ISpectra Technologies
Foundations · Beginner · Updated Jun 2026 · 8 min read

From the PDP Bill to the DPDP Act: Background & History

India's data protection law took six years and several false starts to arrive. Understanding that journey explains why the DPDP Act looks the way it does today.


Laws have backstories, and the DPDP Act's is unusually instructive. The choices made along the way — what to include, what to drop, how prescriptive to be — explain the shape of the final law.

This guide traces the arc from a constitutional ruling, through a withdrawn bill, to the Act and Rules in force today.

Reading the history is not an academic exercise. The compromises baked into the Act — simplicity over comprehensiveness, a single regulator, a negative-list for transfers — directly shape your obligations today, and they hint at how the law is likely to evolve. The sections below follow the story chronologically and draw out the practical lessons at each step.

Before the Act: a thin patchwork

Before the DPDP Act, India regulated personal data mainly through Section 43A of the Information Technology Act, 2000 and the 2011 SPDI Rules. These covered a narrow band of “sensitive personal data” and relied heavily on contractual safeguards.

For a country with one of the world's largest online populations, that patchwork was widely seen as inadequate — both for protecting citizens and for giving businesses clear rules to follow.

The inadequacy of the old regime was not merely academic. High-profile data leaks and the absence of meaningful penalties left individuals with little recourse and businesses with little guidance, which is precisely the vacuum the DPDP Act was designed to fill.

2017: Puttaswamy recognises privacy as fundamental

The turning point was the Supreme Court's 2017 judgment in Justice K. S. Puttaswamy v. Union of India, which held that the right to privacy is a fundamental right under the Constitution. The ruling explicitly contemplated informational privacy and called for a data protection framework.

That judgment transformed data protection from a policy preference into a constitutional obligation.

Puttaswamy also set boundaries for the State itself, insisting that any intrusion into privacy be lawful, necessary and proportionate. That constitutional test echoes through the Act's structure and its treatment of exemptions.

2018: the Srikrishna committee and first draft

The Government constituted an expert committee chaired by Justice B. N. Srikrishna, which delivered a report and a draft Personal Data Protection Bill in 2018. The draft borrowed heavily from global models and proposed a comprehensive, rights-based regime.

It set the agenda for everything that followed, even as the specifics were debated and revised. Designing a privacy programme today still benefits from understanding these origins, because the principles behind DPDP compliance were largely settled in this period.

The Srikrishna report is still worth reading for context: it articulated the philosophy of the data fiduciary — the idea that those who hold personal data owe a duty of care to the people it concerns — which survived into the final Act.

2019-2021: the PDP Bill and its critics

A Personal Data Protection Bill was introduced in Parliament in 2019 and referred to a Joint Parliamentary Committee. Over the next two years it attracted extensive scrutiny — on data localisation, on exemptions for the State, on the breadth of its definitions, and on the burden it placed on smaller businesses.

The debate revealed a tension that runs through Indian data protection: how to protect individuals robustly without imposing rules so heavy that they choke innovation and burden small firms.

The localisation debate in particular shaped the final design. India ultimately rejected blanket localisation in favour of a lighter negative-list model, a decision that directly affects how businesses handle cross-border transfers today.

2022: a reset to a simpler design

In August 2022, the Government withdrew the 2019 Bill, signalling a deliberate reset. Later that year it released a new, markedly simpler draft — the Digital Personal Data Protection Bill — for consultation.

The new approach stripped out much of the complexity, dropped the separate “sensitive data” category, and adopted a leaner, principles-based structure with plain-language drafting. This is the lineage of the law in force today.

The 2022 reset is the single most important moment for understanding the current law. By choosing simplicity, the drafters accepted some loss of granularity in exchange for a statute that ordinary businesses could actually implement.

2023: the DPDP Act becomes law

The Digital Personal Data Protection Act, 2023 was passed and received assent on 11 August 2023. The final text kept the simpler design: a consent-centric framework, a single Data Protection Board for enforcement, a negative-list approach to cross-border transfers, and tiered penalties.

It was a pragmatic compromise — strong on individual rights and accountability, but lighter and more business-friendly than its predecessors.

The choice of a single Data Protection Board, rather than a sprawling authority, reflects the same pragmatism: a focused, digital-first regulator intended to act quickly rather than a bureaucracy that might struggle to keep pace.

2025: the Rules complete the framework

The Act still needed operational detail. Draft Rules appeared for consultation in January 2025, and the final Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, introducing a phased compliance window of roughly eighteen months.

Only with the Rules did the framework become fully operational and enforceable.

The two-year gap between the Act and the Rules was itself instructive, reminding businesses that a statute on the books is not the same as an enforceable regime. The lesson for the future is to watch the Rules, not just the Act, for the detail that governs day-to-day compliance.


What the history tells us

The journey from the PDP Bill to the DPDP Act is a story of simplification. India chose clarity and pragmatism over comprehensiveness, betting that a leaner law would be easier to comply with and to enforce.

For businesses, the lesson is reassuring: the Act is demanding but navigable, and its principles — notice, consent, security, rights — are stable enough to build a lasting programme around.

Knowing this history also helps anticipate the future. A law built on a fundamental right and a duty of care is likely to be interpreted protectively, so erring toward transparency and restraint with personal data is the posture most aligned with the Act's spirit.

Why the history still matters

The arc from the PDP Bill to the DPDP Act is ultimately a story about balance: protecting individuals robustly while keeping the law light enough to implement. Every major design choice in the Act can be traced to a lesson learned during that long process.

For practitioners, the value of knowing this lineage is anticipation. A law rooted in a fundamental right and a duty of care will be read protectively, so the safest long-term strategy is to lean toward transparency, minimisation and genuine accountability rather than the bare legal minimum.

It also helps to remember that the framework will keep evolving through guidance, Board decisions and possible amendments. Treating the current Act and Rules as a living regime — one you monitor rather than implement once and forget — is the posture most likely to keep you compliant as interpretation matures over the coming years. Watching how the Board exercises its powers in its first cases will tell you a great deal about where the practical compliance bar truly sits.


DPDP Act Background & History — FAQ

Mainly Section 43A of the IT Act, 2000 and the 2011 SPDI Rules, which covered a narrow set of sensitive personal data and were widely seen as inadequate.
A 2017 Supreme Court ruling that recognised privacy as a fundamental right and created a constitutional duty to protect personal data through law.
It was referred to a Joint Parliamentary Committee, heavily debated, and ultimately withdrawn in 2022 in favour of a simpler draft.
The 2022 reset deliberately removed complexity — dropping the separate sensitive-data category and adopting a leaner, principles-based design.
When the DPDP Rules, 2025 were notified on 13 November 2025, supplying the operational detail the Act required.