India’s Digital Personal Data Protection Act is entering a critical phase with the unveiling of the 2025 Draft Rules. These proposed guidelines operationalize the Act, turning its framework into enforceable requirements, empowering individuals, and setting out robust Data Fiduciary obligations. Here’s what stakeholders must know to stay compliant and ready.

The Bigger Picture: Act Meets Rules

The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent on August 11, 2023, but is not yet enforced, pending notification of its implementation rules. The Draft Digital Personal Data Protection Rules, 2025 were published in early January 2025 for public consultation. They are designed to operationalize the Act, and feedback had been received from over 6,900 citizens and stakeholders as of July 2025.

Key Highlights of the 2025 Draft Rules

1. Data Fiduciary Obligations & Consent Requirements under DPDPA

  • Clear notice for consent is mandatory: fiduciaries must inform data principals about data collected, processing purpose, and withdrawal mechanisms.
  • Entry of Consent Managers: registered with the Data Protection Board and responsible for managing consent transparently and securely. 

2. Data Governance and Accountability

  • Significant Data Fiduciaries must conduct Data Protection Impact Assessments (DPIAs), undergo annual audits, maintain documentation (e.g., RoPA), and comply with algorithmic fairness and cross-border protocols.

3. Personal Data Breach Notification

  • Obligatory breach notification: notify data principals and, within 72 hours, report to the Data Protection Board with breach details and mitigation steps. 

4. Cross-Border Data Transfer Rules India

  • Draft Rules reinstated data localisation provisions for certain categories and allow exports only by government orders. 

5. Sensitive Personal Data Processing & Child Data Safeguards

  • Verifiable parental consent is required for minors under 18 on social platforms; automated age self-declarations must be authenticated.
  • Special processing rules for children and disabled persons—extra safeguards and verifiable consent. 

6. Data Principal Rights India

  • Individuals can access, correct, erase data, withdraw consent, complain, and appoint digital nominees to exercise rights. 

7. Penalties under DPDPA 2025

  • Though not fully detailed in the Rules, the Act mandates significant financial penalties (minimum ₹50 crore) for breaches.
  • Non-compliance, such as public collection of phone numbers without safeguards, now risks violation under new privacy norms. 

8. Time Period for Data Retention

  • e-commerce entities (with at least two crore registered users in India);
  • online gaming intermediaries (with at least fifty lakh registered users in India); and
  • social media intermediaries (with at least two crore registered users in India).

9. DPO Information

  • Must publish the business contact details of their Data Protection Officer (DPO) or an authorized representative on their website or app.

What It Means for You: A Privacy Compliance Checklist for Indian Businesses

Area: What to Do

  • Notices & Consent: Publish clear privacy notices on all digital touchpoints. Implement Consent Managers.
  • Security Safeguards: Encrypt data; maintain access controls, backups, and compliance contracts with processors.
  • Breach Response: Establish breach detection and reporting systems (notify within 72 hours).
  • Documentation & Accountability: Maintain RoPA; conduct DPIAs, audits, and algorithmic fairness checks.
  • Cross-Border Transfers: Monitor localisation requirements and legal channels for international data flow.
  • Child & Sensitive Data: Enable verifiable parental consent and adhere to specialised safeguards.
  • Rights Management: Implement mechanisms for data principals to access, erase, or nominate.
  • Industry Engagement: Stay updated on lobbying concerns, such as IAMAI’s request to exempt AI-data processing from the DPDP Act.

Complexity & Implementation Challenges for Organisations

While the 2025 Draft Rules promise clarity in many areas, several recent studies show that organisations — especially small and medium ones — will face substantial challenges in complying. These include:

High cost and resource demands
Research in the healthcare sector (e.g. “DPDP Challenges on Healthcare Data Security,” IJERCSE, December 2024) shows that compliance requires not only secure infrastructure (encryption, intrusion detection systems, secure cloud or on-premises storage), but also staff training, regular audits, and impact assessments. Smaller hospitals or clinics struggle with both financial resources and skilled personnel. 

Operational complexity across stakeholders
Many organisations do not control their entire data lifecycle. In healthcare, for instance, data flows across hospitals, third-party labs, insurers, and research institutions. Ensuring compliance across every link (i.e. that each third-party processor meets the required security, breach notification and related obligations) becomes very complex.

Ambiguities in definitions and responsibilities
Studies (e.g. “Navigating India’s Digital Personal Data Protection Act: Critical Implications and Emerging Challenges,” IJLSSS, 2025) point out that terms like “public interest,” “national security,” “reasonable purpose,” and what constitutes a “significant data fiduciary” are open to interpretation. Ambiguity creates legal risk and makes compliance planning difficult.

Cross-border compliance burdens
Organisations that operate internationally may have to comply not only with India’s DPDP Act and Rules, but also with foreign jurisdictions’ data protection laws (e.g. GDPR, among others). Differences in adequacy, contractual requirements, or standard data transfer mechanisms can lead to complex legal, logistical, and technical work. Research comparing cross-border data protection laws shows that this is one of the major hurdles.

Infrastructure & digital literacy gaps
In sectors or regions with less developed digital infrastructure (or smaller entities without dedicated IT/security teams), meeting the obligations (e.g. breach detection, documentation, audits) will be harder. Also, ensuring that consent is “informed” and “comprehensible” for data principals in lower literacy / rural areas is non-trivial. 

AI Training and Data Protection: A Complex Intersection

The Digital Personal Data Protection Act (DPDPA) presents unique challenges for AI developers. Training modern AI systems requires massive datasets, much of which may qualify as personal or sensitive personal data. Under DPDPA, companies must ensure lawful basis for processing, obtain valid consent, and follow purpose limitation—which may conflict with the broad, open-ended nature of AI training.

  • Problem: Consent requirements and restrictions on repurposing data make it difficult to use large datasets without violating the Act.
  • Impact: Indian AI startups may face higher compliance costs, delays in product development, and dependence on synthetic or anonymized data.
  • Possible Solutions: Leveraging federated learning, data anonymization techniques, and consent managers; collaborating with the upcoming IndiaAI Mission for compliance-friendly datasets.

Loopholes, Gaps & Novel Perspectives in the DPDP / Draft Rules

This section highlights areas where the Act or the Draft Rules leave room for issues that are not always explored in depth elsewhere.

Limited to digital personal data
One often-overlooked gap is that the DPDP Act (and the Draft Rules) applies only to digital personal data. Non-digital data that has never been digitised may fall outside its scope. This raises questions for sectors with paper-based records that are gradually digitizing: when does the law apply? What about mixed record systems?

This gap can allow organisations to argue that certain data is outside the DPDP obligations as long as it remains in analog form. On the flip side, as soon as data is digitised, compliance kicks in. This transition may create uncertainty.

Exemptions for government or for “public order / national security / public interest”
Multiple papers (e.g. IJLSSS 2025) point out that the law grants broad exemptions in favour of government/state bodies on grounds of public interest, national security, and public order. These may be necessary, but they are poorly defined, and they may become loopholes for surveillance or for weakening citizen protections.

Thresholds or risk criteria for breach notification
Some laws in other jurisdictions require reporting only of breaches that cross a harm or risk threshold. Under the current DPDP Act and Draft Rules proposals, every breach may need notification, regardless of magnitude or risk. That increases burdens and may lead to over-reporting or noise. Organisations will need clarity on what constitutes a “material” breach or a “significant risk” to data principals.

Consent fatigue and quality of consent
The higher standard of consent (informed, specific, and explicit) is beneficial, but real-world consent notices are often lengthy and written in legalese. Data principals may accept without understanding. There is a risk of “consent fatigue,” especially in digital ecosystems where multiple entities request consent. A less-explored factor is how UI design, behavioural economics, and default options will shape how consent works in practice under the DPDP Act and Draft Rules.

Scalability and auditability of data governance
Large organisations may have many applications, data sources, and legacy systems. Ensuring that all data flows, storage, access, and deletion policies are documented, auditable, and monitored is complex. A further concern is how emerging technologies such as AI, machine learning, profiling, and algorithmic decision making will fit into rules on fairness and transparency, and whether the Draft Rules address algorithmic accountability explicitly enough.

Digital Divide & Access Issues
Another perspective: the law’s requirement for notice and consent presumes a digitally literate population, or at least one with access to digital channels. Rural areas, linguistic diversity, and digital divide may limit meaningful enforcement of rights (like data access, correction, deletion). Also, low awareness of rights among data principals could weaken the effectiveness of the law.

Global Perspectives on India’s Data Protection Journey

International commentators have closely observed India’s DPDPA, often drawing comparisons with the EU’s GDPR and Brazil’s LGPD. For instance, a recent commentary by Graham Greenleaf, Professor of Law & Information Systems at UNSW Sydney, noted that India’s Act is “narrower in scope, applying only to digital data, yet potentially broader in its governmental exemptions.”

This global critique highlights two points:

  1. While India’s law is seen as a major step forward, its limited coverage (digital data only) leaves gaps in protection.
  2. The broad government exemptions could reduce trust in enforcement.

Such comparative insights are crucial for Indian businesses operating internationally, as compliance frameworks must often align with GDPR and other global standards.

Final Thoughts 

India’s evolving data privacy landscape promises a stringent, yet innovation-friendly, regulatory regime. The 2025 Draft Rules translate foundational Act principles into actionable compliance pathways—anchoring data governance, fiduciary accountability, and individual empowerment.

As enforcement nears, proactive implementation of the compliance checklist will be vital for businesses. Stay vigilant, engage with industry discussions, and align your operations with this emerging era of privacy legislation.

FAQ 

Q1. What is the Digital Personal Data Protection Act, 2023, and how do the 2025 Draft Rules relate?

The Act is India’s landmark legislation for digital personal data, passed in August 2023 but not yet enforced. The 2025 Draft Rules detail its implementation and await formal notification. 

Q2. Who must comply with the Draft Rules?

All Data Fiduciaries, including online businesses, social platforms, and any entity processing digital personal data, and especially those defined as Significant Data Fiduciaries.

Q3. What are the key highlights of the 2025 Draft Rules?

They include notice and consent rules, Consent Manager roles, breach notifications, DPIAs, data localisation, child data safeguards, and data principal rights, with enforcement via the Data Protection Board and penalties. 

Q4. What rights do individuals (data principals) have?

Rights include access, correction, erasure, consent withdrawal, grievance redressal, and nominating digital representatives.

Q5. Are there restrictions on storing or transferring data outside India?

Yes. The Draft Rules propose data localisation and limit exports unless authorized by government orders.

Author: Preeti Sharma, Patent Attorney