Background

India’s journey towards a comprehensive data protection law began after the Supreme Court’s landmark nine-judge bench verdict in K.S. Puttaswamy v. Union of India (2017), which declared the right to privacy a fundamental right under Article 21. The Justice B.N. Srikrishna Committee was constituted in August 2017 to draft a data protection framework, and it submitted its report along with the draft Personal Data Protection Bill in July 2018.

The first version — the Personal Data Protection Bill, 2019 — was introduced in Lok Sabha on December 11, 2019 and referred to a Joint Parliamentary Committee (JPC). The JPC submitted its report in December 2021 with 93 amendments and 12 recommendations, significantly expanding the Bill’s scope to include non-personal data. The government withdrew this Bill in August 2022, citing the need for a “comprehensive legal framework.”

A fresh Digital Personal Data Protection Bill, 2023 was introduced on August 3, 2023, passed by Lok Sabha on August 7 and Rajya Sabha on August 9, and received Presidential assent on August 11, 2023. It is India’s first standalone data protection legislation, replacing the inadequate Section 43A and related rules under the IT Act, 2000.

Key Concepts

  • Data Principal: The individual to whom the personal data relates; in the case of a child (below 18 years), their lawful guardian acts on their behalf
  • Data Fiduciary: Any person (individual, company, state) that alone or jointly determines the purpose and means of processing personal data
  • Significant Data Fiduciary (SDF): A Data Fiduciary designated by the Central Government based on volume/sensitivity of data processed; subject to additional obligations including appointing a Data Protection Officer (DPO), conducting periodic Data Protection Impact Assessments (DPIA), and independent data audits
  • Consent Manager: An entity registered with the DPBI that acts as a single point of contact for Data Principals to manage, review, and withdraw consent given to multiple Data Fiduciaries
  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary (e.g., cloud service providers, analytics firms)
  • Personal Data Breach: Any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability

Important Provisions

  • Section 4 (Consent): Personal data may be processed only for a lawful purpose after obtaining free, specific, informed, unconditional, and unambiguous consent from the Data Principal. Consent must be limited to data necessary for the stated purpose.
  • Section 5 (Legitimate Uses): Data processing without consent is permitted for specified legitimate uses — voluntary sharing by the Data Principal, state functions (subsidies, permits, licences), compliance with court orders, medical emergencies, employment purposes, and public interest.
  • Section 6 (Notice): Every Data Fiduciary must provide an itemised notice describing the personal data being collected, the purpose of processing, and the manner of exercising rights — in English or any of the 22 Eighth Schedule languages.
  • Section 8 (Rights of Data Principal): Right to access information about processing, right to correction and erasure, right to grievance redressal (response within 30 days), right to nominate another individual to exercise rights in case of death/incapacity.
  • Section 9 (Duties of Data Principal): Data Principals must not register false or frivolous complaints, must not suppress material information, and must provide only verifiably authentic information while exercising rights.
  • Section 10 (Children’s Data): Processing of children’s data requires verifiable parental consent. Behavioural monitoring, tracking, and targeted advertising directed at children are prohibited. Government may exempt certain Data Fiduciaries from these requirements if processing is verifiably safe.
  • Section 16-17 (Cross-border Transfer): Personal data may be transferred to any country except those specifically restricted by the Central Government through notification. This is a significant departure from the 2019 Bill’s data localisation mandate.
  • Section 18-27 (Data Protection Board of India): Established as an independent body to adjudicate complaints, impose penalties, and direct remedial actions. Chairperson and members appointed by Central Government for 2-year terms (renewable). DPBI functions as a digital office and proceedings are conducted digitally.
  • Section 33 (Penalties): Up to Rs 50 crore for failure to take security safeguards; up to Rs 200 crore for failure to notify the Board and Data Principals of a breach; up to Rs 250 crore for non-compliance by Significant Data Fiduciaries; up to Rs 10,000 for Data Principals filing false complaints.

Landmark Judgments

  • K.S. Puttaswamy v. Union of India (2017): Nine-judge bench unanimously declared the right to privacy a fundamental right under Article 21. This verdict is the constitutional foundation of the DPDP Act. The Court directed the government to formulate a data protection regime.
  • K.S. Puttaswamy v. Union of India (2018 — Aadhaar judgment): Five-judge bench upheld Aadhaar’s constitutional validity under Article 21 but struck down Section 57 of the Aadhaar Act (private sector use). The judgment emphasised the need for a robust data protection law to govern Aadhaar data.
  • Justice K.S. Puttaswamy v. Union of India (WhatsApp Privacy Policy, 2021): Delhi High Court noted the absence of a comprehensive data protection law while examining WhatsApp’s updated privacy policy, reinforcing urgency for legislation.
  • Google LLC v. Competition Commission of India (2023): While primarily a competition law case, the Supreme Court’s observations on data dominance and user consent reinforced the principles codified in the DPDP Act.

Recent Amendments / Developments

  • DPDP Rules, 2025 (Notified November 14, 2025): The Ministry of Electronics and IT notified the final Digital Personal Data Protection Rules, 2025 on November 14, 2025, giving full effect to the DPDP Act, 2023. The rules replace the draft rules that were released for public consultation in January 2025. Key provisions include consent manager registration framework, breach notification timelines, Data Principal verification via DigiLocker/virtual tokens, and enhanced duties for Significant Data Fiduciaries.
  • Phased Implementation Timeline: The rules adopt a three-phase rollout: Phase 1 (November 13, 2025) — establishment of the Data Protection Board of India (DPBI), its powers, processes, and operational framework; Phase 2 (November 13, 2026) — consent manager registration, obligations, and DPBI enforcement powers over consent management breaches; Phase 3 (May 13, 2027) — all remaining core obligations including consent/notice requirements, Data Principal rights, Data Fiduciary duties, SDF obligations, breach notification, data retention/erasure, and security safeguard mandates.
  • DPBI Constitution (November 2025): The Data Protection Board of India was formally constituted on November 13, 2025 as part of Phase 1. It is headquartered in New Delhi and consists of a chairperson and four members serving renewable two-year terms. A government-appointed search-cum-selection committee was constituted in December 2025 to appoint permanent members. Appeals from DPBI decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • RTI Act Amendment (Section 44(3)): The DPDP Act, 2023 through Section 44(3) amended Section 8(1)(j) of the RTI Act, 2005, replacing the earlier “public interest override” for personal information with a blanket exemption. This has been widely criticised by transparency activists as undermining RTI’s core purpose — details of conduct, performance, and assets of government officials can now potentially be shielded under the guise of data protection.
  • Comparison with Global Laws: The DPDP Act is often compared with the EU’s GDPR (2018) — key differences include India’s broader state exemptions, absence of a “right to data portability,” and opt-out rather than opt-in approach to cross-border transfers.

UPSC Relevance

  • Prelims: Key provisions (consent, penalties, DPBI), Section numbers, Data Principal rights, children’s data protections, cross-border transfer provisions, comparison with GDPR
  • Mains GS-2: Right to privacy (Article 21), data governance framework, independent regulatory bodies, state surveillance vs. individual rights, federalism (Centre vs. State jurisdiction over data)
  • Mains GS-3: Cybersecurity ecosystem, digital economy regulation, IT Act evolution, data localisation debate, impact on startup ecosystem and innovation
  • Interview: Is the DPDP Act sufficient to protect privacy in the age of AI? Should India adopt data localisation like China or free flow like the EU? How do you balance national security exemptions with individual privacy rights?