Abstract
For over ten years, India debated whether it required a data protection law. So, after this debate, the Digital Personal Data Protection Act 2023 was enacted, well, you know, it followed from there. It seems to take some inspiration from the Supreme Court’s big 2017 ruling in K.S. Puttaswamy v. Union of India, which in turn, essentially, leaned into the idea that privacy counts as a fundamental right. That is because the Court recognised privacy under Article 21 of the Indian Constitution, in a way that mattered a lot. The DPDP Act establishes a legal framework for processing personal data, requiring consent or lawful grounds. It also grants individuals four rights over their data: access, rectification, erasure and restriction. It also sets up a Data Protection Board to deal with complaints about possible infringements of privacy rights and to make sure compliance with the DPDP Act is actually followed. In fact, people are comparing this kind of rule with the GDPR in the EU and the California Consumer Privacy Act (CCPA), kind of right away, as if it is a near match.