Scope and Objectives of the Digital Personal Data Protection Act, 2023: Constitutional Alignment and Policy Framework

Introduction
The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a defining moment in India’s regulatory and constitutional journey. While India has long grappled with data protection under the Information Technology Act, 2000, and sectoral regulations, the DPDP Act is the first comprehensive legislation designed to address the rights of individuals and obligations of entities handling personal data.
The Act’s scope and objectives cannot be understood in isolation; they are deeply embedded in India’s constitutional jurisprudence, particularly the recognition of the Right to Privacy as a Fundamental Right under Justice K.S. Puttaswamy (Retd.) v. Union of India (2017). This essay examines the reach of the DPDP Act in India, its underlying objectives, and how it aligns with, and occasionally diverges from, constitutional principles.
Historical and Constitutional Background
From IT Act to Privacy-Centric Regulation
- Before the DPDP Act, India’s framework for data protection was limited to Section 43A and Section 72A of the IT Act, 2000, alongside the 2011 SPDI Rules. These provisions focused narrowly on “sensitive personal data,” leaving wide gaps in enforcement and individual protection.
- The landmark judgment in Puttaswamy (2017) compelled the State to recognize informational privacy as a facet of Article 21. The judgment emphasized the need for a comprehensive data protection law to ensure that personal data is collected and processed in a manner consistent with constitutional guarantees of dignity, liberty, and autonomy.
Policy Milestones
- 2017: Justice B.N. Srikrishna Committee constituted to draft a data protection framework.
- 2018: Committee report and draft bill stressed the idea of “data as a public good” but anchored it in individual rights.
- 2019–2022: Multiple drafts of the Personal Data Protection Bill faced parliamentary review and criticism over government exemptions.
- 2023: DPDP Act finally enacted, balancing individual rights with state and corporate obligations.
Scope of the DPDP Act, 2023
Territorial Scope
- Data processed within India, irrespective of where the data principal resides.
- Data processed outside India if it relates to goods or services offered to individuals within India.
This aligns with global practices like the extraterritorial application of the GDPR, reflecting the recognition that data flows are borderless.
Material Scope
The Act exclusively covers digital personal data:
- Data that is digitally collected or subsequently digitized.
- Excludes non-digitized personal data.
- Excludes data processed for personal or domestic purposes.
This is narrower than GDPR, which covers both automated and structured manual data. However, the choice reflects India’s pragmatic focus on digital-first regulation, given the sheer volume of digitized citizen and business data.
Categories of Data and Fiduciaries
- No distinction between “personal data” and “sensitive personal data” (unlike prior drafts).
- Introduces the concept of Data Fiduciaries (DFs) and Significant Data Fiduciaries (SDFs), based on risk assessment thresholds.
Objectives of the DPDP Act
The stated objectives of the Act are both individual-centric and economic-policy driven:
1. Protecting Individual Autonomy and Dignity
The Act operationalizes the right to informational privacy by ensuring that personal data cannot be processed without:
- Consent: Must be free, informed, specific, and unambiguous.
- Notice: Must be clear and accessible, available in regional languages.
This empowers individuals to exercise control over their digital identity, in line with constitutional guarantees.
2. Enabling Data-Driven Innovation
- The Act acknowledges that data is a driver of the digital economy. By creating clear compliance standards, it aims to build trust in India’s digital ecosystem, encouraging innovation in AI, fintech, health tech, and e-commerce.
3. Ensuring Accountability of Data Fiduciaries
Entities processing data are obligated to:
- Implement reasonable security safeguards.
- Respect data principal rights.
- Notify the Data Protection Board in case of breaches.
This aligns with the principle of accountability, central to global privacy frameworks.
4. Institutional Oversight
- The establishment of the Data Protection Board of India (DPB) as a regulatory authority ensures a quasi-judicial enforcement mechanism. While questions remain about its independence, the DPB provides a formal institutional framework.
5. Balancing State Interests and Individual Rights
- The Act explicitly exempts certain state functions (e.g., law enforcement, sovereignty, public order). While this raises concerns about overbroad exemptions, the objective is to reconcile constitutional privacy rights with national security and governance needs.
Constitutional Alignment of the DPDP Act
A) Puttaswamy Principles
The Act reflects the three-pronged proportionality test laid down in Puttaswamy:
- Legality – Processing is authorized by law (DPDP itself).
- Legitimate Aim – Pursues objectives like data protection, innovation, governance.
- Proportionality – Consent, notice, and rights serve as checks on overreach.
B) Article 14 (Equality and Non-Arbitrariness)
The Act applies uniformly to all entities processing personal data, subject to risk-based obligations for SDFs. However, broad government exemptions may attract challenges for violating Article 14 by granting arbitrary powers.
C) Article 19 (Freedom of Speech and Expression)
Privacy is closely tied to free expression, as seen in Shreya Singhal v. Union of India (2015). By protecting informational autonomy, the DPDP Act indirectly fortifies free speech in the digital domain.
D) Article 21 (Life and Personal Liberty)
At its core, the Act is a statutory manifestation of Article 21. By regulating how personal data is used, it protects dignity, autonomy, and personal liberty.
Key Critiques and Limitations
- Government Exemptions
Section 17 grants wide exemptions to the State, allowing data processing without consent for reasons like “sovereignty” and “public order.” Critics argue this risks constitutional overreach and weakens the proportionality standard.
- Absence of Sensitive Data Classification
Unlike GDPR, the DPDP Act does not differentiate between ordinary and sensitive personal data (health, biometrics, financial). This may dilute safeguards for highly sensitive information.
- Limited Individual Rights
While rights to access, correction, and erasure are recognized, the absence of a robust Right to Data Portability and Right to be Forgotten limits the empowerment of data principals.
- Institutional Independence
The Data Protection Board is appointed by the Central Government, raising concerns about its independence and impartiality.
Comparative Perspective: GDPR vs. DPDP
- Extraterritoriality: Both laws extend beyond borders.
- Consent and Notice: Both emphasize explicit consent.
- Rights: GDPR provides broader rights (portability, objection, automated decision-making).
- Exemptions: GDPR provides narrow, specific exemptions, whereas DPDP’s exemptions are broader.
- Regulator Independence: GDPR mandates independent supervisory authorities; DPDP’s regulator is executive-controlled.
This comparison highlights India’s attempt to balance individual rights with state-centric governance priorities.
Sectoral Impact of the DPDP Act
Fintech and Banking
- Stricter obligations on financial institutions to secure digital transactions.
- Impacts credit rating, digital lending, and KYC compliance.
Healthcare and Health-Tech
- Patient data, telemedicine records, and insurance data must comply with consent requirements.
- Absence of sensitive data classification raises concerns for genetic and biometric data.
Employment and HR Data
- Employers as data fiduciaries must manage employee data with notice and consent.
- Employee surveillance, background verification, and HR analytics come under scrutiny.
Startups and MSMEs
- Risk-based compliance ensures smaller entities are not disproportionately burdened.
- Provides a clearer compliance roadmap for data-driven startups.
Future Outlook
The DPDP Act is not the final word—it is part of a broader Digital India legislative ecosystem, which will include:
- Digital India Act – to replace the IT Act, 2000.
- Sectoral privacy rules – especially in finance, telecom, and healthcare.
- AI governance frameworks – addressing algorithmic accountability.
As India positions itself as a global digital hub, the DPDP Act serves both as a constitutional safeguard and a strategic economic policy instrument.
Conclusion
The scope and objectives of the DPDP Act, 2023 are deeply intertwined with India’s constitutional commitment to privacy. By embedding consent, accountability, and individual rights within a statutory framework, the Act reflects the spirit of Puttaswamy while also addressing the practical needs of a rapidly digitizing economy.
Yet, its broad government exemptions, absence of sensitive data distinctions, and questions over regulatory independence present ongoing challenges. As jurisprudence develops, the Act will likely face judicial scrutiny to ensure it remains consistent with constitutional guarantees.
Ultimately, the DPDP Act is both a legal milestone and a policy experiment—one that must evolve alongside technology and society to fully realize its promise of protecting individual dignity in the digital age.
Contributed By – Aurelia Menezes