
Why the DPDP Act, in India, and why now? The long answer.

By Autops Desk·12 Sept 2025·11 min read

India waited two decades for a serious data protection law. The DPDP Act 2023 is what finally arrived, and the timing is not a coincidence. Here's the long view — what made the law finally happen, what failed before it, and why the political and economic conditions are now aligned in a way they never were before.

People keep asking me a version of the same question. Why is India suddenly serious about data protection? The honest answer is that India has been not-quite-serious about it for nearly two decades, and the DPDP Act 2023 is the moment when several long-running pressures finally lined up at the same time. To understand the law, you have to understand what made it inevitable — and why none of the earlier attempts got over the line.

I want to spend this post on the long view. Not the section-by-section walkthrough — there's plenty of that already on the rest of the site. The story instead. Where Indian privacy law came from, what stopped it from arriving sooner, and why “why now?” has a precise answer.

The IT Act years

Indian privacy law in the 2000s was effectively a vacuum. The Information Technology Act, 2000 had a few thin provisions. Section 43A introduced civil liability for negligent handling of “sensitive personal data or information”, defined later in the SPDI Rules of 2011. Section 72A created a criminal penalty for disclosure of personal information in breach of contract. That was the structure: a narrow definition of “sensitive” data, a soft civil liability regime for mishandling it, and a thin slice of criminal exposure for outright betrayal of trust.

The SPDI Rules covered passwords, financial information, health information, sexual orientation, biometric data, medical records, and a handful of other fields. Almost everything else — your name, your address, your phone number, your purchase history, your browsing data, your location — sat outside the protected category. If your favourite e-commerce site lost your phone number to a hacker, the law had effectively nothing to say about it.

This worked, in a thin sort of way, because the Indian internet economy in 2011 was small. Aadhaar enrolment was just beginning. The smartphone wave was a year away. The data centre buildout that defined the next decade hadn't started. The mismatch between what the law protected and what was actually being processed was a future problem.

The future arrived faster than anyone expected.

The decade of explosive data processing

Between 2014 and 2020, India became one of the largest data-producing populations in the world. Aadhaar enrolment crossed a billion. Smartphones became cheaper than feature phones. UPI happened. The Jio launch in late 2016 made mobile data one of the cheapest commodities in the world, and the average Indian's daily data consumption multiplied by an order of magnitude in under three years. Every Indian now had a digital shadow that grew by megabytes per day, and most of them had no idea who was reading it.

Through the same window, the IT Act framework looked increasingly absurd. The narrow SPDI definition of “sensitive” data had nothing to say about location traces, app usage patterns, behavioural profiles, or any of the new categories that the post-Jio internet economy ran on. Civil liability under Section 43A was not, in practice, being enforced. Section 72A had produced almost no criminal cases. The regulator did not exist.

The mismatch was visible to everyone who worked with data in India. The big consumer platforms knew it. The fintech companies knew it. The government knew it — in fact, the government often complained about it, because the personal data of Indian Data Principals was being processed under foreign privacy laws (mostly GDPR) by global platforms, while Indian law gave those same Principals less protection. The legal asymmetry was an embarrassment.

The Puttaswamy moment

The thing that broke the impasse was a Supreme Court judgment, not a parliamentary bill.

In August 2017, a nine-judge bench of the Supreme Court of India delivered the Justice K.S. Puttaswamy v. Union of India judgment — unanimously holding that the right to privacy is a fundamental right under the Constitution of India, intrinsic to the right to life and personal liberty under Article 21. It overruled two earlier decisions that had held the opposite. The Court did not just affirm a generic right; it specifically called out informational privacy as a core component, and it observed that India needed a comprehensive data protection statute to give effect to that right.

I cannot overstate how much that judgment changed the political weather around privacy in India. Until Puttaswamy, “data protection” was a topic that legal academics and the occasional civil society group cared about. After Puttaswamy, it was a constitutional obligation. The government could no longer credibly argue that India did not need a privacy law — the Court had said it did.

The same week the judgment came down, the Ministry of Electronics and Information Technology constituted an expert committee under Justice B.N. Srikrishna to draft a data protection bill. The first draft landed in July 2018. The second, more refined version came in 2019. A third version (called the Personal Data Protection Bill 2019) was introduced in Parliament. Then it stalled. A Joint Parliamentary Committee took over. Two years later, in late 2021, the JPC published a substantially altered version with a different name (the Data Protection Bill 2021) and a much wider scope. Then that stalled too.

By mid-2022, the bill was withdrawn entirely. The government said it would draft a fresh, simpler version. People who had spent four years tracking the previous drafts groaned audibly.

Why the earlier drafts failed

It's worth dwelling for a moment on why the 2018, 2019, and 2021 versions all failed to become law, because the answer is the key to why the 2023 version finally did.

The earlier drafts were ambitious. They tried to do everything at once: comprehensive consent obligations, sensitive personal data carve-outs, hard data localisation rules (forcing certain categories of personal data to be stored only on servers in India), a strong independent regulator, civil and criminal penalties, exemptions for state surveillance, exemptions for journalism, a Data Protection Authority of India with broad investigative powers, and a complicated set of cross-border transfer rules. Each individual provision was defensible. The combination was politically unaffordable.

The opposition came from several directions at once:

  • The big tech industry lobbied hard against hard data localisation, which would have required them to maintain expensive in-country infrastructure and would have complicated their global compliance posture.
  • The Indian IT services industry worried that strong cross-border restrictions would make their offshore work for global clients harder.
  • Civil society worried that the government's surveillance exemptions were too broad.
  • The government itself wanted broad carve-outs for state agencies that the civil society groups hated.
  • The fintech and consumer internet industry wanted the consent regime to be looser than what the early drafts proposed.

The result was a bill that nobody fully supported. Each interest group was willing to live with most of it but had at least one clause they would die for. The political coalition required to pass an ambitious version of the bill never came together.

So the government did the rational thing in 2022. It scrapped the ambitious draft and started over with a much narrower one. The DPDP Act 2023, when it landed, was about a quarter of the length of the 2021 version. Hard data localisation was gone — replaced with a softer “the government can restrict transfers to specific countries by notification” provision (Section 16). Sensitive personal data was gone as a separate category — all personal data is treated the same way. Criminal penalties were gone — only civil penalties under Section 33. The independent regulator was simplified into a more compact Data Protection Board (Section 18).

What the Act gave up in ambition, it gained in passability. And in August 2023, it passed both houses of Parliament and received presidential assent within a few weeks. The DPDP Rules followed in 2025. By 2026, the Act is in force.

Why now?

Let me try to answer the original question as cleanly as I can. India got a data protection law in 2023 — and not 2018, 2019, or 2021 — because four conditions had to be true at the same time:

1. The constitutional pressure had to be unavoidable. That happened in 2017 with Puttaswamy. After Puttaswamy, doing nothing was no longer politically viable. Each year of inaction was a public reminder that the government had not honoured a constitutional obligation.

2. The economic cost of inaction had to become visible. That happened gradually through the late 2010s as Indian Data Principals were repeatedly notified about breaches at global platforms — breaches that were being investigated under GDPR or CCPA, while Indian law looked away. The optics were bad. Indian businesses started losing deals to vendors who could credibly claim a privacy posture, while their Indian competitors had nothing to show. The cost of not having a law was now showing up in business outcomes.

3. The regulatory ambition had to be calibrated to what could actually pass. That's the lesson the government learned between 2018 and 2022. The 2023 Act is short and unambitious on purpose — every provision that would have triggered organised opposition was either dropped or softened. The law is what passes. Anything else is a draft.

4. The next ten years of Indian data growth had to be in scope. This is the part most people miss. The DPDP Act is not really designed for the India of 2023. It's designed for the India of 2030 — when AI is woven into every consumer service, when biometric authentication is the default, when the average Data Principal generates an order of magnitude more data than they did at the time the law was drafted. The architecture of the Act (broad personal data definition, no special category for “sensitive” data, soft cross-border regime that the Government can tighten by notification) makes much more sense if you assume the law has to scale up gradually over the next decade. The government did not draft a 2023 law; it drafted a 2030 law and notified it in 2023 so the country would have time to adapt.

The fourth point is the one I want every reader to internalise. The DPDP Act is not primarily about catching the violators of 2023. It is about establishing the legal infrastructure that India will need by 2030. The early enforcement actions in 2026 and 2027 are partly about precedent-setting and partly about building the operational muscle of the Data Protection Board. The big enforcement wave — the one that will reshape the Indian data economy — is a few years away.

This is also why I keep telling Indian organisations to start their compliance work now. Not because the 2026 enforcement is going to be brutal (it won't be), but because the 2028 enforcement wave will be, and the gap between organisations that quietly built their programme during the “light-touch” phase and those that waited will be enormous when the heavy phase arrives.

What this means in practice

If you've been paying attention to the Act and thinking “why does this matter to me right now,” here's the practitioner answer:

  • The law has finally been codified after twenty years of false starts. There will not be a fresh draft. There will not be another Joint Parliamentary Committee. The version we have is the version we live with for at least the next decade.
  • The Data Protection Board is being constituted right now, in real time, behind the scenes. By the time you read about its first major enforcement action, the Board will have been operational for months and your compliance posture on the day of investigation will be whatever existed before the news broke.
  • The Act is calibrated to scale up. The first few enforcement actions will be calibrated to send a message rather than to maximise revenue. The later ones will be calibrated to maximise the Board's effectiveness, and the Board's effectiveness depends on Fiduciaries voluntarily complying. That is the leverage point.
  • The window for “quietly building a programme before anyone is watching” closes in 2026 or early 2027. After that point, building a programme is no longer a strategic choice — it is a panic response.

I think the people who designed the DPDP Act understood all of this. The law's quietness is not an accident. It is an invitation to comply on your own terms before the Board begins compelling you to comply on theirs.

That invitation is open right now. It will not be open forever.

If you want to know where you stand against the Act today, our free DPDP assessment will tell you in five minutes — 40 questions, every one mapped to a specific section, no signup required.
