Act, 2023 was introduced to fill this gap by creating a structured legal framework for data protection.

A central feature of the Act is the concept of consent. Personal data can be collected and processed only with clear and informed consent from the individual, known as the “data principal.” Consent must be specific, voluntary, and capable of being withdrawn. In certain situations, such as providing government services or complying with legal obligations, data may be processed without consent, but only for defined and lawful purposes. This approach attempts to balance individual rights with administrative and economic needs.

The Act grants several important rights to individuals. These include the right to access information about how their data is being used, the right to correct inaccurate data, and the right to have personal data erased when it is no longer needed. Individuals can also nominate another person to exercise these rights on their behalf. By recognising these rights, the law empowers citizens and increases transparency in data handling practices.

At the same time, the Act places clear responsibilities on organisations that collect or process data, known as data fiduciaries. They must take reasonable steps to ensure data security and prevent breaches. Certain entities classified as significant data fiduciaries are required to follow additional safeguards due to the volume or sensitivity of the data they handle. Penalties for non-compliance are substantial, which is intended to encourage responsible behaviour.

An important institutional feature of the law is the establishment of the Data Protection Board of India. This body is responsible for enforcing the Act, handling complaints, and imposing penalties. Its role is crucial in ensuring that the law is applied fairly and effectively. The independence and functioning of the Board will significantly influence public trust in the data protection system.

In the current situation, the Digital Personal Data Protection Act, 2023 is still in the early stages of implementation. Many organisations are adjusting their data practices to comply with the new requirements. At the same time, concerns have been raised about exemptions granted to the government in the interests of national security and public order. Critics argue that broad exemptions may weaken privacy protections if not carefully monitored. There are also concerns about the capacity of the regulatory authority to handle complaints efficiently.

Despite these challenges, the Act is widely seen as a positive step toward protecting privacy in India’s digital ecosystem. It brings India closer to global data protection standards and provides clarity to both individuals and businesses. However, its effectiveness will depend on transparent rule-making, responsible enforcement, and continued public awareness.

In conclusion, the Digital Personal Data Protection Act, 2023 represents a crucial effort to safeguard personal data in an increasingly digital society. By recognising individual rights and imposing obligations on data handlers, the law seeks to create a fair and trustworthy digital environment. With careful implementation and strong oversight, it has the potential to strengthen privacy while supporting India’s digital growth.