Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Following close to eight years of intense deliberation, India's government has operationalized a Personal Data Protection Framework specifically designed to meet the needs of residents and businesses alike. With the Ministry of Electronics and Information Technology's 13 Nov. official notification of the Digital Personal Data Protection Rules, 2025, India's Digital Personal Data Protection Act has come into effect. 

Though the DPDPA passed 11 Aug. 2023, it was not operational until the notification of the rules, as timelines specifying its applicability were relegated to be outlined in the rules. Thus, the notification of the rules was critical to the DPDPA taking effect.

Alongside the rules, the government issued notifications to bring key provisions of the act into force and set out phased implementation timelines over the next 18 months. Minister of Electronics and Information Technology Ashwini Vaishnaw has stated intent to seek an amendment that would shorten the compliance transition period. 

The final rules are more or less similar to the draft released for consultation earlier in the year, though a few changes have been made in certain provisions. 

The final rules include an additional requirement to clearly mention the specified purpose(s) of personal data processing. With respect to data retention provisions, a new one-year minimum retention requirement is imposed on data fiduciaries. This inclusion primarily aims to facilitate responses to state agency requests related to national security, investigations and the determination of significant data fiduciary status. 

The rules also include a purpose-based exemption regarding children's data processing. These exemptions are narrowly defined to only cover health- and safety-specific purposes. 

For the execution of grievance redressal mechanisms, the rules now include a defined 90-day window for responding to requests. 

And most importantly, the rules operationalize the establishment of the regulator, the Data Protection Board, and the process for selecting committee members with immediate effect.

Protecting the fundamental right to privacy 

From the outset, India's government sought to use terms that showcase the framework's intent to protect individuals' fundamental right to privacy. Hence, the term "data subject" was re-imagined as "data principal" to communicate that the individual is at the heart of this law and not a mere subject of its requirements. The term "data fiduciary" was used over its global counterpart "data controller" to create a fiduciary responsibility for an organization while processing a data principal's personal data, holding data fiduciaries to a higher standard in line with constitutional commitments under the fundamental right to privacy.

These novel interpretations and supporting compliance mechanisms are characteristic of how the act codifies use of regulatory technology like consent managers to enable greater transparency around organizations' personal data use by enabling auditable provision and withdrawal of consent. The consent manager can also be utilized by the principal to make requests for grievance redressal. It is also reflected in how the act does away with the globally prevalent data classification approach of bifurcating compliance requirements between personal data and sensitive personal data, or special categories of data. This establishes a framework that holds all digital personal data at the same threshold.

It is fair to say the law focuses more on classification of entities to affix compliance requirements over classification of personal data and linking such data classification to additional compliance measures. Such a novel interpretation is deeply rooted in enabling meaningful compliance by assigning differential compliance burdens for the participant entities. 

The law further classifies data fiduciaries and significant data fiduciaries — the latter having to comply with additional compliance requirements by virtue of their size, business operations and scale of data processing. Processors are still a part of the regulatory ecosystem, but their compliance requirements flow through the data fiduciary.

The territorial and extra-territorial scope of the law is much in line with what has been articulated in the EU General Data Protection Regulation. India's DPDPA applies to any data processing activity taking place within India, with a notable exemption for processing digital personal data of non-resident individuals in India. 

This exemption primarily applies to foreign nationals who are not physically present in India but whose digital personal data is processed by a service provider in India. The extra-territorial scope of the law is limited to data processing connected to any activity related to the offering of goods or services to data principals within India.

The global view 

The law advances the global discussion on posthumous data rights, extending a codified right to the data principal to nominate a person to execute their rights in the event of their death. 

With respect to processing the data of children and individuals with disabilities, the law incorporates global mechanisms for obtaining parental consent. The mechanisms for operationalizing a parent or guardian's consent have been specified in the rules. To create a law that covers all datacentric regulatory considerations, a specialized separate law was not considered, as in the U.S. with the Children's Online Privacy Act. However, India's law significantly differs regarding the age of majority, considering any individual under the age of 18 years old a child. 

The DPDPA adopts an open approach towards the regulation of dataflows, allowing the free flow of personal data outside India, unless a transfer is expressly restricted by the central government. The rules have added that the government retains the power to impose additional safeguards for certain transfers it may deem high-risk or to restrict a type of transfer, including those to specific countries. 

Unlike other frameworks, like the EU GDPR, the DPDPA does not create a principle-level compliance obligation. However, certain core principles, such as informed consent, transparency, and individual participation rights, have been represented in the law — the most prominent being the requirement for notice to the data principal. Notice is expected to represent the linguistic diversity of India and ensure it is accessible and explainable to an individual in their colloquial language of choice. The rules also include further specifications on the contents of the notice.

Enforcement

India's Data Protection Board will be established with the operationalization of the DPDPA. The DPB is tasked with the adjudication and enforcement of the DPDPA and is planned to be an independent body capable of handling complaints against industry and government entities alike. However, the central government maintains control over the composition and operations of the board. The powers of rulemaking and proposing amendments to the act remain with the government. Many of the specific details pertaining to the above aspects have been elaborated in the rules.

Takeaways

The creation and operationalization of a stand-alone personal data protection regulation is a watershed moment in India's digital regulation journey. The DPDPA is a cornerstone regulation that establishes a firm foundation for digital innovation and e-governance services for India. 

Industry response has been mostly positive. However, it remains to be seen if the lean nature of the regulation and the reliance on subsequent rulemaking to enforce the law will ensure adequate protections for data principals. 

It is also yet to be determined if the centralization of control over rulemaking and framing of requirements around regulating dataflows will undermine the DPB's power and authority to appropriately govern the use of digital personal data in India.

Anand Krishnan, FIP, CIPM, CIPP/E, is senior manager digital trust and Shivangi Nadkarni is senior corporate vice president digital trust at Persistent Systems Ltd.