Know Your Rights | Feb. 26, 2026
Your Data, Your Rights: Understanding India’s New Digital Personal Data Protection Framework
By Kashetty Bharath
Centre for Research on Criminal Law, ICFAI Law School, ICFAI University Dehradun
Every day, millions of Indians unlock smartphones, transfer money through UPI platforms, access educational portals, and interact on social media—rarely pausing to reflect on where their personal data travels. Phone numbers, Aadhaar-linked financial information, browsing histories, and location data are routinely collected, stored, analysed, and often shared in ways invisible to the individual. While digitalisation has undeniably improved efficiency and access, it has also intensified risks of surveillance, profiling, fraud, and identity theft.
Against this backdrop, the enactment of the Digital Personal Data Protection Act, 2023, followed by the notification of the Digital Personal Data Protection Rules, 2025, marks a significant contemporary legal development. Together, they seek to operationalise constitutional privacy guarantees within India’s rapidly expanding digital ecosystem.
Everyday Digital Harms: Why Data Protection Matters
Consider a familiar scenario. A student registers for a “free webinar” by submitting basic personal details. Within days, unsolicited calls offering loans and employment opportunities begin flooding in. Consent was never provided for such outreach, yet the data has clearly travelled across unknown corporate networks.
In another common instance, families receive phone calls from individuals impersonating bank officials who already possess partial account details and transaction histories. This insider information is then weaponised to manipulate one-time passwords, leading to substantial financial losses.
These examples underscore that data misuse is no longer hypothetical—it has tangible consequences. Importantly, such harms often stem not from individual negligence, but from weak institutional data practices and inadequate accountability mechanisms.
Privacy as a Constitutional Imperative
The legal foundation for India’s data protection regime lies in the Supreme Court’s landmark judgment in K.S. Puttaswamy v. Union of India (2017), where privacy was recognised as an intrinsic component of the right to life and personal liberty under Article 21 of the Constitution.
The Court acknowledged that in the digital age, unchecked data processing, surveillance, and profiling can chill free speech, enable discrimination, and erode decisional autonomy.
Privacy, therefore, was not framed as an elitist concern, but as a necessary condition for dignity and democratic participation. The judgment created a constitutional mandate for a comprehensive legislative framework regulating personal data.
The DPDP Act: A Rights-Based Framework
The Digital Personal Data Protection Act, 2023, represents India’s first standalone legislation dedicated exclusively to digital personal data. At its core lies a simple but powerful principle: personal data belongs to the individual, even when processed by others.
Under the Act, entities classified as Data Fiduciaries are required to:
1. Provide clear and accessible notice specifying the purpose of data collection
2. Obtain free, informed, and unambiguous consent prior to processing
3. Enable individuals, termed Data Principals, to access, correct, and erase their data
4. Implement reasonable security safeguards to prevent breaches
5. Establish effective grievance redressal mechanisms
Further, Significant Data Fiduciaries, identified based on the volume and sensitivity of data processed, are subject to enhanced compliance obligations such as data protection impact assessments and periodic audits.
This framework signals a shift away from the earlier “notice-and-forget” approach towards a more accountable and participatory model of data governance.
Enforcement and Penalties: From Paper Rights to Real Consequences
A recurring criticism of Indian regulatory regimes has been weak enforcement. The DPDP framework attempts to address this gap through the establishment of a specialised Data Protection Board of India, empowered to investigate complaints, order corrective measures, and impose monetary penalties.
Penalties under the Act range from ₹50 lakh to ₹250 crore, particularly in cases involving failure to prevent data breaches or comply with core obligations. By introducing substantial financial consequences, the law incentivises organisations to treat data protection as a governance priority rather than a procedural formality.
Children, Sensitive Data, and Heightened Protection
One of the more progressive aspects of the DPDP framework is its treatment of children’s data. The law mandates verifiable parental consent and prohibits profiling, behavioural tracking, and targeted advertising directed at children—an important safeguard given the increasing digitisation of education and entertainment.
Additionally, sensitive personal data, including biometrics, health records, caste, and financial information, is accorded higher protection. This recognises that certain categories of data, if misused, can result in irreversible harm and systemic discrimination.
Balancing Privacy and Innovation
A central policy challenge in data protection law lies in balancing individual rights with innovation. Excessively rigid regulation risks stifling start-ups, research, and digital public infrastructure, while lax regulation undermines trust and accountability.
The DPDP regime adopts a calibrated approach through proportionate obligations—lighter compliance requirements for smaller entities and stricter duties for large platforms. It also allows narrowly tailored exemptions for national security and public health, subject to judicial review, thereby retaining constitutional oversight over executive discretion.
Contemporary Relevance: AI, Algorithms, and the Future
The relevance of the DPDP framework is heightened by the rapid expansion of artificial intelligence and algorithmic decision-making. Questions surrounding consent for training data, transparency in automated decisions, and protection against opaque profiling are becoming increasingly urgent.
Whether the DPDP regime can adequately address these challenges will depend on regulatory interpretation, enforcement practices, and future judicial engagement. As India positions itself as a global digital economy, data protection will play a decisive role in shaping public trust.
Conclusion
The Digital Personal Data Protection Act and Rules represent a pivotal moment in India’s digital constitutionalism. By translating the principles articulated in Puttaswamy into enforceable statutory rights, the framework offers individuals meaningful control over their digital identities.
However, the success of this regime will ultimately depend on robust enforcement, institutional capacity, and public awareness. The true measure of India’s data protection law lies not merely in its text, but in its ability to safeguard dignity, autonomy, and trust in everyday digital life.
Disclaimer
This article reflects the author’s academic interpretation of the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, judicial decisions, and government notifications. It is intended solely for informational and educational purposes and does not constitute legal advice.