Almost a year after India’s landmark Digital Personal Data Protection Act, 2023 (DPDP Act) was passed by Parliament, the law remains stalled, awaiting crucial notifications and operational rules. Far from ushering in a new era of digital rights and governance, the prolonged delay has deepened confusion among citizens, organisations, and civil society. Instead of providing clarity, the Act has triggered a heated debate on whether it genuinely upholds privacy or stealthily undermines India’s long-standing commitment to transparency under the Right to Information Act (RTI).
The Missed Deadlines and Rising Anxiety
The DPDP Act was passed in August 2023 with much fanfare, promising to protect the personal data of India’s 1.4 billion citizens. Yet, as of mid-2025, its enforcement remains in limbo. The absence of operational rules—the critical mechanisms defining how the law will be implemented—has created a regulatory vacuum. The government has now indicated the matter is under review by the Attorney General, raising further concerns of bureaucratic inertia and political hesitancy.
This delay is not merely procedural. It stalls India’s ambitions of becoming a responsible digital power. In the meantime, organisations—both domestic and global—that hold and process Indian citizens’ data remain directionless. Businesses are left guessing compliance requirements, while citizens wait for assurance on how their data will be protected.
The RTI Act at a Crossroads
The biggest casualty, however, could be India’s transparency framework. The DPDP Act’s current provisions threaten to undermine Section 8(1)(j) of the RTI Act. Under the RTI law, personal information could be withheld—but with a key safeguard: if public interest outweighed privacy concerns, disclosure was mandated. This balancing test has empowered investigative journalism, exposed corruption, and protected citizen rights for years.
By removing this balancing mechanism, the DPDP Act grants unchecked powers to public authorities to deny access to critical information under the pretext of personal privacy. Activists fear this could lead to massive erosion of accountability, effectively allowing government agencies to hide behind the veil of data protection, ironically using a privacy law to restrict public access to legitimate information. As one critic aptly described it, this may be India’s move towards an Orwellian state where “Big Brother is watching you”, but citizens are left in the dark.
Compliance Without Clarity – The Organisational Dilemma
Despite the absence of rules, experts argue that organisations must start preparing. The bulk of compliance work—75-80%—is universal: data mapping, minimisation, consent management, security protocols, and accountability structures are foundational steps that do not change with minor rule clarifications. Waiting for official rules to begin compliance is a strategic error. However, the lack of final guidance continues to hinder progress, especially for small and medium enterprises with limited resources.
A Crisis of Trust
India’s data protection journey has reached a critical crossroads. The delayed implementation of the DPDP Act, potential dilution of RTI, and ambiguity around compliance have triggered a crisis of digital trust. For a nation that houses nearly 20% of the world’s personal data, this drift is both costly and dangerous. The government must move decisively—clarify, consult, and course-correct—to restore faith in its commitment to privacy, transparency, and digital rights.