Abstract
India’s Digital Personal Data Protection Act, 2023 marks the country’s first full attempt at managing personal data in the digital space. It specifies what people can expect when it comes to their data and what’s expected from organizations that use it. But there’s a catch: the law also gives the government a lot of wiggle room, letting state agencies dodge these rules or limit people’s rights with a simple government order. This paper delves into that uneasy middle ground. The Supreme Court has recognized privacy as a fundamental right in K.S. Puttaswamy v. Union of India, while this same new law hands the State broad powers to sideline that right. Through a close look at the law itself and a comparison with Europe’s General Data Protection Regulation and Singapore’s Personal Data Protection Act, the paper tests whether the Indian Act really meets the Constitution’s demands for legality, necessity, and proportionality. The takeaway? Some of these wide-ranging exemptions don’t hold up, especially when you stack them against both constitutional principles and international expectations. The paper concludes by suggesting a few ways to strike a better balance: helping the government do its job, while making sure privacy doesn’t get quietly written off.