Digital Personal Data Protection Act (DPDPA) 2023 And Rules, 2025, In India: An Analysis

An analysis on DPDPA 2023 and DPDPA 2025

Abstract

The Digital Personal Data Protection Act (DPDPA), 2023, and the DPDP Rules, 2025, signify a landmark change in India’s data governance, transitioning from a fragmented, sectoral approach to an integrated Data Governance Framework. This article analyses the legal evolution after the Supreme Court’s Puttaswamy judgment and assesses India’s "Third Way", a strategic balance between the rights-based European GDPR and the market-driven American model.

The analysis explores key operational mechanisms, including the role of Data Fiduciaries, the expanded rights of Data Principals and the adjudicatory role of the Data Protection Board of India (DPBI). It further examines the phased 18-24 month implementation timeline and the significant technical challenges facing MSMEs, large corporations and government entities. The article concludes with recommendations for achieving compliance and fostering a "privacy-by-design" culture.

Introduction

The enactment of the DPDPA, 2023, marks a key step in creating a mature and accountable data economy. The legislation aims to give effect to the Right to Privacy, which was recognized by the Supreme Court in the landmark Puttaswamy judgment (2017). The DPDP Rules, 2025, which supply the governing structure, introduce clear obligations and penalties, transforming the landscape of digital business within and related to India. Together, the DPDPA, 2023 and the DPDP Rules, 2025 create a comprehensive, consent‑centric framework for processing digital personal data, with phased but strict obligations for organizations and meaningful rights for individuals. This aligns India with global privacy frameworks and the “Digital India” policy objectives.

Background: Concept & Existing Governing Laws for Privacy in India

Concept of Privacy in India

In India, the concept of privacy was not clearly defined in a single ruling but emerged as a patchwork of sectoral interpretations. Categorizing privacy in a way that does not hinder the country's development has been a challenge for the judicial system. The defining moment was the digitization of public services (such as Aadhaar), which shifted the concept of privacy from physical autonomy to control over one's own data. Today, privacy in India is viewed through a dual lens: a Fundamental Value (privacy as a fundamental human right) and an Active Value (privacy as a prerequisite for innovation, trust in the digital economy and the protection of other rights).

Milestones in Privacy & Governing Laws

Prior to the enactment of the DPDPA, 2023, privacy regulation in India was fragmented. The legal landscape was primarily governed by the following pillars:

The Constitutional Cornerstone: K.S. Puttaswamy v. Union of India (2017). This nine-judge bench judgment by the Supreme Court is the bedrock of modern Indian privacy law.

The Ruling: The Court unanimously held that the Right to Privacy is a fundamental right flowing from the Right to Life and Personal Liberty under Article 21 of the Constitution.

The Impact: It established that any state invasion of privacy must satisfy a triple test:

  • Legality: Existence of a law.
  • Necessity: A legitimate state aim.
  • Proportionality: A rational link between the object and means.

The Information Technology Act, 2000 (IT Act)

Prior to the DPDPA, the IT Act served as the primary statutory framework, chiefly through Section 43A.

SPDI Rules (2011): Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 required corporate entities to maintain reasonable security practices.

Limitation: These rules were restricted to corporate bodies and sensitive data, leaving enormous amounts of personal data largely unregulated.

Sectoral Regulations

In the absence of a central law, various regulators enforced privacy standards within their specific domains:

Financial Sector: The Reserve Bank of India (RBI) mandates data localization and strict confidentiality for payments data.

Telecom: The Unified License agreement imposes confidentiality obligations on telecom service providers regarding subscriber information.

Healthcare: The Digital Information Security in Healthcare Act (DISHA) (draft stage) and the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, govern patient confidentiality.

Shift to a Comprehensive Management

The limitations of Section 43A of the IT Act, specifically the lack of an independent regulator and weak enforcement mechanisms, necessitated a dedicated law. This journey began with the Justice B.N. Srikrishna Committee (2017), which drafted the initial Personal Data Protection Bill. Multiple draft data protection bills between 2018 and 2022 (the Srikrishna Committee bill, the 2019 PDP Bill and the 2022 draft DPDP Bill) were discussed and withdrawn before the current DPDPA 2023 was passed in August 2023 and notified with limited sections in 2023-24. The DPDP Rules, 2025 translate the mandate of the DPDP Act into execution by detailing procedures, thresholds, governance structures and timelines.

Overview of DPDPA 2023

The DPDPA 2023 regulates the processing of digital personal data in India, including data digitized from non‑digital form, and has extraterritorial reach. It applies to public and private entities, with exemptions for notified state functions, research and certain low‑risk processing.

Key Concepts:

Data Principal: Individual to whom the data relates (with provisions for children and persons with disabilities).

Data Fiduciary: Entity determining purpose and means of processing; Significant Data Fiduciaries (SDFs) carry enhanced obligations.

Data Processor and Consent Manager: Further defined roles in the processing ecosystem, with the Data Protection Board of India (DPBI) acting as the adjudicatory authority.

Highlights of DPDPA 2023

Consent and legitimate use: Consent must be free, specific, informed, unambiguous and signified through clear affirmative action, with clear notice in plain language, including in any Eighth Schedule language. Certain “legitimate uses” allow processing without consent (e.g., state functions, medical emergencies, employment and compliance).

Data Principal rights: Right to access, correction, completion and erasure, grievance redress and right to nominate another person to exercise rights in case of death/incapacity.

Children’s data: No tracking, behavioural monitoring or targeted advertising directed at children; processing requires verifiable parental consent, with room for future relaxations via rules.

Duties of individuals: Obligations not to file false complaints, suppress material information or impersonate others.

Penalties: Monetary penalties up to 250 crore INR per type of contravention, including higher slabs for security breaches and children‑related violations.

DPDPA Rules 2025

The Rules explain how the Act will operate in practice, including board composition, complaint handling, classification criteria and operational mechanisms. They also define technical and organizational requirements (security, consent management, record‑keeping) and phased enforcement.

Highlights

  • Data Protection Board of India (DPBI): Rules on its office, member composition, selection process and procedures for inquiries, hearings, and penalties.
  • Significant Data Fiduciary designation criteria: Thresholds based on volume/sensitivity of data, risk to rights, national security concerns and systemic importance. In addition, obligations for DPO appointment, independent audits and DPIAs.
  • Consent Managers: Registration criteria, technical standards, interoperability and grievance redress mechanisms.
  • Cross‑border transfers: Mechanism for government‑notified “Negative List” countries and sectors.
  • Notice, rights and grievance workflows: Detailed timelines, modalities (electronic, app‑based, assisted) and tracking obligations.

Enforcement and Implementation Timeline

The enforcement has been structured in phases to give organizations time to align.

  • Certain “enabling” sections of the Act and the DPBI‑related rules are effective from the date of Gazette notification (13 November 2025).
  • Rules 1, 2 and 17-21 (mainly preliminary, DPBI and procedural aspects) are effective immediately on publication.
  • Rule 4 (likely linked to registration or specific compliance obligations such as Consent Managers) comes into force one year after publication.
  • Rules 3, 5-16, 22 and 23, which cover the bulk of operational duties (rights handling, security controls, classification, penalty procedures), come into force 18 months after publication.
  • An overall 18-24 month period, implying full obligations in force by 2027, although sectoral regulators may compress timelines for critical industries.

Global Privacy Landscape: Contextualizing DPDPA

The operationalization of the DPDPA marks India’s entry into the global ecosystem of regulated data sovereignty and individual rights. The DPDPA's significance can be understood by reference to three data governance models:

European Model: "Rights-Based" Approach

  • Key Legislation: The General Data Protection Regulation (GDPR).
  • Viewpoint: Privacy is a fundamental human right. The focus is on comprehensive protection, granular user control and heavy penalties for non-compliance.
  • Impact on DPDPA: The GDPR is the primary architect of modern privacy law. Concepts in the DPDPA such as Data Fiduciary (Controller), Data Principal (Subject) and the requirement for Consent are drawn directly from the European framework. However, the DPDPA is more concise and business-friendly, with a lighter compliance burden, compared to the GDPR.

US Model: "Market-Driven" Collage

  • Key Legislation: No single federal law; relies on state laws like the California Consumer Privacy Act (CCPA) and sectoral laws (HIPAA for health, GLBA for finance).
  • Viewpoint: Privacy is a consumer protection issue rather than a fundamental right. The focus is on preventing harm and regulating specific industries rather than blanket data control.
  • Contrast with DPDPA: Unlike the US sectoral approach, India has opted for a single, federal framework applicable to all sectors, from government bodies to startups, aligning closer to the EU structure than the US model.

Authoritarian/Sovereign Model: "Security-First" Approach

  • Key Legislation: China’s Personal Information Protection Law (PIPL), Russia’s Data Laws.
  • Viewpoint: Data is a national asset. The focus is on Data Localization, keeping data within national borders for national security and state access.
  • India's Shift: Early drafts of the Indian law (2018/2019) leaned heavily toward this model, mandating strict localization. The final DPDPA, however, pivots toward a "trusted geography" approach, allowing cross-border data flows to notified countries unless specifically restricted.

India’s Position: "Third Way"

The DPDPA attempts to strike a pragmatic balance between these models. It avoids the immense compliance complexity of the GDPR and the fragmentation of the US model.

  • Simplicity: Unlike the 99 articles of the GDPR, the DPDPA is a short, principle-based legislation.
  • Digital-First: It is one of the few laws explicitly acknowledging the "digital" nature of modern data, excluding offline records to ease the administrative burden.
  • Global Interoperability: By shifting from a "whitelist" (only allowed countries) to a "blacklist" (all countries allowed except those restricted) for data transfers, India signals its intent to integrate with the global digital economy while retaining the power to "pull the plug" for geopolitical reasons.

Conclusion

The DPDPA, 2023 and the DPDP Rules, 2025 mark a decisive shift in India’s approach to privacy, from fragmented, sector-specific safeguards to a unified, consent-centric data governance framework. Rooted in the Puttaswamy judgment, the law balances individual rights, economic growth and state interests through India’s pragmatic “Third Way.” While phased implementation offers breathing room, organizations must act early to address governance, consent management and security challenges. Ultimately, sustained compliance will depend not just on legal alignment, but on embedding privacy-by-design as a core organizational value, strengthening trust in India’s rapidly evolving digital economy.

Watch for our next blog on the impact and challenges of the DPDP Rules.