Friday, February 13


Rupinder Malik, Partner at JSA

India stands at a pivotal crossroad today as it navigates its fastest-growing digital economy and the
operationalisation of the Digital Personal Data Protection (DPDP) Act. With over one billion internet
subscribers, the nation has emerged as one of the world’s three largest digital societies. Initiatives like the
IndiaAI Mission and newly created Centres of Excellence for AI are accelerating this transformation,
weaving data flows through every layer of daily life, from classroom learning to citizen-government
interactions. This unprecedented digital adoption raises a fundamental question: Who is truly responsible
for safeguarding this vast ocean of personal data?

India’s DPDP Act: Bringing Clarity and Ambition

The Digital Personal Data Protection Act, 2023 (DPDP Act), along with its recently unveiled rules,
represents a decisive step in India’s pursuit of a modern, enforceable privacy framework. With the initial
provisions in effect, including the establishment of the Data Protection Board, the appointment process
for its leadership, and new procedural frameworks, India is moving away from years of fragmented
guidelines and judicial interpretations. The DPDP Act’s operational framework is set to roll out in phased
stages, with some obligations taking effect after an 18-month window (subject to change), allowing
stakeholders to build compliance.

Countries with established digital economies have long had comprehensive privacy frameworks. India’s
DPDP Act arrives, however, amidst technological leaps like generative AI, real-time facial recognition, and
widespread algorithmic governance. Against this backdrop, the DPDP Act’s significance lies in its attempt
to balance innovation and economic growth with the inalienable right to individual privacy.

Strengthening Individual Rights and Consent

At the core of the DPDP Act is the recognition of a citizen’s right to control their personal data. People are
entitled to know when, how, and why their data is collected, how long it will be stored, and what their
remedies are in cases of misuse. Historically, consent forms have been couched in technical jargon, and
privacy notices have been difficult to locate. The DPDP Act addresses this by requiring companies to
redesign consent workflows, ensuring that users are informed in clear, plain language about what they
are agreeing to. Consent must be explicit, specific, and easy to revoke, making it seamless both to give
and to withdraw.

For children and persons with certain disabilities, the DPDP Act introduces even more robust safeguards.
Companies must secure consent from parents or lawful guardians before processing a child’s data, with
exemptions outlined only for essential services like healthcare and education. This extension ensures
India’s privacy framework is genuinely inclusive, protecting some of the most vulnerable users in the
digital ecosystem.

Data Breaches: New Standards for Corporate Governance

A critical challenge under the DPDP Act is the management and reporting of data breaches. India has seen
a rise in cyber incidents affecting customer data, finance, government, and healthcare. The new law
requires organizations to detect breaches swiftly and report them to the Data Protection Board of India
(DPBI) without delay, with comprehensive updates required within 72 hours. Affected individuals must
also be notified, thereby elevating data governance from a technical afterthought to a legal and ethical
responsibility at the heart of corporate oversight.

Special Responsibilities and Structural Shifts

Certain sectors, like e-commerce platforms and large social media intermediaries, face heightened
expectations. They may need to re-engineer their business models, including mechanisms to delete user
data within 48 hours’ notice and provide options for users to object or download their information.

A pivotal innovation in the DPDP Act is the identification of “Significant Data Fiduciaries” (SDFs),
organisations processing vast volumes of, or especially sensitive, data. SDFs are required to appoint a
Data Protection Officer stationed in India, conduct regular data protection impact assessments,
commission independent audits, and potentially face restrictions on cross-border data transfer. These
provisions may drive investment in local data infrastructure and necessitate a reassessment of global
data flows.

Impact, Penalties, and the New Digital Culture

Financial ramifications under the DPDP Act are considerable. Penalties for violations such as failing to
implement robust security, neglecting timely breach reporting, or mishandling children’s data can reach
up to INR 250 crore. This marks a clear departure from the past, where penalties were symbolically light;
now, the consequences are tangible, driving real accountability for companies of all sizes.

Crucially, the DPDP Act signals a broader cultural and ethical shift in India’s digital landscape. AI-based
technologies are rapidly shaping domains like governance, health, finance, and entertainment. Data
protection must become hardwired into the fabric of India’s digital advancement, not as a tick-box
exercise but as a cornerstone of innovation built on trust.

As India’s digital economy accelerates towards its next phase, especially with increased AI adoption, the
DPDP Act compels all stakeholders to raise their game. The ultimate impact will depend not just on
regulatory clarity and enforcement by the DPBI, but also on the readiness of businesses and the
awareness of individual rights among citizens. The full impact of the law will emerge over time as
implementation details and jurisprudence evolve. Yet if India navigates this transition effectively, the
DPDP Act could well become an international benchmark—blending innovation with dignity and paving
the way for a new era of digital trust.

(Views are personal)

  • Published On Jan 19, 2026 at 09:02 PM IST
