Consent: The Foundation Of Digital Data Protection

Update: 2026-03-18 14:30 GMT

Consensus facit legem, which means consent makes the law. Primacy of consent is not only confined to the formation of contracts but also underpins a wide array of legal relationships and highlights a philosophical commitment to individual autonomy. Our Constitution begins with the Preamble, where we promise to each other OUR collective consent, across generations, as “WE, THE PEOPLE OF INDIA, having solemnly resolved …do HEREBY ADOPT, ENACT AND GIVE TO OURSELVES THIS CONSTITUTION.” Elements of consent and free will were introduced by the British in the Indian Penal Code of 1860, the Indian Contract Act of 1872, and other codified property and personal laws. Courts, over the years, have interpreted consent and shaped the jurisprudence. The Madras High Court in Chikkam Ammiraju and Others v. Chikkam Seshamma and Anr., AIR 1918 Mad 414, held that a threat amounts to coercion and makes the agreement voidable. The Supreme Court of India in Central Inland Water Transport Corporation Ltd. & Anr. v. Brojo Nath Ganguly & Anr., AIR 1986 SC 1571, highlighted the importance of fairness and autonomy in consent and declared the unconscionable part in the contract as void as it undermined the free will of the weaker party. In a criminal matter, the Supreme Court in State of Maharashtra v. Madhukar Narayan Mardikar, AIR 1991 SC 207, asserted that every individual, including sex workers, has the right to bodily autonomy and the ability to withhold consent and thereby reinforced that consent must be explicit and free from coercion.

The Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India, 2017 INSC 801 [“Puttaswamy Case”], recognized privacy as a fundamental right protected under Articles 14, 19, and 21 of the Indian Constitution and emphasized informed consent in matters of privacy rights, holding that individuals must fully understand the implications of sharing personal data. After multiple drafts and iterations, the Digital Personal Data Protection (“DPDP”) Act, 2023, was enacted on August 11, 2023, and the government thereafter notified the DPDP Rules, 2025, on November 14, 2025, activating a phased implementation framework. The principle of consent has become central in India's privacy and data protection law, and the very structure of the DPDP Act reflects the maxim consensus facit legem: a data principal's consent is the primary lawful basis for collecting or using their personal data. The DPDP Act requires that consent be free, specific, informed, unconditional, and unambiguous, given via a clear affirmative action. The DPDP Act operationalizes consent with various safeguards and mechanisms: individuals have the right to withdraw consent at any time, and the data processor must then cease processing their data. To make user consent manageable in a complex digital ecosystem, the DPDP Act introduces the concept of consent managers, neutral and registered intermediaries through which individuals can give, track, and revoke consent across multiple data fiduciaries. Under the DPDP Act, consent is not just a one-off formality but an ongoing element of data governance.

The DPDP Rules were initially meant to be complied with within 18 months, but the government has advanced the compliance timeline to 12 months. The Ministry of Electronics and IT ("MeitY") has disseminated this proposal to stakeholders, requesting their feedback by March 2026. The compression of the enforcement calendar by a third indicates a shift in the government's approach. While the government claims that the stakeholders are sufficiently ready, there is a wide perceived disparity in readiness across sectors. As an illustrative example, the power sector, with its sectoral regulators, i.e., Electricity Regulatory Commissions, has not even applied its mind to the issues of data protection when many distribution companies deal with personal data. In fact, across the sector, there may be a disparity between government discoms and private discoms. Even in the healthcare sector, there are many stakeholders, especially smaller clinics and nursing homes, who may not be ready to make the expedited change. It is not clear whether a holistic sector-wise analysis has been done by the government or if MeitY is just rushing in on the expedited compliance. Critics are uncertain about the preparedness of government entities nationwide.

With any new system, there are challenges, and with the new data protection regime being enforced in India, all key stakeholders will have to manage and deal with the limited digital literacy of India's population. Operational issues in the management of consent across platforms, a rise in costs, enhanced compliance, et cetera, will all arise and put the Indian ecosystem to the test. The uncertain global environment makes it harder, but true consent is consensus ad idem (meeting of the minds), which can only happen when that consent is free, informed, and voluntary. Any rushed consent will neither be free nor will it be in the spirit of the DPDP Act, the purpose for which the data protection law was enacted.

This strategy of the government will be tested. Simultaneously, a well-functioning data protection regime could strengthen India's argument that data in India will adhere to strong standards. This thought process seems to indicate that the sooner companies comply, the quicker India's digital markets can claim parity with other jurisdictions qua privacy norms, potentially easing cross-border data flows for businesses. What is worth noting, however, is that industry bodies and companies have voiced reservations, arguing that an 18-month horizon was already tight given the complexity of overhauling data systems and processes.

As the level of readiness varies significantly across industries, some have a head start with their global compliance experience and existing regulations. For many others, however, it will be trial by fire. With respect to regulated sectors, sectoral compliance may also vary and add pressure to the timelines. Accelerated timelines will necessitate commitment by top management and a proactive shift in the attitudes of organizations. While the next 12 months remain compliance-intensive, the true test will come as the deadline of November 2026 nears. India will see whether its stakeholders can collectively rise to meet a modern data protection standard in time and whether it will lead to a lasting culture of privacy and accountability in the digital domain.

Authors are Advocates practicing at Supreme Court of India. Views are personal.
