The notification of the Digital Personal Data Protection (DPDP) Rules, 2025, operationalizing the Digital Personal Data Protection Act, 2023, marks a significant juncture in India’s data governance landscape. The Act is a legislative response to the Supreme Court’s landmark K.S. Puttaswamy Judgment (2017), which declared the Right to Privacy as a Fundamental Right under Article 21 of the Constitution. The Act and its subsequent Rules aim to establish a framework for the processing of digital personal data that respects individual rights while fostering a compliant, innovation-friendly digital economy.
Why in the News?
The Act is in the news because the government has recently notified the DPDP Rules, 2025. These rules provide the procedural and operational clarity necessary to implement the Act’s provisions, including:
- Establishment of the Data Protection Board of India (DPBI): This is the key adjudicatory and enforcement body.
- Phased Implementation: Key provisions related to user consent, breach notification, and right to erasure are on a phased rollout (12-18 months), allowing entities time to transition.
- Controversial Amendments: The immediate effect of the amendment to the Right to Information (RTI) Act, 2005, has sparked debate regarding transparency versus privacy.

Key Components
The DPDP Act, 2023, is a crucial topic for its intersection with governance, fundamental rights, digital economy, and public policy.
1. Core Principles and Definitions
| Term | Definition/Core Principle | Relevance for Governance |
| --- | --- | --- |
| Data Principal | The individual to whom the personal data relates (e.g., a citizen/user). | Empowerment through rights like Right to Erasure and Correction. |
| Data Fiduciary | Any person (entity, government, or company) who determines the purpose and means of processing personal data. | Establishes Accountability and clear obligations on data handlers. |
| Consent & Transparency | Consent must be free, specific, informed, unconditional, and unambiguous with a clear affirmative action (no pre-ticked boxes). | Fosters user trust and autonomy over their data. |
| Purpose Limitation | Personal data can only be used for the specific purpose for which consent was taken. | Curbs indiscriminate data harvesting and surveillance capitalism. |
| Data Minimisation | Data Fiduciaries must collect only the personal data essential for the specified purpose. | Reduces the risk of data breaches and misuse. |
2. Institutional Framework
The Act creates a dedicated enforcement body:
- Data Protection Board of India (DPBI):
  - Role: Monitor compliance, address data principal grievances, and impose penalties.
  - Functioning: Designed to be a digital office for efficient filing and tracking of complaints.
  - Appeals: Decisions of the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
3. Rights and Duties of Data Principals
The Act grants significant rights to individuals, making it a citizen-centric framework:
- Right to Access: The right to obtain a summary of personal data being processed and the processing activities.
- Right to Correction and Erasure: The power to demand the correction of inaccurate data and the erasure of data that is no longer necessary for the specified purpose.
- Right to Grievance Redressal: The right to approach the Data Fiduciary first, and then the DPBI if the grievance is unresolved within 90 days.
- Duty of Data Principal: A new and unique inclusion, requiring the data principal to provide accurate information and not register false or frivolous grievances.
4. Obligations of Data Fiduciaries
These obligations establish a compliance-driven ecosystem:
- Security Safeguards: Must implement reasonable security measures (e.g., encryption, access controls) to prevent a personal data breach.
- Breach Notification: Must notify the DPBI and affected data principals without delay in the event of a personal data breach.
- Significant Data Fiduciaries (SDFs): Entities classified based on the volume, sensitivity of data, and risk to sovereignty or public order (e.g., major tech companies). They face stricter obligations, including:
  - Appointing a Data Protection Officer (DPO).
  - Conducting Data Protection Impact Assessments (DPIA).
  - Undergoing a periodic independent Data Audit.
5. Cross-Border Data Transfer and Children’s Data
- Cross-Border Data Transfer: Personal data can be transferred outside India, but the Central Government retains the power to restrict transfer to certain countries/territories based on security considerations. This introduces an element of conditional data localisation.
- Protection of Children’s Data:
  - Mandates verifiable parental or lawful guardian consent for processing the personal data of a child (under 18).
  - Prohibits behavioural tracking or targeted advertising directed at children.
Critical Analysis: Concerns and Way Forward
Concerns for Transparency and Accountability
- Dilution of the RTI Act (Section 44(3)): The most criticized provision is the amendment to Section 8(1)(j) of the RTI Act, 2005.
  - Original Provision: Allowed the disclosure of personal information if the “larger public interest” justified it.
  - Amended Provision: Removes the “larger public interest” override, allowing government agencies to potentially withhold all “personal information” of public officials (like their assets, qualifications, or records of misconduct), thereby undermining transparency and public accountability in governance.
- Broad Government Exemptions: The Act grants wide-ranging exemptions to the Central Government and its instrumentalities from the Act’s provisions for reasons like national security, friendly relations with foreign states, and public order. This may lead to unchecked processing of citizens’ data and potential for surveillance.
- Delayed Implementation of Key Rights: The phased rollout of 12-18 months for core citizen rights (like informed consent and right to erasure) and fiduciary obligations means that the full protective framework will not be immediately available to citizens.
- Capacity of DPBI: Concerns exist over the initial capacity and independence of the DPBI to regulate a vast digital economy and enforce the law against global tech giants effectively.
Way Forward and Conclusion
The DPDP Act, 2023, is a necessary and foundational step towards protecting the fundamental right to privacy in India’s rapidly expanding digital space. To ensure it achieves its full potential while safeguarding democratic principles, the following steps are crucial:
- Harmonising RTI and DPDP: Revisit the amendment to Section 8(1)(j) of the RTI Act to explicitly restore the public interest override. A clear, case-by-case balancing test, as affirmed by courts, is essential to prevent the law from becoming a “Right to Deny Information.”
- Judicial/Parliamentary Oversight: Ensure that the exercise of government exemptions is subject to robust and transparent oversight to prevent arbitrary state access and surveillance.
- Clarity in Definitions: Clarify ambiguous terms like “reasonable purposes” and “public order” in the Rules to limit the scope for subjective and arbitrary interpretation by authorities.
- Independent DPBI: Ensure the DPBI is functionally and financially independent, staffed with adequate technical and legal expertise to enforce the law stringently.
The ultimate success of the Act will depend on its implementation: striking a sustainable balance between the citizen’s right to privacy and the state’s need for legitimate data access for public good and national security, without sacrificing the spirit of transparency championed by the RTI Act.
Source: Too little, much later: on the Digital Personal Data Protection Rules, 2025 – The Hindu
UPSC CSE PYQ
| Year | Question |
| --- | --- |
| 2024 | Describe the context and salient features of the Digital Personal Data Protection Act, 2023. |
| 2024 | Right to privacy is intrinsic to life and personal liberty and is inherently protected under Article 21 of the Constitution. Explain. In this reference, discuss the law relating to DNA testing of a child in the womb to establish its paternity. |
| 2021 | Data security has assumed significant importance in the digitized world due to rising cyber crimes. The Justice B.N. Srikrishna Committee Report addresses issues related to data security. What, in your view, are the strengths and weaknesses of the Report relating to protection of personal data in cyberspace? |
| 2020 | “Recent amendments to the Right to Information Act will have profound impact on the autonomy and independence of the Information Commission.” Discuss. |
| 2018 | ‘Right to Privacy’ is protected as an intrinsic part of ‘Right to Life and Personal Liberty’. Do you agree with this statement? Give reasons in support of your answer. |
| 2017 | The Indian Constitution exhibits centralizing tendencies to maintain unity and integrity of the nation. Elucidate in the perspective of the e-governance initiative as a tool for administrative reform and achieving ‘Minimum Government, Maximum Governance’. |
| 2013 | What are social networking sites and what security implications do these sites present? |