Right to Life and Freedom from Arbitrary Imprisonment
The Digital Personal Data Protection Act (DPDPA), enacted in 2023, marks a significant stride in India's data privacy landscape. However, as of mid-2025, the Act is yet to be fully implemented or enforced, with critical rules and operational mechanisms still pending finalization.
Enforcement Delay and Ongoing Data Breaches
Despite the Act’s enactment, enforcement including mandatory breach notification, grievance redressal, and data protection board adjudication remains largely inactive. This delay has contributed to ongoing data breaches, such as the June 2025 incidents at companies like Zoomcar, highlighting regulatory gaps and the urgent need for implementation.
Impact on Industries
The Act imposes stringent data privacy obligations, especially on sectors like financial institutions, fintechs, and e-commerce companies. Compliance requires significant investments in new systems and processes to meet lawful processing, consent management, data minimization, and grievance redressal requirements.
Challenges in Children’s Data Protection
The Act introduces provisions aimed at protecting children’s personal data, notably requiring verifiable parental consent and age verification mechanisms. However, practical challenges include increased compliance burdens due to extensive data collection of both children and parents, difficulties in generating/verifying virtual IDs (VIDs) due to digital literacy issues, and privacy concerns stemming from the persistent nature of biometric or virtual tokens.
Policy and Regulatory Outlook
Final DPDP Rules are still awaited following public consultations by the Ministry of Electronics and Information Technology (MeitY). Immediate operationalization and enforcement are critical to preventing further data breaches and protecting citizens’ privacy rights as India’s digital economy grows rapidly.
The Need for Robust Digital Governance and Comprehensive Regulation
Robust digital governance and comprehensive regulation are needed to ensure the DPDPA's effectiveness. Key aspects include swift finalization of accompanying rules, operational mechanisms, and enforcement protocols, especially regarding breach notifications, grievance redressal, and protections for children’s data.
In summary, the Digital Personal Data Protection Act, 2023 provides a strong legal framework for data privacy in India but remains largely unimplemented. Its full impact is contingent on swift finalization of accompanying rules, operational mechanisms, and enforcement protocols, especially regarding breach notifications, grievance redressal, and protections for children’s data. Meanwhile, sectors affected by the Act face increasing compliance challenges requiring significant effort and investment.
Right to Die with Dignity
Separately, the Right to Die with Dignity is recognized in the case Common Cause (A Regd. Society) v. Union of India (2018). Passive euthanasia (withdrawal of life support) is allowed under strict guidelines (Aruna Ramchandra Shanbaug v. Union of India & Ors., 2011). The process for making living wills and withdrawing life-sustaining treatment has been simplified (Common Cause v. Union of India & Ors., 2023).
Other Recognized Rights
Several other fundamental rights have been recognized by the Indian judiciary over the years. These include the Right to Education in the cases Mohini Jain v. State of Karnataka (1992) and Unni Krishnan J.P. v. State of Andhra Pradesh (1993), the Right Against Custodial Violence in the case K. Basu v. State of West Bengal (1997), the Right to a Clean and Healthy Environment in the case Subhash Kumar v. State of Bihar (1991), the Right to Privacy in the case S. Puttaswamy v. Union of India (2017), the Right to Shelter in the case Chameli Singh v. State of Uttar Pradesh (1996), the Right to Health in the case State of Punjab v. Mohinder Singh Chawla (1997), and the Right to Livelihood in the case Olga Tellis v. Bombay Municipal Corporation (1985).
Expansion of Gender and Sexuality Rights
Gender and Sexuality Rights have also been expanded in the case Navtej Singh Johar v. Union of India (2018).
Balancing Interests and State Apprehensions
The Supreme Court of India, through Chief Justice DY Chandrachud, has suggested establishing equilibrium between individuals' interests and valid apprehensions of the state. This balancing act is evident in the BN Srikrishna committee's emphasis on a careful balancing between the right to privacy and the right to information.
Data Protection and the Digital Economy
The Digital Personal Data Protection Act protects the privacy of the individual (Article 21), safeguards the legitimate aim of the state, promotes digital economy, establishes an independent authority to enforce compliance, and follows the global minimum standard, matching with the international regime. The Act provides exemptions for security of the state and public order, and research, archiving, or statistical purposes.
Independence of the Data Protection Board of India
However, the independence of the Data Protection Board of India is a concern, as it is responsible for monitoring compliance, imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, hearing grievances made by affected persons, and appeals against its decisions will lie with TDSAT (Telecom Disputes Settlement and Appellate Tribunal).
In conclusion, the Digital Personal Data Protection Act, 2023, while a promising step, requires swift and comprehensive implementation to effectively safeguard citizens' data privacy rights in India's rapidly growing digital economy. Meanwhile, the right to die with dignity and various other fundamental rights continue to be recognised and expanded by the Indian judiciary.
- The lack of full implementation of the Digital Personal Data Protection Act (DPDPA) has resulted in ongoing data breaches, with incidents such as the June 2025 breach at Zoomcar highlighting the urgency for effective enforcement.
- With the DPDPA aiming to protect children's personal data by requiring verifiable parental consent and age verification mechanisms, challenges persist, including increased compliance burdens, data collection issues, digital literacy difficulties, and privacy concerns.
