What India's Data Protection Law Actually Says
India's Digital Personal Data Protection Act, 2023 (DPDPA) — passed by Parliament on August 11, 2023 — is India's first comprehensive personal data protection legislation, bringing approximately 800 million internet users under a statutory data rights framework for the first time.
The DPDPA passed after years of legislative effort: the Justice B.N. Srikrishna committee submitted a draft Personal Data Protection Bill in 2018; the PDP Bill of 2019 was introduced in Parliament, studied by a Joint Parliamentary Committee, substantially revised, and ultimately withdrawn in 2022 before the current DPDPA was drafted from scratch.
[Representational image: What India's Data Protection Law Actually Says]
The DPDPA is a consent-based data protection framework modelled on global standards but adapted to India's digital economy and governance priorities. It gives every Indian resident (as a "data principal") the right to access information about how their data is processed; the right to correction of inaccurate data; the right to erasure of data no longer necessary for the stated purpose; the right to nominate someone to exercise data rights in case of incapacity or death; and the right to grievance redressal.
It imposes obligations on "data fiduciaries" (entities processing personal data) to: obtain free, informed, specific, and unconditional consent; process data only for the purpose consented to; maintain security safeguards; report data breaches to the Data Protection Board within prescribed timelines; and observe data minimisation. "Significant Data Fiduciaries" — entities designated by the government based on sensitivity and volume of data processed — face additional obligations including Data Protection Impact Assessments, periodic audits, and appointment of Data Protection Officers.
Before You Read On
- DPDPA timeline: Passed August 11, 2023; DPDPA Rules notified November 13, 2025; full applicability for all entities — May 13, 2027 (18 months from Rules notification); MeitY Minister Ashwini Vaishnaw indicated the government was exploring whether the deadline could be shortened.
- Data Principal rights under DPDPA: right to access information; right to correction; right to erasure; right to withdraw consent; right to nominate; right to grievance redressal; right to complain to the Data Protection Board.
- Data Protection Board (DPB): quasi-judicial body to adjudicate complaints, investigate breaches, and impose penalties; maximum penalty ₹250 crore per breach for most violations; up to ₹250 crore for failure to notify breach; up to ₹200 crore for insufficient security safeguards; the DPB has powers of a civil court.
- Government exemptions: Section 17 provides broad exemptions for government data processing — instruments of the State are exempt for purposes of sovereignty, security, friendly relations with foreign states, and public order; these exemptions significantly limit the DPDPA's effectiveness as a check on government data practices including Aadhaar, surveillance, and NATGRID.
- DPDPA's amendment to RTI: Section 44(3) of the DPDPA amended Section 8(1)(j) of the RTI Act, removing the "larger public interest" override to the personal information exemption; this change restricts RTI-based disclosure of public officials' professional conduct under the privacy banner, as analysed in Label 7.
How It Works in Practice
1. The consent manager concept: An innovative feature of the DPDPA is the "consent manager" — a government-accredited trusted third party through which citizens manage their consent permissions across multiple data fiduciaries. Instead of managing hundreds of individual consent relationships, a citizen uses a consent manager to grant, modify, and revoke consents centrally. The DPDPA Rules elaborate on criteria for consent manager accreditation by the Data Protection Board.
2. Significant Data Fiduciaries and enhanced obligations: The government designates SDFs based on volume and sensitivity of personal data processed, potential for harm, national security implications, and societal impact. SDFs must appoint an India-resident Data Protection Officer; conduct annual audits; conduct Data Protection Impact Assessments; and implement heightened security measures. Tech platforms, financial service providers, and health data processors are likely to be designated as SDFs once the SDF notification process is complete.
3. Cross-border data transfers: The DPDPA allows cross-border transfers to countries "whitelisted" by the central government — countries whose data protection standards are deemed adequate; this is a government-controlled mechanism rather than an adequacy decision based on specific criteria; the whitelist has not been published as of May 2026, creating regulatory uncertainty for multinational businesses operating in India.
4. Children's data provisions: The DPDPA imposes specific obligations for data processing involving minors (under 18): processing children's data requires parental consent; data fiduciaries must implement age verification; targeted advertising to children is prohibited; the DPDPA Rules elaborate on age verification mechanisms; these provisions have significant implications for social media platforms, gaming companies, and edtech services.
5. The DPDPA-RTI interaction: The amendment to RTI Section 8(1)(j) is among the DPDPA's most consequential provisions for civil society and journalism; it removes the "larger public interest" test that previously allowed courts to order disclosure of public servants' information despite the personal privacy exemption; the Internet Freedom Foundation and others have challenged this amendment; its full impact on investigative journalism and accountability will be tested through specific RTI cases and judicial interpretation.
What People Often Misunderstand
- The DPDPA is not yet in force: As of May 2026, the DPDPA is passed but not yet applied; entities have until May 2027 to comply; existing data protection obligations under IT Rules, RBI guidelines, and SEBI frameworks continue to apply in the interim.
- The DPDPA is significantly weaker than GDPR: India's data protection framework differs from the EU's GDPR in important respects: broader government exemptions; no requirement for a Data Protection Officer for all large entities; no right to data portability; no explicit algorithmic accountability requirements; smaller penalty maximums; and the absence of an independent supervisory authority comparable to EU data protection authorities.
- "Free and unconditional consent" is harder to achieve than it sounds: Most digital services present consent as a condition for accessing the service; the DPDPA prohibits "conditional consent" (where access is conditioned on consent to unnecessary processing) but enforcing this in practice — particularly against dominant platforms with network effects — is a significant regulatory challenge.
- The consent manager concept is innovative but untested: India's consent manager model — a trusted third party managing consent centrally — has no large-scale precedent globally; its practical effectiveness depends on whether citizens understand and use it, and whether consent managers remain trustworthy rather than being captured by the platforms they are supposed to check.
- The Data Protection Board's independence is not guaranteed: The DPB is a quasi-judicial body whose members are appointed by the government; unlike independent data protection authorities in EU member states, the DPB's composition and removal conditions are subject to government control; its de facto independence will depend on the quality of appointments and the political culture around regulatory autonomy.
What Changes Over Time
MeitY has indicated it may shorten the 18-month compliance deadline to accelerate the DPDPA's operationalisation; the actual enforcement timeline depends on both regulatory readiness and business compliance capacity. The IAPP November 2025 analysis noted that India's AI Governance Guidelines (November 5, 2025) were released within days of the DPDPA Rules, creating an integrated regulatory framework for both data protection and AI governance.
The DPDPA's SDF designation list — when published — will be the most consequential regulatory determination for India's technology industry.
Sources and Further Reading
- IAPP — India DPDPA Rules and AI Governance Guidelines: https://iapp.org/news/a/notes-from-the-asia-pacific-region-india-releases-dpdpa-rules-ai-governance-guidelines
- Regulations.AI — India AI Regulation Overview: https://regulations.ai/regulations/india-summary
- Truyo — Governing the AI Surge: India: https://truyo.com/governing-the-ai-surge-how-india-is-writing-the-rulebook-for-responsible-ai/
- ORF — A Decade of Digital India: https://www.orfonline.org/research/a-decade-of-digital-india-mission-achievements-gaps-and-the-way-forward
- Saikrishna & Associates — India AI Governance Guidelines: https://www.saikrishnaassociates.com/decoding-the-india-ai-governance-guidelines/
