DPDP Act: Can India enforce its data protection law?

India’s new data protection law is ambitious, but enforcement gaps threaten its credibility.

Rising social media use and rapid internet penetration have made data protection a central concern in India’s digital policy regime. For a country of 1.4 billion people, safeguarding personal information is not just a regulatory aspiration but a vital component of public trust. Repeated breaches in recent years have exposed the Aadhaar numbers, financial histories and health records of millions, underlining the urgency for a credible protection regime.

The government’s notification of rules under the Digital Personal Data Protection (DPDP) Act, 2023 is therefore an important milestone. After years of deliberation, India finally has an overarching framework to govern personal data in a digital economy that is among the fastest-growing in the world. The Act draws on global principles of consent, purpose limitation and accountability. Yet the challenge lies not in drafting the law, but in building the institutional capacity required to enforce it.


DPDP Act implementation gaps

The effectiveness of any privacy regime rests almost entirely on its enforcement capacity. In India’s case, the responsibility falls on the newly created Data Protection Board (DPB). This body will be expected to respond to breaches, adjudicate disputes, and ensure compliance across one of the largest and most diverse digital ecosystems in the world. The scale of that task contrasts sharply with India’s experience in building regulatory institutions.

Many of the country’s watchdogs—whether in telecom, environment or financial markets—have struggled with small teams, limited technical expertise and tight budgets. A privacy regulator will need extensive cybersecurity capability, digital forensics strength, legal sophistication and multilingual grievance systems. The question is whether such capacity can be built rapidly enough to match the law’s expedited compliance timelines.

The risk is that an ambitious statute may end up under-enforced, turning the DPDP Act into a symbolic gesture rather than a robust shield for citizens.

Government exemptions and the problem of deemed consent

One area of contention concerns the broad exemptions provided to government agencies. Ministries and state departments are allowed wide latitude to process personal data for reasons of national security, public order and service delivery. Critics argue that such provisions tilt the balance sharply in favour of state power, weakening the privacy protections affirmed by the Supreme Court.

The Act also introduces the concept of “deemed consent”, under which data can be processed without explicit approval in specified situations. Without strict oversight, such discretion may expand in practice, diluting the very rights the law seeks to guarantee. Ensuring transparency in these exemptions will be central to building public confidence.

Cross-border data flows and the missing framework

The law’s approach to cross-border data flows also remains ambiguous. Earlier drafts of the data protection bill proposed strict localisation requirements. The final version shifts to a “trusted geographies” model, where India will permit data transfer to countries placed on an approved list. The criteria for determining which jurisdictions qualify as trusted remain unclear, leaving businesses to navigate uncertainty.

Given the geopolitical complexity of digital trade, this ambiguity may affect investment decisions and complicate compliance for firms that operate across borders. A coherent, rules-based approach to international data flows is essential if India wants to remain competitive in global value chains.

Handling large-scale breaches

India’s success in implementing the DPDP Act will depend on whether breach response systems can operate with the speed and sophistication seen in the European Union’s GDPR regime. The country has significant ground to cover. CERT-In, the central cybersecurity agency, has limited manpower relative to the scale of incidents it is expected to handle.

State-level cyber forensic laboratories face significant backlogs, and coordination between enforcement agencies is uneven. Unless India strengthens its cybersecurity backbone, even a well-designed privacy law will struggle to withstand the growing volume and complexity of digital attacks.

Children’s data and the EdTech ecosystem

The treatment of children’s data presents another notable challenge. The Act requires companies to obtain verifiable parental consent before processing data belonging to minors. However, the law provides little clarity on what constitutes “verification” or how EdTech platforms—many of which collect sensitive behavioural and performance data—should comply.

India is home to one of the world’s largest EdTech user bases, and weak enforcement could leave children exposed to profiling, targeted advertising and manipulation. The sector’s rapid growth makes it particularly important for the DPB to develop detailed, sector-specific guidance.

SMEs and the hidden compliance crisis

Although multinational technology firms are well positioned to absorb compliance costs, the bulk of India’s digital economy is driven by Small and Medium Enterprises (SMEs). These businesses, which range from retail aggregators to logistics start-ups, function as Data Fiduciaries under the Act and are subject to the same requirements for consent management, breach reporting and security safeguards. Many SMEs operate with minimal technical staff and have little exposure to data governance concepts.

Compliance will require time, skill and money—resources they do not always have. India’s entrepreneurial culture, built on quick, improvised solutions or “jugaad”, clashes with the structured record-keeping and audit trails required under modern privacy standards. Unless SMEs receive substantial support, they risk being pushed into non-compliance, undermining the credibility of the law.

Sectoral vulnerabilities in banking, health and telecom

Certain sectors face disproportionately high compliance pressures. Banks and fintech firms already operate under strict Reserve Bank of India norms, yet the widespread sharing of user data with third-party applications creates new vulnerabilities. Health data, among the most sensitive categories of personal information, is being digitised rapidly under the Ayushman Bharat Digital Mission, but India still lacks a dedicated health data protection framework.

Telecom companies hold vast stores of location and identity data and work closely with law-enforcement agencies. Without sector-specific rules, these industries will struggle to interpret their obligations consistently.

State-level weaknesses: A federal capacity gap

A significant share of personal data is held not by private companies but by state governments. Digital welfare systems—ranging from property registries to police portals and public distribution networks—store enormous volumes of information. Many state IT departments are understaffed, conduct irregular security audits and rely heavily on low-cost external vendors.

Breaches in state databases are frequent and often poorly disclosed. Unless state governments build their own institutional capacity, the protection offered by the DPDP Act will remain uneven across the country.

Behavioural challenges and public awareness

A final barrier to effective implementation lies in public behaviour. Many users continue to share sensitive information such as Aadhaar copies and OTPs through unsecured channels. Phishing attacks, deepfake impersonations and fraudulent apps have become common. Without a broad campaign to build digital hygiene, India’s privacy regime will remain vulnerable.

A national public-awareness initiative—similar in scale to the campaigns that promoted UPI adoption—will be essential to reduce risk and strengthen compliance.

The DPDP Act is a commendable legislative achievement and an important step in affirming privacy as a fundamental right. But legislation is only the foundation. India now needs to build the institutional muscle and behavioural safeguards required to make the law meaningful. That will involve strengthening the Data Protection Board’s technical abilities, investing in cybersecurity infrastructure, supporting SMEs through phased and simplified compliance paths, and raising public awareness about digital risks.

Only a combination of capable institutions and informed citizens can translate policy intent into real, enforceable data protection. India has written the law; the harder task now is to build the system that will give it life.