybersecurity threats encompass a broad spectrum of malicious activities, ranging from hacking and phishing to ransomware attacks and state-sponsored cyber operations. These threats target critical infrastructure, such as power grids, healthcare systems, and financial institutions, often with devastating consequences. Cybercrime, including identity theft and financial fraud, further exacerbates the vulnerabilities of individuals and businesses.</span></p>
<p><span style="font-weight: 400;">State-sponsored cyberattacks, such as the alleged Russian interference in the 2016 U.S. presidential elections or the SolarWinds software supply-chain compromise disclosed in December 2020, in which a trojanised build of the Orion platform reached customers through the vendor&#8217;s own signed update channel, highlight the geopolitical dimensions of cybersecurity. Such incidents raise questions about the application of international law, including state responsibility, sovereignty, and the use of force in cyberspace.</span></p>
<h2><b>Existing International Legal Frameworks </b></h2>
<p><span style="font-weight: 400;">The applicability of international law to cybersecurity threats is governed by several principles and treaties, although no comprehensive global treaty specifically addresses cybersecurity. Key frameworks include:</span></p>
<ol>
<li><b> The United Nations Charter:</b><span style="font-weight: 400;"> The principles of state sovereignty, non-intervention, and the prohibition of the use of force are foundational to international law. Cyber operations that cause physical damage or loss of life may qualify as a &#8220;use of force&#8221; under Article 2(4) of the UN Charter. Additionally, the right to self-defense under Article 51 may apply to cyberattacks that reach the threshold of an &#8220;armed attack.&#8221;</span></li>
<li><b> The Tallinn Manual:</b><span style="font-weight: 400;"> Although not legally binding, the Tallinn Manual on the International Law Applicable to Cyber Warfare provides an influential interpretation of how existing international law applies to cyber operations. Developed by legal experts under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence, the manual addresses issues such as state responsibility, neutrality, and proportionality in cyber conflicts.</span></li>
<li><b> The Budapest Convention on Cybercrime:</b><span style="font-weight: 400;"> The Council of Europe’s Budapest Convention is the first international treaty addressing internet crimes. It provides a framework for harmonizing national laws, enhancing investigative techniques, and fostering international cooperation in combating cybercrime. However, its limited membership and criticism from non-signatory states, such as China and Russia, pose challenges to its universality.</span></li>
<li><b> The UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG):</b><span style="font-weight: 400;"> The UN has facilitated discussions among member states on the application of international law to cyberspace through the GGE and OEWG processes. These forums have produced consensus reports affirming that existing international law applies to cyberspace, but they have also highlighted divisions among states regarding norms and enforcement.</span></li>
</ol>
<h2><strong>Challenges in Applying International Law to Cybersecurity Threats</strong></h2>
<p><span style="font-weight: 400;">The unique characteristics of cyberspace complicate the application and enforcement of international law. Key challenges include:</span></p>
<ol>
<li><b> Attribution:</b><span style="font-weight: 400;"> Identifying the perpetrators of a cyberattack is notoriously difficult, given the ability to mask identities and operate through proxies. Technical indicators such as infrastructure, tooling and tradecraft can be shared between groups or deliberately planted as a false flag, so the technical attribution produced by investigators rarely reaches the evidentiary standard needed to attribute conduct to a state in law. Without reliable attribution, holding states or non-state actors accountable under international law becomes challenging.</span></li>
<li><b> Jurisdictional Issues:</b><span style="font-weight: 400;"> Cyberattacks often transcend national borders, involving multiple jurisdictions with varying legal standards. Coordinating international responses and prosecutions can be hindered by conflicting laws and priorities.</span></li>
<li><b> Lack of Consensus:</b><span style="font-weight: 400;"> States have differing views on key issues, such as the definition of cyberattacks, the threshold for invoking self-defense, and the role of non-state actors. Geopolitical rivalries further impede efforts to establish a comprehensive international treaty.</span></li>
<li><b> Enforcement Mechanisms:</b><span style="font-weight: 400;"> Unlike traditional conflicts, cyber operations rarely involve physical assets or territories, so enforcement measures designed for physical conflicts translate poorly. Sanctions have been used against cyber operations (the European Union adopted a dedicated cyber sanctions framework in 2019, and the United States has designated individuals and entities for malicious cyber activity), but such measures depend on public attribution and have limited reach against actors with no assets in the sanctioning jurisdiction.</span></li>
</ol>
<h2><b>Recent Developments in Cybersecurity Governance</b></h2>
<p><span style="font-weight: 400;">In recent years, there have been notable advancements in cybersecurity governance at both international and regional levels. For example:</span></p>
<ol>
<li><b> United Nations Initiatives:</b><span style="font-weight: 400;"> The OEWG’s 2021 report emphasized the need for capacity building, confidence-building measures, and adherence to voluntary norms for responsible state behavior in cyberspace. These efforts aim to foster trust and cooperation among states.</span></li>
<li><b> Regional Frameworks:</b><span style="font-weight: 400;"> Organizations such as the European Union and ASEAN have developed regional cybersecurity strategies to address cross-border threats. The EU’s General Data Protection Regulation (GDPR) has also set global standards for data protection and privacy.</span></li>
<li><b> Private Sector and Multi-Stakeholder Engagement:</b><span style="font-weight: 400;"> Tech companies, civil society organizations, and academia play an increasingly important role in shaping cybersecurity norms. Initiatives such as Microsoft’s Cybersecurity Tech Accord and the Global Forum on Cyber Expertise (GFCE) reflect the growing importance of public-private partnerships.</span></li>
<li><b> Emerging Technologies:</b><span style="font-weight: 400;"> Advances in artificial intelligence, quantum computing, and blockchain present both opportunities and risks for cybersecurity. A sufficiently large quantum computer would break the public-key algorithms (RSA and elliptic-curve cryptography) that protect most of today&#8217;s communications, which is why standards bodies such as NIST have published post-quantum algorithms for migration. International law must adapt to address the implications of these technologies, including their potential misuse by malicious actors.</span></li>
</ol>
<h2><b>The Role of International Courts and Arbitration</b></h2>
<p><span style="font-weight: 400;">While there have been few cases directly addressing cybersecurity in international courts, legal mechanisms such as arbitration and dispute resolution are gaining relevance. The International Court of Justice (ICJ) and other forums may provide avenues for states to resolve disputes arising from cyber operations. However, the absence of precedent and the complexity of cyber issues pose significant hurdles.</span></p>
<h2><b>Future Directions and Recommendations for Tackling Cybersecurity Threats</b></h2>
<p><span style="font-weight: 400;">To strengthen international legal responses to cybersecurity threats, the following steps are essential:</span></p>
<ol>
<li><b> Developing a Comprehensive Treaty:</b><span style="font-weight: 400;"> Efforts to negotiate a global treaty on cybersecurity should be intensified, focusing on shared norms, definitions, and enforcement mechanisms. Such a treaty could draw from existing frameworks like the Budapest Convention while addressing gaps in coverage.</span></li>
<li><b> Enhancing Attribution Capabilities:</b><span style="font-weight: 400;"> Investments in technology and international collaboration are necessary to improve the accuracy and reliability of attribution mechanisms. Transparent and credible attribution processes can deter malicious actors and facilitate accountability.</span></li>
<li><b> Promoting Capacity Building:</b><span style="font-weight: 400;"> Developing nations often lack the resources and expertise to address cybersecurity threats effectively. Capacity-building initiatives, including training programs and knowledge-sharing platforms, can help bridge this gap.</span></li>
<li><b> Encouraging Multi-Stakeholder Governance:</b><span style="font-weight: 400;"> Cybersecurity governance should involve all relevant stakeholders, including governments, private companies, and civil society. Collaborative approaches can foster innovation and resilience while ensuring inclusivity.</span></li>
</ol>
<h2><b>Conclusion  </b></h2>
<p><span style="font-weight: 400;">Cybersecurity threats represent one of the most pressing challenges of the 21st century, requiring robust and adaptive international legal responses. While existing frameworks provide a foundation, gaps in enforcement, attribution, and consensus highlight the need for continued efforts to strengthen cybersecurity governance. By fostering cooperation, building capacity, and embracing innovative solutions, the international community can mitigate cyber risks and ensure the security and stability of the digital world.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/international-legal-responses-to-cybersecurity-threats/">International Legal Responses to Cybersecurity Threats</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 3</title>
		<link>https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-3/</link>
		
		<dc:creator><![CDATA[Aaditya Bhatt]]></dc:creator>
		<pubDate>Sun, 13 Aug 2023 09:32:19 +0000</pubDate>
				<category><![CDATA[Civil Lawyers]]></category>
		<category><![CDATA[IT & BPM]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Data Protection Board]]></category>
		<category><![CDATA[DPDPA]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[India's Personal Data Protection Act]]></category>
		<category><![CDATA[Personal Data Protection Act 2023]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=16669</guid>

					<description><![CDATA[<p>In Part 1 and Part 2 of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India’s Digital Personal Data Protection Act, 2023. We also began to draw parallels with global regulations, situating India’s approach within the broader international context. As we continue our journey into the heart [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-3/">Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 3</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In <strong><a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-1/">Part 1</a> </strong>and <strong><a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-2/">Part 2</a></strong> of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India’s <a href="https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf">Digital Personal Data Protection Act</a>, 2023. We also began to draw parallels with global regulations, situating India’s approach within the broader international context.</p>
<p><img decoding="async" class="alignnone  wp-image-31098" src="https://bj-m.s3.ap-south-1.amazonaws.com/uploads/2023/08/Navigating-the-Digital-Frontier-Indias-Personal-Data-Protection-Act-2023-Part-3-300x157.png" alt="Navigating the Digital Frontier India's Personal Data Protection Act, 2023 - Part 3" width="997" height="522" srcset="https://bhattandjoshiassociates.com/wp-content/uploads/2023/08/Navigating-the-Digital-Frontier-Indias-Personal-Data-Protection-Act-2023-Part-3-300x157.png 300w, https://bhattandjoshiassociates.com/wp-content/uploads/2023/08/Navigating-the-Digital-Frontier-Indias-Personal-Data-Protection-Act-2023-Part-3-1024x536.png 1024w, https://bhattandjoshiassociates.com/wp-content/uploads/2023/08/Navigating-the-Digital-Frontier-Indias-Personal-Data-Protection-Act-2023-Part-3-768x402.png 768w, https://bhattandjoshiassociates.com/wp-content/uploads/2023/08/Navigating-the-Digital-Frontier-Indias-Personal-Data-Protection-Act-2023-Part-3.png 1200w" sizes="(max-width: 997px) 100vw, 997px" /></p>
<p>As we continue our journey into the heart of the Digital Personal Data Protection Act, 2023, <strong>Part 3 marks the final stage of this exploration</strong>, focusing on <em>enforcing data protection and shaping a secure digital future</em>. This concluding part examines the Act’s provisions on offences and penalties and offers a comprehensive analysis of its enforcement architecture, assessing its broader implications for individual privacy, national security, and India’s evolving digital economy.</p>
<p>The enforcement mechanism of any data protection legislation ultimately determines whether its provisions remain theoretical ideals or translate into tangible protections for individuals. India’s Digital Personal Data Protection Act, 2023, establishes a penalty framework designed to secure compliance through meaningful financial consequences, while preserving sufficient flexibility for contextual adjudication by the Data Protection Board of India. The Act received Presidential assent on August 11, 2023, and represents India’s first standalone statute devoted exclusively to the protection of digital personal data. While the foundational principles and individual rights provisions define the substantive obligations of data fiduciaries, it is the penalty regime under <strong>Chapter VIII</strong> and the miscellaneous provisions in <strong>Chapter IX</strong> that determine how the law will function in practice.</p>
<p>The Act’s enforcement architecture reflects a regulatory philosophy that diverges in important respects from global counterparts such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act. Instead of linking penalties to a percentage of global turnover, the DPDPA adopts a tiered structure prescribing fixed maximum penalties for specified categories of violations. This model enhances predictability for organizations by clearly delineating their maximum exposure, while still ensuring that penalties are sufficiently substantial to deter non-compliance. Notably, the Act does not criminalize data protection breaches through imprisonment, nor does it create private rights of action enabling individuals to directly sue data fiduciaries. Enforcement authority is instead centralized in the Data Protection Board of India, a design choice intended to promote consistency in regulatory outcomes and to avoid the fragmentation and excessive litigation observed in some other jurisdictions.</p>
<h2><b>The Penalty Framework: Structure and Implementation</b></h2>
<p><span style="font-weight: 400;">Section 33 of the DPDPA empowers the Data Protection Board to impose monetary penalties when it determines that a breach of the Act or rules is significant. The provision requires the Board to provide an opportunity for the person or entity under investigation to be heard before imposing any penalty, ensuring procedural fairness. The Schedule annexed to the Act specifies maximum penalty amounts for different categories of violations, creating a hierarchy that reflects the legislature&#8217;s assessment of relative severity [1]. The highest penalty, reaching up to INR 250 crore (approximately USD 30 million at current exchange rates), applies to failures by data processors or data fiduciaries to ensure reasonable safeguards for preventing personal data breaches. This substantial sum signals that security obligations constitute the apex of the compliance pyramid.</span></p>
<p><span style="font-weight: 400;">Failure to notify the Data Protection Board and affected data principals about personal data breaches attracts penalties up to INR 200 crore. The same maximum applies to non-fulfillment of obligations pertaining to children&#8217;s data, reflecting heightened concern for protecting minors in the digital ecosystem. Violations by significant data fiduciaries—a category the Act defines as those processing personal data at a scale and nature requiring additional obligations—can result in penalties up to INR 150 crore. For violations where no specific penalty is prescribed, the Board may impose penalties up to INR 50 crore. Even data principals themselves face potential penalties up to INR 10,000 if they violate their duties under Section 15, such as providing false information or registering frivolous complaints [2].</span></p>
<p><span style="font-weight: 400;">When determining the actual penalty amount within these maximum limits, Section 33 directs the Board to consider several factors. These include the nature, gravity, and duration of the breach; the type and nature of personal data affected; whether the breach was repeated or continued after the Board directed corrective action; whether the person derived financial gain or avoided losses through the breach; whether the person took action to mitigate effects and consequences; and whether the monetary penalty will be proportionate and effective to secure observance and deter future breaches. This multi-factor assessment mirrors approaches found in other jurisdictions and allows the Board to calibrate penalties appropriately rather than mechanically applying maximum amounts in every case.</span></p>
<p><span style="font-weight: 400;">The Board may also accept voluntary undertakings from persons or entities to ensure compliance at any stage of proceedings. If the Board accepts such an undertaking, it may suspend or terminate proceedings on related issues. However, failure to honor a voluntary undertaking is itself treated as a breach, allowing the Board to resume enforcement action. This mechanism encourages settlement and cooperative resolution while maintaining credibility through consequences for broken promises. Section 34 specifies that all sums realized through penalties shall be credited to the Consolidated Fund of India, preventing any financial conflict of interest and ensuring the Board&#8217;s impartiality [3].</span></p>
<h2><b>Comparing Penalty Regimes: GDPR and CCPA</b></h2>
<p><span style="font-weight: 400;">The GDPR&#8217;s penalty structure, articulated in Article 83, establishes two tiers of administrative fines. Less serious infringements can result in fines up to EUR 10 million or two percent of the undertaking&#8217;s total worldwide annual turnover from the preceding financial year, whichever is higher. More serious infringements—including violations of basic processing principles, data subject rights, and international transfer requirements—can result in fines up to EUR 20 million or four percent of total worldwide annual turnover, whichever is higher [4]. The percentage-based calculation means that fines can scale dramatically with company size, and the concept of &#8220;undertaking&#8221; under EU competition law principles means that parent company turnover may be considered even when a subsidiary committed the violation.</span></p>
<p><span style="font-weight: 400;">In practice, the GDPR has generated some of the largest data protection fines in history. Meta received a record EUR 1.2 billion penalty from Ireland&#8217;s Data Protection Commission in 2023 for unlawfully transferring personal data to the United States without adequate safeguards. Amazon was fined EUR 746 million by Luxembourg&#8217;s supervisory authority for processing personal information without proper consent mechanisms. These amounts, while representing small percentages of the companies&#8217; global revenue, demonstrate the GDPR&#8217;s capacity to impose financially meaningful sanctions on even the largest technology companies [5].</span></p>
<p><span style="font-weight: 400;">California&#8217;s CCPA takes a different approach through Section 1798.155. Violations subject businesses to civil penalties of up to USD 2,500 per violation, or USD 7,500 per intentional violation. These penalties are enforced by public authorities, originally the California Attorney General and, since the CPRA amendments took effect, also the California Privacy Protection Agency, rather than through private litigation, except in cases involving data breaches where Section 1798.150 provides a limited private right of action. Under that provision, consumers may seek statutory damages of USD 100 to USD 750 per consumer per incident, or actual damages, whichever is greater. Before seeking statutory damages, consumers must give the business thirty days&#8217; written notice and, where a cure is possible, an opportunity to cure the violation; merely implementing reasonable security practices after the breach does not count as a cure [6].</span></p>
<p><span style="font-weight: 400;">The DPDPA&#8217;s fixed maximum penalties occupy middle ground between these approaches. Unlike the GDPR&#8217;s percentage-of-turnover model, Indian law provides greater certainty regarding worst-case exposure. Unlike the CCPA&#8217;s per-violation calculation, which could theoretically accumulate to massive amounts in cases affecting many consumers, the DPDPA establishes clear ceilings. However, the INR 250 crore maximum is substantially lower than potential GDPR fines for large multinationals, raising questions about whether penalties will prove sufficiently deterrent for global technology companies whose annual revenues measure in billions of dollars. For domestic Indian businesses and smaller enterprises, conversely, penalties in the hundreds of crores represent existential financial threats that should motivate serious compliance efforts.</span></p>
<h2><b>Exemptions and Flexibility: Balancing Protection with Practicality</b></h2>
<p><span style="font-weight: 400;">Chapter IV of the DPDPA, containing Sections 16 and 17, addresses special circumstances requiring distinct treatment. Section 17 enumerates various exemptions from the Act&#8217;s requirements, acknowledging that inflexible application of data protection rules could impede legitimate activities serving the public interest. Under Section 17(1), the provisions of Chapter II (except sub-sections (1) and (5) of Section 8), Chapter III, and Section 16 do not apply when processing is necessary for enforcing legal rights or claims; preventing, detecting, investigating, or prosecuting offences; judicial functions; mergers and similar corporate restructuring; or debt recovery, while Section 17(2) separately exempts notified state instrumentalities and processing for research, archiving, and statistical purposes. The two retained sub-sections of Section 8 matter from a security standpoint: processing exempted under Section 17(1) remains subject to the data fiduciary&#8217;s overall responsibility for compliance and to its duty to take reasonable security safeguards to prevent personal data breaches, so the breach-prevention obligation that carries the Act&#8217;s highest penalty is not switched off by those exemptions [7].</span></p>
<p><span style="font-weight: 400;">More controversially, Section 17 also provides broad exemptions for state instrumentalities. When the Central Government notifies a state entity, that entity may be exempted from various obligations if processing personal data for purposes involving sovereignty, integrity, security of the state, friendly relations with foreign countries, maintaining public order, or preventing incitement to cognizable offences. Critics have expressed concern that these exemptions, lacking robust oversight mechanisms or sunset provisions, could facilitate surveillance without adequate checks on government power. The absence of specific procedural safeguards, judicial review requirements, or proportionality assessments in the exemption provisions represents a significant departure from the GDPR&#8217;s Article 23, which requires member states to maintain legislative measures clearly delineating the scope and application of restrictions on data subject rights [8].</span></p>
<p><span style="font-weight: 400;">Section 17 also addresses startups specifically, recognizing the challenges these entities face in achieving compliance with sophisticated data protection requirements. The provision allows the Central Government to exempt startups from certain requirements for specified periods, provided they meet criteria established by the department handling startup matters. This accommodation reflects policy priorities around fostering innovation and entrepreneurship, though it creates a two-tier system where established businesses face obligations that startups may temporarily avoid. The rationale is that nascent companies with limited resources and technical capabilities should not face compliance burdens that could strangle growth, but critics note that some of the most significant privacy violations have occurred at rapidly scaling technology startups.</span></p>
<p><span style="font-weight: 400;">Notably absent from Section 17&#8217;s exemptions is any express provision for journalistic purposes, an omission that has drawn sustained criticism from media organizations. The Editors Guild of India has repeatedly urged the Ministry of Electronics and Information Technology to exercise its power under Section 17(5), which allows the Central Government, within five years of the Act&#8217;s commencement, to declare by notification that any provision of the Act shall not apply to a specified class of data fiduciaries for a specified period, in order to protect journalistic activities. The Guild argues that requiring journalists to obtain consent before processing personal data would fundamentally undermine investigative journalism and the media&#8217;s watchdog function. Previous drafts of India&#8217;s data protection legislation included journalistic exemptions similar to those found in the GDPR, which allows member states to reconcile data protection with freedom of expression and information. The final Act&#8217;s silence on this issue has created uncertainty about how journalism can continue operating under the DPDPA&#8217;s consent-centric framework [9].</span></p>
<h2><b>Impact on National Security, Economic Development, and Privacy</b></h2>
<p><span style="font-weight: 400;">The DPDPA&#8217;s enforcement provisions must be evaluated not merely as technical legal mechanisms but as instruments shaping India&#8217;s digital future across multiple dimensions. From a national security perspective, the state instrumentality exemptions reflect genuine concerns about maintaining sovereign capabilities in an environment where adversaries exploit personal data for intelligence gathering and influence operations. India faces unique security challenges, including persistent threats from state and non-state actors seeking to destabilize the nation. Intelligence and law enforcement agencies require flexibility to respond to these threats without procedural obstacles that could delay critical interventions.</span></p>
<p><span style="font-weight: 400;">However, the breadth of these exemptions and the absence of independent oversight create risks of overreach. Democratic governance requires balancing security imperatives against civil liberties, and history demonstrates that surveillance powers granted for legitimate purposes frequently expand beyond their original justification. The DPDPA lacks mechanisms comparable to those in some Western democracies, where judicial warrants, parliamentary oversight committees, or independent review boards provide checks on intelligence activities. Civil society organizations and privacy advocates have warned that Section 17&#8217;s exemptions could facilitate mass surveillance disproportionate to actual security needs, potentially chilling free expression and dissent.</span></p>
<p><span style="font-weight: 400;">From an economic development perspective, the DPDPA aims to position India as both a significant player in the global digital economy and a jurisdiction offering credible data protection standards. Foreign companies seeking to serve Indian consumers must comply with local law, while Indian companies aspiring to global markets need domestic regulations that facilitate rather than hinder international data flows. The Act&#8217;s approach to cross-border transfers—allowing transfers except to specifically prohibited jurisdictions—creates a more permissive environment than the GDPR&#8217;s framework requiring adequacy decisions or standard contractual clauses. This facilitates India&#8217;s integration into global supply chains and services ecosystems while reserving the government&#8217;s ability to block transfers when necessary.</span></p>
<p><span style="font-weight: 400;">The penalty structure influences economic behavior by making data protection a boardroom issue rather than merely a technology or legal compliance matter. When potential fines reach hundreds of crores, senior executives pay attention and allocate resources accordingly. This should drive investment in security infrastructure, privacy engineering, and governance frameworks. However, the effectiveness of penalties depends crucially on consistent enforcement. If the Data Protection Board develops a reputation for imposing nominal penalties or declining to pursue violations, the deterrent effect will dissipate. Conversely, if enforcement appears arbitrary or disproportionate, it could chill legitimate innovation and investment.</span></p>
<h2><b>Procedural Safeguards and Dispute Resolution</b></h2>
<p><span style="font-weight: 400;">Beyond the penalties themselves, the DPDPA establishes procedural mechanisms intended to ensure fair adjudication and provide alternatives to formal enforcement. The Act requires that data principals first exhaust the grievance redressal mechanism provided by data fiduciaries or consent managers before approaching the Board. This requirement reduces the Board&#8217;s caseload by filtering out matters that parties can resolve directly, though it also means individuals must navigate potentially company-controlled processes before accessing independent adjudication.</span></p>
<p><span style="font-weight: 400;">The Act provides for appeals from Board decisions to the Telecommunications Disputes Settlement and Appellate Tribunal, a specialized body with technical expertise relevant to digital matters. This appellate mechanism ensures that Board decisions face judicial scrutiny and reduces risks of regulatory overreach. The involvement of a specialized tribunal rather than general courts recognizes that data protection disputes often involve technical complexities requiring specific expertise. However, the choice of TDSAT rather than establishing a dedicated data protection appellate body has been questioned, as telecommunications and data privacy involve distinct policy considerations and technical domains.</span></p>
<p><span style="font-weight: 400;">Chapter VII also contemplates alternative dispute resolution mechanisms, encouraging mediation and conciliation as means of resolving conflicts without formal adjudication. This reflects best practices from other areas of law where ADR reduces costs, accelerates resolution, and preserves relationships. In the data protection context, ADR could be particularly valuable for disputes where both parties have legitimate interests—for instance, when a data principal seeks erasure but the fiduciary has legal obligations requiring retention, or when transparency and proprietary business concerns conflict.</span></p>
<h2><b>Looking Forward: Implementation and Evolution</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules notified in November 2025 have begun operationalizing the Act&#8217;s provisions, providing detailed requirements for notice formats, consent mechanisms, grievance procedures, and breach notifications. As these rules take effect and the Data Protection Board begins adjudicating cases, the practical implications of the penalty framework will become clearer. Early enforcement decisions will establish precedents influencing how subsequent cases are evaluated, and the Board&#8217;s interpretive choices will determine whether the Act evolves as a protective shield for individuals or primarily as a regulatory burden on businesses.</span></p>
<p><span style="font-weight: 400;">Several challenges lie ahead. The Board must build institutional capacity sufficient to handle complaints from a population of 1.4 billion people and oversee an economy where digital services touch nearly every aspect of life. It must develop expertise not only in legal and policy matters but also in the technical dimensions of data processing, security, and emerging technologies. The Board must calibrate enforcement to achieve deterrence without stifling innovation, provide clarity through guidance while remaining flexible enough to address novel situations, and maintain independence from both government pressure and industry capture.</span></p>
<p><span style="font-weight: 400;">The Act&#8217;s success will ultimately be measured not by the sophistication of its text but by whether it achieves its twin objectives: protecting individual privacy and enabling India&#8217;s digital economy to flourish. These goals are not inherently contradictory, but tensions between them will arise repeatedly. Strong data protection can enhance economic value by building consumer trust and reducing costs associated with breaches and litigation. Conversely, burdensome compliance requirements can divert resources from innovation and create barriers to entry that favor established players. The challenge for Indian policymakers, regulators, and courts will be navigating these tensions through enforcement decisions and regulatory evolution that serves both privacy and prosperity.</span></p>
<h2><b>Conclusion: A Framework Taking Shape</b></h2>
<p><span style="font-weight: 400;">India&#8217;s Digital Personal Data Protection Act represents a significant step in establishing a legal framework for the digital age, but it remains a work in progress. The penalty provisions create meaningful consequences for violations while preserving flexibility for contextual assessment. The exemptions acknowledge legitimate needs for processing personal data without consent in specific circumstances, though their breadth raises concerns about surveillance and government overreach. The Act&#8217;s enforcement model, centered on an independent Board rather than private litigation, reflects policy choices about how best to achieve compliance in India&#8217;s particular legal and social context.</span></p>
<p><span style="font-weight: 400;">Comparison with the GDPR and CCPA reveals both alignments and divergences, reflecting India&#8217;s unique position as a populous democracy with development aspirations, security challenges, and distinctive legal traditions. The fixed maximum penalties differ from the GDPR&#8217;s percentage approach and the CCPA&#8217;s per-violation model, offering greater certainty but potentially less deterrence for the largest companies. The exemptions for state instrumentalities exceed those in Western frameworks, raising questions about the balance between security and liberty. The absence of journalistic exemptions contrasts with European practice and may require correction to avoid chilling press freedom.</span></p>
<p><span style="font-weight: 400;">As implementation proceeds, the Data Protection Board&#8217;s performance will determine whether the DPDPA achieves its promise. Rigorous enforcement respecting procedural fairness, clear guidance helping organizations understand obligations, and willingness to adapt as technology and society evolve will be essential. The Act provides the structure, but the substance will emerge through the accumulation of decisions, rules, and interpretive guidance in the years ahead. India&#8217;s journey toward data protection continues, with the destination still taking shape.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] AM Legals. (2024). </span><i><span style="font-weight: 400;">Penalties under the Digital Personal Data Protection Act, 2023: A Guide.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://amlegals.com/penalties-under-the-digital-personal-data-protection-act2023/"><span style="font-weight: 400;">https://amlegals.com/penalties-under-the-digital-personal-data-protection-act2023/</span></a></p>
<p><span style="font-weight: 400;">[2] Mondaq. (2024). </span><i><span style="font-weight: 400;">Enforcement and Penalties Under the Digital Personal Data Protection Act, 2023.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.mondaq.com/india/data-protection/1543038/enforcement-and-penalties-under-the-digital-personal-data-protection-act-2023"><span style="font-weight: 400;">https://www.mondaq.com/india/data-protection/1543038/enforcement-and-penalties-under-the-digital-personal-data-protection-act-2023</span></a></p>
<p><span style="font-weight: 400;">[3] Tsaaro. (2025). </span><i><span style="font-weight: 400;">Enforcement and Penalties under the DPDPA, 2023 and Draft DPDP Rules, 2025.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://tsaaro.com/blogs/enforcement-and-penalties-under-the-dpdpa-2023-and-draft-dpdp-rules-2025/"><span style="font-weight: 400;">https://tsaaro.com/blogs/enforcement-and-penalties-under-the-dpdpa-2023-and-draft-dpdp-rules-2025/</span></a></p>
<p><span style="font-weight: 400;">[4] GDPR.eu. (2019). </span><i><span style="font-weight: 400;">What are the GDPR Fines?</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://gdpr.eu/fines/"><span style="font-weight: 400;">https://gdpr.eu/fines/</span></a></p>
<p><span style="font-weight: 400;">[5] Sprinto. (2025). </span><i><span style="font-weight: 400;">GDPR Fines Explained: Penalties for Data Breaches.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://sprinto.com/blog/gdpr-fines/"><span style="font-weight: 400;">https://sprinto.com/blog/gdpr-fines/</span></a></p>
<p><span style="font-weight: 400;">[6] Consumer Privacy Act. (2019). </span><i><span style="font-weight: 400;">Section 1798.155. Civil penalties.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.consumerprivacyact.com/section-1798-155-civil-penalties/"><span style="font-weight: 400;">https://www.consumerprivacyact.com/section-1798-155-civil-penalties/</span></a></p>
<p><span style="font-weight: 400;">[7] India DPDPA. (2023). </span><i><span style="font-weight: 400;">Article 17 – Exemptions.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://indiadpdpa.com/india-dpdpa-article-17-exemptions/"><span style="font-weight: 400;">https://indiadpdpa.com/india-dpdpa-article-17-exemptions/</span></a></p>
<p><span style="font-weight: 400;">[8] Tsaaro. (2025). </span><i><span style="font-weight: 400;">Exemptions Under the Digital Personal Data Protection (DPDP) Act, 2023.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://tsaaro.com/blogs/exemptions-under-the-digital-personal-data-protection-dpdp-act-2023/"><span style="font-weight: 400;">https://tsaaro.com/blogs/exemptions-under-the-digital-personal-data-protection-dpdp-act-2023/</span></a></p>
<p><span style="font-weight: 400;">[9] Medianama. (2025). </span><i><span style="font-weight: 400;">EGI Reiterates Need To Protect Journalists Under DPDP Rules.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.medianama.com/2025/11/223-egi-journalists-indias-digital-data-protection-rules/"><span style="font-weight: 400;">https://www.medianama.com/2025/11/223-egi-journalists-indias-digital-data-protection-rules/</span></a></p>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-3/">Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 3</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>India&#8217;s Digital Personal Data Protection Act, 2023: Rights, Governance, and Global Standards – Part 2</title>
		<link>https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-2/</link>
		
		<dc:creator><![CDATA[Team]]></dc:creator>
		<pubDate>Sun, 13 Aug 2023 09:20:55 +0000</pubDate>
				<category><![CDATA[Civil Lawyers]]></category>
		<category><![CDATA[IT & BPM]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[alternate dispute resolution]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Data Protection Board]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Personal Data Protection Act 2023]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=16666</guid>

					<description><![CDATA[<p>In Part 1 of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India&#8217;s Digital Personal Data Protection Act, 2023. We also began to draw parallels with global regulations, situating India&#8217;s approach within the broader international context. India&#8217;s journey toward establishing a robust data protection framework reached a [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-2/">India&#8217;s Digital Personal Data Protection Act, 2023: Rights, Governance, and Global Standards – Part 2</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In <strong><a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-1/">Part 1</a></strong> of this series, we laid the groundwork by exploring the preliminary provisions and data protection obligations of India&#8217;s <a href="https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf">Digital Personal Data Protection Act</a>, 2023. We also began to draw parallels with global regulations, situating India&#8217;s approach within the broader international context.</p>
<div id="attachment_16721" style="width: 1239px" class="wp-caption alignnone"><img decoding="async" aria-describedby="caption-attachment-16721" class="wp-image-16721 size-full" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2023/08/image-4-UPDATED-3.jpg" alt="India's Digital Personal Data Protection Act, 2023: Rights, Governance, and Global Standards – Part 2" width="1229" height="684" /><p id="caption-attachment-16721" class="wp-caption-text">Analyzing India&#8217;s Personal Data Protection Act, 2023</p></div>
<p><span style="font-weight: 400;">India&#8217;s journey toward establishing a robust data protection framework reached a significant milestone with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA). This legislation, which received Presidential assent on August 11, 2023, represents the country&#8217;s first standalone law dedicated to protecting digital personal information in an increasingly interconnected world. The Act emerged from a constitutional imperative established by the Supreme Court of India in the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India, wherein a nine-judge bench unanimously recognized privacy as a fundamental right under Articles 14, 19, and 21 of the Indian Constitution [1]. This judicial pronouncement, delivered on August 24, 2017, laid the groundwork for legislative action and fundamentally altered the landscape of data protection in the world&#8217;s largest democracy.</span></p>
<p><span style="font-weight: 400;">The DPDPA marks a departure from the previous patchwork of regulations under the Information Technology Act, 2000, and its associated rules. While the Act was passed in 2023, its provisions were brought into force in a phased manner, with the establishment of the Data Protection Board of India notified on November 13, 2025, accompanied by the Digital Personal Data Protection Rules, 2025 [2]. This legislative framework applies to the processing of digital personal data within India&#8217;s territory and extends extraterritorially to entities outside India that offer goods or services to individuals located within India. The Act recognizes both the fundamental right of individuals to protect their personal data and the legitimate need for such data to be processed for lawful purposes, striking a delicate balance between privacy protection and economic development.</span></p>
<p>As this series moves forward, Part 2 will examine the DPDPA’s core framework governing individual rights and duties, the obligations of data fiduciaries, and the role of institutional oversight through the Data Protection Board. The discussion will be supported by comparative references to international regimes, particularly the GDPR, highlighting India’s alignment with global best practices while underscoring its distinctive regulatory approach. This analysis will set the stage for a final examination of enforcement and remedial mechanisms under the Act.</p>
<h2><b>Empowering Data Principals: Rights and Duties Under Chapter III</b></h2>
<p><span style="font-weight: 400;">The DPDPA establishes a framework of rights and corresponding duties for data principals, which the Act defines as individuals to whom personal data relates. Sections 11 through 15 of Chapter III delineate these provisions with clarity and precision. The right to access information under Section 11 empowers individuals to obtain details about their personal data being processed by data fiduciaries. This right is not merely symbolic but serves as a cornerstone for transparency in data processing operations. When an individual exercises this right, the data fiduciary must provide information in clear and plain language regarding the personal data being processed, the purposes for which it is being used, and the identities of other data fiduciaries and data processors with whom such data has been shared.</span></p>
<p><span style="font-weight: 400;">Sections 12 and 13 establish the rights to correction and erasure respectively. The right to correction allows data principals to have inaccurate or misleading personal data rectified or completed. This provision recognizes that data accuracy is essential not only for the individual&#8217;s interests but also for the integrity of data-driven decision-making processes. The right to erasure, sometimes referred to colloquially as the &#8220;right to be forgotten,&#8221; enables individuals to request deletion of their personal data once the purpose for which it was collected has been fulfilled. However, this right is not absolute and must be balanced against legitimate grounds for retention, such as compliance with legal obligations or the establishment of legal claims.</span></p>
<p><span style="font-weight: 400;">Section 14 introduces an innovative provision allowing data principals to nominate another individual who may exercise their rights under the Act in the event of death or incapacity. This forward-thinking approach acknowledges the reality that digital identities often outlive physical existence and that incapacity due to unsoundness of mind or infirmity of body should not deprive individuals of data protection rights. The nominated person effectively becomes a digital executor, capable of managing the data principal&#8217;s rights when circumstances prevent the principal from doing so personally.</span></p>
<p><span style="font-weight: 400;">While the Act grants extensive rights to data principals, Section 15 simultaneously imposes certain duties to ensure the framework functions effectively. Data principals are obligated to comply with all applicable laws while exercising their rights and must refrain from impersonating others when providing personal data. They must also not suppress material information when providing data for the purpose of obtaining benefits or services. Furthermore, data principals are prohibited from registering false or frivolous grievances or complaints with data fiduciaries. These duties reflect a recognition that effective data protection requires responsible behavior from all stakeholders, not just those who collect and process data.</span></p>
<h2><b>Special Provisions: Cross-Border Transfers and Exemptions</b></h2>
<p><span style="font-weight: 400;">Chapter IV of the DPDPA addresses special circumstances that warrant distinct treatment under the legislative framework. Section 16 governs restrictions on the transfer of personal data outside India, a provision of significant consequence for multinational organizations operating in or serving the Indian market. The Central Government is empowered to notify countries or territories to which personal data may not be transferred. This mechanism provides the government with flexibility to respond to evolving geopolitical and data security concerns while allowing most international data transfers to proceed without explicit approval, provided they are not directed to blacklisted jurisdictions [3].</span></p>
<p><span style="font-weight: 400;">This approach differs markedly from the European Union&#8217;s General Data Protection Regulation (GDPR), which requires either an adequacy decision from the European Commission or appropriate safeguards such as standard contractual clauses for data transfers outside the European Economic Area. The DPDPA&#8217;s negative list approach—prohibiting transfers only to specifically notified jurisdictions—places less burden on data fiduciaries while reserving the government&#8217;s prerogative to restrict transfers when national interests so require.</span></p>
<p><span style="font-weight: 400;">Section 17 outlines exemptions from certain provisions of the Act, recognizing that inflexible application of data protection requirements could impede legitimate governmental functions, judicial processes, and other activities serving the public interest. The exemptions cover processing necessary for prevention, detection, investigation, or prosecution of offences, for judicial functions, for research and statistical purposes (subject to certain conditions), and for journalistic purposes. Additionally, the government may exempt startups and certain classes of data fiduciaries for specified periods to encourage innovation and avoid stifling nascent enterprises with compliance burdens they are ill-equipped to handle [4].</span></p>
<h2><b>The Data Protection Board: Establishment and Powers</b></h2>
<p><span style="font-weight: 400;">Chapters V and VI establish the Data Protection Board of India and define its powers, functions, and operational procedures. Sections 18 and 19 provide for the Board&#8217;s establishment as a body corporate with perpetual succession, possessing the authority to acquire and dispose of property and enter into contracts. This institutional design ensures the Board operates with independence and possesses the organizational capacity necessary to fulfill its regulatory mandate. The Board comprises a Chairperson and such number of members as the Central Government may appoint, all of whom must possess expertise and experience in fields related to data protection, information technology, data management, or related disciplines.</span></p>
<p><span style="font-weight: 400;">Sections 20 through 22 address the salary, allowances, and terms of office for Board members, establishing a framework intended to attract qualified professionals while maintaining appropriate standards of conduct. Board members serve terms of two years and are eligible for reappointment, though they cannot hold office beyond the age of sixty-five years. This structure balances the benefits of institutional memory with the need for fresh perspectives and prevents entrenchment that might compromise the Board&#8217;s independence or adaptability.</span></p>
<p><span style="font-weight: 400;">The powers and functions of the Board, as outlined in Section 27, are extensive and multifaceted. The Board may inquire into data breaches, impose monetary penalties for violations of the Act, and issue directions to data fiduciaries regarding compliance with statutory obligations. It possesses the authority to call for information and records from data fiduciaries and may conduct inspections when circumstances warrant. The Board also serves an educational function, promoting awareness of data protection principles and best practices among data fiduciaries and data principals alike. Section 28 establishes procedural requirements the Board must follow when exercising its powers, including providing opportunities for entities under investigation to present their case and ensuring proceedings are conducted fairly and expeditiously [5].</span></p>
<h2><b>Appeals, Alternative Dispute Resolution, and Enforcement</b></h2>
<p><span style="font-weight: 400;">Chapter VII addresses mechanisms for challenging Board decisions and resolving disputes outside traditional adjudicatory processes. Section 29 provides that any person aggrieved by an order of the Data Protection Board may appeal to the Telecommunications Disputes Settlement and Appellate Tribunal (TDSAT), a specialized tribunal with expertise in technology-related matters. The appellant must prefer such appeal within a period of sixty days from the date of communication of the Board&#8217;s order, though the Tribunal may entertain appeals filed after this period if satisfied that sufficient cause prevented timely filing.</span></p>
<p><span style="font-weight: 400;">Sections 31 and 32 encourage alternative dispute resolution mechanisms, recognizing that not all data protection disputes require formal adjudication. The Board may facilitate mediation or conciliation between parties, and data principals may seek redress through consent managers—entities registered with the Board that assist individuals in managing their consent for data processing. This multi-tiered approach to dispute resolution aims to reduce the burden on formal adjudicatory machinery while providing accessible avenues for grievance redressal.</span></p>
<p><span style="font-weight: 400;">Chapter VIII establishes the penalties and adjudication framework essential for ensuring compliance with the Act&#8217;s provisions. Section 33 enumerates specific violations and corresponding monetary penalties, which may reach up to INR 250 crore (approximately USD 30 million) for serious breaches such as failure to implement reasonable security safeguards or failure to notify the Board and affected data principals of personal data breaches. Penalties for breaches involving children&#8217;s data are particularly severe, reflecting the Act&#8217;s heightened concern for protecting minors. The penalty amounts are substantial by Indian standards and signal the government&#8217;s intent to ensure meaningful deterrence against violations [6].</span></p>
<p><span style="font-weight: 400;">Section 34 addresses the crediting of penalty amounts to the Consolidated Fund of India, ensuring that monetary sanctions serve the public treasury rather than creating opportunities for misappropriation. This provision also establishes that the imposition of penalties does not preclude other remedies available under law, meaning that civil or criminal proceedings may proceed independently of administrative enforcement actions taken by the Board.</span></p>
<h2><b>Comparing India&#8217;s Framework with the GDPR</b></h2>
<p><span style="font-weight: 400;">The DPDPA shares several conceptual foundations with the European Union&#8217;s GDPR, which has served as a global benchmark for data protection legislation since its implementation in May 2018. Both frameworks recognize personal data protection as a fundamental right, require consent as the primary basis for data processing (though the GDPR provides additional lawful bases such as contractual necessity and legitimate interests), and grant individuals rights to access, correct, and erase their personal data [7]. Both establish independent supervisory authorities with investigative and enforcement powers and impose substantial penalties for non-compliance.</span></p>
<p><span style="font-weight: 400;">However, significant differences distinguish the two regulatory regimes. The DPDPA applies exclusively to digital personal data—information collected electronically or digitized after collection in non-digital form—while the GDPR encompasses all personal data regardless of format. The GDPR&#8217;s concept of &#8220;special categories&#8221; of personal data (including racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, and biometric data) receives heightened protection through more stringent processing requirements, whereas the DPDPA treats all personal data uniformly without distinguishing sensitive categories explicitly within the Act itself, though the Rules may impose additional requirements [8].</span></p>
<p><span style="font-weight: 400;">The approaches to cross-border data transfers differ substantially. The GDPR requires either an adequacy decision from the European Commission or appropriate safeguards such as standard contractual clauses, binding corporate rules, or codes of conduct for transfers outside the European Economic Area. The DPDPA employs a negative list approach, allowing transfers to all jurisdictions except those specifically notified by the Central Government as restricted destinations. This divergence reflects different regulatory philosophies: the GDPR&#8217;s precautionary principle requiring affirmative authorization versus the DPDPA&#8217;s presumption of permissibility absent specific prohibition.</span></p>
<p><span style="font-weight: 400;">The GDPR grants data subjects the right to data portability, enabling individuals to receive their personal data in a structured, commonly used format and transmit it to another controller. The DPDPA does not explicitly provide this right, though future Rules may address portability in certain contexts. Similarly, the GDPR&#8217;s provisions on automated decision-making and profiling, including rights related to algorithmic transparency, find no direct parallel in the DPDPA&#8217;s current text [9].</span></p>
<p><span style="font-weight: 400;">Penalty structures also diverge. The GDPR imposes administrative fines up to 20 million euros or four percent of global annual turnover, whichever is higher, for the most serious infringements. The DPDPA establishes specific penalty amounts for enumerated violations, reaching a maximum of INR 250 crore. While both frameworks contemplate substantial penalties, the GDPR&#8217;s percentage-of-turnover approach may result in higher absolute amounts for large multinational corporations, whereas the DPDPA&#8217;s fixed maximum penalties provide greater certainty regarding worst-case exposure.</span></p>
<h2><b>Constitutional Foundation and Judicial Oversight</b></h2>
<p><span style="font-weight: 400;">The constitutional underpinnings of India&#8217;s data protection regime cannot be overstated. The Puttaswamy judgment established that privacy is not merely a policy preference but a constitutionally protected fundamental right. Justice D.Y. Chandrachud, writing for himself and three other judges, observed that privacy is an intrinsic part of the right to life and personal liberty under Article 21 and is closely related to dignity, which is a core constitutional value. The judgment emphasized that privacy includes the right to informational self-determination—the ability of individuals to control information about themselves—and that this right applies to all persons regardless of socioeconomic status.</span></p>
<p><span style="font-weight: 400;">This constitutional foundation distinguishes India&#8217;s data protection regime from purely statutory frameworks in many jurisdictions. Because privacy enjoys constitutional status, legislative efforts to dilute protections or create broad exemptions face potential judicial scrutiny. Any law that infringes upon the right to privacy must satisfy tests of legality, legitimate aim, necessity, and proportionality. The state must demonstrate that restrictions on privacy serve compelling public interests and employ the least intrusive means available to achieve those interests.</span></p>
<h2><b>Conclusion: Balancing Innovation and Protection</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Act, 2023, represents a significant evolution in India&#8217;s approach to balancing individual privacy rights with the imperatives of economic development and technological innovation. By establishing clear rights for data principals, imposing obligations on data fiduciaries, creating an independent regulatory authority, and providing mechanisms for enforcement and dispute resolution, the Act constructs a framework capable of adapting to the dynamic challenges posed by rapidly evolving digital technologies. While comparisons with the GDPR reveal both similarities and distinctions, the DPDPA reflects India&#8217;s unique legal, cultural, and economic context. As the Rules are finalized and the Data Protection Board becomes operational, the true test of this legislation will lie in its implementation and the extent to which it achieves the twin objectives of protecting individual autonomy and enabling the data-driven economy that India aspires to build.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] Supreme Court Observer. (2022). </span><i><span style="font-weight: 400;">Justice K.S. Puttaswamy v Union of India &#8211; Fundamental Right to Privacy.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/"><span style="font-weight: 400;">https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/</span></a></p>
<p><span style="font-weight: 400;">[2] Hogan Lovells. (2025). </span><i><span style="font-weight: 400;">India&#8217;s Digital Personal Data Protection Act 2023 brought into force.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-"><span style="font-weight: 400;">https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-</span></a></p>
<p><span style="font-weight: 400;">[3] Latham &amp; Watkins. (2023). </span><i><span style="font-weight: 400;">India&#8217;s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf"><span style="font-weight: 400;">https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf</span></a></p>
<p><span style="font-weight: 400;">[4] PRS Legislative Research. (2023). </span><i><span style="font-weight: 400;">The Digital Personal Data Protection Bill, 2023.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023"><span style="font-weight: 400;">https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023</span></a></p>
<p><span style="font-weight: 400;">[5] Ministry of Electronics and Information Technology. (2023). </span><i><span style="font-weight: 400;">The Digital Personal Data Protection Act, 2023.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf"><span style="font-weight: 400;">https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf</span></a></p>
<p><span style="font-weight: 400;">[6] EY India. (2025). </span><i><span style="font-weight: 400;">Decoding the Digital Personal Data Protection Act, 2023.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023"><span style="font-weight: 400;">https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023</span></a></p>
<p><span style="font-weight: 400;">[7] DLA Piper. (2025). </span><i><span style="font-weight: 400;">Data protection laws in India &#8211; Data Protection Laws of the World.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://www.dlapiperdataprotection.com/?t=law&amp;c=IN"><span style="font-weight: 400;">https://www.dlapiperdataprotection.com/?t=law&amp;c=IN</span></a></p>
<p><span style="font-weight: 400;">[8] International Network of Privacy Law Professionals (INPLP). (2023). </span><i><span style="font-weight: 400;">How does India&#8217;s new privacy law compare to GDPR?</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://inplp.com/latest-news/article/how-does-indias-new-privacy-law-compare-to-gdpr/"><span style="font-weight: 400;">https://inplp.com/latest-news/article/how-does-indias-new-privacy-law-compare-to-gdpr/</span></a></p>
<p><span style="font-weight: 400;">[9] ComplyDog. (2024). </span><i><span style="font-weight: 400;">GDPR vs DPDPA: Key Differences Between EU and India&#8217;s Data Protection Laws.</span></i><span style="font-weight: 400;"> Available at: </span><a href="https://complydog.com/blog/gdpr-vs-india-dpdpa"><span style="font-weight: 400;">https://complydog.com/blog/gdpr-vs-india-dpdpa</span></a></p>
<h6 style="text-align: center;"><em>Authorized and Published by <strong>Dhrutika Barad</strong></em></h6>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-2/">India&#8217;s Digital Personal Data Protection Act, 2023: Rights, Governance, and Global Standards – Part 2</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 1</title>
		<link>https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-1/</link>
		
		<dc:creator><![CDATA[Team]]></dc:creator>
		<pubDate>Sun, 13 Aug 2023 07:30:56 +0000</pubDate>
				<category><![CDATA[Civil Lawyers]]></category>
		<category><![CDATA[IT & BPM]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Data Protection Board]]></category>
		<category><![CDATA[DPDPA]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Personal Data Protection Act 2023]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=16664</guid>

					<description><![CDATA[<p>&#160; Introduction: The Dawn of Data Protection in India In today&#8217;s interconnected world, personal data has become a valuable commodity. The rapid advancement of technology, the growth of e-commerce, social media, and digital services, and the increasing reliance on data analytics have led to an unprecedented collection and processing of personal data. This has brought [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-1/">Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 1</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
<content:encoded><![CDATA[
<div id="attachment_16721" style="width: 1239px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-16721" class="wp-image-16721 size-full" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2023/08/image-4-UPDATED-3.jpg" alt="Navigating the Digital Frontier: India's Personal Data Protection Act, 2023 - Part 1" width="1229" height="684" /><p id="caption-attachment-16721" class="wp-caption-text">Analyzing India&#8217;s Personal Data Protection Act, 2023</p></div>
<h2><b>Introduction: The Dawn of Data Protection in India</b></h2>
<p>In today&#8217;s interconnected world, personal data has become a valuable commodity. The rapid advancement of technology, the growth of e-commerce, social media, and digital services, and the increasing reliance on data analytics have led to an unprecedented collection and processing of personal data. This has brought forth global challenges in ensuring data protection, privacy, security, and ethical use of information.</p>
<p>The Digital Personal Data Protection Act, 2023, is a response to the global and national challenges in data protection. It aims to create a resilient and responsible data governance framework that respects individual privacy, ensures national security, fosters economic growth, and aligns with international standards. By doing so, it positions India at the forefront of the global data protection landscape, reflecting a commitment to safeguarding the digital rights and interests of its citizens.</p>
<p><span style="font-weight: 400;">The digital transformation sweeping across India has brought unprecedented opportunities alongside significant challenges regarding personal data protection. With over 1.4 billion people and a rapidly expanding digital economy, India&#8217;s need for a robust data protection framework became increasingly apparent. This necessity culminated in the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), which received Presidential assent on August 11, 2023 [1]. The legislation represents India&#8217;s first standalone law specifically designed to regulate the processing of digital personal data, marking a watershed moment in the country&#8217;s legal landscape.</span></p>
<p><span style="font-weight: 400;">The journey toward this legislation began in earnest following a landmark constitutional judgment. On August 24, 2017, a nine-judge bench of the Supreme Court of India delivered a unanimous verdict in Justice K.S. Puttaswamy (Retd.) v. Union of India, declaring that the right to privacy is a fundamental right protected under Article 21 of the Constitution of India [2]. This historic judgment overruled earlier decisions and established that privacy is intrinsic to the right to life and personal liberty. The Court observed that privacy encompasses various dimensions including informational privacy, decisional privacy, and physical privacy, all essential to human dignity and autonomy.</span></p>
<h2><b>The Constitutional Foundation: Puttaswamy Judgment</b></h2>
<p><span style="font-weight: 400;">The Puttaswamy judgment emerged from a challenge to the Aadhaar scheme, India&#8217;s biometric identification program. Justice K.S. Puttaswamy, a retired judge of the Karnataka High Court, contended that the mandatory collection of biometric data without adequate safeguards violated citizens&#8217; privacy rights. The case required the Court to address whether the Constitution guarantees a right to privacy, as earlier eight-judge and six-judge benches had held otherwise.</span></p>
<p><span style="font-weight: 400;">Justice D.Y. Chandrachud, writing for himself and three other judges, articulated that privacy is not merely a common law right but a constitutionally protected fundamental right. The judgment emphasized that privacy enables individuals to exercise control over vital aspects of their lives and protects personal autonomy in matters of intimacy, family, and personal choices. The Court specifically noted that sexual orientation is an essential attribute of privacy and that discrimination based on sexual orientation is deeply offensive to dignity and self-worth.</span></p>
<p><span style="font-weight: 400;">This constitutional recognition of privacy created an imperative for Parliament to enact legislation safeguarding personal data. The judgment acknowledged that in an age where information technology governs virtually every aspect of life, the law must evolve to protect individual liberty against the overarching presence of both state and non-state entities.</span></p>
<h2><b>Legislative Evolution and the Path to DPDPA</b></h2>
<p><span style="font-weight: 400;">Following the Puttaswamy judgment, the Government of India constituted a Committee of Experts on Data Protection in 2017, chaired by Justice B.N. Srikrishna. This committee submitted its report in July 2018, which formed the basis for the Personal Data Protection Bill, 2019. That bill was introduced in Parliament in December 2019 and referred to a Joint Parliamentary Committee, which submitted its report in December 2021. However, the government withdrew this bill in August 2022, citing the need for a fresh comprehensive legal framework.</span></p>
<p><span style="font-weight: 400;">In November 2022, the Ministry of Electronics and Information Technology released a draft Digital Personal Data Protection Bill for public consultation. After incorporating stakeholder feedback, the revised Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha on August 3, 2023. The bill passed through both houses of Parliament with remarkable speed, passing Lok Sabha on August 7 and Rajya Sabha on August 9, 2023 [3]. The President&#8217;s assent on August 11, 2023, transformed it into the Digital Personal Data Protection Act, 2023.</span></p>
<h3><b>Phased Implementation</b></h3>
<p><span style="font-weight: 400;">The DPDPA provides for phased implementation, with different provisions coming into force on dates notified by the Central Government. On November 13, 2025, the government notified the Digital Personal Data Protection Rules, 2025, and established the Data Protection Board of India [4]. The Rules provide for an eighteen-month compliance period, with full implementation expected by May 13, 2027. This phased approach allows organizations time to align their systems and practices with the new requirements.</span></p>
<h2><b>Core Principles and Scope of the DPDPA</b></h2>
<p><span style="font-weight: 400;">The DPDPA adopts what the government describes as the &#8220;SARAL&#8221; approach—Simple, Accessible, Rational, and Actionable. The legislation applies to the processing of digital personal data within India and also has extraterritorial application. Specifically, it applies to processing of personal data outside India if such processing relates to offering goods or services to individuals within India. This extraterritorial reach mirrors the approach taken by the European Union&#8217;s General Data Protection Regulation (GDPR).</span></p>
<p><span style="font-weight: 400;">Personal data under the DPDPA is defined as any data about an individual who is identifiable by or in relation to such data. Digital personal data means personal data in digital form. Importantly, the Act applies to data that is collected digitally or collected in non-digital form and subsequently digitized. However, it excludes personal data processed for purely personal or domestic purposes and personal data made publicly available by the data principal or under legal obligation.</span></p>
<h3><b>Key Stakeholders</b></h3>
<p><span style="font-weight: 400;">The DPDPA defines three primary stakeholders. The Data Principal is the individual to whom the personal data relates. For children under eighteen years of age, parents or legal guardians act as data principals. Similarly, for persons with disabilities, lawful guardians exercise rights on their behalf. The Data Fiduciary is any person who, alone or jointly with others, determines the purpose and means of processing personal data. This concept parallels the &#8220;data controller&#8221; under GDPR. Finally, the Data Processor is any person who processes personal data on behalf of a data fiduciary. Unlike GDPR, the DPDPA does not impose direct statutory obligations on data processors; responsibilities rest primarily with data fiduciaries.</span></p>
<h2><b>Consent and Lawful Bases for Processing</b></h2>
<p><span style="font-weight: 400;">The DPDPA establishes consent as the primary legal basis for processing personal data. The Act requires that consent must be free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action. Data fiduciaries must provide a notice describing the personal data to be collected, the purpose of processing, and the manner in which consent may be withdrawn. This notice must be provided in English or any of the twenty-two languages specified in the Eighth Schedule of the Constitution, ensuring accessibility across India&#8217;s linguistically diverse population.</span></p>
<p><span style="font-weight: 400;">Consent must be limited to personal data necessary for the specified purpose. Data principals have the right to withdraw consent at any time, and the withdrawal mechanism must be as simple as the process for giving consent. Upon withdrawal, data fiduciaries must cease processing and delete the personal data unless retention is required under any law.</span></p>
<h3><b>Legitimate Uses Beyond Consent</b></h3>
<p><span style="font-weight: 400;">The DPDPA also recognizes certain &#8220;legitimate uses&#8221; where consent may not be required. These include processing for voluntary sharing by the data principal for a specified purpose, processing necessary for compliance with any law or court order, processing for employment-related purposes, and processing necessary to respond to medical emergencies or public health crises. Additionally, processing for purposes specified by the State such as issuing licenses, permits, or welfare benefits falls within legitimate uses. These exceptions balance individual privacy rights with practical necessities of governance and public welfare.</span></p>
<h2><b>Rights of Data Principals</b></h2>
<p><span style="font-weight: 400;">The DPDPA grants data principals several important rights concerning their personal data. Data principals have the right to access information about personal data and processing activities. Specifically, they can obtain a summary of personal data being processed, the processing activities undertaken, and the identities of all data fiduciaries and processors with whom their data has been shared.</span></p>
<p><span style="font-weight: 400;">Data principals also possess the right to correction, completion, and updating of their personal data. This right becomes particularly important when personal data is inaccurate or incomplete. Additionally, data principals have the right to erasure of their personal data. Data fiduciaries must erase personal data once the purpose for which it was collected has been fulfilled or when consent is withdrawn, unless retention is mandated by law.</span></p>
<p><span style="font-weight: 400;">One innovative feature of the DPDPA is the right to nominate another individual to exercise these rights in the event of death or incapacity. This provision recognizes that digital assets and personal data may have significance beyond an individual&#8217;s lifetime and ensures continuity in data protection rights.</span></p>
<h3><b>Grievance Redressal</b></h3>
<p><span style="font-weight: 400;">The Act mandates that data fiduciaries establish mechanisms for effective grievance redressal. Data principals can submit complaints regarding violations of their rights, and data fiduciaries must respond within a reasonable timeframe. If unsatisfied with the resolution, data principals may escalate their grievances to the Data Protection Board of India.</span></p>
<h2><b>Obligations of Data Fiduciaries</b></h2>
<p><span style="font-weight: 400;">Data fiduciaries bear substantial responsibilities under the DPDPA. They must ensure that personal data is processed lawfully and transparently, limiting collection to what is necessary for the specified purpose. Data fiduciaries must implement reasonable security safeguards to prevent personal data breaches, which include unauthorized processing, acquisition, disclosure, or any action that compromises the confidentiality, integrity, or availability of personal data.</span></p>
<p><span style="font-weight: 400;">In the event of a personal data breach, data fiduciaries must immediately notify the Data Protection Board and inform each affected data principal. This requirement differs from GDPR, which requires notification to supervisory authorities within 72 hours and to affected individuals only when the breach poses high risk. The DPDPA&#8217;s approach mandates universal notification regardless of severity, reflecting a more stringent standard.</span></p>
<p><span style="font-weight: 400;">Data fiduciaries must ensure accuracy and completeness of personal data. They are required to erase personal data once the purpose is served or when the data principal withdraws consent. The Act also mandates that data fiduciaries not undertake any processing that is likely to cause harm to children or involve tracking, behavioral monitoring, or targeted advertising directed at children.</span></p>
<h3><b>Significant Data Fiduciaries</b></h3>
<p><span style="font-weight: 400;">The Central Government has the authority to notify certain data fiduciaries as &#8220;Significant Data Fiduciaries&#8221; based on factors such as the volume and sensitivity of personal data processed, risk to the rights of data principals, and potential impact on India&#8217;s sovereignty and integrity. Significant data fiduciaries face additional obligations including appointing a Data Protection Officer, appointing an independent data auditor, conducting periodic data protection impact assessments, and undertaking other measures as prescribed. This tiered approach recognizes that larger organizations processing substantial volumes of sensitive data require heightened oversight.</span></p>
<h2><b>The Data Protection Board of India</b></h2>
<p><span style="font-weight: 400;">The DPDPA establishes the Data Protection Board of India as the principal regulatory and adjudicatory authority for data protection. The Board consists of a Chairperson and members appointed by the Central Government. Members must possess special knowledge or practical experience in fields such as data governance, law, information technology, or consumer protection. The Board functions as a quasi-judicial body rather than a policy-making regulator, focusing specifically on enforcement and adjudication.</span></p>
<p><span style="font-weight: 400;">The Board&#8217;s functions include determining non-compliance with the Act, imposing monetary penalties, issuing directions for remedial action in case of data breaches, and hearing grievances escalated by data principals. The Board operates digitally, allowing individuals to file complaints online and track proceedings through a dedicated portal and mobile application. This digital-first approach aims to make the grievance redressal process accessible and efficient.</span></p>
<p><span style="font-weight: 400;">Appeals against the Board&#8217;s decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which was established under the Telecom Regulatory Authority of India Act, 1997. This appellate mechanism ensures judicial oversight of the Board&#8217;s orders and decisions.</span></p>
<h3><b>Penalties and Enforcement</b></h3>
<p><span style="font-weight: 400;">The DPDPA empowers the Data Protection Board to impose significant penalties for non-compliance. Penalties range from INR 50 crores to INR 250 crores (approximately USD 6 million to USD 30 million) depending on the nature and severity of the violation. The Act specifies different penalty amounts for various breaches including failure to protect children&#8217;s data, breach of confidentiality, failure to implement reasonable security safeguards, and failure to erase data. These substantial penalties underscore the seriousness with which India approaches data protection compliance.</span></p>
<h2><b>Cross-Border Data Transfers and Exemptions</b></h2>
<p><span style="font-weight: 400;">Unlike some earlier draft versions, the DPDPA does not impose blanket restrictions on cross-border data transfers. Personal data may be transferred outside India to any country except those specifically notified as restricted by the Central Government. This approach differs significantly from GDPR, which requires adequacy decisions or appropriate safeguards such as standard contractual clauses for transfers to third countries. India&#8217;s framework is more flexible, adopting a blacklist approach rather than a whitelist mechanism [5].</span></p>
<p><span style="font-weight: 400;">The Act provides several exemptions recognizing the legitimate needs of government operations and research activities. Processing by government instrumentalities for purposes related to national security, public order, sovereignty and integrity of India, or prevention and investigation of offenses is exempt from certain provisions. Similarly, processing for research, archiving, or statistical purposes by government entities or entities notified by the government is exempt, provided such processing does not involve making decisions specifically affecting data principals.</span></p>
<h2><b>Comparison with Global Data Protection Frameworks</b></h2>
<p><span style="font-weight: 400;">The DPDPA shares several foundational principles with the European Union&#8217;s General Data Protection Regulation, which has become the global benchmark for data protection. Both frameworks emphasize consent-based processing, recognize individual rights of access and erasure, impose accountability on data controllers or fiduciaries, and provide for substantial penalties for non-compliance. Additionally, both have extraterritorial application extending jurisdiction beyond geographical boundaries [6].</span></p>
<p><span style="font-weight: 400;">However, important differences exist between the two frameworks. The GDPR provides six lawful bases for processing including consent, contract, legal obligation, vital interests, public task, and legitimate interests. The DPDPA relies primarily on consent with a narrower set of legitimate uses. The GDPR distinguishes between regular personal data and special categories of data (such as health, biometric, genetic, and data revealing racial or ethnic origin) that require enhanced protection. The DPDPA treats all personal data uniformly without categorizing sensitive personal data separately.</span></p>
<p><span style="font-weight: 400;">The GDPR grants data subjects extensive rights including not only access, correction, and erasure but also rights to data portability, restriction of processing, and objection to automated decision-making. The DPDPA provides a more limited set of rights, omitting data portability and specific protections against automated decision-making. Additionally, GDPR requires data protection impact assessments for high-risk processing, designates data protection officers for certain categories of controllers, and mandates breach notification to supervisory authorities within 72 hours. The DPDPA requires breach notification immediately but without a specific timeframe [7].</span></p>
<h3><b>Comparison with US Privacy Laws</b></h3>
<p><span style="font-weight: 400;">The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act, represents another significant data protection regime. Like the DPDPA, the CCPA emphasizes transparency and consumer control over personal data. Both frameworks require clear notices and provide rights to access and delete personal information. However, the CCPA focuses heavily on the right to opt out of the sale of personal information, a concept absent from the DPDPA since the Act does not specifically address data sales. The CCPA also applies based on revenue thresholds and volume of data processed, whereas the DPDPA has universal application to all data fiduciaries processing data of individuals in India.</span></p>
<h2><b>Special Protections for Children and Vulnerable Populations</b></h2>
<p><span style="font-weight: 400;">The DPDPA demonstrates particular concern for protecting children&#8217;s data. The Act defines a child as any individual who has not completed eighteen years of age, adopting a higher age threshold than GDPR&#8217;s sixteen years (or thirteen in some member states). Processing children&#8217;s personal data requires verifiable consent from parents or legal guardians. Data fiduciaries are prohibited from undertaking any processing that could cause harm to children, including tracking, behavioral monitoring, or targeted advertising directed at children.</span></p>
<p><span style="font-weight: 400;">Similarly, the Act provides protections for persons with disabilities by requiring verifiable consent from lawful guardians for processing their personal data. These provisions recognize the vulnerability of certain populations and establish heightened safeguards to protect their interests.</span></p>
<h2><b>Innovation: Consent Managers</b></h2>
<p><span style="font-weight: 400;">One distinctive feature of the DPDPA is the concept of Consent Managers. These are entities registered with the Data Protection Board that enable data principals to give, manage, review, and withdraw their consent through a single platform. Consent Managers act as intermediaries, simplifying the consent process especially when individuals interact with multiple data fiduciaries. This innovation addresses a practical challenge in the digital ecosystem where individuals often struggle to track and manage consents given to numerous platforms and services [8].</span></p>
<p><span style="font-weight: 400;">Consent Managers must maintain technological and operational capabilities to effectively manage consent and must adhere to standards prescribed by the Data Protection Board. This framework creates a user-centric mechanism that potentially enhances individual control over personal data while reducing compliance burdens on data fiduciaries.</span></p>
<h2><b>Challenges and Implementation Considerations</b></h2>
<p><span style="font-weight: 400;">While the DPDPA represents significant progress in India&#8217;s data protection journey, its implementation presents several challenges. The Act&#8217;s reliance on rules and notifications for many operational details means that its full scope will only become clear as the government issues implementing regulations. Organizations must navigate this evolving regulatory landscape while ensuring ongoing compliance with existing laws until the DPDPA becomes fully operative.</span></p>
<p><span style="font-weight: 400;">The absence of a definition for sensitive personal data may create uncertainties, particularly for sectors handling health information, financial data, or biometric information. International organizations operating in India must reconcile DPDPA requirements with obligations under GDPR, CCPA, and other jurisdictions&#8217; laws. The differing definitions of lawful processing bases, consent requirements, and individual rights create compliance complexities for multinational entities.</span></p>
<p><span style="font-weight: 400;">The two-year term for Data Protection Board members, while allowing for re-appointment, has raised questions about the independence and continuity of the regulatory authority. Shorter tenures compared to other regulatory bodies may impact institutional knowledge and consistent enforcement. Additionally, broad exemptions for government processing, particularly for national security and public order, have generated concerns about adequate oversight and potential for misuse.</span></p>
<h2><b>Prior Legal Framework</b></h2>
<p><span style="font-weight: 400;">Before the DPDPA, India&#8217;s data protection framework consisted primarily of Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 43A provided for compensation to affected persons for negligence in implementing reasonable security practices resulting in wrongful loss or gain. The 2011 Rules defined sensitive personal data and prescribed security practices for body corporates collecting, receiving, or processing such information</span><span style="font-weight: 400;"> [9]</span><span style="font-weight: 400;">.</span></p>
<p><span style="font-weight: 400;">This patchwork framework had significant limitations including narrow scope confined to body corporates, absence of an independent regulatory authority, limited enforcement mechanisms, and inadequate provisions for cross-border data transfers. The DPDPA addresses these deficiencies by establishing a dedicated regulatory body, providing detailed individual rights, imposing specific obligations on data fiduciaries, and creating a robust penalty framework.</span></p>
<h2><b>Conclusion: India&#8217;s Data Protection Future</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Act, 2023 marks a pivotal moment in India&#8217;s legal evolution, establishing a framework that balances individual privacy rights with the imperatives of digital economic growth. By enshrining data protection principles in legislation and creating institutional mechanisms for enforcement, India has joined the community of nations committed to safeguarding personal data in the digital age.</span></p>
<p><span style="font-weight: 400;">The Act reflects lessons learned from global experiences while addressing India&#8217;s unique context—its scale, diversity, developmental priorities, and digital transformation journey. The phased implementation provides organizations time to adapt, while the simplified language and digital-first approach of the Data Protection Board aim to make the law accessible and practical.</span></p>
<p><span style="font-weight: 400;">As India moves toward full implementation by 2027, the success of the DPDPA will depend on several factors. The quality and clarity of implementing rules will be crucial. The independence, expertise, and effectiveness of the Data Protection Board will determine enforcement outcomes. The willingness of organizations to embrace a culture of data protection beyond mere compliance will shape the practical impact. Most importantly, public awareness and engagement will empower individuals to exercise their rights meaningfully.</span></p>
<p><span style="font-weight: 400;">The DPDPA represents not merely a legal obligation but an opportunity—to build trust in the digital ecosystem, to establish India as a responsible data economy on the global stage, and to ensure that technological progress serves human dignity and individual autonomy. As the world&#8217;s largest democracy and one of its fastest-growing digital markets, India&#8217;s approach to data protection will have implications far beyond its borders, potentially influencing standards across South Asia and beyond.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] Ministry of Electronics and Information Technology, Government of India. (2023). </span><i><span style="font-weight: 400;">The Digital Personal Data Protection Act, 2023 (No. 22 of 2023)</span></i><span style="font-weight: 400;">. The Gazette of India Extraordinary. </span><a href="https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf"><span style="font-weight: 400;">https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf</span></a></p>
<p><span style="font-weight: 400;">[2] Supreme Court of India. (2017). </span><i><span style="font-weight: 400;">Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors.</span></i><span style="font-weight: 400;"> Writ Petition (Civil) No. 494 of 2012. </span><a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf"><span style="font-weight: 400;">https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf</span></a></p>
<p><span style="font-weight: 400;">[3] Wikipedia. (2025). </span><i><span style="font-weight: 400;">Digital Personal Data Protection Act, 2023</span></i><span style="font-weight: 400;">. </span><a href="https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023"><span style="font-weight: 400;">https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023</span></a></p>
<p><span style="font-weight: 400;">[4] Press Information Bureau, Government of India. (2025). </span><i><span style="font-weight: 400;">Digital Personal Data Protection (DPDP) Rules, 2025</span></i><span style="font-weight: 400;">. Ministry of Electronics &amp; Information Technology. </span><a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655"><span style="font-weight: 400;">https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655</span></a></p>
<p><span style="font-weight: 400;">[5] Linklaters. (2023). </span><i><span style="font-weight: 400;">India – The Digital Personal Data Protection Act, 2023 finally arrives</span></i><span style="font-weight: 400;">. DigiLinks Blog. </span><a href="https://www.linklaters.com/en/insights/blogs/digilinks/2023/august/india-the-digital-personal-data-protection-act"><span style="font-weight: 400;">https://www.linklaters.com/en/insights/blogs/digilinks/2023/august/india-the-digital-personal-data-protection-act</span></a></p>
<p><span style="font-weight: 400;">[6] Latham &amp; Watkins LLP. (2023). </span><i><span style="font-weight: 400;">India&#8217;s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison</span></i><span style="font-weight: 400;">. </span><a href="https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf"><span style="font-weight: 400;">https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf</span></a></p>
<p><span style="font-weight: 400;">[7] DLA Piper. (2025). </span><i><span style="font-weight: 400;">Data protection laws in India</span></i><span style="font-weight: 400;">. Data Protection Laws of the World. </span><a href="https://www.dlapiperdataprotection.com/?t=law&amp;c=IN"><span style="font-weight: 400;">https://www.dlapiperdataprotection.com/?t=law&amp;c=IN</span></a></p>
<p><span style="font-weight: 400;">[8] Morgan Lewis. (2023). </span><i><span style="font-weight: 400;">India Enacts New Privacy Law: The Digital Personal Data Protection Act</span></i><span style="font-weight: 400;">. </span><a href="https://www.morganlewis.com/pubs/2023/08/india-enacts-new-privacy-law-the-digital-personal-data-protection-act"><span style="font-weight: 400;">https://www.morganlewis.com/pubs/2023/08/india-enacts-new-privacy-law-the-digital-personal-data-protection-act</span></a></p>
<p><span style="font-weight: 400;">[9] PRS Legislative Research. (2023). </span><i><span style="font-weight: 400;">The Digital Personal Data Protection Bill, 2023</span></i><span style="font-weight: 400;">. </span><a href="https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023"><span style="font-weight: 400;">https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023</span></a></p>
<h6 style="text-align: center;"><em>Published and Authorized by <strong>Rutvik Desai</strong></em></h6>
<p>The post <a href="https://bhattandjoshiassociates.com/introduction-and-preliminary-overview-of-the-digital-personal-data-protection-act-2023-part-1/">Navigating the Digital Frontier: India&#8217;s Personal Data Protection Act, 2023 &#8211; Part 1</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
