Top 10 operational impacts of India’s DPDPA – Scope, key definitions and lawful data processing

This article is part of a series that explores components of the DPDPA.

Since the Supreme Court of India declared the right to privacy a fundamental right in a landmark 2017 judgement and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. India achieved its goal with the enactment of the Digital Personal Data Protection Act on 11 Aug. 2023, followed by the notification of the Digital Personal Data Protection Rules, 2025 on 13 Nov. 2025 to enforce and operationalize the law.  

The DPDPA replaces a set of rules made under Section 43A of the Information Technology Act, 2000 — which superficially resemble a data protection law with a non-functioning enforcement system and no reported cases to date.  

In crafting the DPDPA, India’s government reviewed established privacy frameworks in other countries including the EU General Data Protection Regulation, whose influence is evident through some of the legal concepts in the act.  That said, while individual data privacy and consumer rights lie at the heart of the GDPR and other data protection laws, the DPDPA appears to have also been driven by India’s concerns around national security and other political issues. This may explain the unique and distinct features of the act that depart from the GDPR and similar data privacy regimes.

Scope