From initial draft to Legislation: Tracing the evolution of Digital Personal Data Protection Act, 2023

Abstract

The timeline of the evolution of the Indian privacy and personal data protection regime includes several constitutional‚ philosophical and legislative developments culminating in the passing of the Digital Personal Data Protection Act (DPDP Act)‚ 2023 and the Digital Personal Data Protection Rules (DPDP Rules)‚ 2025․ The article traces the evolution of the privacy jurisprudence in India from the philosophical concepts of dignity‚ autonomy and informational self-determination to the ultimate recognition of privacy as a fundamental right in Justice K․S․ Puttaswamy v․ Union of India‚ the recommendations of the Srikrishna Committee‚ the controversial provisions of the 2019 Personal Data Protection Bill‚ the scrutiny by the Joint Parliamentary Committee and its subsequent withdrawal‚ and the transition to the simplified compliance-based structure under the DPDP Act‚ 2023․ The paper analyses the fiduciary model of the Act‚ legal and transparent data processing‚ simplified rights of the Data Principal‚ cross-border data transfer‚ enforcement mechanisms before the Data Protection Board‚ and how these impact the regulation of consent‚ data breach notifications‚ and child data protection under the DPDP Rules‚ 2025․ Furthermore‚ it traces India's journey of balancing personal privacy‚ economic innovation‚ and state interests to establish itself as a leading global player in digital governance and data regulation․