Published On: April 11th 2026
Authored By: Anukriti Singh
City Law College, University of Lucknow
Abstract
The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a watershed moment in India’s digital governance. This article critically examines the implementation challenges of the Act, the compliance expectations for key stakeholders, and the institutional innovations that can make India’s privacy framework both effective and citizen-centric. Drawing on the constitutional foundations laid by Justice K.S. Puttaswamy (Retd.) v. Union of India,[1] it argues that without structural support and regulatory imagination, the Act risks being either under-enforced or unduly burdensome, failing the constitutional promise of privacy in either case.
Introduction
The introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act) is one of the most significant regulatory developments in India’s digital sphere since liberalisation. At a moment when personal data powers governance, commerce, and artificial intelligence, the Act attempts to draw a delicate balance: permitting the free flow of data while preserving the autonomy and dignity of individuals. Yet, as history has repeatedly shown, the success of transformative legislation depends not on aspirational language but on the quality of its day-to-day implementation.
This article critically analyses the implementation challenges of the DPDP Act, examining compliance expectations for stakeholders and exploring how India can shape the future of privacy governance through innovation and a citizen-centric approach. It argues that without structural support and regulatory imagination, the Act risks being either under-enforced or unduly burdensome, failing the constitutional promise of privacy in either scenario.
I. Constitutional Basis for Data Protection in India
The DPDP Act does not emerge in a vacuum. Its constitutional foundation rests on the Supreme Court’s landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India,[1] wherein a nine-judge bench unanimously recognised privacy as a fundamental right under Articles 14, 19, and 21 of the Constitution. The Court’s conceptualisation of informational privacy encompasses an individual’s right to control information about themselves, and it cautioned against unbridled data collection by both State and non-State actors.
Crucially, Puttaswamy did not establish data absolutism. Rather, it offered a proportionality framework, permitting restrictions on privacy provided they satisfy the criteria of legality, necessity, and adequate procedural safeguards. The DPDP Act represents the legislature’s attempt to translate that constitutional balance into enforceable law.
II. Overview of the DPDP Act, 2023
The DPDP Act adopts a principles-based approach, consciously departing from the prescriptive model of the European Union’s General Data Protection Regulation (GDPR). This choice reflects India’s regulatory pragmatism and the particular demands of its diverse digital economy.[2]
Key features of the Act include:
1. Tripartite Data Framework: The Act distinguishes clearly between data principals (individuals), data fiduciaries (entities determining purpose and means of processing), and data processors (entities processing data on behalf of fiduciaries).
2. Consent and Legitimate Use: The Act sets specific norms for “legitimate uses” of data and establishes limits on consent during data processing, placing informed consent at the heart of data collection.
3. Obligations of Data Fiduciaries: Fiduciaries must implement security safeguards, establish grievance redressal mechanisms, and comply with data localisation or transfer norms as prescribed.
4. Rights of Data Principals: Individuals are entitled to access their data, seek corrections, and request erasure, reinforcing the constitutional right to informational self-determination.
5. Data Protection Board: A statutory Data Protection Board is established to adjudicate complaints, investigate breaches, and impose financial penalties.[4]
The Act applies to digital personal data collected both online and offline (once digitised), and its extraterritorial reach covers any entity offering goods or services to individuals in India. This broad scope signals India’s intent to regulate global data actors operating within the Indian market.
III. The Implementation Gap: Enforcement as the Core Challenge
1. Uncertainty in Rule-Making
While the Act provides the statutory framework, much of its substance is to be fleshed out through subordinate legislation governing breach notification timelines, consent standards, children’s data protection, and the functioning of the Data Protection Board. Delayed or unclear rule-making creates a compliance vacuum: organisations are uncertain about what is required of them, and enforcement agencies lack clear benchmarks. The excessive delegation of substance to executive rule-making also raises concerns about legal certainty and the risk of arbitrariness. The credibility of the DPDP regime will ultimately depend on the clarity, predictability, and transparency of the rules it produces.
2. Consent Fatigue and the Illusion of Choice
Consent is the moral cornerstone of the DPDP Act. Yet in practice, consent mechanisms often fail to deliver genuine autonomy. Privacy notices are frequently lengthy, technical, and drafted more to insulate organisations from liability than to inform users of their rights. In a country with enormous linguistic diversity and varying levels of digital literacy, consent risks becoming formalistic compliance rather than meaningful choice. Unless consent interfaces are simplified, standardised, and supported by accessible technology, the Act’s heavy reliance on consent may ultimately undermine its own objectives.
3. Compliance Burdens on MSMEs and Start-Ups
India’s digital economy is dominated by micro, small, and medium enterprises, platform sellers, and early-stage start-ups. For these entities, the costs of DPDP compliance, including legal advice, audits, security infrastructure, and breach response, can be financially and operationally demanding. Without proportionate obligations and scalable compliance frameworks, the Act risks creating regulatory asymmetry: large entities absorb compliance costs easily, while smaller entities are driven toward non-compliance or informality. A privacy regime that inadvertently disadvantages market entrants is inimical to both competition and innovation.
4. Cross-Border Data Flows and Jurisdictional Complexity
Personal data now flows across borders through cloud storage, outsourcing, and international platforms. While the DPDP Act permits cross-border transfers subject to government notification, compliance involving foreign entities remains a significant challenge. Jurisdictional overlap with other regimes, such as the GDPR, leads to compliance complexity, particularly for Indian companies with international operations. Achieving harmonisation without ceding sovereignty will be among the most delicate tasks facing the regulator.
5. Artificial Intelligence and Derived Data
The Act is largely silent on AI-specific privacy risks, yet AI systems generate novel challenges. Training datasets may contain personal data; anonymised data can be re-identified through inference; and sensitive conclusions can be derived by algorithms without direct data collection. These realities strain traditional definitions of “personal data” and complicate liability attribution. Without regulatory guidance, courts and the Data Protection Board will be left to construct a legal framework incrementally, a slow and uncertain process.
6. Tensions Between Public Interest, State Data, and Transparency
Government programmes in health, welfare, and taxation depend on large personal datasets. While privacy safeguards are essential, excessively broad exemptions risk enabling surveillance or opacity. The challenge lies in crafting narrow, accountable exemptions that allow legitimate public interest data use while preserving individual rights and the transparency obligations embedded in laws such as the Right to Information Act, 2005.
IV. Practical Framework for Compliance
Despite these challenges, organisations can adopt proactive measures to achieve meaningful compliance with the DPDP Act:
1. Conduct comprehensive data mapping to identify data flows and uses;
2. Build purpose limitation and data minimisation into design from the outset;
3. Develop user-centric, layered, plain-language consent interfaces;
4. Implement security protections in line with industry standards;
5. Establish incident response protocols for breach notification;
6. Ensure vendor and processor accountability through contracts and audits;
7. Create internal governance structures, including privacy officers and review committees;
8. Maintain documentation and audit trails to evidence good-faith compliance.[3]
Early regulatory signals suggest that demonstrable intent and reasonable protective measures will weigh significantly in enforcement decisions.
V. Proposed Solutions: Consent Wallets and Data Cooperatives
To bridge the gap between legal rights and practical usability, India should consider two institutional innovations.
1. Consent Wallets
A government-certified Consent Wallet would allow individuals to manage all their data consents through a single, secure interface. Users would be able to grant, review, and revoke consent without navigating multiple platforms and obscure privacy settings. Such wallets would reduce consent fatigue, enhance transparency, and enable the real-time exercise of data rights. Just as the Unified Payments Interface (UPI) standardised digital payments, consent wallets could standardise privacy control across India’s digital ecosystem.
2. Data Cooperatives for MSMEs
Small businesses could join regulated Data Cooperatives that provide shared compliance infrastructure, including consent management, breach response, audits, and legal oversight, to member enterprises. This model would lower compliance costs, improve baseline security standards, and foster collective accountability among smaller data fiduciaries. Scalable privacy governance is essential if the Act is to serve individuals and enterprises equally.
VI. Enforcement Philosophy: Deterrence Through Legitimacy
The DPDP Act empowers the Data Protection Board to impose substantial financial penalties for violations, particularly for data breaches and violations involving children’s data. While deterrence is a necessary feature of early enforcement, a corrective and guidance-oriented approach is equally important for building trust in the regulatory regime. Publishing enforcement statistics, anonymised order summaries, and reasoned decisions will enhance both the transparency and the legitimacy of the Board’s authority.
VII. The Future of Privacy in India
Three trends are likely to shape India’s privacy landscape over the next decade:
1. Privacy treated as public digital infrastructure, rather than a compliance obligation borne by corporations;
2. Development of sector-specific standards for health, finance, and education data;
3. Judicial evolution of privacy doctrine, particularly around consent, harm, and proportionality.
The DPDP Act is not the culmination of India’s privacy journey. It is the beginning of a long constitutional conversation.
Conclusion
The Digital Personal Data Protection Act, 2023 represents a turning point in India’s digital governance. Its promise lies not in the severity of its penalties but in its capacity to build institutions, earn the trust of those it regulates, and enable regulatory innovation. If implemented with care and imagination, through tools such as consent wallets, cooperative compliance models, and AI-aware safeguards, the Act can ensure that India’s digital growth is anchored in constitutional dignity. Privacy is not an obstacle to development; it is the condition under which digital development becomes legitimate and sustainable.
References
[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).
[2] Digital Personal Data Protection Act, No. 22 of 2023, § 3 (India).
[3] EY India, Decoding the Digital Personal Data Protection Act, 2023 (2023).
[4] Digital Personal Data Protection Act, No. 22 of 2023, § 33 (India).