The Digital Personal Data Protection (DPDP) Act, 2023, together with the DPDP Rules, 2025 once notified, will form the core of India’s privacy law framework.
It aims to balance two objectives — protecting individuals’ right to privacy over their digital personal data, and enabling lawful, transparent, and responsible processing of such data in line with consent or legitimate purposes.
A. Background
Current Data Privacy Framework under the IT Security Practices Rules
Until the DPDP law becomes effective (i.e., is notified), India’s data privacy landscape continues to be primarily governed by the Information Technology Act, 2000, particularly Section 43A, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (collectively ‘IT Rules’).
These provisions require organisations handling sensitive personal data (SPD)—such as financial, health, biometric, and sexual orientation information—to:
- implement reasonable security practices and procedures,
- obtain consent prior to data collection,
- collect information only for lawful and specific purposes, and collect SPD only if necessary, and
- ensure adequate protection against unauthorised access, misuse, or disclosure.
Cross-border transfer of SPD or information is permitted only to countries that ensure the same level of data protection as that adhered to by the transferee body corporate.
Entities are also mandated to publish a privacy policy, appoint a grievance officer, and adopt recognised security standards such as ISO/IEC 27001 for information security.
While these IT Rules provided the first formal privacy safeguards in India, they are limited in scope and enforcement, applying primarily to entities engaged in commercial or professional activities. This gap highlighted the need for a comprehensive, rights-based data protection law, ultimately leading to the introduction of the Digital Personal Data Protection Act, 2023.
Note: Until the DPDP Act becomes fully operational, the provisions of IT Rules continue to apply.
Privacy – A Fundamental Right under the Constitution
India’s current privacy law emerged following the landmark judgment of the Hon’ble Supreme Court in Justice K.S. Puttaswamy (Retd.) vs. Union of India (2017), where a nine-judge Constitution Bench unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution — intrinsic to the right to life and personal liberty, and as a part of the freedoms guaranteed by the Constitution.
The Hon’ble Supreme Court concluded that the right to privacy safeguards the inner sphere of the individual from interference by both State and non-State actors, ensuring that individuals can make autonomous decisions about their lives, beliefs, and personal information.
It would perhaps not be an exaggeration to say that the judgment marked a constitutional turning point, establishing privacy as a cornerstone of human dignity, autonomy, and informational self-determination. It also underscored the urgent need for a comprehensive data protection framework to regulate how personal information is collected, processed, stored, and shared in an increasingly digital environment.
Justice BN Srikrishna Committee, and early Draft of the DPDP Law
The Government of India, cognizant of the growing importance of data protection and of the need to ensure growth of the digital economy while keeping citizens’ personal data secure and protected, constituted a Committee of Experts to deliberate on a data protection framework for India. The Committee, appointed in July 2017, was chaired by former Supreme Court Judge Justice BN Srikrishna (hence called the Justice BN Srikrishna Committee) and was tasked with identifying key data protection issues in India and recommending methods of addressing them.
The Committee’s terms of reference included making specific suggestions on principles to be considered for data protection in India and suggesting a draft Data Protection bill.
The Committee’s recommendations, delivered[i] in a report on 27 July 2018 along with a draft Bill, formed the foundation for what ultimately became the Digital Personal Data Protection Act, 2023, which embodies the core principles articulated in the Puttaswamy judgment.
[i] Refer to the related Press Note here.
The DPDP law, and its Current Status
The DPDP Act was passed by Parliament and subsequently assented to by the Hon’ble President of India on 11 August 2023.
However, the law is yet to be notified to become effective. This is expected to happen once the DPDP Rules, which will provide subsidiary rules to operationalise the law, have been issued.
The draft DPDP Rules (and the Explanatory Statement) were issued by the Ministry of Electronics and Information Technology (MeitY) in January 2025 for public consultation. The public consultation closed in March 2025. Following the consultation process, it is expected that the Government will issue the final Rules, which are now awaited. That will pave the way to operationalise the privacy regime.
This article discusses the features and highlights of the DPDP Act as it currently stands.
B. The DPDP Act
Scope and Applicability
The DPDP Act applies to the processing of digital personal data within India, whether originally collected in digital form or collected in physical form and later digitised. It also extends extraterritorially to processing outside India if done in connection with the offering of goods or services to individuals in India. However, it excludes from its scope processing for personal or domestic use by an individual, and data made publicly available by the Data Principal or by someone under a legal obligation to do so.
Thus, the DPDP Act applies only to personal data that is in digital form. That being so, non-personal data and non-digital data are outside the scope of the DPDP law.
Core Concepts
- Data Principal: The individual to whom the personal data relates.
- Data Fiduciary: The entity determining the purpose and means of processing personal data.
- Data Processor: An entity processing personal data on behalf of a fiduciary.
- Consent Manager: A registered intermediary that enables individuals to give, manage, or withdraw consent on a standardised platform.
- Personal Data: Any data about an individual who is identifiable by or in relation to such data.
- Digital Personal Data: Personal data in digital form.
- Specified Purpose: Purpose mentioned in the Consent Notice.
Single level data classification – Personal data
The DPDP law encompasses in its scope only ‘personal data’. There are no tiered or multiple classifications, such as information, sensitive personal information or highly sensitive personal data. Thus, all data that is personal data within the scope of the law stands on a uniform plane.
Consent and Processing
The architecture of DPDP law provides that the personal data of a Data Principal may be processed only as per DPDP law and for a lawful purpose, based on:
- Consent — free, specific, informed, unconditional, and unambiguous with a clear affirmative action, with easy withdrawal options.
- Certain legitimate uses.
A request for consent made to a Data Principal must be accompanied (or preceded) by a Consent Notice informing the Data Principal of the personal data to be collected, the purpose of processing, the manner in which the Data Principal may exercise certain rights, and the manner in which a complaint may be made to the Data Protection Board.
Consent must be requested in plain and simple language, in English or in any language recognised under the Constitution. Any part of the consent that infringes the DPDP law is invalid to that extent.
The law specifies that the Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. Where the Consent is withdrawn, the Data Fiduciary shall in reasonable time cease processing the personal data of such Data Principal, unless authorised by the law.
The Data Fiduciary is obliged under the law to ensure that a Data Principal can withdraw her consent with the same ease with which she gave it.
Processing for Legitimate Use
The law specifies a range of circumstances to be considered as legitimate use of the personal data, where the Data Fiduciary may process the personal data of a Data Principal. These include:
- data provided voluntarily by a Data Principal for a specified purpose and for which there is no indication of non-consent;
- for the State to provide subsidies, benefits, licences, etc. to a Data Principal; or with regard to the legal obligations of the State; or in the interest of the sovereignty and integrity of the nation;
- compliance with a judgement or decree;
- responding to medical emergencies involving a threat to the life or immediate threat to the health of a Data Principal, or for taking measures to provide treatment or health services in cases of epidemic, outbreak etc; taking steps in the case of any disaster or breakdown of public order;
- for the purpose of employment or related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.
Thus, the legitimate uses act as deemed consent.
Responsibility of a Data Fiduciary
The law provides a range of responsibilities and obligations of a Data Fiduciary, which include:
- ensure that personal data is processed in accordance with the consent given and the provisions of the law;
- engage a Data Processor, under a valid contract, to process personal data on its behalf;
- implement appropriate technical and organisational measures (i.e. governance, data security, etc., for effective compliance with the law), as prescribed under the law and the Rules;
- protect personal data by taking reasonable security measures and steps to prevent a personal data breach;
- erase personal data in its custody following withdrawal of consent by a Data Principal, or when the specified purpose is no longer served;
- establish an effective redress procedure for grievances of Data Principals.
Children and Persons with Disabilities – Consent Requirements
When processing the personal data of children or of persons with disabilities who have a lawful guardian, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian, as applicable. The law also empowers the Central Government to specify exceptions to this requirement for certain categories of processing.
Further, the DPDP Act imposes specific restrictions in respect of children’s personal data. A Data Fiduciary must:
- not process personal data in a manner likely to cause any detrimental effect on the well-being of a child;
- not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
The Government may, however, exempt specified classes of Data Fiduciaries or Data Processors from the requirement of obtaining parental consent in certain cases. Additionally, the Government may notify exemptions for processing data of children above a specified age but below 18 years, where such processing is carried out in a verifiably safe manner.
Rights and Duties of Individuals (Data Principals)
The law provides a range of rights of the Individuals (Data Principals). These include having the right to:
- obtain a summary of their personal data and the processing activities undertaken;
- obtain the identities of the data fiduciaries and processors with whom a data fiduciary has shared (for instance, by outsourcing) the personal data (exceptions apply);
- obtain any other prescribed information relating to the Data Principal’s personal data or its processing;
- access information about their data and its processing;
- request correction, completion, updating, or erasure;
- have readily available means of grievance redressal from the Data Fiduciary or Consent Manager in relation to their obligations or the Data Principal’s rights;
- nominate another person to exercise their rights in case of death or incapacity.
On request of a Data Principal, a Data Fiduciary must:
- correct inaccurate or misleading personal data;
- complete or update the personal data;
- erase the data, unless retention is required for the specified purpose or by law.
While Data Principals are bestowed with the rights mentioned above, they must also abide by the following:
- not impersonate another person;
- comply with the law;
- not suppress any required information or data;
- not make false or frivolous complaints or grievances;
- provide information that is verifiably authentic.
A failure by a Data Principal to observe these duties may result in a penalty of up to ₹10,000.
Significant Data Fiduciary (SDF)
The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on an assessment of factors such as:
- the volume and sensitivity of personal data processed,
- the risk to the rights of Data Principals,
- the potential impact on the sovereignty and integrity of India,
- the risk to electoral democracy,
- the security of the State, and
- considerations of public order.
Once designated, an SDF must comply with additional governance and accountability requirements. Specifically, an SDF is required to:
- Appoint a Data Protection Officer (DPO) who must be based in India, represent the SDF under the DPDP Act, report to the Board of Directors or equivalent governing body, and act as the primary point of contact for grievance redressal;
- Appoint an independent Data Auditor to conduct data audits and evaluate compliance with the obligations under the DPDP law;
- Undertake periodic Data Protection Impact Assessments (DPIAs), regular data audits, and other prescribed data protection and compliance measures to identify and mitigate privacy and security risks.
These enhanced obligations aim to ensure that SDFs which handle large-scale or high-risk personal data operate with greater accountability, transparency, and oversight, while embedding strong controls, risk mitigation and governance protocols.
Data Protection Impact Assessment (DPIA)
A Significant Data Fiduciary (SDF) is required to conduct periodic Data Protection Impact Assessments (DPIAs) to evaluate the potential risks to personal data and the rights of Data Principals arising from the collection, storage, use, and processing of such data.
A DPIA assesses the adequacy and effectiveness of the technical, organisational, and procedural safeguards implemented by the SDF to ensure appropriate protection of personal data. It serves as a tool to identify, manage, and mitigate privacy and data security risks associated with data processing activities.
As part of this assessment, a DPIA may incorporate or reference independent data audits and other risk mitigation measures that strengthen the SDF’s overall data protection framework.
Cross-Border Data Transfers
Under the Digital Personal Data Protection (DPDP) Act, the Central Government has the authority to restrict the transfer of personal data to certain countries or territories outside India. By default, cross-border transfers of personal data are permitted for processing purposes, except to those jurisdictions that the Government may specifically notify as restricted.
This represents a “negative list” approach — the Government will expressly blacklist / greylist countries where data transfers are prohibited. Accordingly, personal data may be transferred to any non-blacklisted or non-greylisted country, subject to applicable contractual, technical, and security safeguards ensuring lawful and secure processing.
Data Breach
Where a personal data breach occurs, a Data Fiduciary is obliged to intimate the Data Protection Board and each affected Data Principal, providing the required information on the breach. More clarity on the mechanics and framework is expected to be specified in the Rules or otherwise.
Data Protection Board of India (DPB)
The DPDP Act establishes the DPB as an apex regulatory and enforcement forum for the DPDP regime. The DPB is vested with a range of powers that include:
- directing urgent remedial or mitigation measures on receipt of an intimation regarding personal data breach;
- on a complaint made by a Data Principal and other specified persons, inquire into breaches by Data Fiduciaries and Consent Managers, and impose penalties;
- inquire into breach of conditions of registration of a Consent Manager and impose penalties.
Orders of DPB can be appealed by an aggrieved party in the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), an appellate forum constituted under the Telecom Regulatory Authority of India (TRAI) Act. Further appeal against the order of the TDSAT may be preferred before the Hon’ble Supreme Court of India.
Alternative Dispute Resolution (ADR) and Voluntary Undertaking
As an ADR mechanism, the DPDP law empowers the DPB to direct, in suitable cases, that a matter be resolved through mediation between the parties concerned. Such mediation may be conducted in accordance with contractually or mutually agreed mediation norms.
The DPDP law also provides a framework under which the DPB may accept a voluntary undertaking from any person in regard to any matter relating to compliance or obligations under the law. The voluntary undertaking may be given at any stage of a proceeding, and may prescribe actions and their timelines, or provide that a party will refrain from doing something. It then becomes a binding obligation of that person, and a breach of the undertaking is treated as a breach of the law.
Penalties for breach of the law
The law provides stiff penalties for a range of breaches. These may be up to the following amounts:
- ₹250 crore for failure of a Data Fiduciary to observe its obligation to take security measures to prevent a personal data breach;
- ₹200 crore for failure to report a breach, or for violating the provisions on children’s personal data;
- ₹150 crore for a Significant Data Fiduciary’s lapses in its other obligations; and
- ₹50 crore for breaches of the DPDP law generally.
The law also provides for a penalty of up to ₹10,000 on a Data Principal who fails to observe her duties.
Notably, the law does not provide for payment of any compensation to a Data Principal, whose data was compromised in a breach.
Interplay between the DPDP Act and the Sectoral Regulations
The DPDP Act introduces India’s first comprehensive, rights-based framework for personal data protection. It is a horizontal legislation that applies across all sectors and entities. However, there are existing sector-specific regulations that touch on or impact the subject. It is essential that these two sets of norms are aligned and harmonious.
For example, regulated entities under financial sector regulators such as the IRDAI, SEBI, and RBI operate under a detailed set of cybersecurity and information technology governance guidelines. These frameworks mandate strong technical and organisational data and information security protocols. Likewise, there are also customer interest protection norms. These may overlap with or have an interplay with the DPDP law requirements.
Over time, it is expected that the sectoral regulations will be harmonised with the DPDP framework, creating a unified regime in which information security and privacy protection operate as complementary pillars.
So now all eyes are on the Rules and the notification to operationalise the DPDP Act…
This article is current as on 24 Oct 2025.
Note: The above article is for general informational purposes only and does not constitute professional or legal advice. Please seek specific advice for your situation. We do not warrant on the accuracy or completeness of the subject matter discussed above and disclaim all liability for any losses or damages caused to or incurred by any person.
Compliense Advisors is a Compliance Advisory firm. We advise on compliance and regulatory matters and our subject matter expertise includes Privacy (DPDP), AML (PMLA) and Anti-Financial Crime; and Insurance and Mutual Fund regulations. We can assist in your compliance framework and obligations. Write to us on info@compliense.com.