
Ask most lawyers about the Digital Personal Data Protection Act, 2023 (DPDP Act), and you’ll get answers about consent forms, data fiduciaries, and penalty amounts. Fair enough — that’s the compliance layer everyone’s scrambling to understand. But underneath the Act’s operational machinery sits something far more foundational: a constitutional story about why India needed this law in the first place, and where its boundaries actually come from.
If you’re advising clients on data protection, litigating a privacy dispute, or just trying to understand the DPDP Act at a level deeper than a compliance checklist, this is the part worth getting right.
Why the DPDP Act Exists: It Starts With Article 21
The DPDP Act didn’t emerge in a vacuum. It exists because the Supreme Court told Parliament, in no uncertain terms, that privacy needed statutory protection.
In 2017, a nine-judge Constitution Bench of the Supreme Court delivered its landmark ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India, holding that the right to privacy is a fundamental right protected under Article 21 of the Constitution — the right to life and personal liberty. This wasn’t a narrow ruling about one government scheme. It was a sweeping recognition that privacy, including informational privacy, is intrinsic to human dignity and autonomy.
That judgment changed everything. Once privacy was constitutionally entrenched, India could no longer rely on a patchwork of IT Act rules and sectoral guidelines to govern how personal data is collected, used, and shared. The Court itself flagged the need for a robust data protection framework, which eventually led to the formation of the Justice B.N. Srikrishna Committee, several draft bills, and finally, the DPDP Act, which received presidential assent in August 2023.
So here’s the first thing every lawyer should internalise: the DPDP Act is not just legislative housekeeping. It is Parliament’s response to a constitutional mandate. Every provision of the Act should be read with that lineage in mind.
The Proportionality Test: The Constitutional Yardstick for Every DPDP Provision
The Puttaswamy judgment didn’t just declare privacy a fundamental right — it also laid down the test for when that right can be restricted. Any law or state action that limits privacy must satisfy a proportionality standard, generally understood to require:
- Legality — there must be a law permitting the restriction
- Legitimate aim — the restriction must pursue a legitimate state purpose
- Necessity — the least restrictive means must be used to achieve that purpose
- Balancing — the measure must not disproportionately harm the individual’s rights relative to the benefit gained
This test matters enormously when analysing the DPDP Act’s exemption provisions. The Act allows the government to exempt its own instrumentalities from several obligations — including, in some cases, obligations that would otherwise apply to private data fiduciaries — on grounds like national security, sovereignty, and public order. Critics have pointed out that some of these exemptions are broadly worded, without an explicit statutory requirement that the state apply the same proportionality test that courts require of it.
For lawyers, this is where the real constitutional analysis begins. When a client — or a government body — invokes an exemption, the underlying question isn’t simply “does the Act permit this?” It’s “would this restriction survive the proportionality test the Constitution itself demands?” The statute doesn’t automatically insulate government action from constitutional scrutiny.
Article 19(1)(a) and the Right to Information Collision
Here’s a tension that doesn’t get enough attention: the DPDP Act amends Section 8(1)(j) of the Right to Information Act, 2005. Previously, that provision allowed disclosure of personal information under RTI if larger public interest justified it, subject to a balancing exercise. The DPDP Act’s amendment removes that balancing test for personal information, making the exemption from disclosure far more absolute.
This sets up a direct constitutional friction point between two rights that both trace back to the Constitution — the right to privacy under Article 21, and the right to information, which the Supreme Court has long held flows from the freedom of speech and expression under Article 19(1)(a). Transparency advocates argue that this amendment could be used to shield information about public officials’ conduct, asset disclosures, or use of public funds — information that arguably should remain subject to public interest balancing.
Whether this amendment survives future constitutional challenge is genuinely an open question, and it’s exactly the kind of issue where DPDP compliance work and constitutional litigation intersect.
Article 14 and the Question of Reasonable Classification
The DPDP Act treats different categories of data fiduciaries differently — for instance, imposing heavier obligations on entities classified as “Significant Data Fiduciaries,” while exempting startups and certain classes of processing from some requirements. It also carves out specific treatment for the state versus private entities.
Under Article 14, differential treatment is constitutionally permissible only if it rests on an intelligible differentia that has a rational nexus to the object sought to be achieved. Most of the DPDP Act’s classifications — such as heightened obligations for entities processing large volumes of sensitive data — are likely to survive this test comfortably. But the broader exemptions available to government bodies are more susceptible to an Article 14 challenge, particularly if a court finds no rational basis for treating government processing categorically differently from private processing of similarly sensitive data.
Extraterritoriality and Constitutional Jurisdiction
One more foundational point lawyers should keep in mind: the DPDP Act applies not only to data processed within India, but also to processing outside India if it relates to offering goods or services to individuals in India. This extraterritorial reach isn’t unusual globally — it mirrors approaches like the GDPR — but it raises its own set of jurisdictional and enforcement questions that go beyond ordinary compliance advice, particularly around how Indian courts and the Data Protection Board will exercise authority over entities with no physical presence in the country.
Where Implementation Currently Stands
Understanding the constitutional foundations also means understanding the practical timeline against which lawyers are advising clients. The DPDP Rules, 2025, were notified in November 2025, and the Act is being rolled out in a phased manner:
- Phase I (from November 2025): Provisions relating to the establishment and functioning of the Data Protection Board of India came into force immediately.
- Phase II (from November 2026): Provisions relating to Consent Managers — third-party intermediaries who help individuals manage and withdraw consent — become operational.
- Phase III (full compliance by May 2027): The remaining substantive obligations kick in, including consent and notice requirements, data principal rights, breach notification duties, and safeguards for children’s and disabled persons’ data.
Until the core operational provisions are fully in force, the older IT Act framework and its associated rules continue to apply alongside the DPDP Act’s phased provisions.
Why This Matters for Practising Lawyers
Understanding the constitutional scaffolding behind the DPDP Act isn’t an academic exercise — it shapes real advisory and litigation strategy:
- When advising on exemptions, don’t treat a statutory exemption as the end of the analysis. Assess whether it would independently survive proportionality scrutiny if challenged.
- When handling RTI-adjacent disputes, be alert to the tension between the amended Section 8(1)(j) and Article 19(1)(a) jurisprudence — this is fertile ground for future litigation.
- When advising government-adjacent clients, remember that broader statutory exemptions don’t equal broader constitutional immunity.
- When building compliance frameworks, anchor them in the underlying constitutional purpose — dignity, autonomy, and informational self-determination — rather than treating the Act as a mechanical checklist. This tends to produce more defensible compliance postures if a provision is later challenged or reinterpreted.
FAQs
Yes. The Supreme Court’s 2017 nine-judge Constitution Bench ruling in Justice K.S. Puttaswamy (Retd.) v. Union of India held that the right to privacy is a fundamental right protected under Article 21 of the Constitution, as part of the right to life and personal liberty.
The proportionality test, laid down in the Puttaswamy judgment, requires that any restriction on privacy be backed by law, pursue a legitimate aim, use the least restrictive means necessary, and not disproportionately harm the individual relative to the benefit achieved. It’s the constitutional standard against which exemptions and restrictions under the DPDP Act can be tested.
Yes. The DPDP Act amends Section 8(1)(j) of the RTI Act, removing the earlier requirement to balance personal privacy against larger public interest before withholding personal information. This has raised concerns about reduced government transparency and potential conflict with Article 19(1)(a).
The DPDP Act allows the government to exempt its instrumentalities from certain obligations on grounds like national security, sovereignty, and public order. However, such exemptions are not automatically immune from constitutional challenge and may still need to satisfy the proportionality standard if contested in court.
Implementation is phased. The Data Protection Board became operational from November 2025, Consent Manager provisions are set to take effect from November 2026, and full compliance with the Act’s remaining substantive obligations is required by May 2027.