
India’s Data Protection Law Goes Live, Setting the Stage for a Bigger Shift Ahead


StratosAlly


The Ministry of Electronics and Information Technology (MeitY) has operationalised India’s Digital Personal Data Protection (DPDP) Act, 2023, by notifying the DPDP Rules that give the Act its working detail. The Act itself isn’t new: Parliament passed it in August 2023 and it received Presidential assent on August 11, 2023, but without the Rules it could not be applied. The notification marks India’s shift from a compensation-focused liability regime (Section 43A of the Information Technology Act, now sidelined) to a comprehensive regulatory framework for personal data. Notably, the Rules phase in over 18 months, so the law will not be fully enforced until 2027, giving organisations a substantial transition period to adapt how they handle the data of more than 800 million Indians.

Understanding What the Law Actually Does

At its core, the DPDP Act establishes a straightforward premise: individuals (“Data Principals”) have rights over their personal data, and organisations that determine how that data is processed (“Data Fiduciaries”) are subject to clear obligations. Consent is the default legal basis, but the Act also codifies “certain legitimate uses” that do not require it, such as provision of government services and benefits, medical emergencies, and public health measures. Critically, Section 17 carves out further exemptions under which personal data may be processed without consent, including enforcing legal claims, performing judicial functions, and preventing, detecting, investigating, or prosecuting offences.

The law replaces India’s fragmented privacy patchwork, which rested on Section 43A of the Information Technology Act, 2000, and the rules issued under it, a framework that had not been substantially updated since 2011. By comparison, the DPDP Act reads like it was written for the actual internet, not for the technology that existed when flip phones dominated Indian markets.

Data Fiduciaries must now provide clear, standalone notices before processing anyone’s data. Consent, when required, must be “free, specific, informed, unconditional, and unambiguous,” and withdrawing it must be as easy as giving it. Consent extracted through dark patterns or manipulative design does not meet that standard. Organisations must honour a Data Principal’s request to access, correct, update, or erase their information within 90 days. The Act also grants a Right to Nominate, allowing individuals to designate a person who can exercise these rights on their behalf should they die or become incapacitated.

Data retention takes centre stage: personal data must not be kept beyond the lawful, specified purpose for which it was collected unless another Indian law requires retention. Significant Data Fiduciaries, a class the Central Government notifies on the basis of factors such as the volume and sensitivity of data processed and the risk to Data Principals, face heavier obligations, including appointing a Data Protection Officer, commissioning independent audits, and carrying out regular Data Protection Impact Assessments. The intent is to translate privacy ideals into fixed operational standards.

For minors, the law draws a hard line. Processing a child’s data requires verifiable parental consent, and organisations may not track or behaviourally monitor children, or direct targeted advertising at them, without breaching the law.

The Act also does something unusual: it defines duties for the Data Principal, not just rights. Individuals must not file false or frivolous complaints with the Board, and must not impersonate another person to exercise data rights. Breaching these duties carries a financial sting of its own: a penalty of up to ₹10,000.

The Penalty Structure: When Fines Bite

The DPDP Act’s enforcement teeth belong to the Data Protection Board of India, now established with a Chairperson and four members and headquartered in the National Capital Region. The Board has the power to impose monetary penalties scaled to the severity of the violation.

The maximum fine? ₹250 crore (roughly USD 30 million) for failing to implement reasonable security safeguards to prevent personal data breaches, a penalty that can attach to the missing safeguards themselves, even if no breach has yet occurred. Failure to notify the Board and affected Data Principals of a breach within the window set by the Rules (a detailed report to the Board is due within 72 hours) carries a penalty of up to ₹200 crore. The same ceiling applies to violations of the obligations around children’s data. Organisations designated as Significant Data Fiduciaries (think major tech platforms, e-commerce giants, and large fintech firms) face penalties of up to ₹150 crore for missing their audit, impact assessment, or Data Protection Officer obligations.

These aren’t cautionary figures. They’re designed to sting. 

The Three-Phase Implementation Roadmap

The law’s staggered rollout reflects regulatory pragmatism. Phase 1, effective immediately from November 13, 2025, establishes the Board’s basic functioning and the definitions that the rest of the framework relies on. Organisations face no immediate compliance burden.

Phase 2, arriving November 13, 2026, brings the Consent Manager framework online. Consent Managers, independent platforms that help individuals manage their permissions across multiple services, must register with the Board. They face strict requirements: institutional independence from Data Fiduciaries, “data blindness” (they route consent but cannot read the personal data itself), and a minimum net worth of ₹2 crore.

Phase 3, the substantive heavy lift, takes effect May 13, 2027. This is when the core obligations switch on: notice requirements, consent mechanisms, breach notification, data retention limits, Data Principal rights, and the Board’s full powers to investigate and penalise.

For Significant Data Fiduciaries, the obligations intensify further. They must appoint a Data Protection Officer based in India, conduct a Data Protection Impact Assessment and an independent audit at least once every twelve months, and keep records sufficient to demonstrate both to the Board.

Why This Matters for India

India’s digital economy is expanding faster than most regulators can track. With more than 800 million internet users and growth outpacing regulatory capacity, the DPDP Act is an attempt to build guardrails before the car crashes. The law applies not only to personal data processed within India, but also to processing outside India where it is connected with offering goods or services to individuals in India.

The Act also breaks with drafting convention by using “she” and “her” to refer to individuals of any gender, in place of the traditional “he” and “him,” a deliberate signal that the law centres individuals rather than institutions.

Debate surrounds the DPDP Act’s amendment of Section 8(1)(j) of the Right to Information (RTI) Act, which now exempts personal information from disclosure under RTI requests without the earlier public-interest test. As a result, information linked to identifiable individuals receives stronger privacy protection even where a public interest in disclosure exists. Critics argue that this narrows transparency; the government contends it strikes the right balance between privacy and openness.

The Takeaway

India’s data protection law is finally real. Companies operating in India have eighteen months to move from incremental compliance patches to structural change. That timeline is both generous and punishing: generous for those who start now, punishing for those who wait until 2027. The Board exists, the Rules are published, and the framework is clear; how effective the law proves to be will depend on whether organisations treat compliance as a genuine transformation or merely a procedural requirement.

The fundamental right to privacy recognised by the Supreme Court in 2017 now has a statutory framework behind it. Organisations should start mapping their data flows, consent mechanisms, and breach response processes against these obligations now, rather than at the 2027 deadline.

