Inflect


The Digital Personal Data Protection Act, 2023, creates new rights for every citizen over their personal data. Whether those rights translate into genuine protection depends on three things: enforcement capacity, regulatory design, and how the Supreme Court resolves the constitutional questions the law has already generated. This article is the first in a ten-part series examining the DPDP Act from every angle that matters.


Overview

Every time a citizen downloads an app, books a cab, or orders food, they hand over personal data. Their name, GPS location, and financial details flow into systems they cannot see or challenge. Until recently, they had very little control over what happened to it.

That’s where the Digital Personal Data Protection (DPDP) Act, 2023 steps in. Enacted in August 2023 and operationalised through rules notified in November 2025, it is India’s first standalone data protection law. It establishes a legal framework for how digital personal data is collected, used, stored, and shared. For the first time, citizens have enforceable rights against the organisations that hold their data.

The law introduces two terms citizens should know. Every citizen is a Data Principal, the individual to whom the data belongs. Every company, institution, or government body that processes that data is a Data Fiduciary. Against every Data Fiduciary, regardless of size or sector, the Act grants the same six enforceable rights to every citizen.


Why It Matters

India’s digital economy is the context without which the DPDP Act cannot be understood. The term digital economy refers to economic activities enabled by the extensive web of online interactions among individuals, businesses, governments, machines, data, and systems that occur daily. India’s digital economy is vast. It is driven by the internet, digital technologies, and digital data. Digital activity in India is not primarily social media consumption. It is the infrastructure of daily life. According to the Internet and Mobile Association of India (IAMAI) and Kantar’s Internet in India Report 2025, India’s active internet user base crossed 950 million in 2025. Of these, over 500 million use UPI (Unified Payments Interface) for financial transactions. Aadhaar, the biometric identity system, promotes access to banking, welfare, and government services for over 1.4 billion residents. Digital activity at this scale generates personal data at a volume and sensitivity that has no precedent in Indian regulatory history.

The data generated spans every consequential domain of a citizen’s life. Banks hold transaction histories and credit records. Hospitals and health applications hold diagnoses, prescriptions, and test results. Telecom providers hold location data and communication patterns. E-commerce platforms hold purchase behaviour, address histories, and payment credentials. Government portals hold income, caste, identity, and welfare entitlement data. Each of these categories, in the hands of an institution with inadequate controls or compromised systems, poses a direct threat to the citizen whose data it contains.

Before the DPDP Act, the regulatory framework governing all of this was the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Both predated the smartphone era, the rise of UPI, Aadhaar-linked digital services, and the explosion of health technology. They offered no right of access, correction or erasure of data, and no independent enforcement body. The DPDP Act replaces this framework with one built on a different foundational premise: that personal data belongs, in the first instance, to the citizen.

The constitutional basis for this shift is the Supreme Court’s 2017 judgment in K.S. Puttaswamy v. Union of India, which held that the right to privacy is a fundamental right protected under Article 21 of the Constitution. The DPDP Act is the legislative response: an attempt to translate constitutional principle into actionable citizen rights.


Citizen’s Six Rights Under the DPDP Act

Sections 11 to 14 of the Act grant every citizen six enforceable rights. Under Rule 14 of the DPDP Rules, 2025, Data Fiduciaries must acknowledge requests within seven days and resolve them within ninety days. The table below lists each right and what it means for the citizen.

Right | What it means for the citizen

Access | Ask any Data Fiduciary to confirm what personal data they hold about you, for what purpose it is being processed, and to whom it has been disclosed. This is the foundational right from which all others flow.

Correction | Demand that inaccurate, incomplete, or outdated data be corrected. This right matters most in high-stakes contexts (a wrong diagnosis in a hospital record, an error in a credit report, an incorrect address on a government database), that is, where errors carry direct, measurable consequences.

Erasure | Request deletion of personal data when the purpose for which it was collected has lapsed or when consent is withdrawn. The Data Fiduciary may refuse only if retention is mandated by law or if the data is necessary for an active service. If neither condition applies, deletion is a right, not a discretionary favour.

Withdraw Consent | Revoke consent at any time, and the process must be as simple as giving that consent was. Once consent is withdrawn, processing must stop.

Grievance Redressal | Every Data Fiduciary must provide a visible, accessible grievance mechanism: a named officer, a portal, or a helpline. If the complaint is unresolved at that level, the citizen may escalate to the Data Protection Board of India, which can impose penalties of up to ₹250 crore for the most serious violations.

Nomination | Appoint another individual to exercise all data rights on one’s behalf in the event of death or incapacity. Digital rights do not become ownerless. They transfer, by nomination, to a designated person.


What the Law Does Not Give Citizens

One right conspicuously absent from the DPDP Act is data portability. Under the EU’s General Data Protection Regulation (GDPR), citizens can demand that their data be transferred directly to a competitor in a machine-readable format. This right has structural economic significance when switching banks, healthcare providers, or telecommunications operators. The DPDP Act does not include this right. A citizen can access data and delete it, but cannot compel its transfer.

The absence is not incidental. Data portability is a structural enabler of market competition. Without it, large platforms that already hold vast data stores face no legal obligation to ease user exit. A citizen wishing to migrate their insurance history, their banking transaction records, or their health data to a new provider remains entirely dependent on the willingness of the incumbent organisation. The law protects your right to be forgotten; it does not protect your right to leave with what is yours.


The Enforcement Architecture and its Gaps

‘A law is only as strong as its enforcement. The Data Protection Board exists, but its full powers will not be operational until 2027. For now, the rights are real; the remedies are still being assembled.’

The DPDP Act’s implementation follows a three-phase schedule notified on 13 November 2025. Phase 1, effective immediately, established the Data Protection Board of India (DPBI) and launched its digital complaint portal. Phase 2, effective November 2026, operationalises the consent manager framework. Phase 3, effective 13 May 2027, brings all remaining substantive provisions into force: consent obligations, data fiduciary duties, breach notification requirements, individual rights handling, and the full penalty regime.

The structural consequence of this phasing is that citizens’ rights are legally in force, but the machinery designed to enforce them is not yet fully operational. A citizen who files a complaint with the DPBI in 2025 or 2026 will face slower, less consequential resolution than one who files after May 2027. The rights exist in statute. The remedy is still being assembled. Citizens who experience data violations during this transitional period have a legal basis to complain, but the institutional capacity to act on that complaint is limited.

With rights come responsibilities. The Act also places explicit duties on citizens. Under Section 15, Data Principals may not file false or frivolous grievances, impersonate another individual, or furnish fabricated information when exercising their rights. Violations attract a penalty of up to ₹10,000. The law treats citizens as responsible actors, not merely as passive beneficiaries of state protection.


Where This Leaves Citizens Today: Three Developments That Will Determine the Act’s Real Value

The practical value of the DPDP Act’s citizen rights will be shaped by three near-term institutional developments, each of which carries significant uncertainty.

The DPBI’s legal architecture exists. Its enforcement powers will fully activate only in May 2027. The Board’s first wave of adjudications (how many complaints it receives, how quickly it resolves them, and whether it imposes meaningful penalties on large fiduciaries) will determine whether the grievance redressal right functions as a genuine citizen remedy or as a nominal one. The DPBI must establish a credible track record, not merely an institutional existence.

The government has the power to designate certain large data fiduciaries (major social media platforms, health aggregators, financial technology companies) as Significant Data Fiduciaries (SDFs), triggering heightened compliance obligations. No designations have been made as of the time of writing. These designations are essential to the law’s operation: the entities most capable of causing harm at scale are, until designated, subject only to baseline obligations.

Four petitions are currently before the Supreme Court challenging several provisions of the DPDP Act, including Section 44(3), which amended the Right to Information Act to remove the public interest override on personal data disclosures, and Section 36, which allows the government to demand data from any fiduciary without independent oversight. The Court referred these matters to a larger bench and declined to stay the Act. The central question in the proceedings, however, is what constitutes “public data” and “private data”, which is crucial to deciding the validity of the Act. The judgment will determine the boundary between the DPDP Act’s privacy protections and the citizen’s right to scrutinise the state.

The DPDP Act has created a legal architecture within which citizens can, for the first time, demand answers from the institutions that hold their data. Consent notices must now be shown in plain language, in any of India’s 22 scheduled languages, before data is collected. A notice that is deliberately opaque or buried in technical or legal jargon may itself constitute a violation. Incorrect data, such as a wrong medical record, an erroneous credit entry, or a lapsed address, can now be formally challenged. These are our new rights as citizens to protect our digital data.

Whether the architecture holds, and who it ultimately serves, will depend on the enforcement record of the DPBI, the scope of the Significant Data Fiduciary designations, and the constitutional ruling by the Supreme Court. The law has been enacted; its value is still being determined.


About DPDP Explained

This article is the first in DPDP Explainer, a ten-part series that examines the Digital Personal Data Protection Act from every angle that matters to citizens, firms and constitutional order. Topics include healthcare data, comparison with global frameworks, the RTI challenge, and more. The series moves from the accessible to the analytical: it begins with citizen rights, moves through compliance implications for startups and healthcare, examines global comparisons, and closes with the structural and constitutional questions the law has generated.
