Tuesday, September 30, 2025

What to Expect from India’s Final DPDP Rules: Bridging Critical Gaps in the Digital Privacy Framework


This article is written by Kaustubh Shakkarwar and Gauri Gupta, Associate, From Data>Nuance Consulting.

As India prepares to finalize the Digital Personal Data Protection (DPDP) Rules by September 28, 2025, we stand at a crucial juncture in the country’s data protection evolution. IT Minister Ashwini Vaishnaw’s recent announcement that the DPDP Rules are ready for notification marks the culmination of a remarkable journey that began with a constitutional recognition of privacy rights and has evolved through multiple legislative iterations, expert deliberations, and public consultations.

The Constitutional Foundation: Puttaswamy’s Lasting Legacy

The journey of India’s data protection framework finds its roots in the landmark case of Justice K.S. Puttaswamy (Retd.) vs. Union of India of 2017, where a nine-judge bench of the Supreme Court transformed the legal landscape by categorically establishing privacy as a fundamental right. This judgment laid the constitutional groundwork for what would eventually become the Digital Personal Data Protection Act (“DPDPA”) by establishing several key principles.

Privacy was recognized as stemming from the fundamental right to life and personal liberty guaranteed under Article 21 of the Constitution, as well as from other fundamental rights under Article 19. Crucially, the Court acknowledged “informational privacy” as a critical component of the privacy right in the digital age, recognizing that privacy threats could emanate from both state and non-state actors. The judgment also established the three-pronged test for any state intrusion based on the principles of legality, need, and proportionality. These principles later became central to debates about government exemptions.

Most importantly, the Puttaswamy judgment provided a constitutional directive for the executive to establish appropriate data protection frameworks, setting the stage for the legislative journey that followed.

From Expert Recommendations to Legislative Reality

The judgment led to the formation of the Committee of Experts chaired by Justice B.N. Srikrishna, which submitted its comprehensive report “A Free and Fair Digital Economy” along with the Draft Personal Data Protection Bill in 2018. This committee’s work established several foundational concepts that continue to influence India’s data protection regime.

The concept of a fiduciary relationship between data principals and data fiduciaries, grounded in trust, became a cornerstone of the framework. The committee emphasized consent as the primary basis for data processing while recognizing legitimate grounds for non-consensual processing. It also proposed comprehensive data principal rights, including access, correction, portability, and a limited “right to be forgotten,” along with the establishment of an autonomous Data Protection Authority for enforcement.

The Personal Data Protection Bill, 2019 underwent extensive scrutiny by the Joint Parliamentary Committee (JPC), which conducted 78 hearings over two years. The JPC’s recommendations represented a significant expansion of scope, suggesting the inclusion of non-personal data regulation, treating social media platforms as publishers, and implementing strict data localization requirements. However, these recommendations also included broad government exemptions that raised constitutional concerns about surveillance.

The DPDPA 2023: A Simplified Yet Incomplete Framework

The Personal Data Protection Bill of 2018, initially referred to the JPC for review, was ultimately withdrawn. This paved the way for the DPDPA of 2023. The 2023 legislation was swiftly passed by both Houses of Parliament within two days and received Presidential assent on August 11, 2023. It has been enacted into law but is yet to be enforced.

The DPDPA marked a decisive shift toward simplicity and principles-based regulation. Unlike the JPC’s expansive vision, the DPDPA returned to its original focus on digital personal data, dropping the controversial non-personal data provisions. The DPDPA strengthened the consent framework, requiring consent to be “free, specific, informed, unambiguous and unqualified,” while introducing the streamlined concept of “legitimate uses” for non-consensual processing.

However, the legislation’s simplicity came at a cost, leaving several critical gaps that the Rules would need to address. The broad exemptions under Section 17(2)(b) remained largely unchanged from the 2019 Bill, failing to incorporate the Puttaswamy judgment’s proportionality and necessity tests. The right to be forgotten was significantly diluted compared to earlier proposals, and the legislation remained silent on automated decision-making and profiling, critical issues in today’s AI-driven digital economy.

The Draft DPDP Rules 2025: Bridging Gaps and Creating New Expectations

The Draft DPDP Rules 2025 represented an attempt to operationalize the DPDPA’s principles and address some of its gaps. The Draft Rules introduced several innovative mechanisms, the most pivotal being the recognition of the Consent management framework.

The introduction of Consent Managers under Rule 4 represents a significant step in regulatory frameworks to simplify how citizens control their personal data across multiple companies. Instead of navigating countless consent forms on different websites and applications, individuals can use consent managers to grant, review and withdraw permissions for data processing. For consumers, this means one centralized dashboard to manage consents with banks, e-commerce sites, healthcare providers, and other services. The Draft Rules outline comprehensive obligations for these entities, including maintaining detailed records of all consent activities, ensuring data sharing occurs without the manager accessing content, and providing machine-readable consent histories to users. While the exact mechanism and classification remain unclear, these obligations suggest Consent Managers will serve as trusted guardians of privacy rights.

Another critical piece of the DPDPA puzzle is the protection afforded to children’s data. Rules 10 and 11 maintain the blanket requirement for parental consent for anyone under 18, while providing exceptions for health and education professionals acting in children’s best interests. This approach remains contentious, with critics arguing it may be overly restrictive for teenagers’ digital engagement. On the other hand, this mandate leaves companies scratching their heads to figure out “how” this can be implemented, and therefore, everyone looks forward to the upcoming DPDP Rules to provide clarity on this aspect.

With the internet being border agnostic, the DPDPA grants the Central Government broad powers to restrict cross-border data transfers, yet both the Act and the Draft Rules remain sparse on implementation details. In order to fully understand how the DPDP will work, the final Rules must specify excluded countries and provide reasonable guidance for cross-border data flows while balancing India’s position in the global digital economy.

Yet another aspect calls for critical understanding: the current framework does specify the cap on penalties to be issued by the Adjudicating Body, but does not specify the procedures for imposing and collecting such penalties. The Rules must specify the procedures relating to the issuance and collection of penalties and the process for hearing appeals. This leads to another critical question – who will be on the adjudicating body? Will the Data Protection Board be led by former judges or young technocrats?

Expectations and Reality

The finalization of the DPDP Rules represents more than a regulatory milestone; it embodies India’s commitment to creating what the Srikrishna Committee envisioned as a “free and fair digital economy.” The success of this framework will ultimately depend on whether the final Rules can balance several competing priorities, a task that unfortunately poses more questions than answers as of today.

These priorities are: protecting individual privacy rights while enabling digital innovation; ensuring effective enforcement without creating excessive compliance burdens; maintaining national security interests while preventing unchecked surveillance; and positioning India as a responsible global digital economy participant while protecting domestic interests.

The journey from the Puttaswamy judgment’s constitutional promise to the DPDPA’s legislative reality has been marked by compromises, revisions, and evolving understanding of digital governance complexities. As the final Rules emerge, they carry the weight of expectations built over nearly eight years of deliberation and debate.

The true test of India’s data protection regime will not lie in the text of the law or its subordinate legislation alone, but in their practical implementation. The independence of the Data Protection Board, the effectiveness of Consent Managers, the clarity of cross-border data transfer guidelines, and the balance between privacy rights and state security will determine whether this framework truly delivers on its promise to empower citizens and build a fair digital economy.

As September 28 approaches, stakeholders across the digital ecosystem, from individual users to multinational corporations to civil society organizations, await clarity on these critical issues. The final DPDP Rules represent not just the culmination of a legislative journey, but the beginning of India’s practical experience with comprehensive data protection regulation. The enforcement of the DPDPA is expected to commence with the enactment and implementation of the final DPDP Rules.

The success of this framework will ultimately be measured not by its comprehensiveness on paper, but by its ability to protect individual rights while fostering innovation, ensuring accountability while enabling growth, and establishing India as a trusted partner in the global digital economy while safeguarding national interests. The journey that began with constitutional recognition of privacy rights is far from over; it is entering its most critical phase of practical implementation and real-world testing.
