This article offers a critical examination of the Indian Digital Personal Data Protection (DPDPA) Act, 2023 (Act) and the DPDP Rules, 2025 (Rules). The analysis is organized into two principal critiques. First, an endogenous critique interrogates the Act and Rules, highlighting concerns such as broad exceptions and exemptions, lack of transparency and accountability, adverse impacts on data principals’ rights, and limited technical, organizational, and security measures. Second, an exogenous critique addresses the legislative silences and structural omissions, including the absence of key fundamental data processing principles, lack of heightened protection for sensitive data, and inadequate responses to emerging harms, such as algorithmic decision-making (ADM), algorithmic management, and behavioural profiling. Finally, the article contextualizes these shortcomings within India’s broader digital authoritarian turn and its digital political economy, arguing that the Act reinforces a state-centric architecture of control and facilitates data extractivism, concentrating power in the hands of the state and private entities, especially ‘domestic champions’.
Global Privacy Law Review