Digital Personal Data Protection Act: Implementation and implications of India's new data protection law
India’s long-anticipated Digital Personal Data Protection Act, 2023 (DPDP Act) has emerged as a pivotal legal framework in the country’s journey toward securing informational privacy in the digital age. Enacted in the wake of the Supreme Court’s historic judgment in Justice K.S. Puttaswamy v. Union of India, which recognised privacy as a fundamental right under Article 21 of the Constitution, the DPDP Act promises to usher in a data regime that respects individual autonomy, imposes accountability on data handlers, and balances the demands of digital governance with civil liberties.
While the Act received presidential assent in August 2023, its implementation remains inchoate. Several key provisions await operationalisation through rules and notifications.
The government’s release of Draft DPDP Rules in January 2025 was a welcome step, outlining the practical mechanisms for enforcing data subject rights, consent architecture, data fiduciary obligations, and breach response protocols. However, these rules are yet to be finalised or notified, and the Data Protection Board of India—a statutory adjudicatory body envisioned under the Act—remains non-functional. This delay has significant implications for enforcement, legal clarity, and public trust.
The Act introduces key rights for individuals, now termed “Data Principals.” These include the right to access, correct, and erase personal data; the right to withdraw consent; and the right to nominate another person to exercise these rights in the event of death or incapacity. These rights mirror global best practices, especially those in the European Union’s General Data Protection Regulation (GDPR), but are tailored to India’s federal and socio-economic context.
On the other side, the Act creates extensive obligations for “Data Fiduciaries,” particularly for those classified as “Significant Data Fiduciaries.” These obligations include mandatory data audits, appointment of Data Protection Officers, impact assessments, and security safeguards. The goal is to embed accountability and ethical stewardship in digital data processing.
However, concerns persist. The Act’s reliance on delegated legislation means much of its substance is deferred to future rule-making. This legislative skeleton creates uncertainty and leaves space for executive overreach. Moreover, the broad exemptions granted to the State under Section 17—allowing government agencies to bypass consent and processing restrictions in the name of national interest—have sparked apprehensions about surveillance and erosion of privacy. The lack of categorisation of sensitive personal data, which was present in previous drafts, also raises questions about the adequacy of protections for health, biometric, and financial data.
The judiciary is poised to play a critical role in ensuring that the Act’s constitutional underpinnings are not diluted in implementation. High Courts have already been approached through writ petitions seeking the enforcement of the Act’s timelines and the establishment of the Data Protection Board. Should the government continue to delay critical notifications, judicial intervention may be inevitable. Moreover, questions relating to the compatibility of certain provisions—especially the wide-ranging State exemptions—with the right to privacy are likely to reach constitutional benches in the coming months.
The appellate structure under the Act designates the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the forum for appeals against decisions of the Data Protection Board, with a further appeal to the Supreme Court. While this multilayered framework aims to streamline adjudication, the delay in setting up the primary adjudicatory body renders the process ineffective for now.
At the policy level, regulators must move with urgency and clarity. There is a pressing need to finalise the rules, define roles for consent managers, establish standardised notice formats, and clarify data localisation obligations. Trade bodies have already expressed concern that certain proposed rules might hinder cross-border data flows and create compliance burdens for startups and MSMEs.
In conclusion, the DPDP Act represents a monumental shift in India’s legal landscape, one that seeks to empower individuals and bring accountability to the digital economy. But without timely implementation, robust institutional architecture, and vigilant judicial oversight, the Act’s promise may remain on paper. The future of India’s digital rights depends not just on the strength of its legislation, but on the commitment of its institutions—executive, legislature, and judiciary—to uphold the spirit of the Constitution in the digital realm.
