Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 13 Nov., about 800 million internet users in India — roughly 15% of the world’s digital population — came under the ambit of a privacy law following the notification of the long-awaited Digital Personal Data Protection Act Rules, 2025 by the Ministry of Electronics and Information Technology.
For readers who would like some background: India's DPDPA passed 11 Aug. 2023. However, the date of its applicability was to be specified in the downstream DPDPA Rules. With the publication of these rules, we finally have timelines: The law becomes applicable for all entities and government departments 18 months from now — 13 May 2027 to be precise.
Along with the timelines, the rules also spell out several other aspects of the law, most detailing mechanisms associated with various provisions.
Children's data has been a focus area within the DPDPA. Some aspects around this have been elaborated, like mechanisms for instituting verifiable parental consent for the processing of children's data. A few exceptions to skipping this consent have also been listed, mainly for entities and purposes related to the provision of health care and the protection of a child under specific circumstances.
Another innovative concept outlined in the DPDPA is that of a consent manager — essentially a trusted third party that enables data principals to manage consents via its infrastructure. The rules elaborate on criteria for becoming a consent manager; outline the process of applying to the regulator, the Data Protection Board; and specify what actions the board is required to take.
The rules outline specific retention schedules for certain use cases and elaborate on timelines for breach notifications and data audits that significant data fiduciaries, a class of data controllers, must carry out, among several other requirements. My colleague, Anand Krishnan, and I wrote a detailed article that takes a holistic look at the act and rules.
Interestingly, four days after the notification of the rules, Minister of Electronics and Information Technology Ashwini Vaishnaw said the government was in talks with the industry to see if the 18-month deadline for compliance can be further shortened to 12 months. So, the weeks ahead promise to be interesting as the country settles into the era of the DPDPA.
Lest the excitement of the DPDPA Rules overshadow other developments in India's digital trust and governance arena, there has been action in other areas as well.
MeitY released the India Artificial Intelligence Governance Guidelines 5 Nov. Released under the aegis of the IndAI Mission, the guidelines are "a comprehensive framework to ensure safe, inclusive, and responsible AI adoption across sectors."
While these guidelines are not a compliance requirement per se, they are "envisioned as a foundational reference for policymakers, researchers, and industry to foster greater national and international cooperation for safe, responsible, and inclusive AI adoption." This is in line with the previously articulated direction of the government, reiterated by MeitY Secretary Shri S. Krishnan who said, "Our focus remains on using existing legislation wherever possible."
There are four key components in the framework:
- Seven "sutras" or guiding principles — trust, human centricity, responsible innovation, fairness and equity, accountability, understandability by design, and safety, resilience and sustainability — that have been adapted from the Reserve Bank of India's Framework for Responsible and Ethical Enablement of AI Committee report
- Six pillars of key recommendations that cover infrastructure, capacity building, policy and regulation, risk mitigation, accountability and institutions
- An action plan that is mapped to short, medium, and long-term outcomes
- Practical guidelines for various stakeholders
MeitY also proposed a draft amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 that requires mandatory labeling of synthetic content that is AI-generated by social media companies. The reaction to this has been mixed. We will have to wait and see if this ever comes to fruition.
In another interesting development, the National Commission for Women released its Review of Cyber Laws Relating to Women. The report is the result of a year-long exercise looking at India's cyber law framework from a gender lens. It is one of the most comprehensive reviews the NCW has undertaken at this scale and scope. The report proposes reforms to strengthen women's digital rights and privacy, enhance platform accountability and transparency, upgrade law enforcement and forensic capacities and promote greater public awareness.
On the adjudication and enforcement front, there was some resolution in early November in the long-drawn-out court battle between Meta and India's competition watchdog, the Competition Commission of India.
The case dates from January 2021 when WhatsApp updated its privacy policy to share user data with Facebook. The CCI's position was that this action was exploitative, giving Meta an unfair advantage in digital advertising given WhatsApp has a dominant position in India. Following this, in an order passed in November 2024, the CCI fined Meta and WhatsApp Rs 213-crore, approximately USD24 million. Further, the CCI disallowed WhatsApp from sharing data for five years.
Meta challenged this with the National Company Law Appellate Tribunal, which upheld the penalty and agreed with the CCI on the abuse of market dominance and violating the Competition Act. However, it reversed the five-year ban on data sharing, saying it was unjustified.
Just as an early winter sets in here, it is time to hunker down and chew on all these developments, working out the implications on businesses and organizations in the coming years.
Shivangi Nadkarni is senior vice president and general manager, digital trust at Persistent Systems Ltd.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
