Implementation Challenges of India’s Digital Personal Data Protection Framework: An Analysis of the 2025 Developments

Published On: June 12th 2026

Authored By: Ayushi Rathore
Acropolis Institute of Law

Abstract

India’s Digital Personal Data Protection Act, 2023 represents a landmark development in the country’s digital governance and privacy law. Enacted against the backdrop of the Supreme Court’s recognition of privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India,[1] the Act seeks to regulate the collection, storage, and processing of personal data through a consent-based framework. However, as India moves through 2025, significant legal, institutional, and technological challenges continue to complicate effective implementation. This article examines those challenges, drawing on constitutional foundations, legislative analysis, comparative perspectives, and the current state of regulatory readiness.

I. Introduction

India has been witnessing rapid digital transformation that is reshaping how people communicate, conduct transactions, and access basic services. With the mass adoption of digital payment systems, e-commerce platforms, social media applications, cloud storage, and government-led digital initiatives, the collection and handling of personal data has expanded at an extraordinary scale. While India possesses one of the fastest-growing digital economies in the world, this growth has been accompanied by a troubling rise in data misuse, cyber-attacks, and privacy violations. Recent years have seen a series of leaks involving sensitive user data and opaque data-sharing practices, creating serious risks for individuals in the digital ecosystem and raising urgent questions about informational privacy and accountability.

It was against this backdrop that the Supreme Court, in Justice K.S. Puttaswamy (Retd.) v. Union of India, affirmed privacy as a fundamental right under Article 21 of the Constitution of India, making the case for an overarching data protection framework both constitutionally compelling and practically urgent.[1] To address these concerns, Parliament enacted the Digital Personal Data Protection Act, 2023, to govern the processing of digital personal data and strengthen user privacy rights. However, while the legislation is an important step toward establishing an orderly data governance regime, its implementation in 2025 continues to face multiple legal, institutional, and practical obstacles. These challenges raise key questions about regulatory preparedness, compliance burdens on businesses, cybersecurity enforcement, and the effective protection of individual privacy rights in a rapidly evolving India.

II. Constitutional and Legislative Framework

The enactment of the Digital Personal Data Protection Act, 2023 is a milestone in India’s digital governance. Prior to this legislation, India lacked a consolidated statute regulating the collection, storage, and processing of personal data. The existing provisions under the Information Technology Act, 2000[2] and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[3] were widely criticised as inadequate for addressing the complexity of the modern digital ecosystem.

The constitutional underpinning for data protection in India was firmly established in Justice K.S. Puttaswamy (Retd.) v. Union of India, where the Supreme Court recognised the right to privacy as a fundamental right under Article 21 of the Constitution.[1] This judgment not only broadened the scope of personal liberty but also recognised informational privacy as a conscious expression of individual autonomy and dignity. The DPDP Act is, in many ways, a legislative response to the constitutional principles set out in Puttaswamy. The law aims to balance the legitimate use of data for economic and administrative purposes against the protection of individual privacy rights.

Consent-based data processing is one of the defining features of this framework. The Act requires Data Fiduciaries to obtain consent from individuals before processing their personal data. It also grants Data Principals several rights, including the right to access information, rectify inaccuracies in data, seek grievance redressal, and request the erasure of personal data. These provisions reflect an attempt to give citizens greater control over their digital identities and, in theory, bring India in line with global privacy standards.

The recommendations of the Justice B.N. Srikrishna Committee[4] also shaped the eventual framework, emphasising the need to balance innovation and economic growth with the protection of privacy rights. A comparative perspective is offered by the General Data Protection Regulation[5] of the European Union, which is widely regarded as one of the strongest data protection regimes in the world. Unlike the GDPR, which provides detailed specifications for transparency and user rights with strict enforcement mechanisms and independent supervisory authorities, India’s framework adopts a relatively flexible approach, aimed at balancing privacy protections with economic growth and ease of doing business.

III. Implementation Challenges in 2025

Despite its progressive aspirations, significant challenges continue to impede effective implementation of the DPDP framework in 2025. These may be analysed across several dimensions.

1. Regulatory Uncertainty and Institutional Readiness: No data protection regime can function effectively without robust and independent enforcement mechanisms. The Act provides for the establishment of a Data Protection Board, but serious questions remain regarding its independence, procedural specificity, and enforcement capabilities. Given the limited regulatory infrastructure currently in place, there is considerable uncertainty about how complaints will be handled, how penalties will be enforced, and how compliance standards will be maintained in practice.[1]

2. Compliance Burden on Businesses: A second significant challenge relates to the mandatory compliance burden on businesses, particularly small enterprises and start-ups. Large technology companies may have the capacity to establish sophisticated data protection systems, hire compliance officers, and conduct regular cybersecurity audits. Smaller businesses, however, lack such resources. Complying with data protection obligations, including legal counsel, technical setup, and employee training, can be costly. There is therefore a risk that excessively demanding compliance obligations may deter innovation and create an uneven playing field between smaller firms and larger corporations. This concern is particularly acute in India, where the start-up ecosystem is expanding rapidly and most businesses are data-intensive.

3. The Problem of Meaningful Consent: The concept of meaningful consent presents a major practical challenge. The Act’s emphasis on consent as the basis for lawful data processing raises serious doubts about whether that consent is truly informed in the context of everyday digital behaviour. The vast majority of users tend to accept lengthy and complex privacy policies without reading them. The problem is compounded by low digital literacy among large sections of the population, for whom complex legal language and limited awareness of privacy rights render formal consent little more than a procedural formality. While the framework formally recognises user choice, its practical effectiveness remains limited so long as users lack adequate digital awareness.

4. Cybersecurity Vulnerabilities: Implementation of the Act is further complicated by persistent cybersecurity vulnerabilities. India has witnessed a marked increase in cyber-attacks, phishing incidents, ransomware, and data breaches in recent years. Several companies, particularly in the financial services and digital platforms sectors, have suffered leaks of sensitive user data. In this context, establishing legal obligations alone may not deliver adequate data protection. Robust technical safeguards, infrastructure, and incident response processes are indispensable for meaningful privacy protection. The inadequacy of technological preparedness thus risks reducing the enforcement of privacy rights to a largely symbolic exercise, and illustrates the inextricable link between cybersecurity and data protection within any credible digital governance framework.

5. Cross-Border Data Transfers: The cross-border transfer of personal data presents another contested dimension of the framework. Many international companies process and store data of Indian users on servers located outside India. This raises concerns about jurisdictional reach, regulatory oversight, and enforcement. The Act has attracted criticism for not incorporating stringent data localisation provisions, with opponents warning that data of Indian citizens may remain vulnerable to foreign interception or misuse. At the same time, overly restrictive rules on cross-border data access could harm international business and digital trade. India must therefore navigate the difficult balance between asserting informational sovereignty and maintaining the openness that a globalised digital economy demands.

6. Broad Governmental Exemptions: The framework also faces criticism regarding the wide exemptions granted to the State. Certain provisions empower the government to exclude specified agencies from the Act’s applicability on grounds such as national security, public order, and the prevention of offences. While national security is a legitimate state interest, broad exemption powers create risks of unchecked surveillance and undermine safeguards against arbitrary state intrusion. Critics argue that this may erode the rigorous standards set by Puttaswamy, which held that any governmental restriction on privacy must satisfy the tests of legality, necessity, and proportionality. The concentration of broad surveillance powers without sufficient accountability mechanisms risks undermining public confidence in a data protection regime that ought to be a cornerstone of a democratic society.

IV. Conclusion

The Digital Personal Data Protection Act, 2023 marks a significant chapter in the evolution of India’s digital governance and the recognition of privacy as an essential dimension of individual liberty in the digital age. By establishing a consent-driven mechanism for processing personal data, the legislation aims to strengthen user rights, foster accountability, and create an organised regulatory structure around data privacy. In many ways, the Act signals India’s movement toward global norms of digital privacy and data governance.

Nevertheless, significant legal, institutional, and technological bottlenecks remain in 2025. Concerns relating to regulatory readiness, compliance costs, cybersecurity risks, digital illiteracy, and broad governmental exemptions all raise fundamental questions about whether this framework can function effectively in practice. While the Act lays a solid legal foundation, its long-term success will ultimately depend on transparent enforcement mechanisms, institutional independence, public awareness, and a strong cybersecurity infrastructure.

For India, the broader challenge lies in ensuring that the constitutional guarantee of informational privacy can coexist with the imperatives of innovation, economic growth, and national security in a rapidly evolving digital economy. How well the DPDP framework is implemented will determine whether India succeeds in building a secure, rights-oriented digital ecosystem for the years ahead.

References

[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
[2] Information Technology Act, No. 21 of 2000, India Code (2000).
[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E) (India).
[4] Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Ministry of Electronics and Information Technology, Government of India, 2018).
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
