Data privacy law comes into effect, two years after Parliament approval

POLITY – BILL/ACT

15 NOVEMBER 2025

  • The Union government notified large parts of the Digital Personal Data Protection (DPDP) Act, 2023, addressing the need for a law to protect the data privacy of Indian citizens.
  • The DPDP Rules, 2025 are also a significant step forward in compliance with the Supreme Court’s 2017 K.S. Puttaswamy v. Union of India judgment affirming the right to privacy.
  • The DPDP Act, 2023, has gone through three major drafts since 2017, with the first draft in 2018 imposing conditions like data localisation that were furiously resisted by technology firms.

Digital Personal Data Protection (DPDP) Act, 2023

  • It was passed by Parliament and got Presidential assent in August 2023.
  • Digital Personal Data is personal data that is collected in digital form or digitized later.
  • It seeks to balance the right of individuals called “Data Principals” to protect their personal data, with the legitimate need of entities “Data Fiduciaries” (a person, company, government body) to process that data.
  • Data fiduciaries will have until November 2026 to comply with some provisions, such as putting out the details of their designated Data Protection Officer.

Territorial Reach:

  • The Act applies to data processed within India. It also applies to data processed outside India if it is in connection with offering goods or services to people in India.

Exemptions for the “State and its instrumentalities”

  • Transparency activists have said the law weakens the Right to Information Act, 2005 by removing the obligation of government bodies to provide “personal information” if the public interest outweighs a public official’s right to privacy.

Consent

  • Consent must be “freely given, specific, informed, unconditional, and unambiguous.”
  • Data fiduciaries must clearly inform data principals about what data they are collecting, for what purpose, how it will be used, and who it may be shared with.

Storage Limitation

  • Data should not be kept longer than necessary. Once it is no longer needed for the stated purpose, it should be deleted.

Minor’s Data

  • There are special provisions for processing data of minors (under 18), including stronger obligations.

Rights of Data Principals

Under the DPDP Act, data principals have various rights:

  • Right of Access: They can ask to see what personal data is held about them.
  • Right to Correction: They can ask for inaccurate or outdated data to be corrected.
  • Right to Erasure (“Right to be Forgotten”): They can request deletion of their data when it’s no longer needed.
  • Right to Withdraw Consent: They can withdraw previously given consent, which should stop further processing (unless there’s another lawful basis).
  • Right to Nominate: A data principal can nominate someone else (a “consent manager”) to exercise these rights on their behalf, e.g., in case of death or incapacity.
  • Grievance Redressal: They have a right to lodge complaints or grievances – the Act provides a mechanism for this.

Data Protection Board of India

  • The Act establishes a Data Protection Board under the central government.
  • Functions of the Board include investigating data breaches, adjudicating complaints, imposing penalties, issuing directions to data fiduciaries, and providing remedial actions.
  • The Board’s decisions can be appealed.

Penalties & Enforcement

  • Depending on the type of violation, fines can go up to INR 250 crore. For example:
    • Failure to notify a data breach: up to INR 200 crore.
    • Non-compliance related to children’s data: up to INR 200 crore.
    • Other miscellaneous breaches: smaller limits (e.g., up to INR 50 crore) for some categories.

Concerns

  • Government Exemptions: There are concerns over broad exemptions for government processing / “instrumentalities” which could lead to surveillance risks.
  • Board Independence: Some critics say the Data Protection Board may not be fully independent, since the government appoints its members.
  • Rules Pending: Many important operational rules are still to be notified by the government, which means some obligations and processes are not fully clear yet.
  • Compliance Cost: For startups and smaller businesses, implementing required processes (consent, DPOs, data mapping, security) can be expensive.
  • Ambiguity in “Legitimate Uses”: While legitimate use (other than consent) is allowed, what exactly counts as “legitimate” may be broad and somewhat undefined, leading to ambiguity.
  • Cross-Border Data Transfer Risk: While allowed, the rules/framing for which countries are allowed (“blocklist” approach) may create compliance complexity.

Why It Matters

  • In the digital age, personal data is extremely valuable (for businesses, governments, and others). Having a legal framework helps protect individuals’ privacy and gives structure to how data can be used.
  • This law is a step toward aligning India’s data privacy norms with global standards.
  • It also signals to businesses that data protection is a serious priority for regulation in India.
