
This article, the first in a series, traces the evolution of privacy in India from a fragmented common law concept to the fundamental right enshrined in the 2017 Puttaswamy judgment. It then provides a comprehensive overview of the Digital Personal Data Protection Act, 2023, highlighting its key definitions, salient features, and how it establishes a unified, consent-centric framework to replace the outdated sectoral regulations of the IT Act.

Lt Col Ujjual Abhishek Jha, Retd
Introduction
The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) marks a transformative milestone in India’s journey toward a robust and accountable digital economy. The Act is designed to operationalize the Right to Privacy, affirmed as a fundamental right by the Supreme Court in the landmark K.S. Puttaswamy Judgment (2017). By establishing a comprehensive, consent-centric framework for processing digital personal data, the DPDPA empowers individuals with meaningful rights over their information, thereby aligning India’s data governance with global privacy standards.
The Concept of Privacy in India: A Pre-DPDPA Perspective
Prior to the DPDPA, the concept of privacy in India was not anchored in a single, overarching statute but was instead shaped through fragmented judicial interpretations and sector-specific regulations. This patchwork approach left the judiciary grappling with the dual challenge of defining the scope of privacy rights while balancing them against national imperatives like economic growth and digital inclusion.
The watershed moment for this evolution was the large-scale digitization of public services—most notably the Aadhaar program—which catalyzed a paradigm shift. The understanding of privacy expanded from a notion of physical autonomy to a broader right of control over one’s own data. In the contemporary context, Indian jurisprudence now views privacy through a dual lens:
- As a Fundamental Value: Recognizing privacy as an intrinsic and inalienable human right.
- As an Active Value: Acknowledging privacy as a critical prerequisite for fostering innovation, building trust in the digital ecosystem, and safeguarding other fundamental freedoms.
Cornerstones of Privacy: Milestones & Governing Laws
Before the DPDPA, India’s privacy landscape was a mosaic of constitutional principles and sectoral rules. The key pillars were:
The Constitutional Keystone: K.S. Puttaswamy v. Union of India (2017). This unanimous verdict by a nine-judge Constitution Bench of the Supreme Court serves as the bedrock of modern Indian privacy law.
– The Landmark Ruling: The Court unanimously held that the Right to Privacy is an intrinsic facet of the Right to Life and Personal Liberty guaranteed under Article 21 of the Constitution.
– The Enduring Impact: The judgment established a rigorous, three-fold test to validate any state-imposed intrusion into privacy, mandating that such action must satisfy:
– Legality: The presence of a validly enacted law.
– Necessity: A legitimate state interest or aim.
– Proportionality: A rational and proportionate link between the means employed and the object sought to be achieved.
The Pre-Existing Legal Framework Governing Privacy
The Information Technology Act, 2000 (IT Act). For years, the IT Act served as the primary statutory mechanism for data protection in India, functioning largely through Section 43A.
– The SPDI Rules (2011): Framed under the IT Act, the Sensitive Personal Data or Information Rules mandated that corporate entities implement and maintain reasonable security practices and procedures.
– Inherent Limitations: The Rules were confined to corporate bodies and applied only to a narrow category of “sensitive” data, leaving a vast expanse of “personal” data—and the public sector—outside any regulatory ambit.
Sector-Specific Regulations. Pending a central law, sectoral regulators filled the void by imposing privacy and confidentiality mandates within their domains:
– Financial Sector: The Reserve Bank of India (RBI) enforced stringent data localization norms and confidentiality requirements for payments ecosystem data.
– Telecom Sector: The Unified License agreement imposed binding confidentiality clauses on telecom service providers concerning subscriber details.
– Healthcare Sector: Patient confidentiality was primarily governed by professional ethics regulations, such as the Indian Medical Council Regulations, 2002, alongside draft legislation like the Digital Information Security in Healthcare Act (DISHA), which remained in a nascent stage.

The Imperative for a Comprehensive Framework
The inadequacies of the IT Act’s Section 43A—particularly the absence of an independent regulatory authority and weak enforcement mechanisms—underscored the urgent need for a dedicated, omnibus data protection law. This legislative journey commenced with the Justice B.N. Srikrishna Committee (2017), which produced the first draft of the Personal Data Protection Bill. Subsequent iterations in 2018, 2019, and 2022 were deliberated, debated, and ultimately withdrawn, paving the way for the passage of the DPDPA in August 2023. The subsequent notification of the DPDP Rules, 2025 translated the Act’s mandate into actionable procedures, detailing governance structures, compliance thresholds, and implementation timelines.
Overview of the DPDPA 2023
The DPDPA 2023 establishes a comprehensive regime for the processing of digital personal data within India, including data originally collected in non-digital form and later digitized. It possesses extraterritorial applicability, binding entities outside India that process data in connection with offering goods or services to Data Principals within India. The Act applies uniformly to public and private entities, with specific exemptions for notified state functions, research, and certain low-risk processing activities.
Key Definitions:
– Data Principal: The individual to whom the personal data pertains, with special provisions for children and persons with disabilities.
– Data Fiduciary: The entity that determines the purpose and means of processing. A subclass, Significant Data Fiduciaries (SDFs), is subject to heightened compliance obligations due to the scale and sensitivity of their operations.
– Other Key Entities: The framework also defines the roles of Data Processors and Consent Managers, and establishes the Data Protection Board of India (DPBI) as the primary adjudicatory and enforcement authority.
Salient Features of the DPDPA 2023
– Consent and Legitimate Uses: Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Notices must be provided in plain and simple language, including translations in any language specified in the Eighth Schedule of the Constitution. The Act also identifies certain “legitimate uses” that permit data processing without explicit consent (e.g., for specified state functions, medical emergencies, employment purposes, and legal compliance).
– Empowering Data Principals: The Act enshrines foundational rights for individuals, including the rights to access information, seek correction and completion of data, demand erasure, and have access to effective grievance redressal mechanisms. A novel provision allows a Data Principal to nominate another individual to exercise these rights in the event of their death or incapacity.
– Safeguarding Children’s Data: The Act imposes strict prohibitions on tracking, behavioural monitoring, or targeted advertising directed at children. Processing of children’s data is conditional upon obtaining verifiable parental consent, with provisions for future relaxations to be specified through rules.
– Enshrining Duties of Data Principals: In a significant move, the Act imposes specific duties on individuals, prohibiting them from filing frivolous or false complaints, furnishing false particulars, or impersonating others.
– Penalties for Non-Compliance: The Act introduces a stringent financial penalty regime, with monetary fines reaching up to ₹250 crore per contravention. Higher penalty slabs are prescribed for particularly egregious violations, such as data security breaches and non-compliance with provisions relating to children’s data.

India’s erstwhile privacy framework, anchored in the Information Technology Act, 2000 (amended in 2008), proved fragmented and ill-suited for the digital age. Provisions like Sections 43A and 72A offered limited recourse, primarily focusing on compensation for negligence and penalties for unauthorized disclosure, but fell short of establishing a holistic framework of data rights. The Digital Personal Data Protection Act, 2023, therefore, represents a pivotal and long-overdue shift. As India’s first comprehensive data privacy law, it regulates the entire lifecycle of digital personal data, embedding principles of user consent, data minimization, and purpose limitation, while granting citizens enforceable rights and establishing the Data Protection Board as a robust oversight mechanism.
(Lt Col Ujjual Abhishek Jha, Retd, is a Certified Data Privacy Professional and Strategic & Geopolitical Advisor. His specialised fields also include Intelligence, Insider Threat Management, Financial Crime Investigation and Geopolitical Risk Analysis, with two decades of experience in the field.)
The post Digital Personal Data Protection Act (DPDPA) 2023 Series: Part I — The Foundations of Privacy: Evolution of Indian Laws & A Roadmap to DPDPA first appeared on The Frontier Manipur.
Read more / Original news source: https://thefrontiermanipur.com/digital-personal-data-protection-act-dpdpa-2023-series-part-i-the-foundations-of-privacy-evolution-of-indian-laws-a-roadmap-to-dpdpa/