%20Redacto%20logo_New.png)
The Evolution of India’s Digital Personal Data Protection Act, 2023: A Two-Decade Journey Toward Data Privacy
India’s Digital Personal Data Protection (DPDP) Act, 2023 marks a pivotal moment in the country’s legislative history, ushering in a modern, rights-based approach to personal data protection. But this historic law didn’t emerge in isolation. It is the result of more than two decades of gradual evolution involving judicial pronouncements, committee recommendations, stakeholder feedback, and shifting technological landscapes.
This blog traces the key milestones that led to the formulation of the DPDP Act, highlighting how India’s approach to privacy and data protection has matured over time.
2000: The First Digital Law – Information Technology Act
India’s digital legislative journey began with the Information Technology (IT) Act, 2000, a pioneering move aimed at regulating cyber activities and digital transactions. While it addressed cybercrime and e-commerce, its treatment of personal data was limited and reactive.
Notable privacy-related provisions included:
- Section 43A: Provided compensation for failure to protect sensitive personal data.
- Section 72A: Penalized unauthorized disclosure of information by service providers.
However, these clauses lacked a cohesive structure or a broader data protection framework, signaling the need for more comprehensive legislation.
2012: A Roadmap Emerges – Justice A.P. Shah Committee Report
Recognizing the importance of privacy in a digital world, the Justice A.P. Shah Committee was constituted to recommend a robust privacy framework. In its 2012 report, the committee proposed a technology-agnostic and sector-neutral legal architecture grounded in nine privacy principles, including:
- Notice
- Consent
- Purpose limitation
- Collection limitation
- Access and correction
- Disclosure limitation
- Security
- Openness
- Accountability
These principles were inspired by international frameworks like the OECD Guidelines and the EU Data Protection Directive, laying the conceptual groundwork for a future data protection law in India.
2017: Constitutional Recognition – The Puttaswamy Judgment
A transformative moment came in August 2017, when the Supreme Court of India, in Justice K.S. Puttaswamy vs. Union of India, unequivocally declared privacy as a fundamental right under Article 21 of the Constitution.
The judgment laid down three essential tests that any privacy-infringing law must meet:
- Legality
- Legitimate aim
- Proportionality
This ruling provided a constitutional mandate to enact a comprehensive data protection law.
2018: A Draft Takes Shape – Justice B.N. Srikrishna Committee
In response to the Puttaswamy verdict, the Ministry of Electronics and Information Technology (MeitY) formed a Committee of Experts led by Justice B.N. Srikrishna. In July 2018, the committee submitted a detailed report along with the draft Personal Data Protection Bill, 2018, which emphasized:
- Data localization
- User consent as the core of data processing
- Rights of individuals (data principals)
- Accountability of data fiduciaries
- Oversight by a Data Protection Authority
This marked the first comprehensive draft legislation focused solely on personal data protection in India.
2019–2021: Legislative Engagement – PDP Bill and JPC Review
Building on the Srikrishna Committee’s work, the Personal Data Protection (PDP) Bill, 2019 was introduced in Parliament in December 2019. Given its far-reaching implications, it was referred to a Joint Parliamentary Committee (JPC) for deeper analysis.
Over two years, the JPC conducted extensive stakeholder consultations and clause-by-clause review. In December 2021, it submitted a revised draft, renamed the Data Protection Bill, 2021, which included several significant amendments and broadened the scope of the law.
2022: Rebooting the Framework – Withdrawal and New Draft
Despite progress, the government withdrew the PDP Bill in August 2022, citing the need for a more contemporary and simplified framework. The JPC’s report had suggested over 80 amendments, and concerns from startups and the tech industry prompted a rethinking of the approach.
In November 2022, MeitY released the Digital Personal Data Protection Bill, 2022, a cleaner, principle-based draft that retained key elements like consent, data fiduciaries, and cross-border transfer mechanisms, while simplifying obligations for smaller entities.
2023: The Law is Enacted – Digital Personal Data Protection Act
The revised bill was introduced in Parliament in 2023 as the Digital Personal Data Protection Bill, 2023, and passed by both houses. It received Presidential assent, officially becoming the Digital Personal Data Protection Act, 2023.
Key highlights of the Act include:
- Rights-based approach: Data principals (individuals) have clearly defined rights like access, correction, and grievance redressal.
- Duties of data fiduciaries: Organizations must follow lawful processing, ensure data security, and handle user consent responsibly.
- Significant penalties: For data breaches and non-compliance.
- Cross-border transfers: Governed by government-approved jurisdictions.
- Children’s data: Special protections for processing data related to minors.
2025: Draft DPDP Rules Released for Public Consultation
To operationalize the DPDP Act, MeitY released the Draft Digital Personal Data Protection Rules in early 2025 for public consultation. These draft rules aim to provide practical implementation guidance and further clarity on compliance requirements.
The draft rules cover:
- Privacy notices: Format, language, and delivery requirements
- Consent management: How to record, update, and withdraw consent
- Data security and breaches: Timelines for breach notification and grievance redressal
- Cross-border transfers: Jurisdiction-specific restrictions and safeguards
Conclusion: Privacy at the Heart of India’s Digital Future
The Digital Personal Data Protection Act, 2023 represents a monumental leap in India’s digital governance journey. It is not just a law, it is a rights-based framework that seeks to strike a balance between innovation and individual privacy.
India has taken the constitutional recognition of privacy seriously, and the DPDP Act stands as a testament to its commitment to safeguarding the personal data of over a billion citizens in the digital age.
