The Digital Personal Data Protection Act, 2023: A 2026 Progress Report
Introduction
The recognition of privacy as a fundamental right in India marked a pivotal moment in
constitutional law and governance. The Supreme Court’s unanimous verdict in Justice K.S.
Puttaswamy v. Union of India [1] reshaped the relationship between individuals, the State,
and private entities in the digital era. Informational privacy was recognized not as a modern
luxury, but as a vital condition for dignity, autonomy, and participation in democracy.
The Digital Personal Data Protection Act, 2023 (DPDP Act) aimed to put this constitutional
vision into action. By 2026, however, the Act’s practical application shows mixed results.
While it provides India with its first comprehensive personal data protection framework, its
implementation has revealed structural weaknesses, uncertainties in interpretation, and
limitations in institutions.
This progress report looks critically at the DPDP Act as it exists in 2026, examining whether
the law has effectively balanced privacy, governance, innovation, and national interest in
practice, rather than just theory.
Constitutional Foundations of Data Protection in India
The DPDP Act derives its legitimacy from constitutional law. In Justice K.S. Puttaswamy v.
Union of India, the Supreme Court determined that privacy is part of Article 21 and other
fundamental freedoms. The Court emphasized that informational privacy is a distinct aspect,
warning against the excessive collection of data without limits or safeguards.
Before Puttaswamy, Indian courts had recognized concerns related to privacy in the context
of State surveillance. In People’s Union for Civil Liberties v. Union of India, the Supreme
Court placed procedural safeguards on telephone tapping, recognizing that unchecked
surveillance undermines civil liberties.
These decisions established two key principles:
(1) Data collection must adhere to proportionality, and
(2) Procedural safeguards are as crucial as substantive rights.
Thus, the DPDP Act should be evaluated against these constitutional standards.
Legislative Design and Key Features of the DPDP Act
The DPDP Act takes a straightforward legislative approach. Unlike previous bills or the
European Union’s GDPR, the Act avoids complex definitions and compliance layers. It
emphasizes consent-based processing, limitation of purpose, storage restrictions, and systems
for addressing complaints. The Act defines clear roles such as Data Principals, Data
Fiduciaries, and Significant Data Fiduciaries. It also allows the Central Government to set
obligations through delegated rules. This design aims to enhance business ease and clarity in
regulation.
However, this simplicity comes with risks. Lack of detailed statutory guidance increases
reliance on executive rules, raising worries about inconsistent interpretations and excessive
power.
Rule-Making and Delegated Authority
By 2026, much of how the DPDP Act functions relies on rules set by the Central
Government. While rules regarding consent mechanisms, breach notifications, and grievance
redress have been created, stakeholders still report confusion about compliance expectations.
The Supreme Court has repeatedly cautioned against giving too much power to the executive
in essential legislative roles. In Madras Bar Association v. Union of India, the Court stressed
that design and independence in decision-making cannot be left solely to executive power.
Similar concerns arise when important data protection safeguards are mainly put into effect
through rules instead of laws.
The Data Protection Board of India: Enforcement in Practice
The creation of the Data Protection Board of India is a significant step for enforcement. The Board has the authority to investigate non-compliance, impose fines, and issue corrective directions.
Despite these powers, questions about the Board’s independence remain. The appointment, job security, and removal processes are mostly under executive control. Given the Board’s role in quasi-judicial functions, these issues carry constitutional weight. Past judicial decisions indicate that bodies making decisions must earn public trust through their independence, especially when dealing with rights-related matters.
Consent is central to the DPDP framework. The Act requires that consent must be free, informed, specific, and clear. However, consent has become increasingly formal and superficial in practice.
Digital platforms often present users with long consent notices, which are frequently overlooked or misunderstood. This “consent fatigue” weakens the autonomy the Act seeks to secure. In Internet and Mobile Association of India v. Reserve Bank of India, the Supreme Court stressed proportionality and the need for a rational connection between regulatory goals and individual burdens. Following this reasoning, consent mechanisms that overwhelm users may not provide real choices.
Judicial Engagement with Data Protection Post-2023
Although judicial interpretation of the DPDP Act itself is limited by 2026, courts continue to
draw on constitutional privacy rules to evaluate data disputes.
In Anuradha Bhasin v. Union of India, the Supreme Court emphasised the importance of
transparency and necessity when digital restrictions impact fundamental rights. These principles will likely influence how courts interpret data retention, surveillance, and access under the DPDP framework. Judicial scrutiny acts as a vital external check on executive exceptions.
State Exemptions and National Security Concerns
A controversial element of the DPDP Act is the broad exemption provided to State agencies under Section 7. The government can exempt itself from compliance for reasons such as sovereignty, public order, and security.
This raises serious constitutional issues. In the Aadhaar case (K.S. Puttaswamy v. Union of India), the Supreme Court warned against unchecked data centralisation and emphasised the need for limits in purpose and proportionality. Without independent oversight or parliamentary review, State exemptions could undermine privacy protections.
From a regulatory viewpoint, the DPDP Act has reduced uncertainty for businesses in India’s digital economy. Standardised consent rules and clear penalties have encouraged compliance-oriented practices.
However, smaller businesses face disproportionate compliance costs, especially in setting up grievance redress systems and breach reporting processes. The lack of tailored guidance heightens these challenges.
Data Localization and Cross-Border Data Transfers
One of the most debated aspects of the DPDP Act is its stance on cross-border data transfers. Unlike earlier drafts that favoured data localisation, the DPDP Act takes a more flexible approach, allowing transfers to countries approved by the Central Government. While this supports global digital trade and cross-border services, it raises concerns about adequacy and enforcement. The lack of a clear framework for assessing adequacy creates uncertainty about how recipient countries meet data protection standards. This could lead to Indian citizens’ data being sent to places with weaker enforcement, limiting effective remedies in cases of misuse or breaches.
By 2026, this issue has become particularly pressing as Indian tech companies increasingly operate in global data networks. Without reciprocal enforcement or international cooperation, cross-border data protection remains inconsistent and largely at the mercy of executive control.
Data Breach Reporting and Accountability Mechanisms
The DPDP Act requires timely reporting of personal data breaches to both the Data Protection Board and affected individuals. In theory, this enhances transparency and responsibility. However, in practice, enforcement challenges persist.
Many data fiduciaries continue to underreport breaches or delay notifications due to reputational concerns. The lack of clear benchmarks for what constitutes “harm” complicates compliance. Consequently, data principals may be unaware of breaches impacting their personal information until real damage has occurred.
By 2026, effective breach reporting remains one of the weakest links in the data protection framework, highlighting the need for clearer rules and stricter enforcement.
Digital Inclusion and the Privacy Divide
An often-ignored aspect of data protection law is its effect on digitally vulnerable groups. The DPDP Act assumes a basic level of digital literacy, but many people lack the knowledge or means to fully exercise their data rights. Elderly individuals, rural residents, and first-time internet users often have difficulty managing consent, navigating grievance mechanisms, and requesting access to data. This creates a “privacy divide” where legal rights exist on paper but are not reachable in reality.
Closing this gap requires not just legal measures but ongoing public education and institutional outreach. Without these, the promise of informational self-determination will remain unevenly fulfilled.
Conclusion
By 2026, the Digital Personal Data Protection Act represents a necessary yet incomplete
response to India’s privacy issues. While the Act lays out a legal framework based on
constitutional principles, its long-term success hinges on transparent governance, institutional
independence, and vigilant judicial oversight.
Privacy protection in India will ultimately depend not just on legal texts, but on how
consistently constitutional values are upheld in practice.