Published On: July 11, 2026
Authored By: Priyani Dey
University of Allahabad
I. Introduction
The Digital Personal Data Protection Act, 2023 (DPDPA) is a recent legislative development introduced by the Indian government. The Act was formed to legally enforce the fundamental right to privacy in a highly digitised economy — one that is increasingly affected by artificial intelligence and new-generation technology.[1]
Before this Act, India’s right to privacy was loosely governed by the Information Technology Act, 2000. However, with the rising demand for modernisation and the introduction of new-generation technology in the market, the above-mentioned Act failed to keep pace with high-velocity data risks, massive corporate data brokering, and cloud computing — especially with the rapid growth of the Unified Payments Interface (UPI) in India.[2] A more advanced, at-par legal framework was therefore needed, which the government established through the DPDP Act.
II. Historical Background
The first draft of the law, then known as the Personal Data Protection Bill, was released by a government-appointed committee in 2018. A revised version was formally introduced in the Lok Sabha in 2019 but faced massive backlash — from corporate tech companies, who found it too restrictive, and from privacy advocates, who found its exemptions too broad. It was consequently withdrawn by the government in 2022, and a reformed, re-written version of the framework was finally enacted in August 2023 as the Digital Personal Data Protection Act, 2023.[3]
The Ministry of Electronics and Information Technology (MeitY) officially ratified and notified the final, long-awaited DPDP Rules in November 2025, establishing an 18-month implementation roadmap.[4]
Phase 1 (November 2025): The Act was immediately implemented, and the Data Protection Board of India (DPBI) was established in the NCR to oversee enforcement.
Phase 2 (November 2026): A 12-month deadline was set for the registration and roll-out of the automated ecosystem for Consent Managers.
Phase 3 (May 2027): The final 18-month deadline was set for corporations to achieve total operational compliance, including revamped consent pop-ups, strict data-retention technology, and breach-reporting systems.
III. Legal Analysis
1. Objectives of the Act
The Act is built on the SARAL approach (Simple, Accessible, Rational, Actionable) and rests on five core principles:
Consent / Transparency: Data collected must have the person’s agreement, along with a clear, visible notice in their own language (available in 22 scheduled languages).
Purpose / Minimisation: Data collection and use must be limited to what the person has agreed to, and only the minimum data necessary should be collected to fulfil that purpose.
Accuracy / Security: Companies holding a person’s data must ensure it is accurate and protected by the highest levels of security against unauthorised access.
Storage Limitation: Once the purpose for holding a person’s data no longer exists, a company must delete it from its records.
Accountability: Companies must be held answerable for how they collect, store, and share consumers’ data, closing a gap that previously let this go largely unchecked.
2. Rights of Data Principals (Citizens)
Right to access data.
Right to correction and erasure in cases of inaccurate or outdated data.
Right to nominate a representative in the event of the data principal’s death.
Right to grievance redressal through the DPBI.
3. The Actual Motive Behind the Act
Ending the illegal business of data mining: Before the DPDP Act, companies could secretly track users, bundle endless permissions into confusing “Terms and Conditions,” and sell user profiles to data brokers without real penalties. The motive was to compel companies to request data in simple, plain language and to strictly comply with user consent.
Assigning legal accountability: By imposing fines of up to ₹250 crore for negligence, the Act sought to compel corporations to build robust cybersecurity infrastructure rather than treating data breaches as minor operational hazards.
4. Enforcement and Penalties
The Indian central government has established a data protection authority, the Data Protection Board of India (DPBI), to ensure compliance and investigate data breaches. A complainant must first approach the DPBI before pursuing further legal remedies.
Serious non-compliance or failure to establish reasonable security measures can result in a maximum fine of ₹250 crore (approx. $12 million).[5]
Appeals against a DPBI decision go before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
5. Impacts of the Act
End of indefinite data hoarding: Companies can no longer store consumer data permanently; they must automate deletion workflows once the purpose of collection is fulfilled.
Mandatory 72-hour response window: Firms must identify, contain, and report a data breach to the DPBI and affected users within 72 hours.
Heftier compliance for large tech (SDFs): Entities classified as Significant Data Fiduciaries — those handling especially large volumes or sensitive categories of personal data — must hire independent data auditors, conduct annual Data Protection Impact Assessments (DPIAs), and appoint a dedicated Data Protection Officer (DPO).
Enforceable digital freedom: Citizens can request a full log of what data a company holds on them and with whom it has been shared, along with a legal right to demand correction or deletion.
Architectural redesigns: Developers must build software using Privacy by Design principles.
IV. Supporting Authority
The developments that led to the creation of the Digital Personal Data Protection Act include the following:
Justice K.S. Puttaswamy (Retd.) v. Union of India[6]
This landmark 2017 case forms the basis of the DPDP Act. A nine-judge bench declared the right to privacy a fundamental right of citizens. It also held that India’s existing cyber and tech laws (the IT Act, 2000) were dangerously inadequate to protect citizens’ privacy and did not hold corporations sufficiently accountable, and directed the central government to evolve a strong, flexible data protection regime.
Justice B.N. Srikrishna Committee Report[7]
In response to the Supreme Court’s direction, the government formed a committee of experts headed by retired judge B.N. Srikrishna. Its 2018 report, A Free and Fair Digital Economy, laid down the foundational definitions of “Data Principals” (citizens) and “Data Fiduciaries” (companies) that remain part of the law today.
The Reporters’ Collective & Nitin Sethi v. Union of India[8]
The Supreme Court issued notice to the Centre on a plea challenging the constitutional validity of several provisions of the DPDP Act, 2023. The petitioners — the Reporters’ Collective and journalist Nitin Sethi — contend that the Act “severely dilutes” the Right to Information Act and grants the Centre sweeping powers over personal data. A bench led by Chief Justice Surya Kant agreed to examine the issues but declined to grant an interim stay on the challenged provisions.
Meta Platforms Inc. & WhatsApp v. Competition Commission of India[9]
The Competition Commission of India found that WhatsApp’s 2021 privacy policy imposed unfair terms by requiring users to accept expanded data-sharing with Meta entities, amounting to an abuse of dominant position. The CCI imposed a penalty of ₹213.14 crore and ordered WhatsApp to make data-sharing voluntary, clearly disclosed, and opt-out enabled. On appeal, the NCLAT upheld the finding of abuse of dominance and the penalty, but struck down the five-year restriction on sharing advertising data with affiliates, while rejecting “take-it-or-leave-it” consent models — reinforcing that companies operating in India must follow the consent principles under the DPDP Act.
V. Conclusion
As this analysis shows, it is essential for lawmakers to enact statutes that guarantee citizens’ right to privacy — which is precisely what the Digital Personal Data Protection Act, 2023 (with rules notified in 2025) sets out to do. Without such protection, foreign fiduciaries or third-party actors could exploit sensitive personal data for illegal or black-market purposes. As AI technologies, robotics, and automation continue to advance, strong laws will remain necessary to protect citizens’ rights while allowing corporations reasonable scope to gather information from the people they serve.
References
[1] Singhania Law, Digital Personal Data Protection Rules 2025 — Privacy, Competition & Corporate Compliance (2025), https://singhanialaw.com/digital-personal-data-protection-rules-2025-privacy-competition-corporate-compliance/.
[2] GoJuris, News Report (2025), https://gojuris.in/newsdetail.aspx?newsid=9456.
[3] Data Security Council of India (DSCI), Reference Material, https://share.google/K8n7Qutz6t4EbYeVx.
[4] Ministry of Electronics and Information Technology, Government of India (MeitY), https://share.google/SR0ppt1qCUciSjmep.
[5] Supporting Reference, https://share.google/IDybtvnuh85TK9eEv.
[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1; AIR 2017 SC 4161 (India).
[7] Justice B.N. Srikrishna Committee, A Free and Fair Digital Economy, Government of India (2018).
[8] The Reporters’ Collective & Nitin Sethi v. Union of India, Supreme Court of India (2026) (pending).
[9] Meta Platforms Inc. & WhatsApp v. Competition Commission of India, CCI Order (Nov. 18, 2024); NCLAT Judgment (Nov. 4, 2025) (India).




