When Parliament cleared the Digital Personal Data Protection (DPDP) Act in August 2023, it was hailed as India’s most ambitious attempt to regulate how personal data is collected, processed, and safeguarded. The law received Presidential assent on August 11, 2023. Yet, more than a year later, the statute has not been formally notified, leaving its provisions dormant and its promises unfulfilled.
A division bench of Chief Justice D.K. Upadhyaya and Justice Tushar Rao Gedela, hearing a petition on the matter, directed the Union government to clarify whether notification under Section 1(2) of the Act is even under consideration. The case, filed by working professional Vikas Mittal, contends that without enforcement, businesses remain free to engage in practices that compromise citizens’ privacy.
The Petition and Its Implications
The petitioner urged the court to issue a mandamus compelling the Centre to operationalize the law, arguing that citizens’ rights to privacy—already affirmed by the Supreme Court as a fundamental right—are at risk. The plea stressed that, under the Act, personal data can only be processed with consent or for defined “legitimate uses.”
By withholding notification, the petition claimed, businesses and intermediaries are exploiting the legal vacuum to collect and misuse personal data. The plea also underscored the growing urgency, given India’s rapid digitalization and the exponential rise in data-driven services.
Government’s Position and Court’s Response
During the hearing, the Centre’s counsel admitted that no notification has yet been issued. The court pressed for details, instructing government representatives to confirm not only whether any notification had been made but also if any steps toward implementation were underway.
The judges noted the Act’s clear wording: it comes into force on dates appointed by the Central Government. Different provisions may take effect on different dates, offering the government flexibility. Still, the prolonged delay, they observed, casts doubt on the administration’s commitment to establishing the proposed Data Protection Board of India and enforcing compliance obligations.
What Enforcement Could Mean
If implemented, the DPDP Act would govern both domestic and cross-border processing of personal data, applying to entities that collect data digitally or digitize physical records. It mandates consent-driven processing, lays out rules for legitimate uses, and requires the creation of a national Data Protection Board to monitor compliance, impose penalties, and manage grievances.
The court’s intervention highlights not only the legal vacuum but also the broader tension between legislative intent and executive action. The matter will next be heard on November 12, with the Centre expected to clarify its timeline. For now, India’s landmark privacy law remains in limbo, its potential to reshape the country’s digital governance unrealized.
