With the Digital Personal Data Protection (DPDP) Act now active, India has declared a profound truth: Your data is your property. Your consent is not a formality, it is a right. And your digital identity belongs to you, not the platforms that happen to store fragments of it.
The privacy revolution didn’t arrive with noise. It arrived with a checkbox
Every day, millions of Indians tap “I Agree” faster than they blink.
A food delivery login. A telecom form. A loan app signup.
A thousand digital moments where data moves quietly.
But something historic has changed.
With the Digital Personal Data Protection (DPDP) Act now active, India has declared a profound truth: Your data is your property. Your consent is not a formality, it is a right. And your digital identity belongs to you, not the platforms that happen to store fragments of it.
It is a generational shift, but a complicated one.
Because while the law is clear in principle, the technology required to honour it simply does not exist today.
The illusion of control: You think you shared data with one app. Reality says otherwise.
Consider a simple scenario:
You open a food delivery app and share your name, phone number, address, and payment information.
In your mind, this data goes to one brand.
But the real journey looks like this:
- A cloud provider stores the data
- An SMS gateway sends your OTP
- An email service sends your receipt
- An analytics SDK tracks your behaviour
- A staffing vendor accesses details for customer support
- A payment processor handles your card
- A logistics partner receives your address
You didn’t give your data to one entity, you unknowingly gave it to an ecosystem of 10+ invisible actors, each leaving digital footprints you never see.
And under DPDP, every one of them becomes responsible for their part in the chain.
This simple truth triggers the core problem:
If data travels through a maze of disconnected systems… how will anyone track, revoke, or erase it when the user demands it?
DPDP gives you the right to revoke and erase. But today’s tech stack can’t do either.
DPDP empowers you with rights that were unimaginable a decade ago:
- Purpose-specific, informed consent
- The right to withdraw consent anytime
- The right to know who has your data
- The right to demand deletion
However, our current infrastructure wasn’t built to support these rights.
Revoking consent is hard not because companies resist, but because no one actually knows where your data ended up or how many copies exist.
Erasing data is hard not because businesses won’t, but because data is continuously:
- Copied
- Cached
- Stored
- Logged
- Processed
- Passed through multiple vendors
The law says your data must be deleted. The architecture says your data is already everywhere. This isn’t a legal challenge. It is a deep, structural technology challenge.
“Possession doesn’t mean ownership.” — Tapan Sangal, Chief Visionary, Kwala
One crucial dimension missing from most public debates is the difference between possession and ownership.
As Tapan Sangal, the Chief Visionary at Kwala, frames it:
“Just because a company is in possession of my data does not mean it owns my data. When my data sits with a bank, a telecom company, or any app, it still remains my property. They are only holding it in fiduciary capacity.”
This is the philosophical core of DPDP, and also its biggest implementation challenge.
If data remains the user’s property:
- It must remain encrypted everywhere it travels
- It cannot be accessed without explicit, purpose-bound consent
- Every layer of infrastructure holding it — server, vendor, SaaS tool — inherits fiduciary responsibility
- Every use of data requires renewed consent
Even if the data is sitting in a third-party system or across layers of cloud infrastructure, its usage cannot occur without your permission.
This introduces a powerful new paradigm:
Data does not change ownership when it moves, responsibility does.
This is a seismic shift in how India will conceptualise data governance.
The compliance noise is loud. The tech conversation is silent.
Legal firms, Big Four consultancies, and policy commentators immediately flooded the market with checklists and compliance timelines.
But none of these answer questions such as:
- Through which API did a phone number travel?
- How many vendors stored a copy?
- Where was it logged?
- How do we prove deletion across all systems?
- What cryptographic evidence confirms revocation?
DPDP cannot be fulfilled through documentation alone. It requires programmable, interconnected, auditable technology.
From “Tick Here” to “I Decide”: Consent becomes a digital asset
DPDP transforms consent from a static checkbox into a revocable, reusable, user-governed asset.
A new economy is emerging, the “Consent Economy”, where:
- Users regain full control over their data
- Consent is portable and standardised
- Revocation triggers automated workflows
- Deletion (or encryption-based wiping) becomes a verifiable event
- Businesses integrate with common consent rails rather than building fragmented systems
The question is no longer “Did the user agree?”
It is “How will you prove they agreed, withdrew, or limited that agreement?”
India needs a DPDP Wallet — a universal concenter for a billion people
To bring DPDP to life, India needs something simple yet powerful:
A DPDP Wallet — a universal consent dashboard.
A single interface on every smartphone where a user can:
- See every app that holds their data
- See what purpose was approved
- Track every usage of their information
- Revoke consent instantly
- View confirmations of deletion or encryption
- Securely store purpose-specific permissions
As Tapan Sangal puts it:
“The DPDP Wallet flips the internet.
Apps no longer decide how they use your data.
You decide how apps may use your data.”
Just as “Sign in with Google” changed onboarding for apps,
“Connect with DPDP Wallet” will change data rights for citizens.
Importantly, this wallet is not an authentication platform. It is a universal concenter — the keeper of consent.
The tech stack that must be built (rights need rails, not PDFs)
To support the DPDP Wallet, India needs new infrastructure rails:
1. Consent Ledger
A tamper-evident log that tracks every consent given, withdrawn, or modified.
2. Data Journey Mapper
Maps how a single piece of data travels across services, vendors, and infra layers — essential for revocation and deletion.
3. Revocation Engine
A programmable workflow that communicates consent withdrawal across all connected systems.
4. Encryption-Based Deletion Layer
Since true deletion is rarely possible, data must be encrypted such that it becomes inaccessible without user consent — a DPDP-compliant form of “digital forgetting.”
5. Standardised APIs for Developers
Turn a complex legal mandate into a simple technical integration.
This is not aspirational — it is essential. And someone must build these rails.
Why India can lead the world
- No other country has:
- A billion-person digital footprint
- A new privacy law arriving at the peak of AI adoption
- A thriving ecosystem of builders
- A culture of public digital infrastructure (UPI, ONDC, DigiLocker)
- A government willing to push large-scale data rights forward
India is not just responding to global trends — India is defining them.
DPDP gives India the opportunity to create the world’s first population-scale consent infrastructure.
Where Kwala stands
Kwala believes that DPDP is not just compliance — it is the blueprint for the next decade of digital India.
We see a future where:
- Data journeys are traceable
- Consent is programmable
- Revocation is instant
- Data is encrypted unless permissioned
- Businesses earn trust through transparency
- Users own a single universal consent identity
Tapan Sangal says:
“Digital footprints may exist everywhere,
but the ownership of those footprints must always remain with the individual.”
Kwala’s programmable backend is purpose-built for this future.
Conclusion: The consent economy is here; and the user finally sits at the centre
DPDP is more than a law. It is a statement of values. But values need infrastructure.
India now has the chance to build:
- A consent-first internet
- A user-owned identity layer
- A secure, encrypted, and accountable data ecosystem
- A model that the world can follow
And at the centre of that ecosystem sits one simple question:
If data belongs to the user, why shouldn’t the dashboard belong to the user too?
The time has come to build that dashboard.
And Kwala is ready to help lay the rails.
Topics
