Data Privacy And Corporate Compliance In India: Constitutional And Governance Perspectives On The Digital Personal Data Protection Act, 2023

Harshita Aggarwal, Bharati Vidyapeeth Institute of Management and Research (BVIMR)

Parth Aggarwal, Bharati Vidyapeeth Institute of Management and Research (BVIMR)

ABSTRACT

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s first dedicated statute on digital personal data and is the legislative culmination of a constitutional debate that began in earnest with the Supreme Court’s recognition of privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India. The Act’s stated objective is to regulate the processing of digital personal data in a manner that balances individuals’ right to protect their data with the need to use such data for lawful purposes. This balance is not a neutral technical exercise. It redistributes power between data principals, corporations and the State, and it reshapes the internal governance of Indian companies that rely on data-intensive business models.

This article offers a critical study of the DPDP Act from the perspective of Indian corporate compliance, located within the broader constitutional and comparative context. It argues that the Act is best understood as a governance statute: it creates duties concerning consent, legitimate uses, accuracy, security, breach notification, erasure, children’s data and Significant Data Fiduciaries, and it establishes the Data Protection Board of India as an adjudicatory body with power to impose substantial penalties. At the same time, the statute suffers from structural weaknesses, including heavy reliance on delegated legislation, broad executive exemptions, an under-specified institutional design for the Board and limited articulation of individual rights compared to leading global regimes.