Think about the last time you signed up for a new app. You tapped “I Agree” without reading a word, and moved on. That data — your name, phone number, location, maybe your spending habits — went somewhere. Until 2023, there was no law in India that clearly said where it could go, who could use it, or for how long. Data flowed freely, and individuals had no formal recourse. The Digital Personal Data Protection Act 2023 exists because that gap had become too large to ignore.
The foundation was laid in 2017, when the Supreme Court’s Puttaswamy judgment declared privacy a fundamental right. But a fundamental right without a corresponding law is like a constitutional promise without a delivery mechanism. For six years after that judgment, India’s digital economy grew at a remarkable pace — UPI transactions, health records, e-commerce behaviour, telecom data — all of it accumulating with no unified framework to govern its use. The DPDPA 2023 is that framework finally arriving.
What makes this law significant is not just that it exists, but what it signals. India is formally saying that personal data belongs to the individual it describes, that its use must be governed, and that the entities handling it carry real responsibility. For a country where digital adoption has outpaced digital literacy, this law is less about restriction and more about establishing the basic rules of a game that has been played without a rulebook for far too long.
