Data Protection and Privacy in India: From Puttaswamy to the Digital Personal Data Protection Act, 2023

September 6, 2025

The digital era has transformed the way individuals interact with the State, businesses, and one another. Every action—whether browsing online, using social media, or accessing banking services—leaves behind a digital footprint. These footprints, when collected, stored, and analyzed, form the backbone of a new resource: personal data. While such data drives innovation and growth, it also raises serious concerns about privacy, surveillance, and misuse. In India, the recognition of the right to privacy as a fundamental right in the landmark Puttaswamy judgment (2017) laid the foundation for a legal framework on data protection. This article explores the evolution of privacy law in India, the significance of the Digital Personal Data Protection Act, 2023, and the challenges ahead.

The Right to Privacy: From Denial to Recognition

For decades, India lacked clarity on whether privacy was constitutionally protected. Earlier judgments, such as M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1962), denied privacy the status of a fundamental right. It was only through judicial evolution that the tide began to turn, culminating in the watershed Justice K.S. Puttaswamy v. Union of India (2017) case.

In this case, a nine-judge bench of the Supreme Court unanimously held that the right to privacy is intrinsic to the right to life and personal liberty under Article 21 of the Constitution. The judgment expanded the scope of privacy to include informational privacy, bodily autonomy, and decisional privacy. It also emphasized the need for a robust data protection framework in India, given the increasing collection of personal information by both State and private actors.

The Aadhaar Debate and Its Influence

The debate over Aadhaar—India’s biometric identity system—played a significant role in shaping privacy jurisprudence. While Aadhaar was upheld as constitutional in K.S. Puttaswamy (Aadhaar-2) (2018), the Court limited its use to welfare schemes and struck down its mandatory linkage with services like banking and mobile connections. This highlighted the delicate balance between technological efficiency and individual rights, further underscoring the urgency of a dedicated data protection law.

Pre-2023 Legal Landscape

Before the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act), India’s legal framework on data privacy was fragmented. The Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provided limited protection. These rules placed obligations on companies handling sensitive data such as financial information, passwords, and health records, but enforcement was weak, and coverage was narrow.

There was no comprehensive legislation regulating the collection, storage, or sharing of personal data across industries. In comparison, jurisdictions like the European Union (EU) had already adopted stringent frameworks like the General Data Protection Regulation (GDPR), which became the global benchmark.

The Digital Personal Data Protection Act, 2023: An Overview

The passage of the DPDP Act, 2023, marked a turning point in India’s data protection journey. The Act aims to regulate how personal data is collected, processed, and stored, while balancing individual rights with the needs of businesses and governance.

Key Features of the DPDP Act:

  1. Scope: The Act applies to the processing of digital personal data within India, and also to data processed outside India if it relates to goods or services offered to Indian individuals. 
  2. Consent-Centric Framework: Personal data can only be processed based on free, informed, specific, and unambiguous consent of the individual (the “data principal”). Consent must be obtained in clear and plain language, with the option to withdraw at any time. 
  3. Rights of Data Principals: Individuals are given rights such as: 
    • Right to access information about their data. 
    • Right to correction and erasure. 
    • Right to nominate someone to exercise rights in case of death or incapacity. 
  4. Obligations of Data Fiduciaries: Entities that determine how personal data is processed (called “data fiduciaries”) must ensure transparency, accuracy, and security of data. “Significant data fiduciaries”—those handling large-scale or sensitive data—have additional obligations, such as appointing a Data Protection Officer. 
  5. Cross-Border Data Transfers: The Act permits cross-border transfer of data to countries notified by the Central Government, unlike earlier drafts that favored strict data localization. 
  6. Children’s Data: Processing of personal data of children under 18 requires parental consent, with restrictions on tracking, behavioral monitoring, and targeted advertising. 
  7. Penalties: Non-compliance attracts significant penalties, up to ₹250 crore for serious breaches, signaling a strong deterrent mechanism. 

Balancing Privacy and Governance

The DPDP Act seeks to strike a balance between individual rights and the State’s interests in governance, law enforcement, and national security. It includes exemptions for processing personal data in the interest of national security, prevention of crime, and government functions. Critics, however, argue that these exemptions are too broad, potentially enabling mass surveillance and undermining privacy protections.

Judicial Response and Continuing Oversight

Since Puttaswamy, courts have remained vigilant in upholding privacy rights. For instance, the Supreme Court in Puttaswamy (Aadhaar-2) recognized informational privacy as central to individual dignity. Similarly, High Courts have dealt with issues of data misuse, emphasizing proportionality and necessity in data collection. With the enactment of the DPDP Act, the judiciary is expected to play a crucial role in interpreting its provisions, especially in balancing State surveillance powers with constitutional freedoms.

Comparative Perspective: GDPR vs. DPDP

While inspired by the EU’s GDPR, the DPDP Act departs in significant ways:

  • GDPR grants individuals the “right to be forgotten,” which is diluted in the Indian law. 
  • The DPDP Act centralizes much of the decision-making with the government, including notification of permitted countries for cross-border data transfer. 
  • Penalties under the GDPR are proportionate to global revenues, while India caps penalties, making enforcement less stringent for large corporations. 

This reflects India’s attempt to balance global trade competitiveness with local realities, but also leaves gaps in protection.

Challenges in Implementation

The success of the DPDP Act will depend not just on the text of the law but also on its enforcement. Key challenges include:

  • Awareness and literacy: Most citizens are unaware of their data rights, making consent often a formality. 
  • Capacity of regulators: Establishing and empowering the Data Protection Board of India will be critical. 
  • Industry adaptation: Small businesses may find compliance costly, while large corporations may exploit loopholes. 
  • Government exemptions: Without independent oversight, wide-ranging government powers could dilute the Act’s effectiveness. 

The Way Forward

India’s journey toward robust data protection has only just begun. Some essential steps for the future include:

  • Ratifying the UN Convention on the Right to Privacy and aligning domestic law with international standards. 
  • Ensuring independent functioning of the Data Protection Board to prevent conflicts of interest. 
  • Investing in digital literacy campaigns to empower individuals to exercise their rights. 
  • Incorporating stronger safeguards against State surveillance, with provisions for judicial or parliamentary oversight. 

Conclusion

The recognition of privacy as a fundamental right in Puttaswamy and the enactment of the Digital Personal Data Protection Act, 2023 together mark a paradigm shift in India’s approach to data and privacy. However, the real test lies in implementation. If the law becomes merely a compliance checklist for corporations and a surveillance tool for the State, the promise of Puttaswamy will remain unfulfilled.

For India to emerge as a digital democracy that truly respects individual dignity, data protection must be seen not as a technical issue, but as a cornerstone of constitutional governance. Only then can citizens trust that their digital footprints will not become chains binding their freedom.
