The Digital Personal Data Protection Act 2023: Consent Frameworks, Deemed Consent, and the Architecture of Data Fiduciary Obligations

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s most consequential legislative intervention in data governance since the Information Technology Act of 2000. Receiving Presidential assent on 11 August 2023, it arrives after nearly six years of iterative drafting processes that produced three preceding bills, each withdrawn or revised in response to evolving constitutional interpretations, industry pushback, and civil society concerns. The Act’s arrival follows the Supreme Court’s unanimous recognition of the right to privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), which rendered the absence of a statutory data protection framework constitutionally untenable.

Yet the DPDP Act is not merely a delayed response to a constitutional imperative. It reflects a deliberate set of policy choices about how India wishes to balance individual autonomy over personal data against the interests of the digital economy, state surveillance capacity, and the operational realities of India’s vast technology sector. These choices are embedded most visibly in the Act’s consent framework, the expansive grounds of deemed consent, the graduated obligations imposed on data fiduciaries, and the architecture of the Data Protection Board of India. Understanding these choices, the controversies they have generated, and the gaps left by the still-pending implementing rules is essential for any practitioner or policymaker working in this space.

Legal Framework

The DPDP Act operates around a central definitional binary: the data fiduciary (any person who alone or in conjunction with others determines the purpose and means of processing digital personal data) and the data principal (the individual to whom the personal data relates). This mapping draws from the GDPR’s controller-processor distinction, though with notable departures that reflect India’s specific regulatory philosophy.

Section 4 of the Act establishes the foundational rule: personal data may be processed only for a lawful purpose, either with the consent of the data principal or for certain legitimate uses enumerated in Section 7. The Act restricts its scope to digital personal data, meaning personal data collected in digital form or collected in non-digital form and subsequently digitised. This is a narrower scope than many global counterparts and represents a deliberate choice to avoid burdening India’s vast informal economy with data protection obligations.

Section 6 governs the consent mechanism. Consent must be free, specific, informed, unconditional, and unambiguous, indicated through a clear affirmative action. Notice must precede or accompany consent, and the notice must describe in clear, plain language the personal data to be collected, the purpose of processing, and the manner in which the data principal may exercise their rights. A consent manager, an entity registered with the Data Protection Board, may manage consent on behalf of data principals. The consent manager framework is one of the more innovative elements of the Act, intended to address the practical problem of fragmented consent across multiple platforms and services.

Section 7 sets out the grounds of deemed consent, which the Act terms “certain legitimate uses.” These grounds permit processing without explicit consent for purposes including the performance of a function of the state, compliance with a legal obligation, medical emergencies or health epidemics, employment-related processing, and processing necessary for purposes related to sovereign functions. The breadth of Section 7 has attracted significant scholarly and civil society criticism, which is addressed below.

The obligations of data fiduciaries are detailed in Sections 8 through 11. Section 8 imposes general duties: ensuring accuracy of data, implementing reasonable security safeguards, providing mechanisms for data principals to exercise their rights, and erasing data when the purpose is served or consent is withdrawn. Section 9 creates a protective ring around children’s data, prohibiting the tracking, behavioural monitoring, or targeted advertising directed at children, and requiring verifiable parental consent before processing data of minors below 18 years.

Section 10 creates the category of Significant Data Fiduciary (SDF), designated by the Central Government on the basis of the volume and sensitivity of data processed, potential risk to data principals, national security implications, or impact on sovereignty. SDFs face additional obligations including the appointment of a Data Protection Officer based in India, the retention of an independent data auditor, and the periodic conduct of data protection impact assessments.

The Data Protection Board of India, established under Chapter VI, is empowered to inquire into personal data breaches and complaints, impose financial penalties, and direct remedies. The Board is an executive rather than a judicial body, with its decisions subject to appeal before the Telecom Disputes Settlement and Appellate Tribunal and thereafter to the High Courts.

Judicial Developments

The DPDP Act operates within a constitutional framework substantially shaped by the Supreme Court. The Puttaswamy judgment (2017) established that privacy is a fundamental right, and while the Court did not invalidate the absence of a data protection statute, it urged Parliament to enact one. Several subsequent decisions have refined the contours of this right in digital contexts.

In Binoy Viswam v. Union of India (2017), the Court upheld the Aadhaar Act against privacy challenges, though it read down certain provisions relating to private sector use of Aadhaar authentication. The Court’s observations about the need for a robust data protection statute provided further impetus for legislative action.

The WhatsApp India controversy deserves particular attention as an immediate catalyst. When WhatsApp updated its privacy policy in January 2021, compelling Indian users to accept data sharing with Meta entities or lose access, the Competition Commission of India initiated a suo motu investigation that eventually resulted in a Rs. 213.14 crore penalty in November 2022 for abuse of dominant position. Simultaneously, the Delhi High Court considered a PIL challenging the policy update on data protection grounds. This controversy illustrated the regulatory vacuum then existing and the patchwork use of competition law to address what were fundamentally data privacy concerns. The DPDP Act’s eventual enactment is, in part, a direct response to such controversies.

The Supreme Court in Maneka Gandhi v. Union of India (1978) had established that any procedure established by law affecting fundamental rights must be fair, just, and reasonable. This principle will almost certainly be invoked in future challenges to provisions of the DPDP Act and its implementing rules, particularly the deemed consent provisions and the government’s broad powers of exemption under Section 17.

Contemporary Issues and Analysis

The most contested provision of the DPDP Act is the deemed consent framework in Section 7. Unlike the GDPR, which specifies six distinct lawful bases for processing (consent, contract, legal obligation, vital interests, public task, and legitimate interests), the DPDP Act collapses several of these into a deemed consent paradigm. The legitimate interests basis, which under the GDPR requires a balancing test weighing the controller’s interests against the data subject’s rights, has no direct equivalent in the DPDP Act’s framework.

The deemed consent ground in Section 7(j), permitting processing for any “other legitimate uses as may be prescribed,” is particularly problematic. By delegating the definition of legitimate uses to executive rulemaking rather than setting them out in the statute itself, Parliament has created an open-ended ground whose scope is unknown until the rules are notified. Civil society organisations including the Internet Freedom Foundation have argued that this provision effectively grants the government unchecked authority to legitimise any category of data processing through subsidiary legislation, without parliamentary scrutiny.

The children’s data protection framework in Section 9 has also attracted criticism from a different direction: industry has argued that the 18-year age threshold, the highest among major data protection regimes, and the requirement for verifiable parental consent are technically burdensome and will exclude significant portions of India’s younger population from digital services. Age verification at scale without a centralised identity infrastructure that respects privacy is a genuine technical challenge that the implementing rules will need to address.

The government’s sweeping exemptions under Section 17 represent another significant concern. The section allows the Central Government to exempt any instrumentality of the state from any or all provisions of the Act in the interest of sovereignty, security, or public order. This means that the very agencies most likely to engage in mass data collection, intelligence services, law enforcement bodies, and government departments administering welfare schemes, face the weakest data protection obligations. This is the inverse of the approach taken by the GDPR, which creates specific public sector obligations and places limits on state processing of personal data.

The operationalisation of the Act depends critically on the notification of rules and the establishment of the Data Protection Board, neither of which had occurred as of early 2026. The government released a draft Digital Personal Data Protection Rules in January 2025, followed by a period of stakeholder consultation, but the final rules remained pending. This implementation gap has practical consequences: data principals cannot exercise their statutory rights because the mechanisms to do so do not yet exist, and data fiduciaries face uncertainty about compliance requirements.

Comparative and International Perspective

The GDPR provides the most frequent point of comparison. Its accountability-based framework, requiring data controllers to demonstrate compliance proactively through documentation, privacy by design obligations, and data protection impact assessments, imposes a heavier structural compliance burden than the DPDP Act. However, the GDPR offers broader protections in several respects: it applies to any processing of personal data (not just digital data), it affords stronger rights to data subjects, it requires a legal basis for each processing purpose (rather than permitting deemed consent in broad categories), and it creates genuinely independent supervisory authorities whose independence from government is constitutionally protected under EU law.

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), offer a different model, one focused on opt-out rights rather than opt-in consent, and on transparency through privacy notices rather than prior consent requirements. The CCPA’s right to know, right to delete, right to opt out of sale, and right to non-discrimination provide a functionally different privacy protection architecture that is more business-friendly but arguably less protective of individual autonomy.

Brazil’s Lei Geral de Proteção de Dados (LGPD), enacted in 2018, provides perhaps the closest structural comparison to the DPDP Act among large emerging economies. Both are modelled significantly on the GDPR, both operate in contexts where digital commerce is growing rapidly, and both have faced implementation delays. Brazil’s data protection authority (ANPD) is, however, more independent than the proposed Data Protection Board, which is established by executive action and whose members are appointed by and removable by the Central Government.

Section 16’s cross-border data transfer restrictions are among the Act’s most commercially significant provisions. The section permits transfer of personal data to countries notified by the Central Government as safe destinations. The default is that transfers to non-notified countries are not permitted, though the rules will likely create additional mechanisms. This whitelisting approach differs from the GDPR’s multiple adequacy and transfer mechanism pathways and creates significant compliance complexity for multinational companies.

Practical and Policy Implications

For data fiduciaries operating in India, the DPDP Act creates a set of obligations that will require substantial structural changes to data governance practices. The requirement to provide notice and obtain valid consent before processing introduces friction into data collection flows that many businesses have historically treated as automatic. The consent manager framework, once operationalised, will require integration of third-party consent management infrastructure. The appointment of Data Protection Officers by Significant Data Fiduciaries will create demand for a new professional category that India’s legal and technical talent market is not yet fully equipped to supply.

For consumers, or data principals in the Act’s terminology, the practical reality will depend almost entirely on how effectively the Data Protection Board operates and how readily accessible its complaint mechanisms are. If the Board is adequately resourced and genuinely independent, data principals will have a meaningful avenue to vindicate their rights to access, correction, and erasure. If the Board is underfunded or captured by regulated entities, the rights on paper will remain largely theoretical, as has been the experience with some sectoral regulators.

The intersection of the DPDP Act with India’s broader digital public infrastructure, including the Aadhaar ecosystem, the Account Aggregator framework, and the Open Network for Digital Commerce, will require careful attention. Each of these architectures involves large-scale processing of personal data, and aligning them with DPDP obligations will require regulatory coordination across multiple bodies.

Suggestions and Reforms

Several reforms would strengthen the DPDP Act’s protective capacity without unduly burdening legitimate processing activities. The deemed consent provisions in Section 7 should be replaced with a structured legitimate interests framework that requires an explicit balancing test, documented by the data fiduciary and reviewable by the Data Protection Board. This would align India with international best practice while preserving operational flexibility.

The independence of the Data Protection Board requires structural reinforcement. The current arrangement, where members are appointed by the Central Government and the Board exercises powers that are directly relevant to government data processing, creates an inherent conflict of interest. An appointment mechanism involving a search committee with independent judicial or expert members would enhance credibility.

The exemption in Section 17 for state instrumentalities should be narrowed to apply only where there is a specific, documented national security justification, rather than serving as a blanket carve-out. Parliamentary oversight of exemptions, through a dedicated committee with security clearances if necessary, would introduce accountability without compromising legitimate security interests.

Implementing rules should prioritise the operationalisation of child data protection mechanisms, including age verification standards that are privacy-preserving, and the consent manager registry, which is a genuinely innovative idea that deserves early implementation.

Conclusion

The DPDP Act 2023 is a significant legislative achievement in a country that has debated data protection for nearly a decade. Its consent framework, while imperfect, establishes a statutory basis for individual data rights for the first time. Its architecture of tiered obligations for Significant Data Fiduciaries represents a sensible risk-based approach. Its children’s data protection provisions, though operationally challenging, reflect an appropriate protective impulse.

Yet the Act’s weaknesses are as significant as its strengths. The breadth of deemed consent, the sweeping state exemptions, the executive-controlled Board, and the prolonged delay in implementing rules collectively risk producing a statute that protects data in theory while permitting widespread processing in practice. The test of the DPDP Act will not be in its text but in its implementation, and that test has barely begun. The judiciary, civil society, and a vigilant bar will play an indispensable role in ensuring that the Act’s promise is not hollowed out by executive discretion and regulatory inertia.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these