Broad exemptions, delayed implementation, and weak oversight raise doubts about whether India’s Digital Personal Data Protection Act can truly protect privacy
By Dr Tuhinsubhra Giri
India stands at a crossroads. With 971 million internet users, 185 billion UPI transactions annually worth USD 3 trillion, and a digital economy projected to reach USD 1 trillion by 2027, the country has orchestrated one of history’s most ambitious digital transformations.
Yet this explosive growth rests on a fragile foundation: trust. The Digital Personal Data Protection Act, 2023, enacted but still unimplemented two years later, represents India’s first attempt to codify that trust into law. The question is whether it will succeed, or whether its compromises ultimately undermine the very digital future it aims to enable.
Simplicity at a Cost
After years of legislative false starts, the DPDPA represents a deliberate pivot toward pragmatism. The 2019 Personal Data Protection Bill contained over 90 clauses with extensive data localisation mandates that threatened to balkanise India’s digital economy (Carnegie Endowment, 2023). The DPDPA, by contrast, offers just 44 sections with a streamlined, consent-centric approach that industry has largely welcomed. Nasscom (2023) hailed it as a ‘significant milestone that will bolster trust and solidify India’s position as a global innovation hub.’
This simplicity, however, comes at a cost. Unlike the European Union’s General Data Protection Regulation (GDPR), which provides six legal bases for processing, including the flexible ‘legitimate interests’ ground, the DPDPA offers essentially two: explicit consent or narrow ‘legitimate uses’ (Latham & Watkins, 2023).
For businesses accustomed to GDPR’s operational flexibility, this consent-centricity represents a fundamental architectural difference. Every routine business operation, from fraud prevention to service improvement, must either obtain explicit consent or squeeze into one of nine tightly defined exemptions. As Latham & Watkins (2023) explained, ‘the legitimate interests ground is often the first port of call for businesses complying with GDPR,’ making the DPDPA’s exclusion of this basis ‘the big difference’ requiring substantial compliance restructuring.
Exemption Paradox
Here lies the Act’s most troubling contradiction. While ordinary businesses face strict consent requirements and penalties up to Rs 250 crore, Section 17 grants sweeping exemptions to government instrumentalities for national security, public order, and preventing offences, with virtually no independent oversight. The Data Protection Board, with members appointed by the central government, lacks the structural independence mandated by Article 52 of the GDPR for European supervisory authorities.
This asymmetry has drawn sharp criticism. The Internet Freedom Foundation (IFF) argues the Act ‘fails to address many data protection concerns and instead puts in place a regime to facilitate data processing activities of state and private actors.’ The Carnegie Endowment (2023) warns that ‘certain provisions can effectively undermine benefits if the government does not act in the most scrupulous manner possible.’ Moreover, the European Data Protection Supervisor declined data transfers to India in 2024, citing concerns about the adequacy of India’s framework and regulatory independence (Tyagi, 2025).
The Act’s rigid consent framework creates particularly troubling implications for investigative journalism and public interest reporting. Journalists investigating corruption or financial scams could theoretically face penalties up to Rs 250 crore for processing personal data of alleged wrongdoers without their consent, even when reporting serves the public interest (DPDPA, 2023, Section 33).
While the Act provides exemptions for processing ‘for any genuine journalistic purpose,’ the ambiguity of what constitutes ‘genuine’ could have chilling effects on investigative reporting, particularly when powerful individuals claim privacy protections to suppress inconvenient truths. This represents a dangerous asymmetry — the government enjoys broad exemptions while journalists navigating the same consent requirements as commercial entities face potentially devastating penalties.
For a nation aspiring to lead democratic innovation globally, this represents a strategic vulnerability. India’s Aadhaar system already covers 1.4 billion people, facilitating over 80 million transactions per day, and the JAM Trinity enables approximately Rs 2.39 lakh crore, an increase of over 15 times since its inception. These systems generate unprecedented volumes of sensitive data. Without robust checks on state access, the DPDPA risks enabling what PRS India (2023) describes as ‘data collection beyond what is necessary’ that ‘may violate the fundamental right to privacy’ established in the landmark Puttaswamy judgment.
Digital Growth
The stakes extend far beyond abstract privacy concerns. Trust is the invisible infrastructure upon which India’s digital ambitions rest. Studies show that consumers worldwide, including those in India, value data protection enough to decline financial incentives in exchange for sharing their personal information (UNCDF, 2024). When India’s fintech sector, with an adoption rate of 87 per cent versus 64 per cent globally, processes sensitive financial data for 350 million UPI users, any breach of trust could cascade into reluctance that stalls the entire ecosystem.
India’s startup ecosystem, the world’s third-largest startup hub with 100 unicorns and 16.6 lakh direct jobs, depends on this trust dynamic. The DPDPA’s potential to standardise data practices and position India as GDPR-aligned could accelerate international partnerships. It may give Indian startups a level playing field on which to expand into the US and European markets.
Yet implementation delays create mounting uncertainty. Enacted on August 11, 2023, the Act remains unimplemented as of October 2025, with Draft Rules only released in January 2025 after consultation periods during which business groups sought two-year transition periods. This limbo leaves data fiduciaries unable to plan compliance investments.
Comparison with GDPR
Both laws establish consent standards (free, specific, informed, unambiguous), individual rights to access and correction, breach notification requirements, and extraterritorial reach (Latham & Watkins, 2023). However, the GDPR applies to all personal data regardless of format, while the DPDPA covers only digital data; the GDPR provides explicit rights to data portability and to contest automated decision-making that the DPDPA omits.
The GDPR’s penalties can reach 20 million euros or 4 per cent of global turnover, which for large multinationals is potentially far higher than the DPDPA’s Rs 250 crore cap. Most critically, the GDPR requires ‘complete independence’ of supervisory authorities while the DPDPA’s Board lacks such structural guarantees. The DPDPA is stricter on children’s data, setting the age threshold at 18 versus the GDPR’s 13-16 and prohibiting behavioural monitoring entirely.
Path Forward
The DPDPA is neither the disaster that privacy advocates fear nor the panacea that the industry might hope for. It represents a characteristically Indian compromise — ambitious in scope, pragmatic in design, yet vulnerable to implementation failures. The Act’s success depends entirely on factors beyond the text itself — how the government exercises discretionary exemptions, whether the Data Protection Board functions independently in practice, and whether final rules address current ambiguities without reimposing the localisation requirements that Draft Rules 2025 controversially suggested for Significant Data Fiduciaries.
For India to achieve its Viksit Bharat 2047 vision of a USD 30 trillion economy with a significant digital contribution, data protection cannot be an afterthought. It must be the foundation. The DPDPA creates that foundation’s blueprint. Whether it ultimately supports or constrains India’s digital century depends on the wisdom with which it is implemented and the restraint with which power is exercised.
The question is no longer whether India will have a data protection law, but whether that law will serve power and profit, or truly protect people.

(The author is an Assistant Professor of Economics at Christ University, Bengaluru)
