in session · 18th LS
plate I · vol. lxxiv · bharat gazette · serial 17/2024/A day 23 of monsoon session 04 bills introduced today 02 awaiting rajya sabha last assent 09 may 2026 · telecommunications (amdt.) oldest pending bill · 2,847 days · marriage laws amdt., 2018 active acts · 3,050 17th LS median debate · 1.6 hrs / bill impressed · ★ 3,847 plate I · vol. lxxiv · bharat gazette · serial 17/2024/A day 23 of monsoon session 04 bills introduced today 02 awaiting rajya sabha last assent 09 may 2026 · telecommunications (amdt.) oldest pending bill · 2,847 days · marriage laws amdt., 2018 active acts · 3,050 17th LS median debate · 1.6 hrs / bill impressed · ★ 3,847

Reading VII of XII · Act 22 of 2023

Act No.
XXII
of MMXXIII

॥ डेटा सुरक्षा ॥

The Digital Personal Data Protection Act, 2023 Digital Personal Data Protection Act

— Tech · in force since 13 Nov 2025 —

MeitY File
22
2023
phased in force
Ministry of Electronics & IT Introduced 3 Aug 2023Assented 11 Aug 2023In force 13 Nov 2025 XVII Lok Sabha
Why this Act matters

Six years after Puttaswamy. The Act is now in phased force; core compliance obligations run into 2027.

passed · voice rules '25 phased force

Indicator Stamps

Built 15 May 2026
days · intro to assent
8
legislative velocity
debate hours · both Houses
floor time
Rajya Sabha vote
vote record pending
Lok Sabha vote
vote record pending
committee referral
none
pre-enactment scrutiny
current status
phased in force
record state

The statute is compact; the delegated architecture is not.

Editorial reading

Lifecycle · Act 22 of 2023

— first reading to living record —
Date-scaled lifecycle timeline from 2023 to 2026 2023 2024 2025 2026 Bill tabled · LS Act in force — living record —

The pitch was that India finally needed a personal data law: consent, notice, purpose limitation, breach duties, a Data Protection Board, and penalties for serious failures.

The history made the pitch heavier. The law arrived after Puttaswamy, the Srikrishna Committee draft, the 2019 Bill, a Joint Parliamentary Committee, withdrawal, and a 2022 draft. The 2023 Act is short by design, but much of its meaning lives in exemptions, rules, and the Board that enforces it.

The Bill passed in the monsoon session of 2023 by voice vote. Opposition participation was limited by the politics of the session, and the Bill was not sent to a fresh committee despite the long prior history of committee scrutiny.

The statute is compact; the delegated architecture is not.

Editorial reading
  1. Digital personal data. The Act covers digital personal data and non-digital data later digitised.
  2. Consent and notice. Processing generally requires consent backed by notice, with separate “legitimate uses” where consent is not required.
  3. Data fiduciaries. Fiduciaries must protect data, erase when purpose ends, respond to rights requests, and report breaches.
  4. Children. Processing children’s data is subject to additional restrictions, including parental consent and limits on tracking or behavioural monitoring.
  5. Board and penalties. A Data Protection Board may impose significant monetary penalties.
  6. State exemptions and RTI. Government processing receives wide exemptions; the Act also amends the RTI Act’s personal-information clause.
  • 24 Aug 2017Supreme Court recognised privacy as a fundamental right in Puttaswamy.
  • 11 Dec 2019Earlier Personal Data Protection Bill introduced and sent to a Joint Parliamentary Committee.
  • 3 Aug 2022Government withdrew the 2019 Bill.
  • 11 Aug 2023DPDP Act received assent.
  • 13 Nov 2025Commencement notification and DPDP Rules, 2025 notified; enforcement phased over 12 and 18 months.
what we still do not know

The decisive questions are institutional: how independent the Board is, how exemptions are used, and whether rights requests produce practical remedies.

In Support

Supporters read the Act as India's first workable privacy compliance framework for the digital economy.

Support reading

In Critique

Critics read it as under-protective against the State and too dependent on future rules, appointments, and executive discretion.

Critique reading

The Act closes a long legislative loop, but not the privacy debate. Its design is minimalist, enforcement is centralised, and the most important compliance dates now sit in a phased calendar.