While India’s first dedicated data protection law promises individual control over personal data, critics warn of state overreach, vague exemptions, and inadequate regulatory mechanisms.
In an age where data is considered the new oil, the Digital Personal Data Protection (DPDP) Act, 2023 was long overdue. To operationalize the law, the government has released the Draft Digital Personal Data Protection Rules, 2025, which lay out the practical framework for enforcement and compliance. Positioned as a landmark piece of legislation, the Act seeks to safeguard the digital privacy of Indian citizens by regulating how personal data is collected, processed, and stored by both private entities and the state.
However, like any law, it comes with its share of complexities and concerns. Beneath its intricate language lie loopholes and ambiguities that could have far-reaching consequences for India’s digital landscape. A data protection law is expected to strike a careful balance between a citizen’s right to privacy and their right to information—both fundamental rights enshrined in the Constitution. Unfortunately, this Act appears to falter on both fronts.
The DPDP Act enshrines crucial rights for individuals—termed Data Principals—such as the right to access, correct, delete, and limit the use of their personal data. It introduces a consent-based framework, requiring organizations to obtain clear and informed consent before collecting personal data. The creation of a Data Protection Board suggests an institutional attempt to oversee compliance and address grievances.
Moreover, the Act has a global outlook. It applies not only to data collected within India but also to data processed overseas if it pertains to Indian citizens, mirroring the extraterritorial ambitions of laws like the European Union’s GDPR.
Despite these merits, the Act contains several troubling gaps. Most notably, the central government has sweeping powers to exempt any of its agencies from the law in the interest of national security, public order, or for “any other reason” it deems fit. These vague and broadly defined clauses risk being misused and significantly weaken the foundation of data protection.
One of the more concerning aspects is the potential impact on the Right to Information (RTI). The Act appears to broaden the exemptions available to Public Information Officers, allowing them to reject RTI applications on the basis that the request “relates to the personal information of an individual.” This threatens to undermine the delicate balance the RTI Act currently maintains between the right to privacy and the right to information—both essential pillars of democratic transparency.
The Act no longer mandates data localization—a requirement present in earlier drafts. This rollback has raised red flags among policy experts who argue that allowing data to be stored overseas may compromise the sovereignty of Indian data and make regulatory enforcement more challenging.
Another critical concern is the lack of robust checks on the Data Protection Board, whose members will be appointed solely by the central government. Legal scholars and Supreme Court judgments have consistently emphasized the need for tribunal independence. Without structural safeguards, the board’s impartiality and credibility remain in doubt.
Perhaps the most glaring omission is the lack of a defined timeline for breach notifications. Unlike international standards, the Act does not require entities to inform affected individuals within a specific period after a data breach. While the law does impose financial penalties, critics argue that the fines may be insufficient to deter large tech companies with deep pockets.
Civil society organizations have also flagged the lack of transparency and consultation in the law’s passage. A legislation meant to empower individuals cannot succeed without public trust—and that trust hinges on transparency, deliberation, and stakeholder involvement.
A Fork in the Digital Road
The DPDP Act is undeniably a necessary step in India’s digital journey. In a world increasingly shaped by algorithms and AI profiling, the need to protect personal data is paramount. But data protection must not become a mirage—granting rights with one hand while revoking them with the other.
India now stands at a critical juncture: will this law serve as a shield for its citizens or a sword in the hands of an unaccountable state? The answer will depend not just on legal text, but on judicial oversight, political will, and a vigilant civil society.
A good data protection law must do more than regulate—it must inspire confidence. The DPDP Act, while commendable in intent, must evolve in practice. To truly protect India’s digital future, privacy must be a non-negotiable principle, not a conditional promise.
(The views expressed in this article are the author’s own and do not necessarily reflect the editorial position of The Chenab Times.)
❤️ Support Independent Journalism
Your contribution keeps our reporting free, fearless, and accessible to everyone.
Or make a one-time donation
Secure via Razorpay • 12 monthly payments • Cancel anytime before next cycle
(We don't allow anyone to copy content. For Copyright or Use of Content related questions, visit here.)
Graduate in travel and tourism management from Jamia Millia Islamia and a passionate storyteller.
