Evolution of Data Protection Laws in India
Data’s a flood that never ends, but history hides around the bends.
Privacy has certainly been at the centre of discussion and has evolved as a concept, but where did it all begin?
India's first step towards data protection can be traced back to the late 1990s, when the rise of the IT sector raised concerns about digital data and the need to protect it. At present we have a data protection law with ever-evolving rules.
Information Technology Act 2000
The first cyber law enacted in India was the Information Technology Act, 2000, which provides for legal recognition of e-commerce and data. Its major amendment inserted Section 43(A), which set forth the liability for data breaches and introduced the term 'sensitive personal data'.
The Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)
In 2011, India notified rules under the Information Technology Act. These rules introduced the key concepts of privacy policy, consent, collection limitations, notices, data retention purpose limitations, right to access and correct, right to opt out and withdraw consent, Grievance Officer, disclosure with consent, and requirements for transfer of Sensitive Personal Data.
Justice A.P. Shah Committee, 2012
In 2012, the Justice A.P. Shah Committee was constituted to review the best international practices and policy framework.
The report had five salient features-
- Technological neutrality and interoperability- The laws should be tech-neutral, align with global standards, and ensure consistency, trust, and value from cross-border data flows.
- Multi-dimensional Privacy- The privacy framework should address concerns about data protection, surveillance, and bodily and physical privacy.
- Horizontal applicability- It must apply equally to both public and private sectors.
- Conformity with Privacy principles- The nine core privacy principles will guide the law, emphasizing the accountability of data controllers to protect individuals’ personal data.
- Co-regulatory enforcement regime- A dual system is proposed: Privacy Commissioners for oversight and sectoral Self-Regulatory Organizations (SROs) for compliance and awareness-building.
The report also recommended nine principles for a privacy law: Notice, Collection Limitation, Choice and Consent, Purpose Limitation, Access and Correction, Disclosure of Information, Security, Openness, and Accountability. These served as a foundational basis for data privacy laws in India.
K.S. Puttaswamy landmark judgement, 2017
In 2017, the Supreme Court's landmark judgement in K.S. Puttaswamy v. Union of India declared the right to privacy a Fundamental Right under Article 21 of the Constitution of India and emphasized the need for separate legislation on data protection to uphold the needs of individuals with respect to the state's legitimate concerns.
Justice B.N. Srikrishna Committee, 2018
In 2018, the Justice B.N. Srikrishna Committee was constituted to study issues on data protection and draft comprehensive legislation. The committee submitted a report, "A Free and Fair Digital Economy", and drafted a Personal Data Protection Bill. The report focuses on fiduciary relationships, obligations of the fiduciaries, the definition of personal data, and consent-based processing. The draft Bill introduced the key recommendations on rights of data principals, obligations of data fiduciaries, the Data Protection Authority, grounds for processing of personal data and sensitive personal data, cross-border data transfer, and offences and penalties.
Personal Data Protection Bill, 2019
In 2019, the draft Personal Data Protection Bill was introduced in the Lok Sabha, incorporating several changes from the B. N. Srikrishna Committee draft. The provisions mentioned in this draft Bill are-
- Obligations Of Data Fiduciary
- Grounds For Processing of Personal Data Without Consent
- Personal Data and Sensitive Personal Data of Children
- Rights Of Data Principal
- Transparency and Accountability Measures
- Restriction on Transfer of Personal Data Outside India
- Power of Exemption to the Central Government
- Data Protection Authority of India
- Offences, Penalties and Compensation
- Establishment of Appellate Tribunal
Joint Parliamentary Committee Report, 2020
In 2021, the Joint Parliamentary Committee submitted a report on the draft Personal Data Protection Bill, 2019. The key recommendations and suggestions were-
- The ‘Personal Data Protection Bill’ name was changed to the ‘Data Protection Bill’- broadening the scope to non-personal data as well.
- A definite timeline for implementation of the 2021 Bill
- The government must exercise its power of exemption only following a just, fair, reasonable and proportionate procedure.
- A 72-hour data breach reporting timeline
- Parental consent for processing of children's data, and certain additional obligations on data fiduciaries processing children’s data.
- It emphasized regulation of social media platforms where these platforms do not act as mere intermediaries.
- It strongly suggested that the government take active steps and enact stricter laws for data localization.
Following the JPC Report, in 2022 the Personal Data Protection Bill of 2019 was withdrawn from Parliament, and later in 2022 a draft bill, the ‘Digital Personal Data Protection Bill, 2022’, was released and opened for public consultation, suggestions and recommendations.
Digital Personal Data Protection Act, 2023
In 2023, after the consultations and suggestions, the Draft Digital Personal Data Protection Bill was tabled in Parliament. It was passed by both houses, the Lok Sabha and the Rajya Sabha, and received the assent of the President on 11th August, 2023. This marks a significant step in India's data privacy regime.
The Digital Personal Data Protection Act, 2023 lays down the legal framework for the processing of digital personal data in a manner that recognizes individuals' right to protect their personal data. The Act mainly focuses on-
- Digitized personal data of persons
- Obligations of Data Fiduciary and Significant Data Fiduciaries
- Rights and duties of Data Principal
- Special powers to the central government with respect to processing of personal data outside India
- Establishment of the Data Protection Board of India and its powers, functions and duties
- Provision for Appeal and Alternate Dispute Resolution
- Offences and Penalties
Digital Personal Data Protection Rules, 2025
The Digital Personal Data Protection Act, 2023 (DPDPA) marked a moment in India’s data governance regime, establishing a legal framework on personal data. However, as with most framework legislation, the DPDPA relies heavily on subordinate rules and notifications for its actual operationalization. As of July 2025, the Draft DPDP Rules, 2025 remain under review and have not yet been officially notified. These rules underwent public consultation through April 2025. They are vital for clarifying procedural aspects, ensuring enforceability, and offering compliance guidance to regulated public as well as private entities. Until they are notified, full implementation of the Act remains incomplete, leaving stakeholders in a preparatory but uncertain phase.
How Ardent Privacy’s TurtleShield Suite Aligns with India’s Evolving Data Protection Landscape
As India’s data protection framework has matured from the IT Act, 2000 to the landmark Digital Personal Data Protection Act (DPDPA), 2023, compliance demands have shifted from broad legal recognition to precise, principle-driven, accountable data handling. Ardent Privacy has proactively evolved its TurtleShield product suite to support this transformation.
Here’s how TurtleShield helps enterprises stay DPDPA-ready:
1) Unified Data Discovery & Classification
Our tool “TurtleShield” innovates with the ability to discover data at scale and helps enterprises take quick action. It will help enterprises reduce the cost of data security and privacy compliance. It makes it possible to reach datasets that would otherwise not have been reachable with traditional discovery methods. It distinguishes between personal and sensitive personal data, as defined under DPDPA, enabling accurate data mapping and risk profiling.
2) Consent & Purpose Management
In line with the consent-based processing model of DPDPA, TurtleShield CM (Consent Management) automates required user privacy notices, the gathering and management of consent/opt-out privacy preferences, and the operational honoring of preferences by both internal and downstream third-party data sharers.
3) Data Principal Rights Management
TurtleShield DSAR streamlines the Data Principal Rights Management (DPRM) process, ensuring efficient compliance with the DPDP Act. It offers a centralized portal for intake, automated data discovery, and secure response delivery. Users can submit requests through customizable forms, with identity verification ensuring authenticity. TurtleShield automates the discovery and mapping of personal data across systems, compiles it into organized reports, and facilitates secure delivery while maintaining detailed audit logs for accountability.
4) Breach Reporting
TurtleShield DBM (Data Breach Management) helps organizations efficiently verify, assess, contain, manage and respond to data breaches, including notifying affected individuals and regulatory bodies as per the legal requirements. TurtleShield ensures that organizations are prepared to meet DPDPA’s incident response expectations, including timely breach notifications and recordkeeping.
5) Localization & Cross-Border Controls
The suite supports data localization policies and enforces rules around data flows, including tagging and tracking of personal data transfers outside India, helping businesses align with governmental processing and transfer obligations under the DPDPA.
6) Compliance Dashboard & Readiness Reports
TurtleShield's centralized dashboard offers a real-time view of compliance posture, alerts for risk areas, and auditable reports to demonstrate accountability, crucial as India moves towards rule-based enforcement in 2025.
Ardent Privacy’s commitment to privacy-by-design and compliance automation ensures that businesses using TurtleShield are not just reactive to data protection mandates, but strategically prepared for the future of responsible data governance in India.