India’s evolving data protection landscape: The DPDP Act, 2023, and The DPDP Rules, 2025
India’s digital ecosystem is undergoing a historic transformation. With the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, and the notification of the DPDP Rules, 2025, the nation now has a comprehensive legal framework governing digital personal data. The Act establishes rights for individuals (Data Principals) and obligations for organizations (Data Fiduciaries), while the Rules operationalize those provisions with timelines, compliance obligations, and procedural clarity.
Together, they aim to protect citizens’ personal data, ensure accountability for entities processing such data, and promote a secure yet innovation-friendly digital economy.
1. Introduction: The Rise of Data Governance in India
India’s rapid digital expansion—marked by over 760 million internet users and deep penetration of mobile-first services—has amplified both opportunities and risks. Data breaches, unauthorized profiling, and privacy violations prompted calls for a legal overhaul.
Earlier, the Information Technology Act, 2000 and its SPDI Rules of 2011 offered limited safeguards focused on sensitive personal data. However, the Supreme Court’s 2017 judgment recognising privacy as a fundamental right changed the trajectory of Indian data policy.
This led to multiple iterations of data protection draft laws, culminating in the DPDP Act, 2023. The Act provided the legal foundation, while the DPDP Rules, 2025 supplied detailed operational mechanisms to fully activate the framework.
2. The DPDP Act, 2023: Foundation of India’s Data Protection Regime
The DPDP Act covers digital personal data, whether collected online or digitised offline. It also applies extraterritorially to organizations outside India processing data in connection with services offered to individuals in India.
Key Roles Under the Act
- Data Principal: The individual to whom the personal data relates.
- Data Fiduciary: Any entity determining the purpose and means of processing.
- Significant Data Fiduciary (SDF): Large or high-risk processors subject to enhanced obligations.
- Data Protection Board of India (DPBI): The enforcement and adjudication authority.
Core Principles
The Act is built on universally recognised privacy principles:
- Lawful purpose and consent-based processing
- Purpose limitation
- Data minimisation
- Accuracy and completeness
- Security safeguards
- Storage limitation
- Accountability
Rights of Data Principals
Individuals gain the rights to:
- Access their personal data from fiduciaries
- Seek correction and erasure
- Withdraw consent
- Nominate another person to act on their behalf
Children (under 18) require verifiable parental consent, and entities must not track or perform behavioural monitoring of children.
Obligations of Data Fiduciaries
Fiduciaries must:
- Provide clear and itemised consent notices
- Implement reasonable security safeguards
- Maintain accurate and up-to-date records
- Report data breaches without undue delay
- Comply with deletion requests once the data is no longer necessary
- Assist the DPBI with investigations
SDFs additionally must appoint an India-based Data Protection Officer, conduct periodic audits, and perform Data Protection Impact Assessments (DPIAs).
Penalties
The DPBI can impose penalties up to ₹250 crore for severe breaches, depending on nature, gravity, and duration.
3. The DPDP Rules, 2025: Operationalising the Act
Notified on November 14, 2025, the Rules provide detailed procedures for applying the Act.
Phased Implementation Timeline
The Rules adopt a staggered rollout:
- Immediate (Nov 2025): DPBI operational rules
- 12 Months (Nov 2026): Consent Manager provisions
- 18 Months (May 2027): Core compliance—consent, breach notifications, transparency duties, erasure mechanisms
This phased structure helps organisations gradually transition their systems.
Notices and Consent Requirements
Fiduciaries must:
- Provide standalone, simple, multilingual notices
- Clearly explain the purpose of data collection
- Facilitate easy withdrawal of consent
- Maintain logs of consent actions
Consent Managers—India-based registered entities—enable users to centrally manage consents across platforms.
Breach Reporting Obligations
Fiduciaries must notify:
- The DPBI within 72 hours with a detailed report
- Affected individuals without delay, outlining risks and mitigation steps
Children’s Data Rules
- Verifiable parental or guardian consent required
- Targeted advertising and behavioural profiling of children prohibited
- Additional safeguards for services accessible to minors
Data Retention and Erasure
- Data must be deleted once its purpose is fulfilled
- Sectors may have minimum retention periods
- Platforms must erase inactive accounts after three years unless legally required otherwise
Cross-Border Data Transfers
Data transfers are allowed except to countries restricted by the Central Government. Additional conditions may apply to SDFs.
4. High-Impact Changes Introduced by the Rules
1. Stricter Data Minimisation
Fiduciaries must justify each data element collected; excessive fields in forms must be eliminated.
2. Enhanced Safeguards for Children
Robust age verification and parental consent systems are required.
3. Stronger Breach Response Systems
Breach reporting is more rigorous and time-bound, pushing organisations to invest in detection systems and crisis protocols.
4. Clearer Cross-Border Transfer Pathways
A negative-list approach (restricted countries) simplifies global operations while retaining sovereignty.
5. Government Access Procedures
The Rules standardise the process for government data requests. Civil rights advocates call for more independent oversight in future revisions.
5. India’s DPDP Framework Compared to Global Models
Convergence with the GDPR
- Emphasis on consent and rights
- Definitions of data controller (as fiduciary) and processor
- Breach reporting and accountability
- Extraterritorial applicability
Key Distinctions
- Scope: DPDP applies only to digital data; GDPR covers all personal data
- Legal bases: DPDP primarily uses consent and legitimate uses, while GDPR offers six bases
- Sensitive data: DPDP does not differentiate, unlike GDPR
- Enforcement: India uses a single central DPBI; EU uses national DPAs
- Children’s protections: India has a higher age threshold (18) and bans targeted ads to children
These differences reflect India’s unique demographic, regulatory philosophy, and digital priorities.
6. Persistent Challenges and Criticisms
A. Government Exemptions
Wide powers for state agencies in sovereignty and national security matters raise concerns about potential overreach.
B. DPBI Capacity and Independence
Successful enforcement requires robust technical expertise, staffing, and independence from executive influence.
C. Undefined Concepts
Terms like “necessary” processing or adequacy for transfers require future guidance.
D. AI Governance Gap
The Act does not address:
- Algorithmic profiling
- Inferences generated by AI
- Data used for machine learning training
Supplementary AI-specific regulations may be forthcoming.
7. Practical Compliance Roadmap for Organisations
- Data Mapping: Document data flows, storage, and transfers.
- Consent Redesign: Update banners, forms, and privacy notices.
- Data Minimisation: Remove unnecessary data collection practices.
- Cross-Border Readiness: Review contracts and safeguards.
- Breach Response: Build rapid detection and reporting workflows.
- SDF Readiness: Prepare for DPIAs, audits, and appointment of a DPO.
- Rights Management: Set up processes for erasure, correction, and access requests.
- Vendor Management: Update contracts with processors and cloud providers.
- Staff Training: Build a privacy-aware organisational culture.
8. Enforcement Trends and Expected Regulatory Behaviour
Initial regulatory focus is likely to target:
- High-impact data breaches
- Children’s data violations
- Major digital platforms
- Failure to report breaches or comply with DPBI orders
Sectors such as fintech, telecom, ed-tech, and health may face earlier scrutiny.
9. Broader Policy Implications
Digital Sovereignty
India strengthens control over its citizens’ data while balancing global interoperability.
Competition Dynamics
Large corporates may find compliance easier, but uniform rules level the field for startups long-term.
Innovation and AI
Clearer rules encourage trusted digital products, but AI regulation must evolve alongside DPDP.
10. What Lies Ahead?
Key developments to monitor:
- DPBI guidance on adequacy, breach formats, and SDF classifications
- Judicial interpretation of state exemptions
- Sectoral regulators aligning domain rules
- International data transfer agreements
- Emergence of India’s AI governance framework
11. Strategic Recommendations
For Policymakers
- Strengthen oversight of exemptions
- Publish detailed implementation guidelines
- Build capacity within DPBI
For Businesses
- Adopt privacy-by-design
- Automate compliance and audits
- Regularly update privacy processes
For Civil Society
- Promote awareness of user rights
- Advocate transparency in state access
- Monitor enforcement consistency
12. A Foundation for India’s Digital Future
The DPDP Act, 2023 and DPDP Rules, 2025 mark a historic milestone for India’s digital governance. By granting individuals meaningful rights, imposing strict responsibilities on organizations, and creating a capable enforcement body, India positions itself among global leaders in data protection.
While challenges remain—such as refining government exemptions and developing AI governance—the framework establishes a strong, future-ready foundation. As India moves toward full implementation by 2027, adherence, accountability, and continuous evolution will shape a secure and innovation-driven digital future.
