India today is home to over 800 million active internet users, one of the world’s largest digital identity systems (Aadhaar) and a rapidly scaling fintech and e-commerce economy. Yet, until August 2023, this digital expansion was happening on top of legal infrastructure built in 2000, a time when smartphones did not exist and cyber attacks were rare. The consequences were systemic and not merely episodic.
- 2018, Aadhaar data leak: Personal details of millions, including Aadhaar numbers, were reportedly available for as little as ₹500.
- 2021, Domino’s India breach: 180 million order records leaked, exposing home addresses and GPS coordinates.
- 2022, AIIMS Delhi ransomware attack: 40 million patient records compromised; the hospital switched to paper for weeks.
These were not isolated “technical glitches”. They revealed 4 structural gaps in India’s governance framework:
- No uniform rules on what data can be collected, for what purpose or for how long.
- No clear accountability for securing personal data.
- No enforceable rights for individuals.
- No dedicated regulator to investigate breaches.
- Low citizen awareness: fewer than 20 per cent of Indians report understanding how their data is used.
- Rapid digitisation without parallel security investment: India’s cyber security workforce gap is over 40 per cent, according to NASSCOM.
As Justice B.N. Srikrishna had warned in 2018, India had created “a goldmine of data without guardrails”. The Digital Personal Data Protection Act (DPDP), 2023, is meant to fill this vacuum.
What the DPDP act attempts to fix
Passed in August 2023, DPDP aims to align India with global frameworks like the EU’s GDPR while balancing privacy with innovation. As IT Minister Ashwini Vaishnaw put it, the law seeks to “protect rights without slowing down digital growth”. But comparing it with GDPR reveals its unique design choices, particularly broader government exemptions and simplicity-first architecture intended to ease compliance for India’s diverse business ecosystem.
Core Features
- Data Protection Board: Establishes the Data Protection Board (DPB) for breach adjudication.
- Consent-Centric Processing: No more vague, open-ended permissions. Consent must be specific and informed.
- User Rights: Access, correction, erasure, and the right to withdraw consent.
- Fiduciary Obligations: Encryption, access controls, audits, and “reasonable security safeguards”.
- Mandatory Breach Reporting: To both the affected user and the Data Protection Board (DPB).
- Cross-Border Transfers: Permitted except to blacklisted jurisdictions.
- Penalties: Up to ₹250 crore for failure to prevent breaches or notify users.
Why a two-year gap before enforcement?
The delayed enforcement was not accidental; it reflects the government’s attempt to avoid the failures of previous draft laws that collapsed under compliance complexity.
Three factors explain the long runway:
- Administrative Complexity: The Act required drafting 30+ rules: consent architecture, breach reporting timelines, DPB procedures, cross-border transfer criteria, exemptions and fiduciary classifications.
- Building the DPB from scratch: Appointing adjudicating officers, setting up digital infrastructure and defining processes for hearings and appeals.
- Preparing industry: Micro and small enterprises needed time to adjust to consent flows, data minimisation and breach reporting norms.
- Harmonising with CERT-In: After the 2022 CERT-In directive mandating 6-hour breach reporting, the government needed to avoid contradictory timelines.
This transition period mirrors global experience: GDPR itself had a two-year preparatory window.
Evidence & data: Why DPDP became urgent
The AIIMS cyberattack was a turning point. As one senior doctor said, “It felt like the entire hospital was held hostage.”
The broader picture is more alarming:
- CERT-In recorded 1.39 million cyber security incidents in 2022.
- India is the 2nd most targeted country in Asia (IBM Security).
- The average cost of a breach in India reached ₹17.7 crore in 2023.
- 52 per cent of Indian companies were hit by ransomware in the past year (Sophos).
- India’s cyber insurance market grew 60 per cent YoY, a sign of rising perceived risk.
As Nandan Nilekani observed, “When digital economies scale without data protection, vulnerabilities scale faster”. DPDP uses institutional accountability not just technical mandates to reduce systemic risk.
Will DPDP reduce cyber attacks? A realistic view
Where it strengthens India’s posture
- Security gets teeth
“Reasonable safeguards” may sound vague, but for the first time, there is a financial cost for negligence. Earlier, many breaches went unreported because the IT Act penalties were minuscule.
- Breach visibility improves
Timely reporting ensures faster containment. As CERT-In’s former chief Gulshan Rai noted, “Half the battle is knowing a breach has occurred”.
- Impact assessments for high-risk sectors
Fintech, telecom, health and large social platforms, all prime targets, must now conduct Data Protection Impact Assessments (DPIAs).
- Centralised enforcement
A unified DPB means companies aren’t navigating fragmented regulators.
But major gaps persist:
- Security standards lack specificity
Terms like “reasonable” leave room for interpretation. Unlike GDPR or NIST-based laws, DPDP avoids prescriptive frameworks.
- DPB independence remains unclear
Appointments and removals rest with the executive, raising concerns about bias, especially if government agencies are involved in a breach.
- Broad government exemptions
Consent can be bypassed for national security, public order or “any other purpose notified.” This raises another critical question: What happens if the government refuses to comply with a DPB order?
Legally, DPB orders apply to “data fiduciaries,” including state bodies, but enforcement ultimately depends on political will. There is no explicit mechanism for penalising non-compliant government departments, a gap that civil society has flagged repeatedly.
- The Aadhaar puzzle: Does DPDP apply?
Legally, yes, Aadhaar data is personal data. But in practice, the Aadhaar Act (2016) overrides DPDP for core functions, and government exemptions further complicate enforcement. This creates a regulatory blind spot around one of India’s most frequently breached datasets.
The Data Protection Board (DPB)
The DPB serves as a centralised adjudicator designed to address a longstanding lacuna where breach enforcement was fragmented across CERT-In, sectoral regulators and police cyber cells with limited expertise.
But is the DPB equipped to handle complaints? This question has gained urgency as India officially notified the DPDP Rules in November 2025, more than two years after the Act was passed.
As of 2025:
- The DPB is expected to begin with 80-120 officers, including tech specialists.
- The government has allocated a ₹110 crore setup budget (PIB, 2025).
- MeitY projects that over 50,000 complaints annually may reach the Board.
However, capacity challenges remain:
- India has no historical precedent for privacy adjudication.
- Digital literacy among complainants varies widely.
- The Board must coordinate with CERT-In and sectoral regulators.
Realistically, the DPB will take 2-3 years to reach full operational maturity.
What happens if the government refuses to comply with a DPB Order?
This is one of the most contested grey zones. DPDP allows broad exemptions for government departments. If a dispute arises, the DPB can issue directions and penalties. However, enforcement against government agencies may face:
- delays,
- appeals to High Courts,
- national security exemptions.
In effect, the government sits both as a regulated entity and as regulator. This creates a potential accountability vacuum.
Learning from other regulators
India has seen similar challenges before:
- SEBI and TRAI both struggled with early enforcement because of limited staff and technical expertise.
- CERT-In’s 2022 directive triggered widespread compliance confusion because of unrealistic timelines.
These precedents show that capacity, not drafting, determines regulatory success.
How DPDP can become more effective
- Define clear cyber security baselines (NIST Zero Trust, ISO/IEC 27001, ENISA benchmarks).
- Enhance DPB autonomy through multi-stakeholder appointments, clear tenure protections and judicial oversight of exemptions.
- Create a single breach reporting portal routing submissions to the DPB, CERT-In, RBI and IRDAI, similar to the EU’s “One-Stop Shop” model.
- Narrow government exemptions with judicial or parliamentary review.
- Run a national digital rights awareness programme, because rights unused are rights lost.
The law is passed. Now comes the hard part
DPDP is not flawless, but it closes a 20-year gap in India’s legal architecture. As Justice D.Y. Chandrachud said, “Privacy is the right to control one’s information”. In that sense, DPDP is India’s first systemic attempt to shift power away from institutions and back to citizens.
Successful implementation will depend on four pillars:
- A technically capable, independent and empowered DPB.
- Clear and consistent security standards.
- Limited and accountable state exemptions.
- Citizens who understand and exercise their rights.
- Industry-wide compliance maturity.
- Inter-regulatory coordination (CERT-In, RBI, IRDAI, UIDAI).
If these fall into place, DPDP can become a foundational pillar of India’s digital state, strengthening trust, reducing systemic risk and ensuring that the next billion Indians come online with rights and adequate safety nets, not vulnerabilities.