India today is home to 881 million internet subscribers — the second-largest connected population on earth. Digital payments process over 14 billion transactions a month through UPI. Aadhaar has enrolled more than 1.3 billion residents. WhatsApp, with 500 million Indian users, is how families, businesses, and government departments communicate. And yet, until August 2023, no comprehensive law governed what could be done with the personal data generated by all of this activity.
That gap was not an oversight. It was the product of two decades of deferred legislation, competing interests, and constitutional debate. Understanding how India finally arrived at the Digital Personal Data Protection Act 2023 — and why it took so long — is essential context for any enterprise now working out what compliance actually requires.
The IT Act 2000: A Law Built for a Different Internet
India's first attempt to regulate the digital space was the Information Technology Act 2000, enacted when the country had fewer than five million internet users. Section 43A of the IT Act, added by amendment in 2008, created a rudimentary obligation on companies handling "sensitive personal data or information" (SPDI) to implement reasonable security practices. The accompanying Rules of 2011 defined SPDI to include passwords, financial information, health data, and biometrics.
The problem was that the IT Act was drafted primarily to enable e-commerce and address cybercrime — not to give citizens rights over their data. It had no consent framework. It did not require purpose limitation. It provided no right to access, correct, or erase personal information. And its definition of who counted as a "body corporate" subject to the SPDI rules excluded government entirely.
By 2016, India was processing billions of biometric enrolments under Aadhaar, running a national payment identity system, and generating healthcare data at scale — all without a data protection framework fit for purpose.
The Srikrishna Committee and the PDP Bill (2018–2022)
The turning point was a 2017 Supreme Court judgment — Justice K.S. Puttaswamy v. Union of India — which unanimously held that privacy is a fundamental right under the Indian Constitution. The judgment specifically noted the absence of a data protection law as a legislative gap requiring urgent remedy.
The government responded by constituting a Committee of Experts on Data Protection chaired by Justice B.N. Srikrishna. The committee's 2018 report — "A Free and Fair Digital Economy" — was a rigorous and thoughtful document. It proposed a framework modelled partly on GDPR but adapted to Indian conditions: a Data Protection Authority, a consent-based processing model with legitimate interest exceptions, data localisation requirements, and rights for data principals including access, correction, erasure, and portability.
"Personal data is the new oil of the digital economy, but unlike oil it can be reused, replicated, and recombined infinitely — amplifying both its value and its potential for harm." — Srikrishna Committee Report, 2018
The Personal Data Protection Bill 2019 was introduced in Parliament but immediately referred to a Joint Parliamentary Committee. Over three years of deliberation, it grew from 98 to 99 clauses and accumulated 81 amendments. Industry lobbied against data localisation. Civil society pushed for stronger rights. The government sought carve-outs for its own processing activities. In August 2022, the government withdrew the entire bill, citing the need to start again with a "comprehensive legal framework."
The Incidents That Made Inaction Untenable
While Parliament debated, a series of high-profile incidents made the absence of a data protection law increasingly difficult to defend politically.
The Aadhaar Data Exposures
Between 2017 and 2019, multiple media investigations revealed that Aadhaar numbers and linked demographic data were accessible through poorly secured government portals and third-party APIs. The Tribune reported in 2018 that Rs. 500 paid to an anonymous WhatsApp network could buy access to Aadhaar details for any of 1 billion enrolled citizens. The UIDAI disputed the characterisation but acknowledged security vulnerabilities requiring remediation. Without a data protection law, affected citizens had no legal recourse and no right to know what had been compromised.
Cambridge Analytica and the Indian Angle
The global Cambridge Analytica scandal of 2018 — in which Facebook data on 87 million users was harvested without consent for political profiling — had a specific Indian dimension. Cambridge Analytica's parent company, SCL Group, had worked on Indian election campaigns. A Parliamentary Standing Committee summoned Facebook's India head. The episode demonstrated that the lack of meaningful consent requirements left Indian users as exposed as their counterparts in jurisdictions that at least had sectoral protections.
WhatsApp's 2021 Privacy Policy Update
When WhatsApp updated its privacy policy in January 2021 to mandate data sharing with Facebook for business users — on a take-it-or-leave-it basis — the Competition Commission of India launched an investigation, and the government threatened to regulate the platform. The episode exposed a fundamental gap: India had no law requiring that consent for data sharing be freely given, specific, or withdrawable. WhatsApp's approach would have been unlawful under GDPR. In India, it was merely controversial.
The DPDPA 2023: What Finally Changed
The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. At 30 sections — deliberately shorter than its predecessor bills — it is a principles-based framework rather than a prescriptive rulebook, with detail delegated to Rules yet to be fully notified.
Key Architecture of the DPDPA 2023
Data Principal: The individual whose data is processed. Has rights to access, correction, erasure, grievance redressal, and nomination.
Data Fiduciary: Any entity that determines the purpose and means of processing. Must obtain consent, honour rights, and implement security safeguards.
Data Processor: Processes data on behalf of a Fiduciary.
Significant Data Fiduciary: Designated by government based on volume, sensitivity, and risk — subject to enhanced obligations including a Data Protection Officer and periodic audits.
Data Protection Board: Adjudicatory body with power to impose penalties up to ₹250 crore per instance.
The Act's most significant departures from the failed PDP Bill are pragmatic. It drops mandatory data localisation for most categories (retaining the government's power to restrict cross-border transfers by notification). It eliminates the "legitimate interest" basis for processing — in India, consent or a specific statutory ground is required. It takes a more restrained approach to children's data, requiring verifiable parental consent for users under 18.
What It Means for Regulated Enterprises Now
The DPDPA is in force. The Data Protection Board is being constituted. Draft Rules have been published for comment, and final Rules are expected imminently. Penalties of up to ₹250 crore per instance of non-compliance are not hypothetical — the Board will have investigative and adjudicatory powers from the moment it is constituted.
For enterprises, the immediate obligations are clear even before the Rules are finalised. You must have a lawful basis — predominantly consent — for every instance of personal data processing. That consent must be obtained through a notice that is specific, plain-language, and purpose-linked. Data principals must be able to withdraw consent, access their data, and seek correction or erasure. You must have security safeguards proportionate to the sensitivity of the data you hold. And if you suffer a breach, you must notify the Board and affected data principals.
None of this can be retrofitted onto existing systems in a compliance sprint. It requires changes to how data is collected, stored, processed, and deleted — and it requires the infrastructure to demonstrate that those changes have actually taken effect. That is precisely the problem ClearConsent was built to solve.
Is Your Organisation Ready for DPDPA Enforcement?
ClearConsent's DPDPA Readiness Assessment maps your current data processing activities against the Act's requirements in under 48 hours. Identify your highest-risk gaps before the Data Protection Board is operational.