Data Protection in India: Analysis of Current Legal Framework and the Need for Reform

This paper critically examines the evolution of data protection laws in India, with a focus on the recently enacted Digital Personal Data Protection Act, 2023. Tracing the legal journey from the Information Technology Act and the Puttaswamy judgment to the present framework, it analyses how the DPDP Act addresses core privacy principles like consent, purpose limitation, and data minimisation. While the Act represents progress in codifying digital rights, it also raises concerns—particularly regarding its sweeping government exemptions, limited regulatory independence, and lack of provisions for sensitive data and algorithmic harms. By comparing India’s framework with global models like the EU’s GDPR and the U.S. sectoral approach, the paper highlights both alignment and divergence. It concludes with recommendations to strengthen the legal architecture through risk-based safeguards, institutional reforms, and protections against AI-era threats, emphasising the need for a more robust, rights-based, and future-ready data protection regime in India.