FROM PROMISE TO PRACTICE: HOW INDIA’S DATA PROTECTION LAW IS PLAYING OUT ON THE GROUND

Published On: February 17th 2026

Authored By: Swarnadeep Das
Techno India University

Abstract

The ruling in K.S. Puttaswamy v. Union of India[1] recognized privacy as a fundamental right, marking a significant shift in India’s approach to informational autonomy. In response, India enacted the Digital Personal Data Protection Act, 2023. For any rights-based law to be effective, however, it is not merely a matter of enactment; implementation and enforcement play crucial roles. This article critically examines India’s data protection framework as it operated between January 2025 and January 2026, focusing on rule-making, institutional enforcement, and exemptions for the State.

The paper examines whether the DPDP framework truly aligns with constitutional principles such as proportionality and accountability, particularly given the wide discretion afforded to the executive. It assesses the Data Protection Board of India’s role, the compliance burden on private businesses, and the increasingly data-driven nature of governance. Additionally, the article identifies ongoing concerns including automated decision-making, consent fatigue, and lack of citizen awareness, which remain inadequately addressed in the current system.

By connecting recent regulatory developments to India’s evolving privacy jurisprudence, the paper argues that while the DPDP Act represents significant progress, its long-term credibility depends on robust judicial oversight, institutional independence, and a stronger emphasis on substantive data protection rather than merely procedural compliance.

A Simplified Framework: Balancing Efficiency and Rights

The DPDP Act represents a clear departure from previous efforts to develop India’s data protection regime along the lines of comprehensive frameworks like the EU’s GDPR. It applies exclusively to digital personal data and deliberately avoids creating an exhaustive catalog of individual rights. On its face, this simplicity appears pragmatic, particularly since regulatory complexity can often impede effective enforcement.

Under the Act, consent serves as the cornerstone of lawful data processing. Data principals are granted several important rights, including the right to access their information, correct inaccurate data, and lodge complaints. Simultaneously, the Act shifts from criminal to civil penalties, reflecting a preference for securing compliance over punitive measures. While this approach may ease the compliance burden, it raises an important question: is administrative expediency being prioritized over deeper constitutional protections?

Developments During 2025–2026

The active phase of DPDP Act implementation commenced with the issuance of the Draft Digital Personal Data Protection Rules, 2025, which sought to clarify processes including consent notices and data security measures. Concurrently, the Data Protection Board of India was established as the primary enforcement body under the Act.

Despite these developments, many critical aspects of data protection remain governed by delegated legislation rather than primary law. Questions concerning compliance standards, exemptions, and safeguards are largely left to executive determination. Given that this legal framework engages fundamental rights, such heavy reliance on delegated legislation constrains legislative accountability. The Act attempts to balance individual rights with administrative flexibility, but whether this balance proves effective in practice remains an open question.

Privacy and the State: An Uneasy Balance

One of the most contentious aspects of the DPDP Act concerns State exemptions. While the Act affirms the rights of data principals, it simultaneously empowers the government to exempt State agencies from compliance requirements on grounds including national security and public order. These exemptions are broadly worded and lack detailed procedural safeguards.

This approach stands in tension with established constitutional principles. The Supreme Court in Puttaswamy held that any limitation on privacy rights must satisfy tests of legality, necessity, and proportionality.[2] This principle was reinforced in Anuradha Bhasin v. Union of India, where the Court emphasized that procedural safeguards are essential when fundamental rights are at stake.[3] The exemption provisions in the DPDP Act do not appear to reflect these constitutional requirements, raising concerns that privacy rights may be overridden by administrative convenience rather than demonstrable necessity.

Judicial Oversight and the Role of Courts

Given the DPDP Act’s reliance on executive rule-making, the judiciary’s role is likely to assume greater importance. Indian courts have historically served as a check against executive overreach, particularly where fundamental rights are concerned. As data governance becomes increasingly pervasive, courts may need to clarify the scope of State exemptions, assess the proportionality of surveillance measures, and evaluate whether procedural safeguards are genuinely being implemented.

Future legal challenges may test whether the exemptions in the DPDP Act satisfy the standards established in Puttaswamy. Courts may also scrutinize the functioning of the Data Protection Board, particularly in cases involving alleged misuse of personal data by State entities. This judicial engagement will be critical in determining whether the Act evolves into a rights-protective instrument or remains primarily administrative in character.

Through constitutional review and judicial interpretation, courts can help ensure that data protection becomes more than a policy aspiration, transforming into enforceable rights grounded in constitutional principles.

Businesses, Compliance, and Ground-Level Reality

For businesses, the DPDP Act finally provides long-awaited regulatory clarity. Companies now have defined responsibilities regarding consent management, data security, and grievance redressal. The classification of Significant Data Fiduciaries represents an effort to impose heightened obligations on entities processing large volumes of sensitive personal data.[4]

However, compliance is unlikely to be uniform. Smaller enterprises and startups often lack the legal and technical infrastructure necessary to implement sophisticated consent frameworks. There is also a risk that companies will treat compliance as a box-ticking exercise, motivated more by fear of penalties than genuine commitment to protecting user data. Over time, such superficial adherence may erode public trust in the data protection regime.

The Data Protection Board: Authority Without Independence?

The Data Protection Board of India occupies a central position in enforcing the DPDP Act, being responsible for adjudicating complaints, imposing penalties, and ensuring compliance. However, concerns persist regarding its independence. The appointment mechanism and composition of the Board remain closely tied to the executive, with no mandatory requirement for independent or judicial representation.

Experience from jurisdictions such as the European Union underscores the importance of independent regulatory bodies in building public confidence.[5] In the absence of such safeguards, the Board may struggle to function as a truly autonomous regulator, particularly in cases involving government agencies.

The Gaps That Remain

Despite its significance, the DPDP Act leaves several critical questions unresolved. One major gap is the absence of a clearly articulated right to be forgotten. In an era where personal data can persist online indefinitely, the ability to request deletion of outdated or irrelevant information is increasingly important. While some remedies may be available through grievance mechanisms, the absence of a statutory right diminishes individual control over digital identities.

The Act also provides limited guidance on data localization. Given India’s growing reliance on cross-border data flows—particularly in sectors like fintech and e-commerce—this ambiguity creates uncertainty for both individuals and businesses. Without clear guidelines, data protection may vary significantly across jurisdictions.

Additionally, the Act does not meaningfully engage with issues related to artificial intelligence and automated decision-making. Algorithms increasingly mediate access to credit, employment, and public services, yet the DPDP Act is largely silent on questions of algorithmic fairness, transparency, and accountability. Individuals affected by automated decisions may find it difficult to understand or challenge outcomes that significantly impact their lives.

These concerns are not merely theoretical. Government initiatives such as Aadhaar-linked systems, DigiYatra, and application-based welfare programs demonstrate how deeply data-driven governance is embedded in everyday life. While these systems can enhance efficiency, they also raise the stakes for robust data protection. Without adequate safeguards, the risks of misuse, profiling, and exclusion increase substantially.

A related challenge is what might be termed “consent fatigue.” Individuals are frequently asked to consent to lengthy terms and conditions that offer little genuine choice. Consent, in such contexts, becomes a formality rather than an informed decision. Unless greater emphasis is placed on transparency and public education, the consent model underlying the DPDP Act may fail to meaningfully empower data principals.

This tension is likely to become more pronounced as data-driven governance extends across sectors.

Public Awareness and the Missing Citizen Perspective

A functional data protection framework cannot thrive without informed citizen participation. Currently, public awareness regarding data protection rights in India remains limited. Many individuals are unaware of the remedies available under the DPDP Act or the role of the Data Protection Board. This gap between legal provision and public understanding risks transforming data protection into a domain accessible only to the legally sophisticated, rather than a right exercisable by all.

For the DPDP regime to succeed, it is essential to invest in digital literacy and awareness initiatives. Transparency requirements should not merely constitute legal obligations, but should also be communicated in accessible language. Without active citizen engagement, even well-intentioned legal protections may fail to achieve their intended purpose.

Conclusion: A Step Forward, Not the Destination

The Digital Personal Data Protection Act, 2023, undoubtedly represents a significant milestone in India’s evolving approach to informational privacy. The developments between 2025 and 2026 demonstrate a commitment to moving beyond symbolic legislation toward establishing a functional regulatory framework. Nevertheless, the manner of its implementation raises structural concerns that cannot be ignored.

Broad State exemptions, reliance on executive rule-making, and limited institutional independence threaten to undermine the constitutional promise articulated in Puttaswamy. For the DPDP framework to mature into a genuinely rights-protective regime, it requires clearer statutory provisions, stronger oversight mechanisms, and sustained judicial engagement. Without these elements, the law risks devolving into a framework that emphasizes procedural compliance over substantive protection in an increasingly data-dependent society.

References

[1] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. 
[2] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. 
[3] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637. 
[4] Digital Personal Data Protection Act, 2023, s. 10 and Schedule. 
[5] Regulation (EU) 2016/679 (General Data Protection Regulation), arts. 51–59. 
