Cyber Law

Embedding Privacy in India’s Digital Infrastructure: Informational Privacy and the Evolution of India’s Data Protection Framework

June 15, 2026 Amit Patel & Associates 28 min read
  1. INTRODUCTION:

In the digital era, personal information is required to be shared in almost every aspect of our daily life. When we unlock our phone with our fingerprint, when we shop online, when we use social media, when we book a travel ticket, when we even consult a doctor through an app, we leave digital footprints. Our names, phone numbers, locations, financial information, health records and browsing habits are only tiny bits of data, but when put together they paint a detailed picture of who we are. This is highly valuable information. Companies use it to tailor services and advertising; governments use it to deliver digital services and benefits.

But mishandling, leaking or misusing this information can result in serious consequences such as identity theft, financial fraud, harassment or emotional distress. Data protection is therefore vital, as it enables people to have control over their own information, knowing who collects it, why it is collected, how it is used and whether they can correct or delete it. Most importantly, privacy is closely connected to dignity and freedom, and without adequate protection, people may feel constantly watched or vulnerable. Strong data protection laws build confidence in the digital economy, hold organisations to account and ensure technological advancements are not made at the expense of personal privacy. Data protection is in essence, protecting people.

 

  1. THE ARCHITECTURE OF PRIVACY REGULATION IN INDIA PRIOR TO THE DPDP ACT, 2023

Before 2023, India did not have one single holistic law solely dedicated to the protection of personal data. Instead, privacy safeguards were carried out in a fragmented and limited way through scattered statutory provisions, delegated rules, contractual obligations and sector-specific regulations. The primary regulatory approach was to protect “sensitive personal data or information,” such as passwords, financial details and medical records, rather than protecting all types of personal data thoroughly. The 2011 SPDI Rules brought in ideas like prior consent for collection, privacy policies and reasonable security practices, but the scope was limited and only applicable to body corporates involved in commercial activities. Enforcement mechanisms were weak, compliance oversight was minimal, and individuals were required to seek remedies after harm had already occurred rather than being empowered with proactive rights.

However, this framework was limited in scope and mainly focused on data security rather than broader privacy rights. It did not clearly grant individuals rights like access, correction, or deletion of their data, nor did it establish a strong, independent regulatory authority to oversee compliance. As a result, India’s pre-2023 privacy system was often described as fragmented and reactive, addressing issues only after harm occurred rather than proactively safeguarding personal data in a rapidly growing digital environment.

 

2.1 The Information Technology Act, 2000

India has also enacted the Information Technology Act, 2000[1] to provide legal recognition to electronic records and digital signatures, to facilitate e-commerce and e-governance and to prescribe offences for cybercrime. The data protection under the IT Act was limited and not comprehensive before the promulgation of the Digital Personal Data Protection Act, 2023. The Act dealt mainly with cybercrimes like hacking (Section 66), tampering with computer source documents (Section 65), publishing obscene material in the internet (Section 67), breach of confidentiality (Section 72) and cyber terrorism (Section 66F) by prescribing punishments like imprisonment and fine among others.

The main legal framework for data protection in India before the Digital Personal Data Protection Act, 2023 was under the Information Technology Act, 2000 had several lacunae because it did not provide a complete privacy regime.

The most important section related to data protection was Section 43A, but it was limited only to “sensitive personal data or information” and applied only to body corporates, leaving out a large amount of personal data and many data handlers. It also did not clearly define strong individual rights such as the right to access, correction, or deletion of personal data, and instead only required “reasonable security practices,” which was vague and left interpretation to companies.

Section 72A of Information Technology Act, 2000 prescribes punishment for disclosure of personal information in breach of a lawful contract. In simple terms, it is when someone or a service provider gains access to a person’s sensitive or personal data through an arrangement or professional relationship and then knowingly shares or misuses that information without the person’s consent. This part is mainly concerned with situations where data is lawfully collected (say by banks, telecom companies, online platforms or employers) but is then disclosed improperly for wrongful gain or wrongful loss. Clearly, Section 72A only penalises intentional disclosure of information in violation of a lawful contract but does not cover many real-world data protection issues.

Another important lacuna is that Section 72A does not give rights to individuals such as the right to know how their data is being used, the right to correction, or the right to deletion. It does not establish a regime of consent, purpose limitation or data minimisation which are key principles of modern privacy law. Thirdly, enforcement is weak as it only punishes after disclosure takes place, not preventing abuse through an organised regulatory framework.

Section 66E of Information Technology Act, 2000 provides for punishment for violation of privacy. It states that whoever intentionally captures, publishes or transmits the image of a private area of any person without the consent of that person, under circumstances when the person has a reasonable expectation of privacy, the major gap is the very narrow section 66E, which does not provide full privacy or data protection framework. It just protects you against unauthorised capture or publication of private images and not the broader concept of personal data protection.

A key downside is that the scope of Section 66E is limited to intentional acts relating to images and does not cover accidental leaks, systemic data breaches or misuse of data by organisations that do not take images. It also does not create any user rights like consent control, access, correction or deletion rights and there is no notion of data fiduciaries or accountability obligations on companies handling data.

As per Section 67C of the Information Technology Act, 2000, intermediaries (internet service providers, websites and online platforms) are required to preserve and retain certain information and data for a period of time as may be prescribed by the government. The main idea behind this section is to ensure that digital evidence is available for investigation of cyber offences.

Section 79 of the Information Technology Act, 2000, provides ‘safe harbour’ protection to intermediaries including social media platforms, internet service providers and online marketplaces. The biggest gap there is that Section 79 provides very wide immunity to intermediaries. This sometimes results in a lack of accountability in terms of harmful or unlawful content hosted on their platforms.

2.2 SPDI Rules, 2011

There is often a common confusion around the term “SPDI Act[2],” but it is important to understand that no such Act exists in Indian law. What actually exists is the SPDI Rules, 2011, formally known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which are framed under the Information Technology Act, 2000. These Rules are not a separate law passed by Parliament, but subordinate legislation issued under the authority of the IT Act to explain how certain provisions especially Section 43A should be implemented in practice. In simple terms, the IT Act is the main law, while the SPDI Rules act as detailed instructions on how companies must handle sensitive personal data.

They introduced basic privacy requirements such as consent, security practices, and disclosure rules, but they never formed an independent “Act” governing data protection. This distinction is crucial because, unlike a full-fledged law, these Rules had limited scope and enforcement power, which is one of the key reasons India later moved toward a comprehensive framework under the Digital Personal Data Protection Act, 2023.

Rule 3 of the SPDI Rules, 2011 under the Information Technology Act, 2000 defines what qualifies as Sensitive Personal Data or Information (SPDI). It includes categories such as passwords, financial information (like bank account or credit card details), health conditions, biometric data, sexual orientation, and any information relating to these categories that is collected for providing services or processing data on behalf of others. However, the rule reflects a narrow and early-stage understanding of privacy, because it focuses only on traditional “high-risk” categories and does not include many forms of modern digital data such as location data, browsing history, device identifiers, behavioural profiles, or social media activity. In today’s data-driven ecosystem, such excluded data can also reveal deeply personal insights, making Rule 3 outdated in scope.

Rule 5 of the SPDI Rules, 2011 under the Information Technology Act, 2000 deals with the collection of Sensitive Personal Data or Information (SPDI) and the requirement of consent and privacy policy. It mandates that a body corporate must obtain clear consent from the individual in writing or through electronic means before collecting SPDI, and it must also inform the individual about the purpose of collection, usage, and disclosure of such data. The rule further requires companies to collect data only for a lawful and necessary purpose and not retain it longer than required.

The main lacuna in Rule 5 is that the concept of consent was not strongly defined or strictly enforced. The rule did not clearly require informed, specific, or granular consent, allowing companies to use broad or bundled consent mechanisms where users often agreed without fully understanding how their data would be used. Additionally, the rule lacked strong mechanisms to ensure meaningful choice, as services could still be denied if users refused consent, reducing real control over personal data.

Rule 6 regulates the disclosure of SPDI and states that such information can only be shared with the consent of the individual or under legal obligation, such as a court order or government request, and it also restricts unnecessary sharing with third parties to maintain confidentiality.

Rule 6 lacked strong safeguards for preventing over-disclosure because it allowed data sharing under broad conditions like “legal necessity,” without strict purpose limitation or data minimisation principles.

Rule 7 governs the transfer of SPDI to another body corporate or entity, allowing it only when the recipient ensures the same level of data protection or when consent is obtained, especially in cases involving cross-border data transfer. Rule 7 was weak in regulating cross-border data flows, as it did not impose strong restrictions or ensure consistent international data protection standards, making it easier for data to be transferred outside India without adequate safeguards.

 

 

  1. HOW THESE LACUNAE IMPACTED REAL-WORLD DATA PROTECTION IN INDIA

The lacunae in the pre-DPDP legal framework, particularly under the Information Technology Act, 2000 and the SPDI Rules, 2011, had a deep and direct impact on the banking and financial sector, which became one of the most vulnerable areas in India’s digital ecosystem. Although banks were required to follow “reasonable security practices” under Section 43A, the absence of a strong, uniform, and enforceable data protection law meant that financial institutions often relied on internal policies rather than strict statutory obligations. This created inconsistency in cybersecurity standards across banks, fintech platforms, and payment systems, leaving gaps that cybercriminals could exploit. Overall, these legal and regulatory gaps made the banking sector highly exposed to cyber risks, where data misuse did not always originate from direct hacking but often from weak governance, fragmented regulations, and inadequate data protection standards.

In 2020, India reported around 2.9 lakh cyber security incidents related to digital banking, as informed in Parliament based on CERT-In data, showing a continuous rise from 1.59 lakh cases in 2018 and 2.46 lakh in 2019. These incidents included phishing attacks, malware, network scanning, and website hacking, highlighting the growing vulnerability of the digital banking ecosystem. At the same time, digital transactions increased sharply by 46% in 2020 compared to 2018–19, rising from 3,134 crore to 4,572 crore transactions, which expanded the attack surface for cybercriminals. The government also reported blocking 9,849 websites/webpages/accounts in 2020 under Section 69A of the IT Act, 2000, compared to 2,799 in 2018 and 3,635 in 2019. Additionally, NCRB data showed a rise in fraud and cheating cases involving digital means, increasing from 3,353 cases in 2018 to 6,233 cases in 2019. These figures clearly indicate that cyber fraud and data security incidents were increasing rapidly alongside digital adoption. This situation exposed the limitations of the existing IT Act framework, which focused more on punishment rather than strong data protection and prevention mechanisms.[3]

In 2020, India recorded 50,035 cyber-crime cases, showing an 11.8% increase compared to the previous year, according to NCRB data, while the rate of cybercrime also rose from 3.3% in 2019 to 3.7% in 2020. The data revealed that the majority of these offences were driven by fraud, which accounted for 60.2% of total cases (30,142 cases), highlighting the dominance of financial cybercrime. Within this, there were 4,047 online banking frauds, 1,093 OTP frauds, 1,194 debit/credit card frauds, and 2,160 ATM-related cases, showing the growing vulnerability of the digital financial ecosystem. Additionally, cases of cyber stalking or bullying (972 cases), fake profiles (149 cases), data theft (98 cases), and fake news on social media (578 cases) were also reported, reflecting the wide range of digital offences. In terms of geographical distribution, Uttar Pradesh reported the highest number of cases, followed by Karnataka, Maharashtra, Telangana, and Assam, while Karnataka recorded the highest crime rate. Overall, these figures demonstrate a sharp rise in cybercrime across India, especially financial frauds, exposing the limitations of the existing IT Act framework, which was more reactive in nature and lacked strong preventive data protection mechanisms.[4]

Between 2012 and 2015, India witnessed a steady rise in digital frauds and cyber security incidents, reflecting the growing risks in the expanding digital ecosystem. According to data shared in Parliament, banks reported 8,765 cases of ATM, credit/debit card and net banking frauds in 2012–13, which increased to 9,500 in 2013–14, 13,083 in 2014–15, and further to 11,997 cases in 2015–16 (up to December 2015), as per RBI data. During the same period, NCRB data showed a sharp rise in cybercrime cases registered under the IT Act, 2000, increasing from 2,876 cases in 2012 to 7,201 cases in 2014, while cases under IPC cyber-related sections also rose significantly. Additionally, CERT-In reported a continuous increase in cyber security incidents, from 41,319 in 2013 to 49,455 in 2015, including phishing, malware, website intrusions, and denial-of-service attacks, along with a large number of spam incidents. The government also noted that cybercriminal activities were becoming more sophisticated, especially with the growing use of dark web technologies, making detection and enforcement more challenging. These trends clearly indicate that cyber threats were rapidly increasing even in the early digital phase, exposing the limitations of the IT Act, 2000, which was primarily designed for cyber offences rather than a strong preventive data protection framework.[5]

In People’s Union for Civil Liberties vs. Union of India[6] is a foundational judgment in India’s privacy jurisprudence, as it was one of the earliest cases in which the Supreme Court directly confronted the tension between State surveillance powers and individual informational privacy. The Court recognised that telephone conversations form an integral part of personal liberty and that indiscriminate interception of communication by the State amounts to a serious infringement of constitutional rights under Article 21. While the Court did not prohibit telephone tapping entirely, it laid down strict procedural safeguards, emphasising that any interference with private communication must be authorised by law, justified by necessity, and subject to oversight mechanisms to prevent arbitrary abuse.

In this sense, the judgment acted as an early constitutional signal that India’s legal framework was ill-equipped to protect personal data in an evolving technological landscape. It laid the conceptual groundwork for later privacy jurisprudence, culminating in the recognition of privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) vs. Union of India[7], and ultimately reinforced the legislative necessity that led to the enactment of the Digital Personal Data Protection Act, 2023.

Shreya Singhal vs. Union of India[8] is a landmark judgment that significantly exposed the structural and constitutional limitations of India’s early digital governance framework under the Information Technology Act, 2000. In this case, the Supreme Court struck down Section 66A of the IT Act on the grounds that it was vague, overly broad, and prone to arbitrary misuse, thereby violating the fundamental right to freedom of speech and expression under Article 19(1)(a). The Court held that the provision failed to meet the constitutional standards of clarity and proportionality, allowing subjective interpretation that led to misuse against individuals for online speech.

This case became a turning point in India’s digital rights discourse because it demonstrated how outdated and poorly defined legal provisions could directly infringe constitutional freedoms in the online space. It strengthened judicial recognition of the need for clearer, rights-based regulation of the digital environment. Along with subsequent privacy jurisprudence, it contributed to the growing realization that India required a dedicated and coherent data protection framework

Anuradha Bhasin vs. Union of India[9] is highly relevant to India’s privacy and digital rights jurisprudence because it represents one of the first major judicial recognitions of the internet as an essential component of constitutional freedoms in the digital age. The Supreme Court held that indefinite restrictions on internet access are impermissible under the Constitution and that any suspension of internet services must satisfy the principles of proportionality, necessity, and reasonableness.

The relevance of this judgment to India’s data protection framework lies in its implicit recognition that digital connectivity forms the backbone of individual rights in the contemporary era. By requiring the State to justify restrictions through transparent and reviewable procedures, the Court highlighted the risks of unchecked administrative control over digital infrastructure. This exposed the absence of a comprehensive statutory framework governing digital rights and data governance, where decisions affecting millions of users could be taken without robust safeguards for accountability or individual privacy protection.

The data from 2012 to 2020 reveals a disturbing pattern as India’s digital economy expanded, cybercrime and financial fraud grew alongside it at an alarming pace. From thousands of ATM and card frauds to lakhs of cybersecurity incidents and tens of thousands of registered cybercrime cases, the numbers were not merely statistics; they were warning signals. The law emphasized punishment after harm had occurred, but it lacked a comprehensive preventive structure that could enforce accountability, ensure uniform compliance, and empower individuals with enforceable rights over their personal data. “Reasonable security practices” remained vague, enforcement mechanisms were weak, and regulatory fragmentation allowed institutions to interpret obligations loosely. The result was clear: India’s digital financial ecosystem was scaling rapidly, but its data protection architecture was not evolving at the same pace. Citizens were sharing more data than ever before, yet they had limited control, limited remedies, and limited transparency regarding how their personal information was processed.

The result was clear: India’s digital financial ecosystem was scaling rapidly, but its data protection architecture was not evolving at the same pace. Citizens were sharing more data than ever before, yet they had limited control, limited remedies, and limited transparency regarding how their personal information was processed. This raises a fundamental and unsettling question if cyber threats were escalating year after year under the old regime, was India’s legal framework ever truly designed to protect data in a digital-first economy?

It is against this backdrop of rising cyber frauds, governance gaps, and regulatory inadequacies that the Digital Personal Data Protection Act, 2023 emerges not merely as another statute, but as a potential structural shift. The crucial question now is whether the DPDP Act, 2023 can finally transform India’s approach from reactive punishment to proactive protection, from fragmented compliance to enforceable accountability, and from institutional discretion to citizen-centric data rights.

  1. HOW THE DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT, 2023 TRANSFORMS INDIA’S PRIVACY LANDSCAPE

4.1 Why it was introduced

As seen from the previous incidents of rising cybercrime, financial frauds, data theft, and large-scale digital vulnerabilities, India’s existing legal framework was clearly inadequate to handle the complexities of a rapidly digitising economy. The continuous growth in cyber offences was not merely a technological challenge but a regulatory failure exposing the absence of a comprehensive, rights-based data protection regime. It became evident that relying solely on the Information Technology Act, 2000 and the SPDI Rules, 2011 was insufficient to safeguard personal data in an era where information had become the most valuable digital asset.

It was in response to these systemic shortcomings and escalating threats that the Digital Personal Data Protection Act, 2023 was introduced, aiming to fundamentally restructure India’s approach to personal data protection.

4.2 Its objective

The Digital Personal Data Protection Act, 2023 was enacted to establish a comprehensive legal framework governing the processing of digital personal data in India. Its primary objective is to protect the privacy of individuals while simultaneously enabling the lawful and transparent use of personal data for legitimate purposes. The Act seeks to strike a careful balance between safeguarding the fundamental right to privacy recognized by the Supreme Court in Justice K.S. Puttaswamy (Retd.) vs. Union of India[10] and promoting innovation, economic growth, and digital governance. It introduces a structured regime based on consent-driven data processing, clear obligations for data fiduciaries, enforceable rights for data principals, and accountability through regulatory oversight. By replacing the earlier fragmented and limited framework under the Information Technology Act, 2000 and the SPDI Rules, 2011, the DPDP Act aims to create a uniform, rights-based, and enforceable system of data protection suited to India’s rapidly expanding digital economy.

4.3 Legislative background

The legislative background of the Digital Personal Data Protection Act, 2023 is rooted in India’s evolving constitutional and policy recognition of privacy and data protection. The journey formally began after the Supreme Court’s landmark decision in Justice K.S. Puttaswamy (Retd.) vs. Union of India, which declared the right to privacy as a fundamental right under Article 21[11] of the Constitution. In its judgment, the Court underscored the urgent need for a robust data protection framework to safeguard informational privacy in the digital age.

Following this, the Government of India constituted the Justice B.N. Srikrishna Committee in 2017[12] to examine issues relating to data protection and recommend a comprehensive legal framework. The Committee submitted its report in 2018 along with a draft Personal Data Protection Bill, proposing a structured regime based on consent, accountability, and regulatory oversight. Subsequently, the Personal Data Protection Bill, 2019 was introduced in Parliament and referred to a Joint Parliamentary Committee, which suggested several modifications. However, due to concerns over complexity and scope, the 2019 Bill was withdrawn in 2022 to allow for a fresh, simplified framework. After public consultations and revised drafting, the Digital Personal Data Protection Bill, 2023 was introduced and ultimately enacted as the Digital Personal Data Protection Act, 2023.

 

 

  1. THE ARCHITECTURE OF THE DPDP ACT, 2023 RIGHTS, DUTIES, AND ENFORCEMENT

5.1 CONSENT-BASED DATA PROCESSING UNDER THE DPDP ACT, 2023
The DPDP Act, 2023 establishes consent as the primary legal basis for processing digital personal data. The statutory foundation for this principle is laid down in Section 4, which provides that a Data Fiduciary may process personal data only for a lawful purpose and either with the consent of the Data Principal or for certain “legitimate uses” expressly recognized under the Act.

Under Section 6, consent must satisfy specific statutory standards. It must be Free, Specific, Informed, Unconditional, Unambiguous. This means implied consent, pre-ticked boxes, or vague privacy clauses do not meet the statutory threshold. Consent must relate to a clearly defined purpose, and the Data Principal must understand what data is being processed and why. The Act further mandates that a request for consent must be accompanied by a clear and plain notice, containing: – the personal data to be collected, the purpose of processing, the manner in which the Data Principal may exercise their rights, The process for grievance redressal. his introduces transparency as a mandatory element of lawful processing.

Right to Withdraw Consent (Section 6(4)) explicitly provides that the Data Principal has the right to withdraw consent at any time, and the process for withdrawal must be as easy as the process of giving consent. Once consent is withdrawn, the Data Fiduciary must cease processing the personal data unless it is required for a legitimate use under Section 7. This strengthens informational self-determination by ensuring that control over personal data remains with the individual.

Burden of Proof (Section 8) Under Section 8, the Data Fiduciary bears the responsibility of ensuring compliance with the Act. This includes maintaining records and demonstrating that valid consent was obtained in accordance with statutory requirements. The accountability lies on the entity processing the data, not the individual.

 

5.2 RIGHTS OF DATA PRINCIPALS UNDER THE DPDP ACT, 2023

Under Section 11 of the DPDP, 2023, a Data Principal is granted the statutory right to obtain information from a Data Fiduciary regarding the processing of their personal data. This includes the right to seek confirmation as to whether their personal data is being processed, access a summary of the personal data being processed, understand the specific purposes and nature of such processing activities, and obtain details of the identities of other Data Fiduciaries or Data Processors with whom the data has been shared.

Under Section 12 of the Digital Personal Data Protection Act, 2023, the Data Principal is provided with the right to seek correction, completion, and erasure of their personal data held by a Data Fiduciary. This includes the right to correct inaccurate or misleading information, update incomplete data to ensure accuracy, and request the deletion of personal data when it is no longer necessary for the purpose for which it was originally collected. However, the Act also imposes a limitation on the right to erasure, allowing retention of data where it is required under applicable law or for compliance with legal obligations. This provision plays a crucial role in operationalizing the principles of data accuracy, storage limitation, and purpose limitation, thereby ensuring that personal data remains relevant, up-to-date, and not retained indefinitely without justification.

Under Section 13 of the Digital Personal Data Protection Act, 2023, the Data Principal is granted the statutory right of grievance redressal in relation to the processing of their personal data. This provision enables an individual to first approach the Data Fiduciary directly with any complaint or concern regarding the handling of their data, ensuring that issues can be addressed at the organisational level. In cases where the response of the Data Fiduciary is unsatisfactory or no resolution is provided, the Data Principal has the further right to escalate the matter to the Data Protection Board of India for adjudication.

Section 14 introduces a distinctive provision allowing a Data Principal to nominate another person to exercise their rights in the event of death or incapacity. This is particularly significant in the digital age, where personal data continues to exist and hold value even after an individual’s lifetime.

5.3 OBLIGATION OF DATA FIDUCIARIES

First, a Data Fiduciary shall process personal data only for a lawful purpose and in accordance with valid consent or any other lawful uses permitted under the Act. It must also guarantee purpose limitation, meaning that data collected for a particular purpose cannot be arbitrarily reused for other purposes. The Fiduciary must also maintain the accuracy of the data. It must take reasonable steps to ensure that personal data is complete and up to date, especially where such data is used to make decisions about individuals.

The Act also imposes a heavy obligation of security safeguards on Data Fiduciaries, who has to implement adequate technical and organisational measures to prevent breaches of data, unauthorised access or accidental disclosure. In case of a personal data breach, the Fiduciary shall inform the Data Principals affected and also the Data Protection Board of India, thereby ensuring transparency and accountability. The Act also provides for the limitation of retention, by which personal data should be deleted immediately after the purpose of the data has been fulfilled unless the law imposes a legal obligation to retain such data. Together, these obligations place the onus on organisations handling data, turning compliance into a legal obligation rather than a matter of choice, thereby enhancing trust and accountability in India’s digital ecosystem.

5.4 DATA PROTECTION BOARD OF INDIA

The Board has an important enforcement and accountability function under the Act. The Board may examine the matter, conduct enquiries and determine whether a Data Fiduciary has failed to comply with statutory obligations in case of a data breach or when a complaint is filed by a Data Principal under grievance redressal provisions. The Data Protection Board provides a dedicated institutional mechanism, which is exclusively focused on enforcement of data protection as against earlier frameworks under the Information Technology Act, 2000, which did not have a specialised privacy regulator and relied largely on general adjudicating officers.

A key function of the Board is the power to levy substantial financial penalties on bodies breaching data protection obligations particularly in cases of negligence, failure to implement security safeguards, or unlawful data processing. It also ensures timely resolution of complaints, thereby providing individuals with an effective remedy in cases of privacy infringement. In addition, the Board is empowered to direct corrective measures, ensuring that organisations not only face penalties but also improve compliance practices.

5.5 PENALTIES

Perhaps the most striking feature of the Act is the level of financial penalties it allows. In cases of serious non-compliance, fines can be up to ₹250 crore per breach depending on the nature, gravity and repetitive conduct of the violation. This is not only punitive but also preventive in nature, as it forces organisations, especially large technology companies, banks and fintech platforms, to put in place stronger cybersecurity systems and governance practices. Unlike the earlier frameworks formulated under the Information technology Act, 2000 where penalties were relatively less and enforcement was inconsistent, the DPDP Act provides a structured and deterrent based approach to enforcement. Breach in observance of duty of Data Principal up to INR10,000. Failure to notify the Data Protection Board and affected Data Principals in the event of a personal data breach is up to INR 200 crore. reach in observance of additional obligation in relation to children up to INR 200 crore.

The sincerity of this penalty structure lies in its purpose: to recognise that a data breach is not just a technical failure but a direct violation of individual privacy and trust. By imposing high financial consequences, the law ensures that organisations treat personal data protection as a core responsibility rather than a secondary compliance requirement. In this way, the penalty regime strengthens accountability, reinforces user trust, and ensures that India’s digital ecosystem operates with greater responsibility and caution.Bottom of Form

  1. A PROMISING FRAMEWORK WITH OPEN QUESTIONS: CRITICALLY ASSESSING THE DPDP ACT, 2023

The Digital Personal Data Protection Act, 2023, while a major step towards creating a structured data protection regime in India, has also raised significant concerns, highlighting the ongoing tensions between privacy protection, regulatory control, and individual rights. One of the main criticisms is the broad scope of exemptions given to the State, which allow government agencies to process personal data without the same consent-based restrictions that apply to private entities. This raises questions about the balance between individual privacy and State power particularly in the absence of strong independent oversight mechanisms.

Another important issue is the limited independence and structure of the Data Protection Board of India responsible for enforcement and adjudication of data protection violations. Critics say its composition and functioning may not ensure the level of institutional independence required for a truly independent privacy regulator. In addition, there have been questions raised about the depth of privacy protection available to individuals due to the comparatively weaker focus of the Act on data minimisation and purpose limitation principles compared to global standards such as the GDPR framework.

Further, the Act has been criticised for lack of detailed sector specific safeguards, especially for sensitive sectors like health, financial and biometric data which are highly vulnerable to misuse. While the Act introduces a consent-based framework and imposes obligations on Data Fiduciaries, questions remain about the practical effectiveness of enforcement mechanisms and the capacity of regulatory institutions to handle large-scale digital ecosystems.

Overall, while the Digital Personal Data Protection Act, 2023 marks a major legislative milestone in India’s privacy landscape, these open questions highlight that its effectiveness will ultimately depend on implementation, regulatory independence, and judicial interpretation in the years ahead.

[1] Information Technology Act is Act No. 21 of 2000

[2] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (G.S.R. 313(E), dated 11-04-2011)

[3] https://www.business-standard.com/article/finance/over-290-000-cyber-security-incidents-related-to-banking-reported-in-2020-121020401220_1.html

[4] https://timesofindia.indiatimes.com/india/india-reported-11-8-rise-in-cyber-crime-in-2020-578-incidents-of-fake-news-on-social-media-data/articleshow/86230597.cms

[5] https://economictimes.indiatimes.com/industry/banking/finance/banking/11997-cards-net-banking-frauds-reported-in-apr-dec-2015/articleshow/51157269.cms?from=mdr

[6] People’s Union for Civil Liberties v. Union of India & Anr., (1997) 1 SCC 301

[7] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1; AIR 2017 SC 4161

[8] Shreya Singhal v. Union of India, (2015) 5 SCC 1 ; AIR 2015 SC 1523

[9] Anuradha Bhasin v. Union of India & Ors., (2020) 3 SCC 637; AIR 2020 SC 1308.

[10] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1; AIR 2017 SC 4161

[11] Constitution of India, art. 21

[12] Justice B.N. Srikrishna Committee Report (2018), MeitY, Government of India

BY- Sameer Kumar Rajak, 1st year
Student of Chanakya National Law University, Patna

Need Legal Assistance?

If you need help with legal matters, our experienced team can guide you through the process and protect your rights.

Contact Us
Call Us For Consultation