The Supreme Court’s 2017 verdict, which held privacy to be a fundamental right, set the ball rolling for a comprehensive structure for protecting digital personal data. Eight years later, on November 13, 2025, MeitY (the Ministry of Electronics and Information Technology) formally notified the Digital Personal Data Protection (DPDP) Rules 2025, putting India’s first comprehensive data law into full effect.
It was the culmination of several years of rule making aimed at establishing a clear and practical system for managing digital personal data: safeguarding individual privacy, curbing unauthorised commercial use of data, reducing digital harms and fostering a safe space for innovation, while strengthening trust in India’s digital economy.
Getting India’s data protection law across the finish line took years of hard work – and a lot of back-and-forth. It started with multiple draft versions (three major ones, actually), endless rounds of public and stakeholder consultations, fierce debates in Parliament, and constant tweaks to make the rules practical instead of a compliance nightmare. After all that grinding, the Digital Personal Data Protection Act finally became law on August 11, 2023.
The detailed rules that followed have now created something genuinely balanced: a framework that puts citizens at the centre, protects their rights seriously, but doesn’t choke legitimate businesses or innovation.
It defines lawful processing, the obligations of data fiduciaries (the entities that handle such data), the rights and duties of data principals (the individuals the data relates to), and cross-border transfer norms. This paradigm shift from organisational responsibility to individual empowerment places India in closer alignment with global privacy regimes.
The Need
In today’s technology-driven environment, robust privacy governance has evolved far beyond mere reputational or compliance risk mitigation. It is now a foundational strategic imperative for any organisation aspiring to achieve genuine transparency, enduring stakeholder trust, and long-term sustainability.
India is a perfect example: nearly 900 million people online, the planet’s biggest biometric database in Aadhaar, touching the lives of 1.4 billion people, UPI doing over 12 billion transactions a month, and exploding fintech, health-tech, and e-commerce.
With that much personal data flying around, getting privacy right was no longer optional. Additionally, high-profile breaches – the Aadhaar leaks and the 2024 Star Health breach exposing personal details of 3.1 crore customers – showed that existing laws were inadequate.
The DPDP Act and its rules, which seem to mimic both the EU’s GDPR and Singapore’s Personal Data Protection Act, 2012, but with important Indian adaptations, demonstrate the nation’s resolve to cultivate a safe, reliable digital environment that protects citizens and inspires confidence among businesses.
India took its time and watched the rest of the world trip over GDPR-style regulations and an overly restrictive regime – heavy on paperwork, light on real-world flexibility, and arguably a drag on innovation – before coming up with a deliberately pragmatic law to govern privacy. It sets clear red lines on consent, children’s data, and government access, but doesn’t drown businesses in endless prescriptive detail. There’s breathing room built in – enough for startups to experiment, for global companies to adapt without rewriting their entire stack, and for the law itself to evolve as AI and new tech throw curveballs.
The Act also applies to processing that happens outside India, if it concerns offering goods or services to people in India. This ensures that foreign entities targeting Indian data principals remain subject to the Act’s obligations and protections, regardless of where the actual processing occurs. This is reflective of the geopolitical environment and concerns around India’s tech sovereignty.
The Data
Personal data includes any information that relates to an identified or identifiable individual – name, phone number, email, Aadhaar, PAN, location, IP address, health records, financial transactions, browsing history, biometric data, sexual orientation and religious beliefs.
It has become the new currency, powering AI and machine learning models, enabling hyper-personalised advertising and services, driving business decisions, credit scoring, insurance pricing, hiring, policing, and even governance. Governments and companies also use it for surveillance, national security, and public policy.
Research shows that almost all websites gather information automatically – browser type, device information, operating system version, IP address, click patterns, time spent on the website and bandwidth usage. Although these may appear harmless individually, when analysed together they can reveal deep insights into an individual’s online behaviour, preferences and even personality traits. In essence, they create a ‘digital clone’ of the user.
This apart, when we share personal information with a bank, that data is often passed on to third parties and used to market products to us. Until now, this practice has largely gone unregulated, and data breaches have been frequent — yet companies rarely faced real consequences.
That’s about to change. Under the new rules, companies must report any data breach to affected users and authorities within 72 hours or face substantial penalties for non-compliance. This will ensure far greater transparency on how personal data is handled and stored, while setting strict new standards for cross-border data transfers.
More Power to Individuals
The Internet has turned into a black box with people rarely realising when their data is being taken or how it is being used. Since modern technology and digital services cannot function without data, the Act doesn’t ban data usage—it simply insists on proper consent and transparency, leading to accountability.
The stress is on seeking specific and informed consent in “clear and plain language”.
A company or an entity has to disclose the purposes of processing, the specific uses of the data, and any intended disclosure to third parties along with the corresponding purposes. Without your permission, none of this will be allowed.
Individuals can also request access to their data, seek corrections and updates, and even ask for data to be erased in certain situations. Once a user withdraws consent, personal data has to be deleted unless a legal obligation to retain it applies. The individual rights also include appointing someone who, in case of your death or mental incapacity, can request deletion of your data on your behalf. This effectively treats personal data as an asset over which you retain rights even after death.
These apart, companies must provide an effective mechanism to address your complaints and protect your data with reasonable security measures.
Non-compliance with any of these provisions can attract penalties of up to Rs 50 crore.
In short, the DPDP Act shifts control back to the individual, makes data practices visible and accountable, recognises personal data as something you own and can control—even beyond your lifetime—and backs these rights with heavy financial penalties for violations.
Obligations & Timeline
To realise this vision, the DPDP rules introduce several key provisions, including an 18-month phased compliance period to help organisations upgrade their systems and adopt responsible data practices. They prescribe a simple, time-bound process for reporting personal data breaches. In the event of a breach, a data fiduciary must promptly inform all affected individuals. Every data fiduciary must also display clear contact information for data-related queries.
The staggered implementation timeline not only gives businesses sufficient time to prepare but also enables management to review and update their internal processes. It provides an opportunity to conduct a thorough data protection impact assessment (or data mapping exercise) to clearly identify what personal data is being processed, by whom, and for what specific purposes—especially as we transition to a stricter notice-and-consent framework combined with purpose limitation requirements.
Besides identifying gaps against the new law, organisations also have to redesign consent mechanisms, build user-rights infrastructure and strengthen security.
Significant Data Fiduciaries (SDFs) have extra obligations, including appointing a Data Protection Officer (DPO) based in India, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing independent audits.
Level of Preparation
Compliance involves substantial costs for system overhauls, training, and documentation, with penalties of up to Rs 250 crore for breaches adding financial pressure.
According to experts, the majority of companies are already well-prepared for the new compliance requirements. They have been reviewing and updating their workflows, internal processes, and the entire ecosystem of tools they use.
The global conversation around data protection gained real momentum with the introduction of GDPR, and today it has evolved far beyond mere regulatory compliance—it has become a genuine competitive advantage.
In India especially, as we step into the AI era where vast amounts of data are being collected and processed for diverse purposes, most companies now see strong data protection practices as a key way to build trust with Indian citizens and users.
Compliance To Competitive Edge
Implementing the compliance requirements under the Act and its rules will come with a substantial cost – not just financially, but also in terms of the time and mental bandwidth that startups will need to invest in understanding and meeting these obligations.
Unlike large corporations with dedicated compliance teams, small and medium enterprises (SMEs) often operate with lean budgets and lack in-house experts in data privacy law and technology. Hiring specialists or consultants is prohibitively expensive. This uneven preparedness risks “compliance fatigue” and could stifle innovation, as startups divert resources from growth to regulatory adherence.
However, adhering to the Act has become ever more critical – not only to keep operations running smoothly, but also to remain fully compliant and “clean” when venture capital firms perform due diligence ahead of a potential investment.
That said, there’s real inherent value in the trust this framework creates.
In conversations about the digital economy, concerns like “am I the product?” or “how is my data being used?” have traditionally favoured big companies, which were perceived as safer and more trustworthy, while startups were often seen as riskier. Now, with these regulations applying equally to everyone, the playing field is level.
Both large corporations and small startups have to comply in the same way, which means they will all face similar burdens in terms of money, time, and cognitive load. The key upside, especially for startups, is that they gain a significant boost in credibility and trust.
Compliance becomes a way for smaller players to signal to users that they are just as serious about privacy and security as the giants are.
However, the Act also acknowledges the challenges faced by startups and small enterprises. This recognition has paved the way for some sensible exemptions for DPIIT-recognised startups, which are not required to issue detailed notices to data principals before processing their data, helping them streamline operations without excessive paperwork. In addition, startups are not mandated to ensure the accuracy and completeness of personal data to the same extent as big-tech giants.
These carve-outs reflect a pragmatic, risk-based approach in the DPDP framework, balancing robust privacy protection with the need to foster a conducive environment for emerging digital businesses in India.
Exemptions & Gaps
The central government has the authority to exempt certain agencies from compliance obligations if their data processing activities are deemed necessary for safeguarding the sovereignty, integrity, or security of the state, maintaining friendly relations with foreign nations, or preserving public order. For private entities handling data in collaboration with the government, there may be a reduced compliance burden.
Currently, ten law enforcement and intelligence agencies are authorised under the relevant legal frameworks to intercept, monitor, and decrypt all information on any computer within the country. However, the law remains conspicuously silent on whether entities outside this closed list possess parallel or residual powers of surveillance over citizens. Equally opaque is the procedural safeguard, or lack thereof, that would govern future expansions, should the government choose to enlarge the cohort of authorised agencies or augment the toolkit (through new techniques, methods, or the procurement of foreign-origin surveillance technologies). That reduces transparency right now.
The Act also recognises the importance of research and data-backed studies, allowing processing of personal data for research, archiving or statistical purposes as long as the processing does not lead to a decision that affects a person directly.
While strict mandatory data localisation has been largely avoided, the government can still impose localisation requirements or outright transfer restrictions in targeted scenarios where national interest or security concerns arise. The DPDP Act adopts a ‘negative list’ approach to cross-border data transfer, giving the central government explicit authority to notify the restricted jurisdictions. In addition, it prioritises existing laws with stricter data protection when evaluating the permissibility of international data flows.
However, adopting a purely notification-based approach, devoid of any mandated standards or independent oversight, creates more risk and uncertainty for global businesses.
The Act and rules do not mandate publication of transparency reports by data fiduciaries or public authorities on access requests, algorithmic decision-making, or surveillance-enabling processing, which is a significant departure from the global best practices.
The Data Protection Board is conceived purely as a post-facto adjudicatory body rather than a proactive regulator. It has no supervisory or audit powers. Its jurisdiction is triggered almost entirely reactively – only after a breach or complaint is reported. This ex-post orientation severely constrains preventive and systemic enforcement.
The Board is the only route for grievance redressal. There is no ombudsman-like institution or dedicated privacy tribunal, which limits access to justice and may delay dispute resolution.
Critics argue that the DPDP Act weakens the RTI Act, whose existing framework adequately addresses privacy concerns. The exceptionally broad and ambiguous definition of “personal information” grants public authorities considerable discretionary latitude to reclassify previously accessible data as private, reducing scrutiny.
The Ministry, however, has asserted that the amendment does not restrict disclosure of personal information but instead ensures a balanced coexistence between privacy rights and the right to information. It stressed that citizens can still get information if public interest outweighs private concerns.