After years of deliberation, the Indian government enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), bringing India closer to a comprehensive privacy framework. The law, which received presidential assent on August 11, 2023, aims to regulate the processing of digital personal data in a manner that balances individual privacy with the legitimate needs of innovation and governance. It is the first standalone data protection legislation in India and comes in the wake of the Supreme Court’s landmark 2017 judgment in Justice K.S. Puttaswamy v. Union of India, which affirmed the right to privacy as a fundamental right.
At its core, the DPDP Act establishes a framework for how personal data can be collected, stored, and processed. It grants individuals the right to access, correct, and erase their data and mandates that data fiduciaries process data lawfully and transparently. Significantly, it introduces the concept of “consent-based processing”, requiring explicit consent before collecting personal data, unless specific legitimate grounds apply.
The Act also establishes the Data Protection Board of India, a regulatory body empowered to adjudicate non-compliance and impose penalties. Companies failing to implement reasonable security safeguards could face fines of up to ₹250 crore, signalling a clear shift toward greater accountability in the digital ecosystem.
However, the law has not escaped criticism. It permits broad exemptions for government agencies under the guise of national security, public order, or law enforcement, thereby raising fears of surveillance and dilution of privacy rights. Moreover, the absence of a right to data portability or a clear timeline for implementation has created uncertainty among stakeholders.
Despite these concerns, the DPDP Act represents a significant step forward in India’s digital governance landscape. It provides a long-overdue regulatory framework in a country with over 800 million internet users and growing concerns over misuse of personal data by both corporations and state entities.
As the rules are formulated and enforcement begins, the real test of the DPDP Act will lie in its implementation. Whether it can balance innovation with individual rights and whether the Data Protection Board can act independently, will determine if this law becomes a milestone for digital privacy or merely a symbolic gesture.
