1. Brief History of the DPDP Act

India’s journey towards establishing a dedicated personal data protection law spans more than a decade and reflects the country’s transformation into one of the world’s largest digital societies.

The roots of the Digital Personal Data Protection Act, 2023, can be traced back to the early 2010s, when India began experiencing an unprecedented surge in digital connectivity driven by affordable smartphones, expanding internet infrastructure, and mass adoption of digital public platforms such as Aadhaar, UPI, FASTag, DigiLocker, and CoWIN. These platforms enabled seamless access to identity, financial inclusion, and health services—but also highlighted emerging concerns around privacy, data misuse, and unregulated collection of personal information.

The turning point came in 2017, when a nine-judge bench of the Supreme Court delivered the historic Justice K.S. Puttaswamy (Retd.) vs. Union of India judgment. The Court unanimously held that the Right to Privacy is a fundamental right under Article 21 of the Constitution. This landmark decision established the constitutional obligation of the State to protect informational privacy and catalyzed the need for a formal privacy law. The judgment clearly stated that India required a comprehensive data protection regime comparable to other global democracies.

In response, the Government of India constituted the Justice B.N. Srikrishna Committee on Data Protection in 2017. After one year of extensive consultations, the Committee submitted the Personal Data Protection (PDP) Bill, 2018—India’s first structured attempt at a privacy framework. Building on this, the Government introduced the Personal Data Protection Bill, 2019 in Parliament.

Although ambitious and detailed, the 2019 Bill faced criticism for being over-regulatory, bureaucratically heavy, and misaligned with India’s innovation-driven technology sector. As technological ecosystems rapidly evolved—with expanding EdTech, FinTech, HealthTech, AI platforms, and gig-economy models—the 2019 Bill was deemed outdated even before implementation. The Government withdrew the Bill in 2022, stating the need for a “comprehensive, modern, and simplified framework.” This reset allowed India to rethink privacy regulations from first principles, focusing on clarity, ease of implementation, innovation enablement, and digital-first governance.

In 2023, the Government introduced the Digital Personal Data Protection (DPDP) Bill, which adopted a principle-based, technology-agnostic, minimalistic drafting approach. The DPDP Bill departed from earlier versions by simplifying definitions, streamlining rights and obligations, and reducing compliance burdens—especially for startups, MSMEs, and educational institutions. After debate and approval by both Houses of Parliament, the Bill became the Digital Personal Data Protection Act, 2023—India’s first complete privacy legislation.

To operationalize the Act, the Government prepared a detailed set of implementing guidelines called the DPDP Rules, released in November 2025. These Rules provide procedural clarity regarding notice formats, consent standards, security obligations, age verification processes, breach notifications, grievance redressal timelines, data retention norms, cross-border transfer restrictions, and operational functioning of the newly formed Data Protection Board of India (DPB).

Today, the DPDP Act and DPDP Rules represent India’s most significant step toward building a rights-respecting, innovation-friendly digital economy. They reflect global best practices while addressing India’s unique social, demographic, and technological realities.

2. Why the Act Was Enacted

India’s digital landscape experienced extraordinary growth over the past decade, with millions of citizens transitioning to online financial services, digital government platforms, educational applications, healthcare portals, and e-commerce ecosystems. As digital participation expanded, so did the volume of personal data being collected, stored, and exchanged—often without clear consent, meaningful transparency, or adequate safeguards. This rapid datafication of daily life highlighted the urgent need for a legal framework that placed individual privacy and autonomy at its center. The absence of a unified privacy law meant that personal information was governed by fragmented sectoral rules, allowing inconsistencies, regulatory confusion, and widespread misuse of personal data.

A significant driver for the DPDP Act was the rising number of data breaches across sectors—banking, telecommunications, healthcare, e-commerce, and educational institutions. Millions of records containing sensitive personal information, including Aadhaar numbers, financial details, medical histories, and student records, were exposed in high-profile incidents. These breaches revealed gaps in cybersecurity readiness and the lack of enforceable obligations governing how organizations collect, store, and handle personal data. The government recognized that without a strong data protection system, citizen trust in digital services would erode, potentially hindering India’s broader digital transformation.

Another influencing factor was the Supreme Court’s recognition of privacy as a fundamental right in the landmark Puttaswamy (2017) judgment. The Court emphasized that the State carries a constitutional obligation to safeguard informational privacy. This judgment placed direct responsibility on Parliament to create a robust privacy law, thereby catalysing the introduction of multiple draft bills leading up to the DPDP Act. The Act is therefore a fulfilment of a constitutional mandate—not merely a policy decision but a rights-driven legislative necessity.

The government also sought to create a framework that aligns India with global data protection ecosystems. As Indian companies increasingly serve international clients—particularly in the EU, US, and APAC regions—they faced compatibility challenges with foreign privacy laws like GDPR. Without a comparable domestic law, Indian companies risked losing international business opportunities and facing compliance barriers. The DPDP Act was thus crafted to improve global interoperability, strengthen India’s digital trade prospects, and position the country as a trustworthy data-processing hub.

The Act’s design reflects India’s intention to balance innovation with protection. Earlier versions of the bill, such as the 2019 PDP Bill, contained heavy compliance burdens and controversial data localization mandates. The DPDP Act, in contrast, adopts a minimalist, principles-based approach—prioritizing clarity, reducing ambiguity, and simplifying obligations while retaining essential safeguards. The goal was to create a law that protects citizens without stifling digital growth, ensuring that privacy and innovation operate in harmony.

Additionally, the proliferation of EdTech platforms during and after the COVID-19 pandemic made it clear that India lacked adequate mechanisms to regulate the collection and processing of children’s data. Millions of minors were using learning apps, classroom tools, biometric attendance systems, and online exams without a structured consent model or safety net. The DPDP Act directly addresses this vulnerability by introducing strict rules on children’s data processing, requiring parental consent, prohibiting harmful tracking, and mandating safe processing practices. This alone required a dedicated, modern legal framework suitable for India’s demographic realities.

Finally, the Act was enacted to establish a legally empowered, centralized authority—the Data Protection Board (DPB)—to enforce compliance, adjudicate breaches, impose penalties, and provide citizens with recourse. Without a regulatory body, India’s digital ecosystem lacked accountability and enforcement capacity. The DPDP Act’s implementation ensures that data protection responsibilities are not optional guidelines but enforceable legal obligations.

The DPDP Act emerged from the increasing risk of cybercrime, data theft, identity fraud, and commercial misuse of personal information. With rising digital ecosystem, India needed a law that protects individuals while enabling safe business innovation. The Act serves several core purposes:

• Protecting citizens from unauthorized or harmful data processing.
• Building trust in digital services such as banking, e-commerce, EdTech, and healthcare.
• Providing businesses clear, consistent, unified compliance standards.
• Ensuring safe use of children’s data—especially relevant amidst booming EdTech sectors.
• Aligning India with global frameworks like GDPR.
• Providing enforcement power through an independent Data Protection Board.
• Ensuring data-driven innovation continues with transparency and accountability.

3. Overall Summary of the Act

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive and modern privacy law created to regulate how personal data is collected, processed, stored, shared, and deleted in the digital environment. Unlike earlier drafts, the DPDP Act is designed to be simple, principle–based, and technology-neutral, enabling it to evolve alongside India’s fast-changing digital ecosystem. It applies exclusively to digital personal data, whether collected online or digitized from physical form, ensuring clarity and easier compliance for organizations of all sizes—from schools and small businesses to large enterprises and multinational companies.

The Act introduces clear terminology, defining the roles and responsibilities of all stakeholders involved in personal data processing. These definitions are critical for determining accountability, liability, and compliance obligations. The four key entities defined in the Act are Data Principal, Data Fiduciary, Data Processor, and Consent Manager, along with a special category called Significant Data Fiduciary (SDF). The Act grants individuals core rights: the right to access personal data, correct inaccuracies, request deletion, seek grievance redressal, and appoint nominees.

1. Data Principal

A Data Principal is the individual to whom personal data relates. In simple terms, this is the person whose data is being collected or processed.

Examples:

• A student using a school app
• A patient visiting a hospital
• A customer purchasing online
• A citizen using a government service

For minors, the Data Principal becomes the parent or lawful guardian. For persons with disabilities, an appointed guardian becomes the Data Principal.

Significance: This definition places the individual at the centre of the DPDP framework, ensuring that privacy rights belong to the person, not the organization handling the data.

2. Data Fiduciary

A Data Fiduciary is the entity (organization, institution, company, government body) that decides the purpose and means of processing personal data. They are the primary custodian of user data and must ensure ethical, fair, lawful processing.

Examples:

• Schools & colleges (processing student data)
• Banks (processing customer financial data)
• Hospitals (processing patient health data)
• E-commerce platforms (processing customer purchase data)
• Apps & websites collecting user information

Responsibilities of Data Fiduciaries:

• Provide clear notice
• Obtain lawful consent
• Protect data through security measures
• Process data for legitimate purposes only
• Ensure accuracy and correction
• Delete data when the purpose is over
• Report data breaches
• Maintain grievance redressal

This entity carries the highest responsibility under the Act. Data Fiduciaries must ensure proper notice, lawful consent, data minimization, data security, timely breach notification, and purpose-based usage. SDFs face additional responsibilities such as appointing a Data Protection Officer (DPO) and conducting audits. Children’s data receives heightened protection—requiring parental consent, banning tracking/profiling, and prohibiting harmful processing.

3. Data Processor

A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary.

Examples:

• Cloud service providers (AWS, Azure, GCP)
• IT service agencies
• ERP software vendors
• Data analytics agencies
• Payroll service companies

Important: A Data Processor cannot independently decide:

• Why data is processed
• How data is processed
• Whether data can be transferred or used elsewhere

Their actions must strictly follow the Data Fiduciary’s written instructions.

4. Consent Manager

A Consent Manager is a Meity-authorised platform that enables users to give, manage, review, and withdraw consent through a single dashboard.

Features:

• Standardized interface
• Interoperable across apps
• Transparent logs of consent
• User-friendly and auditable

This concept is inspired by India’s successful Account Aggregator system under RBI.

Consent Managers become especially important for:

• Health data management
• FinTech
• EdTech
• Insurance
• Large-scale personal data flows

Significant Data Fiduciary (SDF)

An SDF is a Data Fiduciary that handles large-scale, high-risk, or sensitive-impact personal data. This classification ensures that high-impact data handlers follow stricter controls.

The Central Government may classify an organization as an SDF based on:

• Volume of personal data processed
• Sensitivity of data
• Risk to national security
• Impact on public order
• Potential harm to individuals

Additional Obligations of SDFs:

• Mandatory appointment of a Data Protection Officer (DPO)
• Data Protection Impact Assessments (DPIA)
• Annual audits
• Strong governance and risk management

Rights Granted to Data Principals

The DPDP Act grants Data Principals—individual users—several critical rights designed to strengthen transparency, autonomy, and control over their digital presence in an increasingly data-driven environment. Collectively, these rights enhance user trust, ensure meaningful participation in the digital economy, and promote responsible data-handling practices by organizations.

• Right to Access: Individuals are entitled to request clear information regarding what personal data is being collected about them, the specific purposes for which it is processed, and the third parties or entities with whom such data is shared.
• Right to Correction: Empowers individuals to rectify incorrect, incomplete, or outdated information such as address changes, contact updates, or corrections to identity details.
• Right to Erasure: Allows individuals to request deletion of their personal data once the original purpose of collection has been fulfilled, when consent has been withdrawn, or when retention is no longer legally necessary.
• Right to Grievance Redressal: Mandates every organization to appoint a grievance officer, maintain a structured complaint-handling mechanism, and respond within defined timelines to resolve user concerns.
• Right to Nominate: Enables individuals to appoint a trusted nominee who may exercise their data rights in the event of the user’s death or incapacity.

Obligations of Data Fiduciaries

Data Fiduciaries under the DPDP Act are required to comply with rigorous obligations that promote responsible and ethical data handling. Together, these obligations establish a framework that enforces accountability, protects user privacy, and ensures ethical data governance.

• Must begin by issuing a clear and easily understandable privacy notice before collecting any personal data, informing individuals about the purpose of processing, categories of data collected, retention periods, and grievance mechanisms.
• Consent must be free, specific, informed, unbundled, and easily revocable, ensuring that individuals knowingly and voluntarily agree to the processing activities.
• Expected to follow the principle of data minimization, collecting only the information necessary to achieve the stated purpose, and must adhere to purpose limitation, meaning the data cannot be used beyond what was initially disclosed.
• Ensuring accuracy of personal data is another core obligation, requiring timely updates and corrections to maintain correctness.
• Must implement appropriate security safeguards, including encryption, access controls, regular audits, and cyber hygiene practices, to protect personal data from unauthorized access or breaches.
• In the event of a data breach, they are legally required to notify both the Data Protection Board of India and the affected individuals promptly.
• Must also establish clear data retention and deletion practices, ensuring that personal data is erased once the purpose is accomplished unless continued storage is legally mandated.

Additional Controls for Significant Data Fiduciaries

Significant Data Fiduciaries (SDFs) are subject to heightened compliance obligations due to the scale, sensitivity, or potential impact of their processing activities. These enhanced controls ensure that entities handling large datasets or performing high-risk processing maintain higher levels of responsibility and accountability.

• Must appoint a qualified Data Protection Officer (DPO) who will serve as the primary liaison with the Data Protection Board and oversee internal compliance.
• Required to conduct Data Protection Impact Assessments (DPIAs) to evaluate and mitigate risks arising from high-risk processing activities.
• Must also undergo regular independent audits, adopt advanced cybersecurity frameworks, and implement comprehensive monitoring of algorithmic and automated decision-making systems to avoid discriminatory or harmful outcomes.

Protection of Children’s Data

The Act provides strong protections for children’s data, recognizing that minors are particularly vulnerable in digital environments. These measures collectively create a safer digital ecosystem for children, ensuring their data is handled with the highest degree of care and sensitivity.

• All processing of data relating to individuals under 18 requires verifiable parental consent, ensuring that guardians have full visibility into how their children’s data is being used.
• The Act prohibits tracking, profiling, or behavioral analysis of children, preventing educational profiling, personality mapping, or algorithmic manipulation.
• It also bans targeted advertising directed at minors, ensuring that children are not commercially exploited based on their digital behavior.
• Furthermore, the Act strictly prohibits any data processing that may cause physical, psychological, or financial harm, a crucial safeguard given the increasing use of EdTech apps, digital classrooms, gaming platforms, and child-oriented applications.

Penalties under the Act

The DPDP Act imposes large financial penalties, which emphasize accountability and trust.

Purpose and Design Philosophy of the Act

The DPDP Act is built on a design philosophy centered on simplicity, flexibility, and scalability, ensuring it remains practical and future-ready. This thoughtful design encourages broad national compliance and supports India’s digital transformation while protecting individual rights.

• Simplicity: Reflected in the use of plain, accessible language, standardized notice formats, and straightforward compliance requirements that avoid the complexity of earlier drafts. This makes the law easier for citizens to understand and for organizations—including schools, startups, and small enterprises—to implement.
• Flexibility (Technology-Neutral): Ensures its principles apply consistently across current and future digital systems, from mobile apps to AI-driven platforms.
• Scalability: Ensures it can be adopted uniformly by entities of all sizes—small startups, SMEs, educational institutions, multinational corporations, and government departments—without imposing disproportionate burdens.

Conclusion

The Digital Personal Data Protection Act, 2023 represents one of the most significant legal reforms in India’s digital governance landscape. By establishing a structured framework for the processing of digital personal data, the Act strengthens the fundamental right to privacy declared in the Putta swamy judgment and provides India with its first unified data-protection statute. The Act introduces a rights-based architecture—granting individuals powers such as access, correction, erasure, and grievance redressal—while ensuring that organizations processing personal data meet strict obligations of notice, consent, purpose limitation, data minimization, and security safeguards.

Its emphasis on protecting children’s data, along with the creation of a national Data Protection Board, marks a major shift toward accountability and digital trust. The DPDP Act is intentionally simple, principle-driven, and technology-neutral, making it adaptable for India’s diverse digital ecosystem, which ranges from startups and MSMEs to large enterprises and government institutions. Its penalty structure—going up to 250 crore—acts as a strong deterrent against misuse and systemic negligence.

However, the Act’s broad government exemptions, absence of a sensitive-data classification, and lack of certain advanced rights (such as portability and objection to automated processing) indicate areas where future reforms may be needed. Despite these limitations, the Act lays a solid foundation for India’s long-term digital policy vision. In essence, the DPDP Act signals India’s transition towards a privacy-conscious, rights-respecting digital economy, enhancing public trust while supporting innovation and economic growth. It is a foundational law that will evolve over time, but it already positions India as a major global contributor to contemporary data protection standards.

Bibliography

1. Digital Personal Data Protection Act, 2023 – Government of India (https://www.meity.gov.in)
2. Justice K.S. Puttaswamy (Privacy) Judgment, Supreme Court of India (https://indiankanoon.org/doc/127517806/)
3. Justice B.N. Srikrishna Committee Report – A Free and Fair Digital Economy (https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017.pdf)
4. European Commission – GDPR Overview (https://gdpr.eu/)
5. Press Information Bureau – DPDP Bill introduction & explanation (https://pib.gov.in)
6. NASSCOM – Industry Analysis of DPDP Act Compliance (https://nasscom.in)
7. PRS Legislative Research – Summary of DPDP Act (https://prsindia.org)