India finds itself at a crucial juncture in the regulation of digital personal data. With the passage of the Digital Personal Data Protection Act, 2023 (DPDP Act) in August 2023, the country established a statutory framework for how “digital personal data” must be processed. However, actual operationalization has been delayed, generating uncertainty for businesses, individuals, and regulators alike. This article examines the Act’s key features, the implementation challenge, and its significance for law, policy, and society in India.

Background and Key Features
The DPDP Act was enacted to provide a standard regime for “digital personal data”—meaning data processed by means of digital devices—recognizing individuals’ rights while acknowledging the necessity of processing for lawful purposes. Among its key features:

Consent-based processing: Data must generally be collected and processed with the informed consent of the individual (the “data principal”).

Rights of data principals: The Act gives rights such as access to, correction of, and deletion of one’s data, and the right to appoint a digital nominee.

Localization and extraterritorial applicability: The law applies to entities processing data of Indian residents (even outside India) and has implications for cross-border data flows.

Hefty penalties: Non-compliance may trigger significant fines (up to ₹250 crore in some drafts) and other regulatory consequences.

Government or public interest exceptions: The Act allows data processing in cases of national security, public order, and legal obligations.

These features mark a significant shift in India’s legal regime: from fragmented sectoral regulation of data (via the IT Act, sector rules, and archived drafts) to a dedicated statutory framework focused on individual rights, fiduciary duty, and digital governance.

The Implementation Gap
Despite enactment, the DPDP Act has not yet become fully operational. The crux: its effectiveness depends on the notification of rules and establishment of the institutional machinery (such as the proposed Data Protection Board of India). The Ministry of Electronics and Information Technology (MeitY) released draft rules in January 2025, and by July the public-consultation phase had reportedly closed with ~6,915 comments. Yet as of mid-2025, the rules remain un-notified, leaving the regulatory regime in limbo.

This delay creates multiple challenges:

  1. Business uncertainty: Start-ups, digital platforms, and companies dealing with cross-border flows are unsure of the precise compliance obligations. For example, data localization, consent mechanisms, and breach-notification frameworks are still being finalized.
  2. Regulatory vacuum: Without notified rules and a functional authority, enforcement remains theoretical. This may affect data subjects (individuals) who expect protection, and it may weaken deterrence against malpractice.
  3. Divergence of expectations: While the law signals a rights-based approach aligned with global norms (e.g., the EU’s GDPR), India’s regime must balance developmental imperatives, innovation, and the digital-economy context. The delay complicates that balancing.
  4. Legal interpretive risks: The law also amends other statutes (e.g., it affects the Right to Information Act, 2005, by narrowing certain disclosure rights when “personal information” is involved). The lack of operational clarity may lead to litigation or regulatory ambiguity.

Why This Matters
The DPDP Act’s significance reaches beyond mere data compliance; it has implications for constitutional rights, business practices, technological innovation, and global integration of India’s digital economy.

Privacy as a right: The Indian judiciary has recognized a fundamental right to privacy (in K.S. Puttaswamy v. Union of India [2017]). The DPDP Act operationalizes aspects of that right in the digital realm, granting individuals agency over their personal data.

Digital economy and trust: India’s growth in fintech, e-commerce, digital payments, remote work, and international platforms depends on robust data protection. Firms need legal certainty to invest and process data across borders.

Global alignment: As India positions itself as a global digital hub, aligning its data-protection regime with international norms helps in data transfers, global partnerships, and technology investment.

Rights versus regulation tension: The Act reflects a key tension: enabling innovation and data-driven business models (analytics, AI, platforms) while preserving individual rights, preventing misuse of data, and ensuring accountability.

State power and exceptions: The Act’s public-interest or national-security carve-outs raise concerns about the scope of state access to personal data. Transparency around those exceptions is vital to preserve democratic norms.

Key Challenges and Critiques
Despite its promise, the DPDP framework has drawn criticism:

Delay and uncertainty: As discussed, the lag in rule notification undermines the law’s effectiveness. Industry actors lament the lack of clarity around obligations.

Journalistic and RTI concerns: Critics argue that amendments linked to the Act weaken the Right to Information Act’s ability to probe public-interest disclosures because “personal information” may be exempted.

Start-up burden: Smaller firms may struggle with cost and compliance burden (e.g., hiring data-protection officers, building consent and breach-reporting mechanisms), potentially stifling innovation.

Government exemptions: The law allows government bodies certain exemptions (e.g., national security, public order), which critics say could be used broadly, compromising privacy.

Enforcement and institutional capacity: The success of data-protection laws depends not just on the statute but on an independent regulatory authority, a complaint-redress mechanism, technical expertise, and cross-border enforcement—elements that require significant investment and design.

Implications for Legal Practice and Education
For law students, practitioners, and scholars, the DPDP Act invites multiple lines of inquiry:

Drafting data-fiduciary agreements, privacy notices, consent forms, and data-audit frameworks will become legal-practice staples.

Litigation around exemptions, interpretation of “personal data,” cross-border transfers, and government access will generate new jurisprudence.

Comparative regulatory studies (India vs. EU GDPR vs. US HIPAA/CCPA) become richer and more relevant for teaching.

Firms operating internationally will need to embed “privacy-by-design” and “data-protection impact assessments” into contracts and compliance regimes.

Conclusion
The Digital Personal Data Protection Act, 2023, marks a watershed in India’s legal-regulatory architecture. It heralds a shift to recognizing individuals’ rights over digital personal data, while also imposing obligations on entities that collect, process, or store such data. However, the law’s promise is contingent on its full activation: rule-making, institutional mechanisms, enforcement, and clarity. Until then, the regulatory environment remains in transition.

For India’s legal ecosystem—students, academics, practitioners, and regulators—the period ahead is critical. The interplay between privacy, innovation, state power, and big-data business models will define the next era of digital law in India. Engagement with the DPDP Act is not optional; it is central to understanding how law meets technology, business meets rights, and regulation meets growth.

Contributed By: Lalit (Intern)