Phased Implementation of the Digital Personal Data Protection Act, 2023: A Legal Development Analysis (2025)

Published On: March 12th 2026

Authored By: Sohani Sah
Maharishi Arvind University

Abstract

The Digital Personal Data Protection Act, 2023 represents a landmark shift in India’s approach to informational privacy and digital governance. While the Act was enacted in 2023, its true legal significance has emerged during 2024–2025 through phased implementation, rulemaking, and the operationalisation of enforcement mechanisms. This article analyses the implementation of the DPDP Act as a recent legal development within the last one year (January 2025 to January 2026). It critically examines the constitutional, institutional, and societal implications of the Act, with particular focus on individual privacy rights, State accountability, and corporate compliance. The article argues that while the DPDP Act strengthens India’s digital regulatory framework, its effectiveness will ultimately depend on judicial oversight, institutional independence, and public awareness.

Keywords: Digital Personal Data Protection Act, Informational Privacy, Data Protection Board of India, Consent Framework, Cyber Law, Technology Regulation

I. Introduction

The digitalisation of governance, commerce, and communication has resulted in the large-scale collection and processing of personal data. Individuals routinely share sensitive personal information through mobile applications, online platforms, and government portals, often without full awareness of how such data is stored, shared, or monetised. This increasing dependence on digital systems has heightened concerns regarding surveillance, data misuse, and security breaches.

In response to these concerns, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act).[1] However, the enactment of a law does not, by itself, create legal impact. The real legal consequences arise when statutory provisions are implemented, enforced, and interpreted. During 2024–2025, the DPDP Act entered this crucial phase through the formulation of rules, the establishment of the Data Protection Board of India, and the imposition of compliance obligations on data fiduciaries.

This article analyses the implementation of the DPDP Act during 2025 as a recent legal development, evaluates its implications for law and society, and examines the challenges that may shape the future of data protection jurisprudence in India.

II. Evolution of the Digital Personal Data Protection Framework

Constitutional Background: Right to Privacy and Data Protection
The legal foundation of data protection in India lies in constitutional jurisprudence. In Justice K.S. Puttaswamy v. Union of India (2017),[2] the Supreme Court unanimously recognised the right to privacy as a fundamental right under Article 21 of the Constitution.[3] The Court held that informational privacy (control over personal data) is intrinsic to human dignity and personal autonomy.

The judgment also laid down the test of proportionality, requiring any restriction on privacy to be lawful, necessary, and proportionate. The DPDP Act must therefore be evaluated against this constitutional backdrop, particularly in relation to State exemptions and surveillance powers.

Data Protection under Indian Law: The Pre-DPDP Framework
Until the enactment of the DPDP Act, there was no exclusive legislation in India specifically dedicated to the protection of individual privacy. The only broadly applicable instrument was the Information Technology Act, 2000, which primarily addresses cybercrimes and provides remedies against violations. While the IT Act contains certain provisions related to individual privacy, these are not exhaustive in nature.

Under Section 43A of the Information Technology Act, 2000, a body corporate that possesses, deals with, or handles any sensitive personal data or information of an individual, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the affected party. Notably, the IT Act specifies no maximum limit on the compensation that may be claimed in such circumstances.

Section 69 of the IT Act, 2000 allows the government to intercept or monitor electronic communication for reasons of state security, subject to procedural safeguards. While the DPDP Act recognises consent-based data processing, exemptions for government access must be reconciled with constitutional privacy guarantees under Articles 14, 19, and 21.

Section 72 of the IT Act, 2000 penalises the unauthorised disclosure of confidential electronic information by individuals or entities who have lawful access, with penalties of up to two years’ imprisonment, a fine, or both. It protects informational privacy by ensuring that data obtained lawfully cannot be shared without consent. The Digital Personal Data Protection Act, 2023 builds on this foundation by codifying structured rights for data principals and imposing stricter penalties for non-compliance, reflecting India’s shift towards a consent-driven and accountable data governance framework.

Overview of the Digital Personal Data Protection Act, 2023
The DPDP Act governs the processing of digital personal data, whether collected online or subsequently digitised. Its major features include:

1. A consent-based framework for data processing
2. Rights of data principals, including access, correction, erasure, and grievance redressal
3. Obligations on data fiduciaries to ensure data accuracy, security, and accountability
4. Designation of Significant Data Fiduciaries based on volume and sensitivity of data
5. Establishment of the Data Protection Board of India (DPBI)
6. Imposition of monetary penalties up to Rs. 250 crore for serious violations

Unlike earlier legislative drafts, the DPDP Act adopts a relatively concise structure, focusing on operational efficiency rather than detailed procedural regulation.

III. Phased Implementation of the DPDP Act, 2023

Rule-Making and Operationalisation
A key legal development within the last one year has been the issuance of draft and final rules to operationalise the DPDP Act.[4] These rules clarify crucial aspects such as:

1. The manner in which consent must be obtained and withdrawn
2. Obligations relating to data breach reporting
3. Time limits for grievance redressal
4. Compliance mechanisms for data fiduciaries

The transition from statutory text to enforceable rules marks the point at which the DPDP Act began producing tangible legal effects, making its implementation a valid and significant legal development during 2025.

Establishment of the Data Protection Board of India
The constitution and functioning of the Data Protection Board of India represent another major institutional development. The Board is empowered to inquire into data breaches, impose penalties, and direct remedial measures. Proceedings before the Board are designed to be digital and summary in nature, reflecting a move towards technology-driven adjudication.

While this approach promotes efficiency, it also raises concerns regarding procedural safeguards, principles of natural justice, and the independence of the adjudicatory body from executive influence.

IV. Constitutional Dimensions of Data Protection

The constitutionality of the DPDP Act must be assessed against the proportionality framework established in Puttaswamy. The Court’s ruling requires that any legislative restriction on privacy be lawful, necessary, and proportionate to the objective pursued. While the Act’s consent framework and data minimisation principles are broadly consistent with this standard, two areas require closer constitutional scrutiny.

First, the broad exemptions granted to the State and its instrumentalities risk enabling data processing that may not satisfy the proportionality test. The absence of clearly defined limits on government access to personal data creates a gap between constitutional expectation and statutory reality.

Second, the power granted to the executive to exempt agencies from the Act’s purview raises questions of accountability and legislative oversight. Future constitutional challenges are likely to examine whether such exemptions strike a fair balance between national interest and individual privacy.

V. Comparative Perspective: GDPR and the DPDP Act

A stable data protection regime enhances consumer trust and aligns India with global standards, most notably the European Union’s General Data Protection Regulation (GDPR).[5] A comparison of the two frameworks reveals both convergences and meaningful distinctions.

Right to Erasure: Under the GDPR, data subjects have the right to request the deletion of their personal data from any data controller or processor. The DPDP Act similarly confers a right of erasure on data principals, though the procedural contours differ.

Right to Data Portability: Under the GDPR, data subjects have the right to receive their personal data in a structured, machine-readable format and to transmit it from one data controller or processor to another. The DPDP Act does not currently provide an equivalent right to portability, representing a notable gap in comparison with international standards.

More broadly, the GDPR applies to both digital and non-digital personal data, whereas the DPDP Act is limited to digital personal data. This distinction has implications for the scope of protection available to individuals in India and may need to be revisited as the regulatory framework matures.

VI. Legal and Societal Impact

Strengthening Informational Privacy
The DPDP Act gives statutory recognition to the constitutional right to privacy by regulating how personal data may be processed. Consent requirements and data minimisation principles enhance individual control over personal information and promote responsible data practices. However, broad exemptions granted to the State may dilute these protections if not subjected to strict judicial scrutiny.

Practical Implications in Digital Governance
The implementation of the DPDP Act has had tangible effects on everyday digital interactions between individuals, private entities, and the State. Government platforms providing services such as digital identity verification, welfare delivery, and online grievance mechanisms now operate within a statutory framework that recognises personal data as a legally protected interest. This represents a shift from unchecked data collection towards regulated digital governance.

For private entities, particularly in sectors such as fintech, e-commerce, edtech, and healthtech, compliance with the DPDP Act has become a legal necessity rather than a voluntary best practice. Companies are increasingly required to reassess how user consent is obtained, whether privacy notices are understandable, and how long personal data is retained. Failure to meet these obligations exposes organisations to substantial monetary penalties and reputational harm.

From the perspective of individuals, the Act introduces enforceable rights that empower users to question, correct, and seek erasure of their personal data. Although awareness remains limited, the legal recognition of such rights marks a step towards enhancing informational self-determination in India’s rapidly expanding digital ecosystem.

State Accountability and Constitutional Concerns
For the first time, government bodies are brought within a data protection framework, albeit with exceptions. The power of the State to exempt agencies from the Act raises serious constitutional questions, particularly in light of the proportionality doctrine laid down in Puttaswamy. Future constitutional challenges are likely to examine whether such exemptions strike a fair balance between national interest and individual privacy.

Corporate Governance and Economic Impact
The DPDP Act has significantly altered corporate practices during 2025. Companies handling personal data have revised privacy policies, implemented consent management systems, and conducted internal compliance audits. Data protection has thus become a core element of corporate governance rather than a purely technical concern. From an economic perspective, a stable data protection regime enhances consumer trust and aligns India with global standards.

Societal Implications
While the DPDP Act strengthens legal protections, its societal impact depends on public awareness and digital literacy. A large segment of the population remains unaware of data protection rights and remedies. Additionally, the Act’s limited application to digital data may exclude vulnerable groups who rely on non-digital systems. Without adequate awareness initiatives, the promise of data protection may remain largely theoretical for many citizens.

VII. Critical Analysis and Emerging Concerns

Exemptions and Accountability
The most significant concern regarding the DPDP Act is the extent of exemptions granted to the State. These exemptions, if broadly interpreted, could allow government agencies to process personal data without the consent-based safeguards that the Act mandates for private entities. This creates an asymmetry that may undermine the Act’s stated commitment to informational privacy.

Cross-Border Data and Global Compliance
The Act permits cross-border data transfers to countries notified by the central government, but the criteria for such notifications remain unclear. This ambiguity poses compliance challenges for multinational organisations and may create friction with international data protection standards. Clearer frameworks for cross-border data governance are needed to ensure legal certainty for businesses and adequate protection for individuals.

Implementation Gaps
Despite its strengths, the DPDP Act faces several implementation challenges:

1. Broad Government Exemptions: These create a potential conflict with constitutional privacy standards and the proportionality doctrine.
2. Institutional Independence: Concerns remain regarding executive influence over the Data Protection Board of India, which may affect the impartiality of its adjudications.
3. Limited Scope: The exclusion of offline and non-digital personal data leaves a significant portion of privacy-related concerns unaddressed.
4. Enforcement Capacity: Effective enforcement requires technical expertise, adequate resourcing, and transparent adjudication processes that are still being developed.

These challenges will shape the future trajectory of India’s data protection framework.

VIII. Future Roadmap and Recommendations

For the DPDP Act to fulfil its constitutional promise, several steps are recommended:

1. Judicial Oversight: Courts should actively scrutinise State exemptions against the proportionality standard established in Puttaswamy to prevent the erosion of individual privacy rights.
2. Institutional Independence: Mechanisms should be established to insulate the Data Protection Board of India from executive influence, including security of tenure for its members and transparent appointment processes.
3. Public Awareness: The government and civil society must invest in digital literacy campaigns that inform citizens of their rights under the Act and how to exercise them.
4. Legislative Expansion: Future amendments should consider extending the Act’s protections to non-digital personal data, bringing India’s framework closer to the comprehensive coverage offered by the GDPR.
5. Clearer Cross-Border Rules: The criteria for permitting cross-border data transfers should be codified and made publicly accessible to ensure legal certainty and alignment with international standards.

IX. Conclusion

The phased implementation of the Digital Personal Data Protection Act during 2024–2025 constitutes a significant legal development within the last one year. While the Act strengthens informational privacy and corporate accountability, its long-term success depends on transparent enforcement, institutional independence, judicial interpretation, and public awareness.

As India continues its digital transformation, the DPDP Act will play a critical role in defining the relationship between the individual, the State, and the digital economy. Its implementation phase, rather than its enactment, will ultimately determine whether India’s data protection regime lives up to its constitutional promise.

References

[1] Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).
[2] Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India).
[3] Constitution of India, arts. 14, 19, 21.
[4] Ministry of Electronics and Information Technology, Draft Digital Personal Data Protection Rules (2025).
[5] Council Regulation 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data, 2016 O.J. (L 119) 1 (EU) (GDPR).
