THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A CONSTITUTIONAL AND REGULATORY ANALYSIS

By
inkinccorporation@gmail.com
-
0
4


Abstract

Recognizing privacy as a fundamental right by the Supreme Court in K.S. Puttaswamy, the DPDP Act aims to be the main regulation controlling digital personal data in India. Union of India (published in 2017). This work examines the DPDP Act through a constitutional analysis, looks at the growth of privacy law in India, explains the main definitions, rights and obligations included in the Act and compares its provisions to those established by the EU GDPR and California’s CCPA/CPRA.

 It is concluded by the study that the DPDP Act satisfies the legal, necessary and proportionality criteria of Puttaswamy, as it requires consent, defines rights for the data principal and sets up a Data Protection Board for adjudication. Yet, the broad Section 17 law and extensive authorities for creating rules by executive order can make these safeguards less effective, as it encourages massive surveillance, saves data indefinitely and assigns the main enforcement role to government executives. By introducing these gaps, the government could run into problems with Articles 14, 19 and 21 of the Constitution and reduce transparency by amending Section 8(1)(j) of the Right to Information Act.

The paper suggests remedying these weaknesses by (i) requiring strict proof of proportionality and independent assessment for all significant state exemptions; (ii) improving the Data Protection Board’s autonomy and allocating better funding for it; (iii) implementing algorithmic-impact audits and different forms of penalties for major data fiduciaries; (iv) requiring region-based ombudsmen and simple offline methods for citizens to access redress; and (v) restoring public-interest reasons for use in the application of the Right to Information. According to these ideas, to be in keeping with global standards, match government aims and earn trust and new developments, these reforms are necessary.

Keywords: Digital Personal Data Protection Act 2023 (DPDP Act), Data Privacy, Constitutional Law, Data Fiduciaries

 1: INTRODUCTION
1.1 Overview of the Digital Era and the Emergence of Data as a Valuable Asset

The rise of digital technology has caused significant shifts in how information is used by all. Because of its importance, data is often seen as the new oil, supporting major changes in society, technology and the economy. Since social media, shopping online and the internet are being used so widely, personal information is now being created, gathered and analyzed at an unprecedented rate. The IDC predicts that by 2025[1], data across the globe will reach 175 zettabytes and much of it will likely be personal information. Thanks to more than 800 million internet users, India is one of the leading players in the digital economy because of the huge amounts of data it produces.

These days, companies rely on personal data which allows them to recognize an individual and is made up of names, addresses, banking data and information about personal habits. While governments apply this information to help people and improve laws, companies use it to provide more personal ads, invent new products and provide better services. However, using data so much means that major dangers related to security, privacy and abuse have appeared. Problems caused when data is processed without regulation such as identity theft and illegal surveillance, became obvious due to the Cambridge Analytica data breach in 2018.

Due to programs like Digital India, Aadhaar and UPI, India is transforming fast into a digital society and there are now millions more people online. Because creativity and inclusivity are encouraged, more attention has been given to data protection. The introduction of the DPDP Act was necessary because prior laws did not fully protect Indian citizens online. The GDPR was designed to promote new technology without compromising personal privacy.

1.2 Evolution of Privacy Laws in India

The evolution of India’s privacy laws shows a shift from fragmented sector-specific regulations and court-driven interpretations to a systematic, comprehensive legal framework. This journey highlights India’s response to the challenges of the digital age and has been influenced by global events, legislative actions, and constitutional developments.

Early Judicial Foundations (1950s–1970s)

Privacy was not specifically mentioned as a fundamental right in the 1950 Indian Constitution. Conservative views were reflected in early court interpretations. The Supreme Court emphasized that search and seizure powers did not infringe upon personal liberty when it ruled in M.P. Sharma v. Satish Chandra[2] that the Constitution did not guarantee a right to privacy. In a similar vein, the Court maintained police surveillance in Kharak Singh v. State of Uttar Pradesh[3], concluding that domiciliary visits did not violate the right to life and liberty guaranteed by Article 21. But Justice Subba Rao’s dissenting views in Kharak Singh emphasized privacy as essential to individual dignity, setting the stage for future acknowledgment.

With Govind v. State of Madhya Pradesh[4], the Supreme Court recognized privacy as a component of individual liberty under Article 21 in the 1970s, although it was subject to reasonable limitations for the sake of morality or public order. Although its reach was constrained by the lack of clear constitutional protection, this case demonstrated a growing judicial recognition of the value of privacy.

Sectoral Legislative Measures (1980s–2010s)

India relied on sectoral regulations to address particular aspects of data protection because it lacked a single privacy law. As a first step, the Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983[5], mandated that public financial institutions keep their transactions confidential. The financial industry’s early acceptance of data protection was mirrored in this law.

An important development was the Information Technology Act of 2000[6], which addressed cybercrimes and gave legal recognition to electronic transactions. A step toward data protection was taken with the introduction of Section 43A of the IT Act through the 2008 amendment, which held entities accountable for failing to protect sensitive personal data. Its scope was constrained, though, as it prioritized compensation over thorough privacy governance.

The financial industry’s early acceptance of data protection was mirrored in this law.
Credit information companies were required to handle credit data securely by the Credit Information Companies (Regulation) Act of 2005[7]. Similar protections for safe financial transactions were put in place by the Payment and Settlement Systems Act of 2007[8]. Through announcements like the 2008 credit card operations guidelines (RBI/2008-2009/100)[9], Know Your Customer (KYC) standards (RBI/2015-16/108)[10], and the 2018 requirement for localized storage of payment system data (RBI/2017-18/153)[11], the Reserve Bank of India (RBI) strengthened the protections of the financial sector even more. Although they were sector-specific, these measures addressed data security, transaction integrity, and customer identification.

A significant advancement in India’s data protection framework was made possible by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)[12], which were created under the IT Act.

These regulations defined sensitive personal data (passwords, bank account information, medical records, etc.) and required companies to have appropriate security procedures in place, get permission before collecting data, and offer opt-out options. The SPDI Rules, which mainly targeted corporate entities, were criticized for their limited enforcement and applicability despite their progressive nature. [13]

Expanding Sectoral Frameworks (2010s–2020s)

India added more sectoral regulations as digital technologies developed. By addressing data collection practices and creating grievance redressal mechanisms, the Consumer Protection Act of 2019[14] expanded consumer privacy protections. Privacy safeguards for health data were introduced in the healthcare sector by the Ayushman Bharat Digital Mission (ABDM) Health Data Management Policy[15], which placed an emphasis on secure management and confidentiality.

The Telecom Regulatory Authority of India (TRAI) promoted user consent and data protection in its 2018 recommendations (Press Release No. 78)[16] on privacy, security, and data ownership in the telecom industry. Digital platforms and intermediaries were subject to duties under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[17], which prioritized user data protection, content moderation, and accountability.

These sectoral measures, while effective within their domains, highlighted the fragmented nature of India’s privacy framework. The lack of a unified law created inconsistencies in compliance and enforcement, underscoring the need for comprehensive legislation.

An important turning point in India’s privacy history was the historic K.S. Puttaswamy v. Union of India[18] (2017) ruling. The right to privacy, which includes informational privacy, bodily autonomy, and decisional autonomy, was unanimously upheld by a nine-judge Supreme Court bench as a fundamental right under Article 21. The Court emphasised that privacy is essential to liberty and dignity by overturning M.P. Sharma and Kharak Singh. By introducing the concepts of proportionality, necessity, and legality for state actions that violate privacy, the ruling brought India’s legal system into compliance with international norms such as the International Covenant on Civil and Political Rights [19](ICCPR) and the Universal Declaration of Human Rights (UDHR).[20]

The government was ordered to create a robust data protection law to regulate the processing of personal data by the Puttaswamy ruling. As a result, the Justice B.N. Srikrishna Committee[21] was established in 2017 with the task of creating a framework for data protection. The Committee’s 2018 report, which included a draft Personal Data Protection Bill (PDPB), suggested a comprehensive law that balanced state interests, individual rights, and economic growth.

The Road to the DPDP Act (2018–2023)

After being introduced in 2019, the PDPB was revised and subjected to numerous consultations. The DPDP Act’s provisions permitting government exemptions and its ambiguous enforcement procedures drew criticism. August 11, 2023, saw the enactment of the Digital Personal Data Protection Act, 2023, following several revisions, including the 2021 Joint Parliamentary Committee review and the 2022 draft Digital Personal Data Protection Bill.

India’s disparate privacy laws are unified under the DPDP Act. It provides rights to data principals (the people whose data is processed), defines personal data, and lays out duties for data fiduciaries (the organisations that process data). Consent-based data processing, purpose limitation, data minimisation, and the creation of a Data Protection Board for enforcement are important components. The Act addresses issues unique to India, like digital inclusion and economic growth, while taking cues from international frameworks like the General Data Protection Regulation (GDPR) of the European Union.

1.3  Need for a Dedicated Data Protection Law

The need for a comprehensive data protection law in India has become more evident due to the swift development of digital technologies and the increasing reliance on personal data. This need is demonstrated by several important factors:

  1. The nation has seen a sharp increase in cybercrimes, including identity theft, phishing scams, and data breaches, underscoring flaws in the current legal system. According to a 2023 report by Cybersecurity Ventures,[22] personal data is a prime target for cybercrime, which could cost India $10 trillion a year by 2025. The absence of a comprehensive data protection law left individuals and organizations vulnerable to such threats.
  2. India required a data protection framework in line with international standards, such as the General Data Protection Regulation (GDPR) of the European Union, since it is a centre for IT services and cross-border trade. The absence of such a law made India less appealing as a location for foreign investment and increased the likelihood that it would be left out of international data-sharing agreements.
  3. The Puttaswamy ruling, which emphasised the necessity of striking a balance between individual rights and justifiable state interests, required the government to pass laws to safeguard the right to privacy. Because there was no specific legislation, there was a regulatory void that resulted in insufficient and disjointed privacy protections.
  4. While programs like Aadhaar and Digital India have increased access to the internet, they have also sparked worries about data abuse and monitoring. To increase public confidence in digital systems and guarantee that citizen data is handled securely and transparently, a strong data protection law is necessary.
  5. There are a tonne of chances for innovation and expansion in the data-driven economy. However, in the absence of clear regulations, consumers ran the risk of being taken advantage of and businesses faced uncertainty about compliance. A dedicated law would provide clarity, foster innovation, and protect consumer rights

These issues are addressed by the DPDP Act, which was passed on August 11, 2023, and creates a thorough framework for data protection. A major step towards protecting privacy in India’s digital age, it governs the processing of digital personal data, places duties on data fiduciaries, and gives data principals rights.

1.4  Objectives of the Study

The aim of this dissertation is to analyze the DPDP Act from a constitutional and regulatory perspective.

  1. The aim is to analyze the role of the constitution and the right to privacy in shaping the Digital Personal Data Protection Act.
  2.  To examine the main components, organizational framework and methods of implementation in the DPDP Act.
  3.  To assess the compatibility of the DPDP Act with the constitutional right to privacy in India and global data protection norms.
  4. To assess how well the DPDP Act addresses important matters of executive discretion, accountability and transparency.
  5. To suggest ways to enhance the DPDP Act to establish a strong framework for data protection and privacy in India.
1.5  Research Methodology

Study of the existing legal materials and documents. Analyzing various statutes, legal precedents and writings concerning data protection, privacy and government surveillance is an important step. Sources for doctrinal research will be the DPDPA 2023, related cases and judgments, official documents and published academic literature.

1.6  Scope and Limitations

Scope

The study explores the Digital Personal Data Protection Act, 2023, analyzing its constitutional foundations, framework and conformity with international privacy laws. It outlines how privacy laws have developed in India, important legal cases related to privacy and key features of the Data Protection Act such as the concepts, requirements, rights and procedures for implementation and enforcement. The author also explores exemptions granted to the government and limitations on the regulator’s powers. The assessment clarifies the role of the DPDP Act within the broader international context by comparing it to the GDPR and CCPA.

Limitations

  1. The DPDP Act, passed in August 2023, is not yet fully enforced, as its rules are still under development. The lack of practical implementation data limits the analysis of its real-world impact.
  1. The Act’s reliance on delegated legislation means that many provisions remain subject to future rulemaking, creating uncertainty about their final form.
  2. The study relies primarily on doctrinal analysis due to the absence of empirical data on the Act’s enforcement and compliance.
  3. The rapid evolution of technology and data processing practices may outpace the Act’s provisions, posing challenges to its long-term relevance.

Despite these limitations, the study provides a comprehensive analysis of the DPDP Act, offering insights into its constitutional and regulatory dimensions and proposing actionable recommendations for its improvement.

2. KEY FEATURES OF DIGITAL PERSONAL DATA PROTECTION ACT, 2023
2.1   Key Definitions and Concepts

The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act)[23] marks the launch of India’s first holistic data protection regime. The landmark ruling in Justice K.S. Puttaswamy v. The Act addresses the landmark ruling in Puttaswamy (2017) which proclaimed privacy as a fundamental right guaranteed by Article 21 of our Constitution. The Digital Personal Data Protection Act seeks to protect personal data and promote innovation in a rapidly growing digital economy that includes platforms like Aadhaar and Digital India, e-commerce and fintech. This chapter examines the Act’s core definitions, essential components, government concessions, enforcement strategies and global comparisons, evaluating the favourable aspects and difficulties confronted during its implementation.

ü  Data

According to Section 2(h) of the Act, data is a representation of facts, information, ideas, opinions, or instructions that can be processed, interpreted, or communicated by automated or human systems. This broad definition encompasses various formats such as text, numbers, images, or other forms that convey meaning, reflecting the Act’s inteinformnt to cover diverse data types in the digital realm.

ü  Personal Data

Personal data comprises any information that relates to an individual who can be identified either directly or indirectly (Section 2(t)). Whether or not data identifies a specific person is determined by the circumstances in which it is utilized. It is consistent with regulations like the GDPR, yet it does not distinguish between “sensitive” and “ordinary” personal data as defined in previous bills like the Personal Data Protection Bill, 2019.

ü  Digital Personal Data

Under the Act, attention is directed solely to personal data in digital format, regardless of whether it was acquired online or converted from non-digital records. The DPA is narrower than laws such as GDPR, as it only applies to digital information.

ü  Processing

Processing in relation to personal data is defined as wholly or partly automated operations performed on digital personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, dissemination, restriction, erasure, or destruction (Section 2(x)). This comprehensive definition covers the entire lifecycle of data handling.

ü  Data Principal

The person to whom personal data relates is known as a data principal.  This includes children, where parents or lawful guardians act on their behalf, and persons with disabilities, where lawful guardians represent them (Section 2(j)). The inclusion of these categories ensures that vulnerable groups are adequately protected.

ü  Data Fiduciary

A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data, either alone or with others (Section 2(i)). This includes the State, companies, digital platforms, juristic entities, or individuals. Data Fiduciaries bear significant responsibilities under the Act, akin to data controllers under GDPR.

ü  Data Processor

A Data Processor is any person who processes personal data on behalf of a Data Fiduciary (Section 2(k)). This distinction clarifies the roles of entities involved in data handling, ensuring accountability across the processing chain.

ü  Personal Data Breach

A personal data breach is defined as any incident involving personal data processing, sharing, destruction, alteration or unauthorized access that results in damage or violation of its availability, confidentiality or integrity. It highlights that safeguarding data is a priority for the Act.

ü  Consent

Consent is a free, specific, informed, unconditional, and unambiguous indication of agreement by the Data Principal for processing their data for a specified purpose, limited to necessary data (Section 6(1)). The Act emphasizes clear affirmative action, aligning with global best practices for lawful data processing.

ü  Consent Manager

A Consent Manager is a person registered with the Data Protection Board, acting as a single point of contact to enable Data Principals to manage, review, and withdraw consent through an accessible, transparent, and interoperable platform (Section 2(g)). This idea presents an easy-to-use consent management system.

These definitions establish the essential elements to guide the working of the DPDP Act. Distinct categorization of sensitive personal data and expanded coverage to digital data were key changes distinguishing the proposed strategy from previous iterations and models such as GDPR.

2.2  Salient Features of the Act

India enacted the Data Protection and Privacy for Personally Identifiable Information (Digital Personal Data) Bill, 2023, to protect individuals’ personal data and maintain lawful data processing. Its key features reflect a pragmatic approach to data regulation that draws on global standards while considering India’s unique digital setting.

Scope and Applicability

The DPDP Act applies to:

  • The handling of individuals’ personal information using electronic means or stored in digital formats while the data is in India.
  •  Digital personal data collected and processed outside India can be covered by the Act if it is relevant to the provision of goods or services in India.

This extraterritorial scope is significant, as it extends the Act’s protections to data of Indian residents processed by foreign entities. However, unlike the GDPR, which applies only to individuals physically present in the EU or EU citizens, the DPDP Act does not explicitly limit its definition of “data principal” to Indian citizens or residents, potentially creating ambiguity regarding its extraterritorial reach.

Exceptions are granted for cases where the data is processed by individuals for personal or household needs or when it is publicly available under the authority of either the data principal or the law. (DPDP Act, §17(2)). By granting exceptions for personal and domestic data, it ensures that narrow resources are dedicated to monitoring significant data handling by entities.

Notice Requirements

Data Fiduciaries must provide a notice accompanying or preceding consent requests, detailing the personal data to be processed, the purpose, and mechanisms for exercising rights and filing complaints (Section 5(1)). Notices must be accessible in English or languages listed in the Eighth Schedule of the Constitution, ensuring inclusivity (Section 5(3)).

Consent-Based Processing

The Data Protection and Privacy in Government Act provides the principal legal basis for handling personal information. Under Section 6, consent must be:

  1. Free (without duress)
    1. Specific (limited to particular purposes)
    1. Informed (based on clear information)
    1. Unconditional (not tied to provision of goods or services unless necessary)
    1. Unambiguous (given by clear affirmative action)

Consent cannot be tied to the exchange of goods or services unless the latter are related to the purposes for which data is being inspected, processed, stored or disclosed. Unconditional affirmation is required for giving consent. The Act requires data fiduciaries to communicate effectively with data principals by issuing notice in any of the official languages and using simple and transparent language. (DPDP Act, §5).

The goal is to overcome the challenge of users becoming lost in privacy terms and ultimately failing to provide genuine consent. However, Section 6 of the Act makes clear that giving consent should be just as easy as withdrawing it (DPDP Act, §6(4)). Further, responsibility for any harm caused by withdrawing consent falls on the Data Principal. The requirement that the entity processing personal data demonstrate transparency on the consent securing process encourages them to utilize adequate methods for obtaining consent. Users are allowed to terminate their consent without restriction. Services can continue only if expressly permitted by the law (see Section 6(6) of the DPDP Act). Data processing that is essential for voluntary information exchange and for issuing documents, services or benefits by government agencies is allowed without consent.

Legitimate Uses and Exceptions

Processing of personal information is authorized in specific circumstances outlined by the DPDP Act even if no consent has been given (DPDP Act, §7).

  1. Information is collected when someone willingly shares it to access or use a service.
  2. The processing of personal information is necessary for ensuring that legal obligations are met.
  3. Employment-related purposes
  4.  For contractual or civil claims
  5.  Medical emergencies
  6.  Public interest purposes

These satisfactory exceptions preserve sufficient maneuverability without compromising the limits for data handling without consent. Individuals and organizations are allowed to process personal data for personal/domestic purposes and for the use of data that is publicly accessible by law. (DPDP Act, §17(2)).

Obligations of Data Fiduciaries

A wide range of requirements applies to Data Fiduciaries as set forth in Section 8.

  1. Obliging themselves to comply with all the Act’s requirements even when a Data Principal has failed to meet their responsibilities or any agreement is not in force.
  2. Making sure that all personal data is complete, accurate and up to date, especially if it is used for important decisions or shared with other fiduciaries.
  3. Ensuring adequate protection for personal data using the necessary tools and procedures.
  4.  Reporting personal data breaches to the Data Protection Board and informing the affected Data Principals.
  5. The Data Fiduciary must delete personal data at the Data Principal’s request or once the storage is no longer necessary
  6. Ensuring that a process is in place to handle any disputes or grievances raised by Data Principals.
  7.  Data Processors can be appointed by Data Fiduciaries and are duty-bound to adhere to these responsibilities.
Rights of Data Principals

Under the DPDP Act, data principals are given important rights designed to give them greater control over how their personal data is handled.

  1. Right to Information: Section 11 of the DPDP Act guarantees access to knowledge about the types of personal information that are passed on to different data fiduciaries as well as information regarding the processing carried out on this data.
  2.  Right to Correction and Erasure: Individuals are entitled to request that their personal data be corrected, bolstered, updated or deleted. Principals have the right to ask for their data to be removed when it is no longer needed or required by the original reason for processing.
  3.  Right to Grievance Redressal: Data fiduciaries should offer grievance redressal mechanisms for data subjects and individuals can also bring their concerns before the Data Protection Board when needed (DPDP Act, §13).
  4. Right to Nominate: Data principals are able to appoint someone else to act on their behalf in exercising their rights under the law (§14, DPDP Act).
Duties of Data Principals

Section 15 describes what Data Principals are expected to do, including respecting laws, avoiding deceitful identification, giving precise details and not submitting superfluous or unfounded requests. These requirements promote the responsible use of rights by Data Principals.

Cross-Border Data Transfer

The Act allows data transfers to foreign countries if not prohibited by the Central Government (Section 16). Previously, the bill employed a positive-list system which would have meant fewer legal safeguards for cross-border data transfers to unapproved countries.

Data Protection Board of India

The DPB, set up under Section 18, is responsible for adjudicating and enforcing the Act instead of regulating personal data processing. The DPB is responsible for ensuring compliance, issuing penalties, ordering corrective action in the event of a breach and handling complaints. The DPB accepts and processes complaints filed electronically in accordance with Section 28(1). Challenging a decision made by the DPB goes to the Telecom Disputes Settlement and Appellate Tribunal (Section 29) of the Indian government.

Special Protections for Children and Persons with Disabilities

The DPDP Act offers more advanced protective measures recognizing the unique risks specific groups are exposed to:

  1. Children’s Data: It is necessary that verifiable parental consent is obtained when processing children’s data (under the age of 18). According to this Act, no data fiduciary is allowed to monitor, track, or show ads to children (DPDP Act, §9). The above-referred provision represents a major defence of children’s privacy in the digital world.
    1. Persons with Disabilities: People in charge of the lawfulness of the rights of persons with disabilities acting as data principals (DPDP Act, §2(r)) who ensure that individuals with disabilities are not left out of the Act’s coverage.

These protections are special because they are the Act’s response to the recognition of the existence of certain groups’ particular vulnerabilities and the fact that in these contexts, increased safeguards are necessary.

Significant Data Fiduciaries

The DPDP Act talks about the concept of “a significant data fiduciary”, i.e. organizations that are subjected to a higher level of care owing to factors such as such as data volume, sensitivity, risk to data principals, and potential effects on the state’s security and electoral democracy (DPDP Act, §10). After the said conditions, the Central Government might declare “significant data fiduciaries” inconsequential self-execution of data regulations. Significant data fiduciaries have to do the following:

  1. Appoint an Indian DPO
  1. Hire a third-party data evaluator for the check-up of compliance
  2. Keep by all means the data protection impact assessments instantly
  3. Subject yourself to regular compliance audits

These stricter duties for important data fiduciaries result in a risk-based regulatory approach, in which the tighter standards are targeted at those enterprises whose processing operations are more risky for data owners or the whole of society.

Penalties

If businesses don’t comply, they could face hefty fines up to INR 250 crores for things like not putting security measures in place (as outlined in Section 33). Unlike previous versions of the Act, this one does away with the INR 500 crores limit per incident and has also removed the potential for criminal liability and any compensation for those affected by data breaches. As stated in Section 34, all penalties collected will go into the Consolidated Fund of India.

Amendment to the RTI Act

The DPDP Act updates Section 8(1)(j) of the Right to Information Act, 2005, by exempting all personal information from being disclosed and eliminating exceptions for public interest or parliamentary access (as outlined in Section 44(3)). This change has raised concerns that it could jeopardize transparency.

While the features of the DPDP Act represent a notable advancement in data protection, its actual impact will rely heavily on how well it’s implemented and whether it can tackle criticisms related to exemptions and enforcement.

Government Exemptions (Section 17) and Concerns About Delegated Legislation

Section 17 of the DPDP Act gives the Central Government broad powers to exempt certain entities and processes from its requirements, which raises worries about privacy, transparency, and the possibility of misusing delegated legislation.

Exemptions Under Section 17

Section 17 lists several exemptions, including:

  1. State Instrumentalities (Section 17(2)(a)): The Central Government can exempt state instrumentalities for reasons of sovereignty, security, maintaining friendly relations with foreign countries, public order, or to prevent cognizable offenses. This also covers how the Central Government handles data provided by these entities.
  2.  Legal and Judicial Processes (Section 17(1)): There are exemptions for any processing crucial to enforcing legal rights, judicial duties, or investigating crimes.
  3. Corporate Activities (Section 17(1)(c)): Processing associated with mergers, acquisitions, or financial evaluations is exempt.
  4. Research and Statistical Purposes (Section 17(2)(b)): If data processing for research, archiving, or statistics doesn’t involve decisions impacting Data Principals, it can be exempted.
  5. Specific Data Fiduciaries (Section 17(3)): The Central Government may exempt particular fiduciaries, such as startups, from certain obligations under Sections 5, 10, and 11.
  6. Temporary Exemptions (Section 17(5)): For up to five years from when the Act begins, the government can exempt fiduciaries from any provision for a set time.
  7. Non-Resident Data Processing (Section 17(1)(d)): Personal data processing of non-residents under contracts with foreign entities is exempt, simplifying compliance for business process outsourcing.
Concerns Regarding Exemptions

The broad range of exemptions, particularly those related to state instrumentalities, raises important issues:

  1.  Exempting state agencies under the guise of national security or public order could lead to excessive data collection and storage, potentially violating the right to privacy as recognized in the Justice K.S. Puttaswamy vs. Union of India case. The lack of proportionality and necessity checks for these exemptions weakens the Act’s privacy protections.[24]
  2. Without clear mandates for erasing data once its purpose has been fulfilled, government entities could retain data indefinitely, which sets the stage for mass surveillance. This contradicts the Puttaswamy verdict, which requires that such intrusions be justified by legitimate needs.
  3. The Act doesn’t outline criteria for granting exemptions, leaving these decisions at the Central Government’s discretion. This lack of clarity could lead to arbitrary exemptions, especially concerning politically sensitive organizations.
  4.  Transparency is diminished by the removal of public interest exclusions and the broad exemption of personal information from Section 8(1)(j) of the RTI Act. This goes against the RTI Act’s aim of empowering citizens to keep the government accountable, as shown in the Raj Narain vs. State of Uttar Pradesh case (1975).
  5. Exemptions for biometric and demographic data linked to Aadhaar raise red flags due to the increased risk of misuse in the wake of rising online fraud since the pandemic. The Act’s failure to cover all agencies heightens the potential for data breaches.

Concerns About Delegated Legislation

The DPDP Act leans heavily on delegated legislation, frequently using terms like “as may be prescribed.” The Central Government’s power to establish rules about critical components—the composition of the Data Protection Board (DPB), criteria for exemptions, and parental consent methods—comes with several challenges:

  1. The Act hands over substantial rule-making authority without clear guidelines, which could result in inconsistent or biased regulations. For example, there are no defined criteria for exempting startups or changing the age threshold for processing children’s data.
    1. The government’s control over DPB member appointments and their terms (see Section 19) may compromise the Board’s independence. Short two-year tenures with the possibility of reappointment could sway members to align with government agendas, as highlighted in the report “View of India’s New Data Frontier” (2024).[25]
    1.  The lack of public consultation during rule drafting, evidenced by the non-disclosure of comments on the 2022 Bill, raises concerns about inclusivity. It’s essential to have clear stakeholder engagement, as seen in the amendments to the IT Rules 2021, to foster balanced regulations.
    1.  The absence of a clearly defined transition period for businesses to adapt to the stringent obligations set by the Act could lead to widespread non-compliance, as per the findings in “From Pixels to Policies” (2023)[26]. A clear timeline is vital for successful implementation.
Balancing Exemptions and Privacy

To resolve these issues, the Act needs some reforms:

  1. Exemptions for state agencies should undergo proportionality tests, and there should be compulsory data erasure once the purpose is served.
  2. The DPB should function independently, with appointments made by an impartial committee, akin to the original appointment process for the RTI Act before its amendment in 2019.
  3.  The government should share draft rules for public input, ensuring that stakeholder perspectives influence regulations.
  4. The amendment to Section 8(1)(j) needs to be revisited to restore public interest exceptions and align with the RTI Act’s goals for transparency.

Implementing these suggestions would help ensure that the Act aligns better with the Puttaswamy judgment’s privacy protections while still taking a practical approach to data governance.

Limitations and Criticisms 

  1. Unlike the 2018 and 2019 Bills—which included criminal offenses like deanonymization—the DPDP Act focuses only on monetary penalties. This could be inadequate for serious breaches, as highlighted in “View of India’s New Data Frontier” (2024).[27]
  2.  The Act removes direct remedies for victims by repealing section 43A of the IT Act, 2000, which used to provide compensation for data breaches. This is quite different from GDPR’s provisions for damages. 
  3. The Central Government’s influence over DPB appointments and terms could compromise its independence, leading to potential biased enforcement. 
  4.  The strictly digital complaint process may leave out those without internet access or digital skills, particularly in underserved or rural areas. Notably, the RTI Act’s provisions for offline applications and assistance are missing here. 
  5.  The penalties are more focused on deterrence rather than compensating victims, as the funds collected go to the Consolidated Fund instead of directly benefiting affected individuals. 
  6. The amendment to Section 8(1)(j) of the RTI Act limits access to personal information, curtailing citizens’ ability to expose data misuse by public authorities.[28]
3: Constitutional Analysis of the Digital Personal Data Protection Act, 2023
3.1  Alignment with Privacy Rights

The DPDP Act, passed on August 11, 2023, represents a crucial step in safeguarding digital personal data in India. Its connection to the right to privacy, as outlined in Article 21 of the Constitution, is vital for its constitutional legitimacy. The Puttaswamy ruling recognized privacy as a fundamental right, but it noted that this right can be subject to restrictions that must meet specific criteria of legality, necessity, and proportionality. Furthermore, the provisions regarding consent and the rights of data principals play a significant role in enhancing privacy protections. This section delves into these particular aspects.

Compliance with Puttaswamy’s Legality, Necessity, and Proportionality Tests

In the Puttaswamy case, the Supreme Court established a three-part test for any law limiting the right to privacy: (1) it must be founded on a legitimate law (legality), (2) it must aim to achieve a legitimate state objective (necessity), and (3) it must not excessively intrude on privacy rights, ensuring that any restrictions are proportionate. These criteria are applied to evaluate how the DPDP Act stacks up.[29]

  1. Legality: The DPDP Act passes the legality test since it is a formally enacted law, approved by Parliament after much discussion and amendments from earlier drafts (the Personal Data Protection Bills of 2018, 2019, and 2022). Unlike the Aadhaar scheme, which initially relied on executive orders and faced challenges in the Puttaswamy case due to lack of legislative support, the DPDP Act is firmly based on statutory authority. Its preamble clearly states its purpose: to regulate the processing of digital personal data while balancing individual privacy rights with lawful objectives.
  2. Necessity: The Act addresses a crucial need for regulating data processing amid a surge in cybercrimes, data breaches, and unauthorized surveillance. With India reporting 674.85 million data breaches in just the first quarter of 2021, as per Surfshark, it’s clear that a robust data protection framework is essential. The provisions of the Act resonate with the state’s legitimate aim of safeguarding citizens’ privacy and fostering trust in digital systems, both of which are important for economic development and technological advancement.
  3. Proportionality: Proportionality demands that any restrictions on privacy be precisely tailored to achieve the desired goal. The DPDP Act requires data fiduciaries to process personal data only with consent or for expressly legitimate purposes (like medical emergencies or government services). It sets standards for maintaining data accuracy, ensuring security, and deleting data once its purpose is fulfilled (Section 8). These measures help minimize intrusions on privacy by restricting data collection and retention to what’s absolutely necessary. However, some vagueness around what constitutes “reasonable security measures” (Section 8(5)) raises concerns about enforceability, as the Act does not lay out clear standards proportional to the associated risks, which could undermine its protective intention.

The Act’s alignment with Puttaswamy is also reflected in its acknowledgment of individual control over personal data, a key aspect of privacy. By regulating data fiduciaries and establishing the Data Protection Board of India (DPB), the Act creates a framework to enforce privacy protections, in line with the Puttaswamy court’s call for a well-rounded data protection regime.

Consent and Data Principal Rights as Privacy Enablers

The DPDP Act places a strong emphasis on consent in data processing, which reinforces individual autonomy as a crucial element of privacy. According to Section 6, data fiduciaries must obtain the informed, explicit, and voluntary consent of a data principal before handling their personal information. This consent must be backed by a notice explaining the data being collected and the purpose of its use, ensuring transparency. Data principals can withdraw their consent at any moment, requiring data fiduciaries to stop processing their data (Section 6(5)).

Additionally, the Act empowers data principals with significant rights under Section 11, including:

  1. The right to access information regarding how their data is being processed.
  2.  The right to correct or delete data.
  3. The ability to nominate someone else to exercise these rights in the event of death or incapacity.
  4. The right to seek redress for any violations.

These features allow individuals to exert control over their personal data, aligning closely with the emphasis on informational self-determination highlighted in the Puttaswamy case. For example, the right to erasure mirrors the “right to be forgotten” found in Article 17 of the GDPR, adapting international best practices for the context of India.

However, the consent structure in the Act has its limitations. The notion of “deemed consent” for “certain legitimate uses” (Section 7), which includes scenarios like government services or employment, circumvents the need for explicit consent. This raises questions about the potential for coercion, especially among vulnerable individuals who may rely on government assistance. Additionally, the Act’s exclusive reliance on digital complaint mechanisms (Section 28) could leave behind those with limited access to the internet, given that only 52.4% of India’s population had internet access in 2024, according to Datareportal[30]. These shortcomings could hinder the Act’s ability to fully empower privacy rights for all citizens

3.2  Government Exemptions (Section 17) 

Section 17 of the DPDP Act gives the Central Government extensive authority to exclude state entities from the Act’s provisions when it concerns sovereignty, security, public order, foreign relations, or the prevention of serious offenses. Although such exemptions are common in data protection regulations worldwide, the broad scope and potential for misuse raise significant constitutional questions. This section looks into these exemptions, the risks they pose, and their validity under Articles 14, 19, and 21 of the Constitution.

Exemptions for State Instrumentalities: Security, Public Order, Foreign Relations 

Under Section 17(2)(a), the Central Government is allowed to designate any state entity as exempt from the requirements of the DPDP Act, including those related to consent, data deletion, and security responsibilities. The reasons provided—protecting national security, ensuring public order, and managing foreign relations—are certainly valid. For instance, intelligence agencies may need personal data access to tackle terrorism or cyber threats, making some flexibility in data processing essential. 

The exemptions in this Act resemble those in the RTI Act (Section 24), which exempts intelligence and security organizations from disclosure responsibilities, except in cases of corruption or human rights violations. However, the DPDP Act’s exemptions are broader, as they apply to any state entity the government decides to notify, not just specific agencies. This wide-ranging scope means that the government could potentially exempt organizations like public sector banks or welfare agencies—entities that handle sensitive personal data—without providing a clear reason.

Risks of Surveillance and Data Retention 

Section 17 has drawn criticism from scholars who argue that it allows for unchecked surveillance and data retention. The lack of oversight mechanisms or time limits for these exemptions risks granting the state prolonged access to personal data, including biometric and demographic information, far beyond what is necessary. This is particularly alarming given India’s past data breaches, like the exposure of Aadhaar-linked information, which led to increased fraud following the pandemic. The lack of transparency regarding how exempted agencies manage data only heightens the risk of misuse, undermining the right to privacy. 

The Puttaswamy ruling emphasized the necessity of judicial oversight and reasonable limits on surveillance. Yet, the DPDP Act does not call for an independent review of these exemptions, leaving the Central Government as the sole decision-maker. This creates fears around the arbitrary use of power, particularly given claims that agencies like the CBI and ED have been utilized for political ends.

Constitutional Validity Under Articles 14, 19, and 21 

The constitutional legitimacy of Section 17 largely depends on its alignment with Articles 14 (equality), 19 (freedom of speech and expression), and 21 (life and personal liberty): 

  1.  Article 14: Equality Before the Law 

Article 14 prohibits arbitrary state action and guarantees equality before the law and equal protection. For any law to comply with Article 14, the classification it creates must have a clear rationale and a logical connection to the law’s aim. The exemptions under Section 17 could violate this principle due to their broad and discretionary nature. 

The vague criteria for granting exemptions set out in Section 17(2)(a) open the door to arbitrary application. Without specific standards or oversight, the government could selectively exempt agencies, failing to justify the need or extent of such exemptions. This unchecked discretion doesn’t adhere to the “reasonable classification” test, as it lacks a rational link between the exemption and the Act’s goals of protecting privacy and ensuring legal data processing. The Supreme Court’s ruling in State of West Bengal v. Anwar Ali Sarkar (1952) pointed out that laws granting unfettered discretion to the executive are prone to arbitrariness, which is a relevant concern for Section 17. 

Furthermore, these exemptions lead to an uneven application of data protection standards: private data handlers must comply with stringent regulations, while exempted state entities do not face similar requirements. This disparity undermines the Act’s objective of providing consistent privacy protection, potentially infringing on Article 14’s assurance of equal protection. To align with Article 14, the DPDP Act needs to establish clear criteria for exemptions and include independent oversight mechanisms, like judicial or parliamentary review, to guard against arbitrary state actions.

  • Article 19(1)(a): Freedom of Speech and Expression

Article 19(1)(a) safeguards freedom of speech and expression, which was linked to the right to privacy in the Puttaswamy case. It noted that informational privacy is crucial for free expression. Unfortunately, some provisions of the DPDP Act, especially regarding the amendments to the RTI under Section 44(3) and exemptions in Section 17, threaten this right by limiting transparency and enabling potential surveillance. 

Surveillance Risks from Exemptions 

The exemptions for state entities in Section 17, particularly the lack of limits on data retention, raise serious surveillance concerns. Agencies exempted under this section can keep personal information indefinitely, even after they’ve fulfilled their original purpose for collection, leading to the risk of mass surveillance. This situation is reminiscent of criticisms surrounding the Aadhaar scheme for enabling surveillance due to its insufficient data security. Such potential for unrestricted access to data could lead to a chilling effect on free expression; individuals might self-censor to avoid surveillance, infringing on Article 19(1)(a). 

The Anuradha Bhasin v. Union of India case highlighted the need for proportionality when placing restrictions on fundamental rights. The court ruled that limitations must be narrowly defined and subject to regular reviews, standards that Section 17 fails to meet due to its broad exemptions and absence of oversight. To comply with Article 19, the DPDP Act should narrow these exemptions, impose time limits on data retention, and reinstate public interest exceptions in the RTI amendment to enhance transparency.

  •  Article 21: Right to Life and Personal Liberty

According to the Puttaswamy judgment, the right to privacy is protected by Article 21 alongside the rights to life and personal liberty. It established a three-part test—legality, necessity, and proportionality—for laws that restrict privacy. While the DPDP Act’s focus on informed consent (Section 6) and data principal rights (Section 11), such as the rights to access, correction, and erasure, align with these principles, the exemptions and enforcement gaps raise constitutional issues. 

Consent and Data Principal Rights

The emphasis in the DPDP Act on informed consent and data principal rights supports individuals’ control over their personal information, satisfying the legality and necessity requirements. These provisions reflect an autonomy-focused vision of privacy, ensuring lawful and purpose-limited data processing. However, the reliance on digital means to exercise these rights overlooks those with limited internet access. Given that only 52.4% of India’s population had internet access in 2023, this digital divide threatens to make privacy protections inaccessible, compromising Article 21’s guarantee of universal rights.

Government Exemptions and Proportionality 

The exemptions outlined in Section 17 don’t meet the proportionality test because they’re too broad and lack adequate safeguards. This provision allows state entities to bypass consent and data protection obligations under vague premises like “friendly relations with foreign states,” all without any judicial or parliamentary oversight. The Puttaswamy judgment emphasized that restrictions on privacy should be carefully limited and should come with procedural safeguards, a point that’s supported in Anuradha Bhasin as well. Without a sunset clause or a review mechanism for these exemptions, we’re looking at a situation where the state could have unlimited access to personal data, which undermines the procedural fairness guaranteed by Article 21. 

The risk of surveillance, which is amplified by the potential for unlimited data retention, puts privacy further at risk. The failure of the DPDP Act to establish security standards for exempted agencies only heightens the chances of data breaches, similar to what we saw with the Aadhaar program. To comply with Article 21, the Act needs to implement oversight mechanisms, like creating a judicial committee to review exemptions, and set clear security standards for all data fiduciaries, including government bodies. 

4: RECOMMENDATION AND CONCLUSION

4.1  Recommendations for Strengthening the DPDP Framework

Still, problems such as unclear exemptions, missing enforcement control, and an unfinished global framework make the effectiveness of the rules uncertain.

The Act is based on the ruling in the Justice K.S. Puttaswamy v. Union of India decided in 2017 that privacy should be guaranteed as a fundamental right. Still, Section 17 does not cover all state agencies and might create new barriers to comptroller authority, which might breach the constitution. The current draft rules do not handle these aspects in full.

  1. Both proportionality and judicial review should be applied to any exemptions.

No solid safeguards are required in the Act for government entities when using the exemptions in section 17 for issues related to national security or public order. There is concern that Rule 14 does not require the Central Government to show why and how every exemption is pertinent and justifiable under Puttaswamy, which sets such restrictions on fundamental rights. As such, the rules should be changed as follows:

  • A test that examines if an exemption is both essential and the least intrusive. There should be an independent court to oversee how the state uses personal data, following Article 21. This would ensure that public concern about the misuse of such law are considered as its goal is achieved.
    • There is no mention of algorithmic bias or the use of machines to make decisions in either the Act or the draft rules, despite the risk of breaking Article 14’s requirement for equality. Rule 11 on draft rules mentions DPIAs for significant data fiduciaries (SDFs), and this could be enhanced by adding mandatory audits of algorithms. Recommendations include:
  • Ensuring SDFs make algorithms and audits public that play a role in automatic decisions. Under GDPR’s Article 22, people should be allowed to challenge a decision made solely by a computer. This approach guarantees that certain principles are followed in data-driven activities.
    • The law outlines fines of up to INR 250 crore (Section 33), and the new rules (Rule 18) describe how to implement penalties. Even so, fining companies may not have much impact on large corporations. Make sure the final rules answer: Mandatory compliance audits, the halt of processing data, or the declaration of wrongdoers in public are some of these penalties. Tiered penalties are set, related to the seriousness of the violation, just like GDPR does with fines that can reach up to 4% of a company’s global revenue. Accountability would improve significantly among multinational companies with this approach.
    • The draft rules (Rule 15) establish the DPB as a digital office with inquiry powers but do not specify its funding or selection process, risking government influence. To strengthen the DPB:
    • Define a transparent, merit-based selection process for DPB members, including legal, technical, and civil society representation.
    • Allocate independent funding to prevent reliance on government budgets.
    • Clarify the DPB’s coordination with sectoral regulators (e.g., RBI for fintech) to avoid jurisdictional overlaps, as suggested in Rule 17’s inquiry provisions.
      • The rules suggest that data fiduciaries establish ways to resolve grievances, but nothing ensures that complaints are resolved independently if needed. To enable individuals to exercise their capabilities.
    •  Appoint ombudsmen in every region under the DPB to hear complaints within 30 days.
    • Governments should ensure mandating data fiduciaries to report grievance resolution metrics to the DPB. Establish a Transparent Data Transfer Framework

Conclusion

Thus, the study establishes that, with the implementation of the Digital Personal Data Protection Act, 2023 and its separate Draft Rules (notified January 3, 2025), India’s system will do much to protect the privacy of its 1.4 billion people By demonstrating how the Act upholds the principles set out in Justice K.S. Puttaswamy v. Union of India , by pointing out gaps in the law due to loopholes in the state’s exemptions and lack of proper oversight and suggesting major changes to better enforce data protection, this study help redefine India’s data protection paradigm. It contributes to legal and public policy debate and plays a role in creating digital transparency, accountability and trust in India. As we look forward, the field is shifting toward research on upcoming delegated legislation, the effectiveness of the Data Protection Board for years to come and the privacy matters raised by AI and IoT. Since India is becoming a leader in data governance, it is necessary to update the Data Protection and Privacy in Digital Policy (DPDP) framework to ensure freedom, help the economy and secure India’s place globally in the digital field.

Sunidhi Singh, B.A LL.B (Final year),  Amity University Madhya Pradesh

[1] Int’l Data Corp. (IDC), Worldwide IDC Global DataSphere Forecast, 2023–2027: It’s a Distributed, Diverse, and Dynamic (3D) DataSphere (Apr. 2023), https://www.marketresearch.com/IDC-v2477/Worldwide-IDC-Global-DataSphere-Forecast-33986214/ (last visited May 8, 2025).

[2][2] M.P. Sharma v. Satish Chandra, AIR 1954 SC 300

[3] Kharak Singh v. State of Uttar Pradesh, AIR 1964 SC 1295.

[4] Govind v. State of Madhya Pradesh, AIR 1975 SC 1378

[5] The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 (Act 48 of 1983)

[6] The Information Technology Act, 2000 (Act 21 of 2000),

[7] The Credit Information Companies (Regulation) Act, 2005 (Act 30 of 2005),

[8] The Payment and Settlement Systems Act, 2007 (Act 51 of 2007),

[9] Reserve Bank of India, Credit Card Operations of Banks, RBI/2008-2009/100 (Aug. 1, 2008), https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=4328.

[10] Reserve Bank of India, Master Circular – Know Your Customer (KYC) Norms, RBI/2015-16/108 (July 1, 2015), https://www.rbi.org.in/Scripts/BS_ViewMasCirculardetails.aspx?id=9870.

[11]Reserve Bank of India, Storage of Payment System Data, RBI/2017-18/153 (Apr. 6, 2018), https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244.

[12] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[13] Shukla, B. N. (2024). The Evolution of Privacy Law in India: From Fragmentation to Codification. LinkedIn.

[14] Consumer Protection Act, 2019, https://www.linkedin.com/pulse/evolution-privacy-law-india-from-fragmentation-bhaskara-nand-shukla-lstjc/

[15] National Health Authority, Health Data Management Policy, Ayushman Bharat Digital Mission (2021), https://abdm.gov.in/assets/uploads/consultation_papers_docs/Health_Data_Management_Policy.pdf. .

[16] Telecom Regulatory Authority of India, Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector, Press Release No. 78/2018 (July 16, 2018), https://www.trai.gov.in/sites/default/files/PR_No.78of2018.pdf.

[17] Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

[18] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.

[19] International Covenant on Civil and Political Rights, Dec. 16, 1966, 999 U.N.T.S. 171, https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights.

[20] Universal Declaration of Human Rights, G.A. Res. 217A (III), U.N. Doc. A/810 (Dec. 10, 1948), https://www.un.org/en/about-us/universal-declaration-of-human-rights.

[21] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018), https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.

[22] Cybersecurity Ventures, 2023 Official Cybercrime Report (2023), https://cybersecurityventures.com/cybercrime-report-2023/.

[23] The Digital Personal Data Protection Act, 2023 (Act 22 of 2023), https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.

[24] Kashyap, P. K. (2024). Digital Personal Data Protection Act, 2023: A New Light into the Data Protection and Privacy Law in India. ICREP Journal of Interdisciplinary Studies, 2(1), 1–12. https://icrep.cusat.ac.in/journal/d/76abb866-4d9d-4ab8-ab85-8401383e99d1

[25] Saurabh, S. (2024). The Digital Personal Data Protection Act of 2023: Strengthening Privacy in the Digital Age. International Journal of Law in Changing World, 3(2), 77–94. https://doi.org/10.54934/ijlcw.v3i2.84

[26]Sanket Singh Sengar, From Pixels to Policies: Analysing the Provisions and Navigating the Complexities of the Digital Personal Data Protection Act, 2023,  available at SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4547842.

[27] India’s New Data Frontier: A Critical Legal Insight of the Personal Data Protection Act 2023 (2024), available at https://www.researchgate.net/publication/390869327_India’s_New_Data_Frontier_A_Critical_Legal_Insight_of_the_Personal_Data_Protection_Act_2023

 

[29]  Narula, A. (2023). A Comparative Analysis of the Indian Data Privacy Issues in the Data Protection Act vis-à-vis Right to Privacy in Indian Constitution. *A Landmark on the Indian Constitution*, 139-144.

[30] Kemp, S. (2025, March 23). Digital 2024: Global Overview Report — DataReportal – Global Digital Insights. DataReportal – Global Digital Insights. https://datareportal.com/reports/digital-2024-global-overview-report.



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here