ANIRUDH BURMAN
INTRODUCTION
In early August 2023, the Indian Parliament passed the Digital Personal Data Protection (DPDP) Act, 2023.1 The new law is the first cross-sectoral law on personal data protection in India and has been enacted after more than half a decade of deliberations.2 The key question this paper discusses is whether this seemingly interminable period of deliberations resulted in a “good” law—whether the law protects personal data adequately, and in addition, whether it properly balances, as the preamble to the law states, “the right of individuals to protect their personal data” on one hand and “the need to process such personal data for lawful purposes” on the other.
To answer this question, the paper first details the key features of the law and compares it to earlier versions, especially the previous official bill introduced by the government in Parliament in 2019.3 The second part of the paper then examines the DPDP Act from two perspectives. First, it highlights certain potentially problematic features of this law to understand its consequences for consumers and businesses as well as the Indian state. Second, it places the act in the context of the developments and deliberations that have taken place over the last five years or so. The third part speculates on the key factors that will influence the development of data protection regulation in India in the next few years.