A Comprehensive Guide to the DPDP Act 2023 and DPDP Rules 2025

LegalKart Editor
Last Updated: Nov 28, 2025

Introduction

India is now among the world’s fastest-growing digital economies. From UPI payments and e-commerce to Aadhaar-linked services and digital health records, citizens generate enormous volumes of personal data every day. With this rapid digitisation comes an equally important responsibility—protecting the personal data of every individual.

To address growing privacy concerns and align India with global data-protection standards, the Government of India enacted the Digital Personal Data Protection (DPDP) Act, 2023. Later, on 14 November 2025, the Government notified the DPDP Rules 2025, completing the law’s operational framework.

Together, the DPDP Act 2023 + DPDP Rules 2025 establish a modern, citizen-first, consent-based data protection system, ensuring personal data is handled lawfully, responsibly, and transparently.

Understanding the DPDP Act 2023

Enacted in August 2023, the Digital Personal Data Protection (DPDP) Act 2023 is India’s primary law governing the protection of digital personal data.

It applies to:

  • All Indian citizens (called Data Principals)

  • All organisations, companies, startups, and government bodies that collect or process personal data (Data Fiduciaries)

  • Personal data processed within India

  • Personal data processed outside India if it involves offering goods or services to Indians

The DPDP Act is built on the SARAL principle:

  • S – Simple

  • A – Accessible

  • R – Rational

  • A – Actionable

  • L – Legally compliant

This ensures the law is easy for both citizens and organisations to understand and follow.


1.1 Objectives of the DPDP Act 2023

The DPDP Act 2023 has five major objectives:

1. Safeguard Individual Privacy

  • Protect personal data from misuse

  • Prevent unauthorised access, data mining, and surveillance

  • Strengthen constitutionally guaranteed privacy under Article 21

2. Ensure Responsible Digital Data Processing

  • Data can be processed only for lawful, specific, and clear purposes

  • Organisations must delete data once the purpose is fulfilled

3. Create a Consent-Centric Framework

  • Consent must be informed, specific, unambiguous, and revocable

  • Parents must give consent for children under 18

  • Guardians must give consent for persons with disabilities

4. Support Digital Innovation with Privacy

  • Reduces compliance burden for startups

  • Stricter obligations on major platforms like social media, digital commerce, etc.

5. Enable Secure Cross-Border Data Transfer

  • Personal data can be transferred to government-approved nations

  • Ensures global business continuity with safeguards

Key Features of the DPDP Act 2023

Here are the major features of the Act explained simply:

1. Consent-Based Data Processing

  • Organisations must collect clear, informed consent before processing data

  • Consent withdrawal must be simple and available at all times

2. Individual Rights (Data Principal Rights)

Citizens get legal rights to:

  • Access their data

  • Correct or update data

  • Request data deletion

  • Know who has their data and why

  • Nominate someone to exercise rights on their behalf

3. Children's Data Protection

  • Parental consent required

  • No behavioral monitoring or targeted advertising for children

  • Harmful data processing is strictly prohibited

4. Significant Data Fiduciaries (SDFs)

Large digital platforms handling high-risk or large-volume data must:

  • Appoint a Data Protection Officer (DPO)

  • Conduct regular data audits

  • Carry out Data Protection Impact Assessments (DPIA)

5. Government Exemptions

Under specific situations (national security, public order, emergencies), the government may process personal data without consent—but with safeguards.

6. Cross-Border Data Transfers

Allowed only to countries approved by the central government.

7. Penalties

Stringent, graded penalties apply for violations—ranging from ₹10 crore to ₹250 crore.

Concepts & Definitions Under the DPDP Act

Understanding a few key terms makes the law easier to read:

Personal Data

Any data that identifies a person—name, mobile, email, Aadhaar, location, preferences, biometrics.

Data Principal

The individual whose data is collected.

Data Fiduciary

Any organisation that decides why and how personal data is processed.

Data Processor

An entity that processes personal data on behalf of a Data Fiduciary.

Processing

Any activity performed on data—collection, storage, organisation, sharing, deletion, etc.

Provisions of the DPDP Act 2023 (Explained in Detail)

Below is the complete breakdown of the Act's main provisions.

1. Consent and Lawful Processing

Valid consent must be:

  • Freely given

  • Clear and unambiguous

  • Specific to a purpose

  • Revocable anytime

  • Accompanied by a notice

Consent Exception:

Data may be processed without consent for:

  • Government functions (benefit schemes, subsidies)

  • Medical emergencies

  • Court orders

  • Public interest

2. Data Principal Rights (Your Digital Rights)

1. Right to Access Information

You can ask:

  • What data an organisation has

  • Why they collected it

  • Who they shared it with

2. Right to Correction and Updating

Incorrect or outdated data must be corrected within 90 days.

3. Right to Erasure

You can request deletion of data if:

  • Purpose is completed

  • Consent is withdrawn

  • Data is no longer needed

4. Right to Grievance Redressal

Every organisation must have a grievance officer or DPO.

5. Right to Nominate

A nominee can exercise rights after your death or incapacity.

3. Data Fiduciary Obligations (Organisations Must)

  • Collect only necessary data (data minimisation)

  • Ensure accuracy

  • Maintain security safeguards to prevent breaches

  • Notify breaches to the DPBI and affected users

  • Delete data when purpose is over

  • Ensure transparency in data practices

4. Data Retention

  • Data may be retained for up to 3 years from the last interaction

  • Before deletion, the user must receive a 48-hour prior notice

5. The Data Protection Board of India (DPBI)

Structure

  • Appointed by the Central Government

  • Members serve 2-year terms

  • Digital-first functioning

Functions

  • Investigate breaches

  • Handle complaints

  • Impose penalties

  • Ensure compliance

  • Collaborate with organisations during breach events

  • Route appeals to TDSAT

DPDP Rules 2025: Implementation Mechanism

The DPDP Rules 2025, notified on 14 November 2025, operationalise the Act.

These Rules provide:

  • Compliance timelines

  • Formats for notices and consent

  • Data breach reporting procedure

  • Data Principal request handling standards

  • Obligations of Significant Data Fiduciaries

  • Security practices

  • Parental consent verification mechanisms

These Rules serve as the “operating manual” for the law.

How DPDP Rules 2025 Empower Individuals

1. Clear Consent Rights

Citizens can:

  • Approve or deny consent

  • Withdraw anytime

  • Access consent history

2. Right to Know

Organisations must provide:

  • Simple notices

  • Clear purpose descriptions

  • Contact details of the DPO/grievance officer

3. Mandatory 90-Day Resolution

All rights requests (access, correction, deletion) must be fulfilled within 90 days.

4. Breach Notification

Users must be informed promptly in clear language.

5. Child & Disability Data Protection

  • Parental consent required

  • Harmful processing prohibited

  • Guardian consent required for persons unable to decide independently

Penalties Under the DPDP Act 2023

Penalties follow a graded model:

1. Up to ₹250 Crore

  • Failure to implement reasonable data-security safeguards

2. Up to ₹200 Crore

  • Breach of obligations related to children’s data

  • Failure to report data breaches

3. Up to ₹50 Crore

  • All other forms of non-compliance

Penalties depend on:

  • Severity

  • Nature of data

  • Impact on users

  • Repetition of violations

Cross-Border Data Transfers Under DPDP

  • Permitted only to government-notified countries

  • Ensures adequate protection standards

  • Supports global digital commerce

Challenges & Criticisms of the DPDP Act 2023

Even though the law is a strong step forward, experts highlight certain concerns:

1. Wide Government Exemptions

Government agencies may bypass consent and processing limitations.

2. Limited Regulatory Independence

DPBI is not fully independent; its appointment is government-controlled.

3. Broad Definitions

Some terms (e.g., “reasonable security safeguards,” “harm”) are vague.

4. Cross-Border Flexibility

Few restrictions may expose data to foreign surveillance.

5. Compliance Challenges for Startups

Small organisations worry about cost and complexity.

The Way Forward for India’s Data Protection Ecosystem

1. Strengthen DPBI Independence

India may consider an independent commission modelled on the UK's ICO.

2. Increase Citizen Awareness

A mass “Digital Data Suraksha” literacy campaign can help.

3. Simplify Startup Compliance

Government toolkits and models can support MSMEs.

4. Stronger Security Standards

Mandating ISO-like certifications for high-risk processors.

5. Encourage Privacy-by-Design

Businesses must embed privacy from the start—minimised data, encrypted by default, transparent UI.

Impact of the DPDP Act on Everyday Citizens

1. More Control Over Your Digital Data

Citizens can now:

  • Know what data apps collect

  • Stop unwanted data sharing

  • Delete their data anytime

2. Safety from Data Misuse

  • No more hidden data transfers

  • No unauthorised tracking

  • Better safeguards against leaks

3. Transparent Privacy Notices

Privacy policies must be simple, not confusing legal jargon.

4. Improved Digital Trust

Citizens can use digital services with greater confidence.

Impact of the DPDP Act on Businesses

Businesses must:

  1. Update privacy policies

  2. Implement consent dashboards

  3. Appoint Data Protection Officers (for SDFs)

  4. Conduct audits and risk assessments

  5. Build breach-reporting systems

  6. Set up 90-day user request mechanisms

This promotes:

  1. Better security

  2. Higher trust

  3. Lower legal risk

  4. Improved brand reputation

Comparison with Global Data Protection Laws

 

Feature            | DPDP Act 2023       | GDPR (EU)            | CCPA (US)
-------------------|---------------------|----------------------|---------------
Consent-Based      | Yes                 | Yes                  | Partially
Right to Erasure   | Yes                 | Yes                  | Limited
Children’s Data    | Strong              | Strong               | Moderate
Cross-Border Rules | Government-approved | Adequacy decisions   | Open
Fines              | Up to ₹250 Crore    | % of global turnover | Fixed monetary

 

India’s DPDP Act is now one of the strongest privacy laws in Asia.

Conclusion

The DPDP Act 2023 and DPDP Rules 2025 mark a historic shift in India’s digital governance. For the first time, citizens receive clear, enforceable rights over their personal data. Organisations receive a transparent, structured, and predictable system for data compliance.

As India moves deeper into the digital era—AI, fintech, telemedicine, digital learning—this law ensures that privacy remains at the centre of digital growth.

The DPDP framework is not just a law—it is a commitment:

  1. To protect citizens

  2. To build a trusted digital economy

  3. To promote innovation responsibly

  4. To align India with global privacy standards

With proper implementation, citizen awareness, and business compliance, the DPDP ecosystem will strengthen India’s digital future.
