Introduction And Background
For many decades, Indian law did not have a comprehensive data protection framework, and issues relating to personal data were addressed only indirectly through constitutional provisions, sectoral regulations, and general principles of administrative and criminal law.
This changed decisively with the landmark judgment of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), where a nine-judge Bench unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution.
The Court recognised privacy not merely as a negative right against State interference, but also as a positive right that requires the State to put in place a strong legal framework to protect individuals against misuse of their personal data by both State and non-State actors.
Srikrishna Committee And Policy Foundation
Pursuant to this judgment, the Government constituted a Committee of Experts under the chairmanship of Justice B.N. Srikrishna to examine issues relating to data protection and to propose a comprehensive legal framework for India.
The Committee’s work laid the intellectual and policy foundation for a dedicated data protection statute.
Enactment And Operational Framework
This legislative process resulted in the enactment of the Digital Personal Data Protection Act, 2023, which aims to regulate the processing of digital personal data in a manner that balances individual privacy with lawful and necessary data use.
To operationalise the Act, the Central Government subsequently notified the Digital Personal Data Protection Rules, 2025, which lay down detailed procedural and compliance requirements relating to notice, consent, security safeguards, breach reporting, and special protections for children and persons with disabilities.
Objectives Of The Digital Personal Data Protection Act, 2023
The main objectives of the DPDP Act are:
- To recognise and protect the right of individuals to their personal data in the digital environment.
- To regulate the processing of digital personal data in a lawful, fair, and transparent manner.
- To impose clear obligations and accountability on entities processing personal data.
- To confer enforceable rights on individuals in relation to their personal data.
- To establish an effective enforcement mechanism through the Data Protection Board of India.
- To provide for penalties and remedies in cases of non-compliance and personal data breaches.
- To balance individual privacy with legitimate business, governance, and public interest needs.
Applicability And Scope Of The Act
According to Section 3, the DPDP Act applies to the processing of “digital personal data” in India, including personal data that is collected in non-digital form but is subsequently digitised.
It also has extra-territorial reach and applies to processing outside India if such processing is connected with offering goods or services to individuals in India.
At the same time, the Act does not apply to personal data processed by an individual for purely personal or domestic purposes, nor to personal data that is made publicly available by the individual herself or under a legal obligation.
Quick Overview Of Scope
| Aspect | Coverage |
|---|---|
| Type Of Data | Digital personal data and digitised data |
| Territorial Scope | India and extra-territorial (if linked to goods/services in India) |
| Exclusions | Personal/domestic use; publicly available data |
Key Definitions Under the DPDP Framework
The DPDP Act contains a detailed definition clause in Section 2.
- Digital Personal Data (Section 2(n)): This means personal data that exists in digital form. The DPDP Act mainly deals with this category of data, such as data stored on computers, mobile phones, servers, or cloud platforms.
- Data Principal (Section 2(j)): A Data Principal is the individual to whom the personal data relates. If the individual is a child or a person with disability, the term also includes the parent or lawful guardian acting on their behalf.
- Data Fiduciary (Section 2(i)): A Data Fiduciary is any person or entity that decides the purpose and means of processing personal data. In practical terms, this is the organisation or person who is in control of why and how the data is used.
- Data Processor (Section 2(k)): A Data Processor is any person or entity that processes personal data on behalf of a Data Fiduciary. For example, a cloud storage provider or an IT service company processing data for another company is a Data Processor.
- Processing (Section 2(x)): Processing means any operation performed on digital personal data, such as collecting, storing, using, sharing, analysing, or deleting the data.
- Consent Manager (Section 2(g)): A Consent Manager is a person registered with the Data Protection Board who helps a Data Principal give, manage, review, and withdraw her consent through an accessible and transparent platform.
- Significant Data Fiduciary (Section 2(z)): A Significant Data Fiduciary is a class of Data Fiduciaries that may be notified by the Central Government under section 10. Such entities are subject to additional compliance duties under the Act.
Notice And Consent Under The DPDP Framework
The DPDP Act is based on the principle that personal data should normally be processed only after the individual is properly informed and has agreed to such processing. For this reason, the law first lays down rules on notice in Section 5, and then deals with consent in Section 6.
Notice Under Section 5
Section 5 makes it mandatory for every Data Fiduciary to give a notice to the Data Principal before or at the time of seeking consent. This notice must clearly inform the individual about what personal data will be processed and for what purpose. It must also explain how the individual can exercise her rights under the Act and how she can make a complaint to the Data Protection Board. In everyday life, we usually see such notices as privacy notices or privacy pop-ups on websites and mobile apps.
Illustration
Suppose X opens a new mobile banking app. Before asking X to click “I agree”, the bank shows a screen explaining that it will collect X’s name, identity details, and transaction information to open and operate the account, and also tells X how she can withdraw consent later. This screen is the notice required under Section 5.
Rule 3 of the DPDP Rules, 2025, further explains how this notice should be given. The Rules require the notice to be presented in a clear and understandable manner, independent from other information, and in simple language. The notice must also provide easy ways for the Data Principal to withdraw consent, exercise her rights, and approach the Board in case of grievance.
Consent Under Section 6
Section 6 provides that consent must be free, specific, informed, unconditional, and unambiguous, and must be given through a clear affirmative action. In practice, consent is what we usually give when we click “Accept” or “Allow” after reading (or being shown) a privacy notice on an app or website. Consent is valid only for the specific purpose mentioned in the notice and only for such data as is necessary for that purpose. The Act also gives the Data Principal the right to withdraw consent at any time, and the process of withdrawing consent must be as easy as the process of giving it. If consent is withdrawn, the Data Fiduciary must stop processing the data within a reasonable time, unless the law allows such processing to continue.
Illustration
If a fitness app takes a user’s consent to process her health data only to track daily steps, it cannot use the same consent to send marketing messages or share the data with advertisers. If the user later withdraws her consent, the app must stop using her health data for tracking steps as well.
The Act further allows consent to be managed through a Consent Manager, who acts on behalf of the Data Principal and must be registered with the Data Protection Board.
Rule 4 of the DPDP Rules, 2025, deals with the registration and functioning of Consent Managers and lays down their duties and responsibilities.
Obligations Of Data Fiduciaries
Under the DPDP Act, the Data Fiduciary carries the primary responsibility for lawful and safe processing of personal data. Section 8 provides general obligations of Data Fiduciaries:
- Overall responsibility for compliance (Section 8(1)): The Data Fiduciary remains responsible for compliance with the Act even if the data is processed through a Data Processor. Outsourcing does not shift legal responsibility.
- Engaging Data Processors only under valid contracts (Section 8(2)): A Data Fiduciary can use a Data Processor only under a valid contract that ensures compliance with the DPDP framework.
- Ensuring accuracy and completeness of data (Section 8(3)): Where personal data is likely to be used for making decisions affecting the Data Principal or is likely to be shared, the Data Fiduciary must ensure that the data is accurate, complete, and consistent.
- Implementing technical and organisational measures (Section 8(4)): The Data Fiduciary must put in place appropriate technical and organisational measures to ensure effective compliance with the Act.
Taking Reasonable Security Safeguards (Section 8(5) And Rule 6)
Section 8(5) requires the Data Fiduciary to take reasonable security safeguards to prevent a personal data breach. Rule 6 sets out what these safeguards should include:
- Use of measures like encryption, masking, or similar safeguards,
- Controlled access to systems and data,
- Logging, monitoring, and review of access,
- Backup and recovery measures,
- Security-related clauses in contracts with Data Processors, and
- Organisational and technical steps to ensure security are actually followed.
Reporting Personal Data Breaches (Section 8(6) And Rule 7)
In the event of a personal data breach, Section 8(6) requires the Data Fiduciary to:
- Inform the Data Protection Board without delay, and
- Inform the affected Data Principals in a clear and concise manner.
Rule 7 specifies that the information must include the nature of the breach, its possible impact, and the steps taken to reduce harm.
Erasure Of Personal Data When No Longer Needed (Section 8(7))
Section 8(7) requires the Data Fiduciary to erase personal data when:
- The Data Principal withdraws consent, or
- The purpose for which the data was collected is no longer served,
unless retention is required by law.
Publishing Contact Details For Queries And Grievances (Section 8(9))
The Data Fiduciary must publish the business contact details of the Data Protection Officer (if applicable) or of a person who can answer questions about data processing.
Significant Data Fiduciaries (SDFs)
The DPDP Act under section 10 creates a special category called Significant Data Fiduciaries (SDFs) for entities whose data processing activities pose higher risks to individuals.
A Data Fiduciary may be classified as an SDF by the Central Government based on factors such as:
- The volume of personal data processed,
- The sensitivity of the personal data processed,
- The risk of harm to the rights of Data Principals,
- The potential impact on the sovereignty and integrity of India,
- The risk to electoral democracy, security of the State, or public order, and
- Any other factor that indicates a higher level of risk from the data processing activity.
For example, large social media platforms handling data of millions of users, major e-commerce marketplaces processing customer behaviour and payment details, and big fintech or banking platforms dealing with financial data may be classified as Significant Data Fiduciaries because of the scale, sensitivity, and impact of their data processing activities.
Once an entity is classified as a Significant Data Fiduciary, it becomes subject to additional compliance obligations. These include:
- Appointing a Data Protection Officer, who will be responsible for ensuring compliance with the Act and will serve as a point of contact for grievance redressal.
- Appointing an independent data auditor to carry out a data audit and evaluate the compliance of the SDF.
Rights And Duties Of The Data Principal
The DPDP Act gives important rights to the Data Principal, that is, the individual to whom the personal data relates. These rights are meant to give people real control over their personal data and to ensure that Data Fiduciaries remain accountable.
Rights Of The Data Principal
Major rights of the Data Principal include:
- Right to access information about processing: Under section 11, a Data Principal has the right to obtain information about what personal data is being processed and the identities of the Data Fiduciaries and Data Processors with whom such data has been shared. For example, if X uses an online shopping app, she can ask the company to tell her what personal data of hers is stored and with whom it has been shared, such as delivery partners or payment service providers.
- Right to correction and erasure: Under section 12, a Data Principal has the right to get inaccurate or misleading personal data corrected, completed, updated, or erased, depending on the purpose for which the data is being processed. Illustration: If X finds that her address is wrongly recorded on a banking app, she can ask the bank to correct it. If she closes her account and the data is no longer needed, she can ask for erasure, unless the law requires the bank to keep it. Rule 8 further states that, at least 48 hours before the data is erased, the Data Fiduciary must inform the Data Principal that the data will be deleted.
- Right to grievance redressal: Under section 13, a Data Principal has the right to raise a grievance with the Data Fiduciary and, if not satisfied, to approach the Data Protection Board of India.
Duties Of The Data Principal
Section 15 of the Act places certain duties on the Data Principal. These include:
- Not impersonating another person while providing personal data,
- Not suppressing material information while providing personal data for documents, services, or benefits,
- Not filing false or frivolous complaints, and
- Furnishing only such information that is verifiably authentic.
These duties ensure that the data protection system is not misused and that Data Fiduciaries can rely on the information provided to them.
Special Categories: Children And Persons With Disabilities
The DPDP Act recognises that children and persons with disabilities require a higher level of protection in matters relating to personal data. Section 9 of the Act provides that before processing the personal data of a child, who is defined as a person below eighteen years of age, the Data Fiduciary must obtain verifiable consent of the parent or lawful guardian. Rule 10 of the DPDP Rules, 2025, explains how such verifiable consent should be obtained and requires the Data Fiduciary to adopt appropriate technical and organisational measures to ensure that the person giving consent is actually the parent or guardian.
Illustration
If a child wants to create an account on an online learning platform, the platform must first verify and obtain consent from the child’s parent or guardian before collecting and using the child’s personal data.
A similar protective approach is taken in the case of persons with disabilities who have lawful guardians. Under Section 9 of the Act read with Rule 11 of the Rules, where a person with disability has a lawful guardian, the Data Fiduciary must obtain verifiable consent from that guardian before processing the personal data of such person, and must take due care to verify the authority of the guardian under the applicable law.
Cross-Border Data Transfers
Section 16 allows digital personal data to be transferred outside India, subject to conditions notified by the Central Government. The Act follows a permissive approach and permits cross-border data flows unless a country or territory is specifically restricted by the Government. This ensures continuity of global digital services while keeping regulatory control with the State.
Exceptions And Exemptions Under The DPDP Act, 2023
The DPDP Act provides certain exclusions and exceptions to ensure that the law does not interfere with private life and essential State functions:
| Category | Provision | Description |
|---|---|---|
| Personal or domestic purposes | Section 3(c)(i) | The Act does not apply to personal data processed by an individual for purely personal or domestic use, such as private contacts or personal communications. |
| Publicly available data | Section 3(c)(ii) | The Act does not apply to personal data that is made publicly available by the Data Principal herself or by any person under a legal obligation to disclose such data. |
| Certain legitimate uses | Section 7 | Processing without consent is permitted for: providing subsidies, benefits, services, certificates, licences, or permits by the State; performing functions under law; compliance with court orders or legal obligations; medical emergencies, public health situations, disasters, and breakdown of public order; and employment-related purposes and safeguarding the employer from loss or liability. |
The Data Protection Board Of India
The Data Protection Board of India is established under Chapter V of the Digital Personal Data Protection Act, 2023. Under Section 18 of the Act, the Board is established as a statutory body. It is a body corporate, having perpetual succession and a common seal, with the power to acquire, hold, and dispose of property, and to sue or be sued in its own name.
Nature And Composition Of The Board
The Board shall function as a digital office, meaning that its proceedings and operations are conducted in an electronic mode rather than through traditional physical hearings. The Act allows the Board to regulate its own procedure, provided it follows the principles of natural justice.
According to Section 19, the Board should consist of a Chairperson and such other Members as the Central Government may notify. The Government prescribes their qualifications, method of appointment, terms of service, and other conditions. Members are expected to possess knowledge and experience in fields such as data governance, information technology, law, public administration, or related areas.
Powers And Functions Of The Board
The Board has important powers to:
- Inquire into complaints filed by Data Principals regarding violations of their rights.
- Inquire into personal data breaches reported under Section 8(6) of the Act.
- Issue directions to Data Fiduciaries or other persons to ensure compliance with the Act.
- Call for information, documents, and records necessary for conducting an inquiry.
- Summon and examine persons relevant to the proceedings.
- Impose monetary penalties where non-compliance is established.
- Issue a warning or impose costs on the complainant if the Board finds that a complaint is false or made with malicious intent.
The Board also has powers similar to those of a civil court while conducting inquiries. Under Section 28, the Board has the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in matters relating to:
- Summoning and enforcing the attendance of any person and examining them on oath,
- Requiring the discovery and production of documents,
- Receiving evidence on affidavits,
- Requisitioning public records from any office.
Penalties And Consequences Of Non-Compliance
Section 33 provides that if the Board finds a breach of the Act, it may impose monetary penalties as specified in the Schedule. Below is a summary of the penalties provided in the Schedule:
| Type Of Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach (Section 8(5)) | Up to ₹250 crore |
| Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6)) | Up to ₹200 crore |
| Failure to fulfil additional obligations in relation to children’s data (Section 9) | Up to ₹200 crore |
| Failure to fulfil additional obligations of Significant Data Fiduciaries (Section 10) | Up to ₹150 crore |
| Failure to comply with the duties of the Data Principal (Section 15) | Up to ₹10,000 |
| Breach of any other provision of the Act not specifically listed above | Up to ₹50 crore |
The Act follows a civil penalty model, meaning penalties are monetary and not criminal in nature.
Appellate Structure
If a person or organisation is aggrieved by an order of the Data Protection Board, Section 29 provides the right to appeal before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within sixty days from the date of receipt of the order. The Tribunal has the power to confirm, modify, or set aside the Board’s order. Further appeal lies to the Supreme Court of India on substantial questions of law.
Compliance Roadmap Under The DPDP Act And Rules
With the notification of the DPDP Rules on 14 November 2025, India’s digital personal data protection framework became fully operational and entered a phase-wise compliance timeline that gives organisations and other entities time to adjust systems and adopt responsible data practices. The Rules specify an 18-month phased compliance period to allow a smooth transition to full enforcement.
Key Implementation Timeline
- 14 November 2025: Rules 1-2 (Title & Definitions) and Rules 17-21 (Administrative rules for Data Protection Board setup) are immediately active and enforceable.
- 13 November 2026: Rule 4 (Registration of Consent Managers) becomes active.
- 13 May 2027: End of the 18-month compliance period. From this date, all substantive obligations under the DPDP Act and the Rules, such as notices, consent mechanisms, security safeguards, breach reporting, Data Principal rights, and obligations of Significant Data Fiduciaries (SDFs), become enforceable.
Challenges In Implementation
- Updating Existing Systems: Many organisations will need to redesign their websites, apps, consent forms, privacy policies, and internal systems to meet the new notice and consent requirements.
- Managing User Rights Efficiently: Companies must create simple systems for users to access, correct, erase, or withdraw consent. Handling large volumes of such requests can be difficult.
- Data Security Readiness: Organisations must strengthen their technical safeguards such as encryption, access controls, logging, and monitoring. Smaller businesses may struggle with the cost and expertise required.
- Breach Detection And Reporting: The law requires quick reporting of personal data breaches. Companies must have proper internal processes to detect breaches and inform the Board and affected individuals without delay.
- Awareness And Training: Employees and management must understand their responsibilities under the Act. Lack of awareness may lead to accidental non-compliance.
Conclusion
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, bring an important change in how personal data is protected in India. For the first time, India now has a clear legal framework that explains how digital personal data should be collected, used, stored, and deleted. The law gives individuals specific rights over their personal data and places clear responsibilities on organisations that handle such data.
The phased compliance timeline gives companies enough time to prepare and update their systems. The creation of the Data Protection Board and the system of Consent Managers helps ensure that the law is properly implemented and monitored. By May 2027, when full compliance becomes mandatory, data protection will become a regular and essential part of how organisations operate.
FAQs on the DPDP Act and Rules
- What is the DPDP Act?
The Digital Personal Data Protection Act, 2023, is India’s primary law regulating the processing of digital personal data with a focus on consent, transparency, accountability, and individual rights.
- When were the DPDP Rules notified?
The DPDP Rules, 2025, were notified on 14 November 2025, operationalising most of the substantive provisions of the Act.
- What is a Consent Manager?
A Consent Manager is a registered entity that helps Data Principals give, manage, review, and withdraw consent across multiple Data Fiduciaries through interoperable platforms.
- Who is a Data Protection Officer (DPO)?
A Data Protection Officer is a person appointed by a Significant Data Fiduciary under Section 10 of the DPDP Act. The DPO is responsible for ensuring that the organisation complies with the Act and the Rules. The DPO also acts as a contact point for Data Principals who want to raise grievances or ask questions about the processing of their personal data.
- Does the Act apply to personal or family use of data?
No. The Act does not apply to personal data processed by an individual for purely personal or domestic purposes.
- What happens if a company fails to comply with the Act?
If a company fails to comply, the Data Protection Board of India can impose monetary penalties. The amount depends on the nature and seriousness of the violation.