As India moves ahead in the Fourth Industrial Revolution with Digital advancements, it will not barter away the privacy of its citizens or the sovereignty of its data. On August 11, 2023, India achieved a milestone which had been pending for many decades after IT revolution. The Digital Personal Data Protection (DPDP) Act, 2023, a comprehensive law regulating the processing of digital personal data finally received the President’s assent. This was not a mere policy formality. It was a strong step taken during, a rapidly digitising economy, privacy and accountability, where national interest must go hand in hand.
This law roots trace back to the Supreme Court’s landmark of 2017 when Justice KS Puttaswamy (Retd.) vs Union of India judgment elevated privacy to the status of a fundamental right. From that moment, present parliamentary committees, expert panels and public consultations were continuously observed and steps taken to shape the framework that aimed to protect citizens without stifling innovation.
Groundwork for Digital Protection
The DPDP Act is built on two pillars:
- Rights of individuals: to control, correct or delete their personal data.
- Duties of data handlers: to collect and process data lawfully, by safeguarding against misuse.
Every lawmaker knows, passing an Act is only the first step. Its provisions must be operationalised through rules, enforcement bodies and citizen awareness. That operational phase began on January 3, 2025, when the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025. The government invited feedback until February 18. The response was overwhelming and total of 6,915 submissions from across the country were received, Jitin Prasada submitted this figure in Rajya Sabha on 25 July 2025.
Among the proposed rules, one important rule for future of India is the mandatory parental consent for social media access by anyone under 18. Under this clause platforms must verify parental identity through government-approved documents before a minor can open his or her account. Supporters see it as a shield against online harms, cyberbullying, exploitation and adultery content. Critics question its feasibility by warning of fake accounts and privacy complications that can be breached.
Comparison with other countries consent law
India’s draft of Digital Personal Data Protection Rules 2025, are the strictest in setting age threshold, in the world for online parental consent, requiring verification for all users under 18. This is significantly higher than the US standard under COPPA, which applies to children under 13, and the EU/UK frameworks under GDPR, which set the “digital age of consent” between 13 and 16 or rely on design-based safeguards. The verification requirement is a major point of divergence. India’s draft demands “verifiable” parental consent by implying government-grade ID checks, while the GDPR/UK models require only “reasonable efforts” and COPPA permits a limited form of methods. Implementing such verification at scale presents a significant operational and user experience challenge for platforms.
COPPA targets services specifically directed at children, while GDPR/UK rules extend to any service likely to be accessed by minors and impose broad design and responsibility standards. India’s draft applies across all platforms processing minors’ data and adds explicit prohibitions on profiling and behavioural targeting. This means building robust age-verification and parental-consent flows, an expensive and complex compliance undertaking. For policymakers the challenge are to balance the child safety with access, ensuring protection without overburdening legitimate use for education or civic engagement. Ultimately, enforcement bodies such as FTC in the US, DPAs in the EU, ICO in the UK and the forthcoming Data Protection Board in India, will determine the law’s real-world impact through guidance, oversight and penalties. Yet culturally, the move resonates in a nation where protecting childhood is woven into social norms, this provision reflects a shared belief that online world cannot be a lawless playground for our children.
Multi-Layered Cybersecurity Framework
The DPDP Act is part of a larger cybersecurity ecosystem that India has been reinforcing over the last decade. Union Minister of State for Electronics and Information Technology Shri Jitin Prasada told the Rajya Sabha in July 2025 that the approach is both human-centric and infrastructure-driven. Capacity building measures include Cyber Shakti Programme (Oct 2024) for developing women’s skills in cybersecurity. Under ISEA Programme 3,637 workshops have reached over 8.2 lakh+ participants. National campaigns like cyber security awareness month and Safer Internet Day are organized to educate citizens. Multilingual materials including handbooks, posters and videos are available on the portals like staysafeonline.in and csk.gov.in.
Institutional Safeguards proposed in the framework:
- National Critical Information Infrastructure Protection Centre (NCIIPC): Protects necessary systems and infrastructure. (IT Act, Sec 70A).
- Indian Computer Emergency Response Team (CERT-In): National incident response agency.
National Cyber Coordination Centre (NCCC): Threat detection and inter-agency coordination. - Cyber Swachhta Kendra: Citizen-focused bot-net cleaning and malware removal services.
Industry stakeholders are engaged in a dialogue with the government. Digital payment platforms such as Google Pay, PhonePe, Amazon Pay and the National Payments Corporation of India (NPCI) have sought exemptions from certain consent provisions, especially the requirement to secure consent for every transaction user. They argue that while privacy is necessary, excessive consent requirements could slow down India’s globally admired digital payments ecosystem. The challenge is to strike a balance between safeguarding rights and sustaining innovation.
Another achievement of the DPDP framework is data localisation where certain categories of sensitive personal data are kept within India’s jurisdiction. This aligns with the principle that data generated in India should be governed by India’s laws. For a country that has built pioneering digital public infrastructure from Aadhaar to UPI to ONDC, they have local control over data is not just a regulatory preference, but it is a strategic requirement.
Public Consultation as a Democratic Participation
Total of 6,915 feedback submissions were received on the draft rules, which reflects a healthy democratic practice. In country like India broad-based consultation is not procedural formality but it is essential to a frame a law that are both effective and implementable. The public engagement also ensures that citizens feel ownership over the framework thus strengthening its legitimacy and acceptance. Once this DPDP Act is implemented, it promises transformation in three key areas:
- Citizen Empowerment: Individuals gain rights over their digital data
- Trust in the Digital Economy: Clear and consistent rules for businesse to protect user data.
- National Security: Integration of personal data protection into larger aspects of cybersecurity framework.
Enforcement of this law is now the immediate priority. This will require notification of final rules which gives the law full legal force. Operationalising the Data Protection Board of India which will act as the enforcement authority. Sector-Specific Compliance Plans for Tailoring the requirements of fintech, health tech, education tech, etc. India ability to deliver on these fronts will determine whether the DPDP Act becomes a global benchmark or a missed opportunity.
The DPDP Act is not just legislation, it is a statement of national intent. It tells the world that India will be a leader in the digital age not only in scale and innovation, but also in responsibility and governance. The online world must not be a lawless playground for our children. The sovereignty of our data is the sovereignty of our nation. When the final law is notified and the enforcement machinery clicks into gear, India will not just have a data protection law, it will have a digital control crafted in India for India and by India.
Comments