Introduction

In the digital age, data is often called the new oil. As more personal information is collected, processed, and leveraged by businesses, governments, and digital platforms, the need for a robust legal framework to protect individuals’ rights becomes paramount. India’s journey toward a statutory data protection regime has been long, winding, and constitutionally grounded. The turning point was the Supreme Court’s landmark decision in Justice K. S. Puttaswamy v. Union of India (2017), which recognized the right to privacy as a fundamental right. Over the subsequent years, that decision spurred multiple policy proposals, draft bills, debates, and consultations. The culmination (so far) is the Digital Personal Data Protection Act, 2023 (DPDP Act) — India’s first standalone legislative attempt to regulate digital personal data. This article traces that trajectory: how India moved from constitutional doctrine to legislative design, the key intervening proposals, and how the DPDP Act resonates with — and departs from — the principles articulated in Puttaswamy.

1. The Constitutional Moment: Puttaswamy & Informational Privacy

The Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) held that the right to privacy is an intrinsic component of Article 21 of the Constitution. The Court laid down a three-fold test for any restriction on privacy: legality, necessity, and proportionality. This landmark case overturned earlier rulings such as Kharak Singh and M.P. Sharma that denied privacy as a fundamental right. Importantly, it introduced the concept of informational privacy, acknowledging threats not only from the State but also from private entities. The Court urged the government to establish a data protection framework — laying the foundation for legislative reform.

2. From Policy Proposals to Draft Bills

In 2017, the Government of India formed an Expert Committee under Justice B.N. Srikrishna to draft a data protection framework. The Committee released its report and draft Personal Data Protection Bill in 2018, proposing individual rights, fiduciary duties, consent requirements, and a Data Protection Authority. This evolved into the 2019 Personal Data Protection Bill tabled in Parliament. However, it drew criticism for excessive state exemptions and complex compliance burdens. The Bill was withdrawn in 2022, leading to a redrafted Digital Personal Data Protection Bill, 2022, which after consultation became the DPDP Act, 2023.

3. The DPDP Act, 2023: Features, Strengths & Gaps

The DPDP Act governs digital personal data processing in India. It mandates consent-based processing, defines data fiduciaries and significant data fiduciaries, ensures data minimization and purpose limitation, and introduces the Data Protection Board of India. Key features include rights to access, correction, and erasure, penalties up to ₹250 crore, and restrictions on cross-border data transfer. However, concerns remain — particularly wide state exemptions (Section 17), lack of differentiation for sensitive data, and limited independence of the Data Protection Board.

4. How the DPDP Act Relates to Puttaswamy’s Legacy

The DPDP Act translates the constitutional principles of Puttaswamy into a statutory regime. It provides legal basis (legality), restricts processing to legitimate aims, and incorporates proportionality via purpose limitation and consent. Yet, gaps persist: state exemptions may violate proportionality, and independent oversight remains weak. The Act’s success will depend on interpretation consistent with Article 21 and judicial review ensuring constitutional compliance.

5. What’s Next & The Road Ahead

The next phase involves drafting implementing rules, establishing the Data Protection Board, and fostering compliance culture. Judicial scrutiny is expected on state exemptions and institutional independence. Sector-specific norms for AI, fintech, and health tech will evolve. Future amendments may strengthen rights like data portability and improve Board autonomy. Ultimately, data protection in India must evolve from mere compliance to a culture of privacy-by-design.

Conclusion

The evolution from Puttaswamy to the DPDP Act, 2023 reflects India’s effort to reconcile constitutional ideals with technological realities. The Supreme Court recognized privacy as a living right requiring institutional safeguards. The DPDP Act gives this recognition legislative form, embedding consent, minimalism, and accountability. Its success, however, will rest on vigilant enforcement, judicial oversight, and citizen awareness. The journey towards a mature data protection ecosystem in India has just begun.

References

1. Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1.
2. Report of the Justice B.N. Srikrishna Committee of Experts, ‘A Free and Fair Digital Economy’ (2018).
3. Personal Data Protection Bill, 2019 (Withdrawn 2022).
4. Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023).
5. PRS Legislative Research, ‘The Digital Personal Data Protection Bill, 2023’.
6. Carnegie India, ‘Understanding India’s New Data Protection Law’ (2023).
7. Legal500, ‘India’s Privacy Landscape Post-Puttaswamy’ (2023).

Global Investigations Review, ‘India: Examining the Digital Personal Data Protection Act’ (2024).