Until recently, India did not have a single, clear law dedicated to protecting people’s personal information. Companies and government departments collected names, phone numbers, Aadhaar details, browsing data, shopping histories — often without asking properly or explaining how they used it. The Supreme Court’s landmark Justice K.S. Puttaswamy (Retd.) vs. Union of India decision in 2017 changed this conversation forever by declaring privacy a fundamental right under Article 21 of the Constitution. But India still needed a practical law to make that right real.

In August 2023, Parliament passed the Digital Personal Data Protection Act, 2023. It aims to give every Indian better control over how their data is collected, stored, and shared — and to hold companies and government bodies accountable if they misuse it.

The law’s core promise is simple: your personal data cannot be collected or used without your clear permission. This permission must be free, informed, specific, and easy to understand. Companies can no longer hide behind complicated terms and conditions. They must tell you what they want, why they want it, and how they plan to use it. If you change your mind later, you can withdraw your consent just as easily.

The new law applies to any business, big or small, that handles digital personal data in India. It also covers foreign companies if they handle Indians’ data. If they break the rules, they face strict penalties, with fines going up to 250 crore rupees for serious violations such as failing to protect data properly or not reporting leaks.

The law gives every person clear rights over their data. You have the right to know what data a company holds about you. You can ask for it to be corrected if it’s wrong. You can even ask for it to be deleted when it is no longer needed. If you have a problem with how your data is handled, you can complain first to the company. If they don’t fix it, you can approach the new Data Protection Board of India, which has the power to investigate and punish wrongdoers.

Children’s privacy is given extra protection. If you are under 18, companies must get permission from your parent or guardian before collecting your personal data. This will force apps, social media platforms, gaming sites, and edtech companies to tighten their rules for young users. Some argue this age limit might create practical issues — especially for teens who use the internet freely — but for now, that is the law.

Another important question is about cross-border data flows. Earlier drafts of India’s privacy bill required that certain sensitive data stay within India’s borders. The final law is more flexible. It allows your data to move abroad, unless the government decides to block transfers to certain countries for security or policy reasons. This openness makes life easier for global tech companies and outsourcing businesses but also leaves some uncertainty about when new restrictions might pop up.

One big concern is the government’s wide powers under the Act. For reasons like national security or maintaining public order, the government can exempt its own agencies from some rules. Critics worry this could weaken privacy protections when the state collects data on citizens. In the Aadhaar judgment (part of the larger Puttaswamy saga in 2018), the Supreme Court stressed that state data collection must follow the test of necessity and proportionality. Many believe similar checks and balances should be clearly built into this new law too.

Another challenge is enforcement. The Data Protection Board is brand new. Its independence, resources, and power to act quickly will decide how seriously companies take the law. If the Board becomes a rubber stamp, the rights promised on paper may mean little in practice.

For businesses, the law brings new duties and costs. Companies must rewrite privacy policies, redesign consent forms in simple language, train staff, and build systems to handle requests from users who want to see, correct, or delete their data. Bigger companies can manage this. For small startups, the burden might feel heavier — though the law promises to ease some rules for new businesses.

Despite its flaws, the Digital Personal Data Protection Act, 2023 is a big leap for India. For the first time, people have clear legal rights over their data, and companies can be punished for playing fast and loose with private information. It’s not perfect — the government’s wide exemptions and the real-world test of the Board’s independence still worry privacy experts. But it brings India closer to global standards, and it shows that your privacy is no longer just a nice idea — it is a right, backed by law.

Contributed by Vaibhav Goyal (Intern)