An Analysis of the Digital Personal Data Protection Act, 2023 and Draft Rules, 2025
I. Introduction: The DPDP Act 2023 and Draft Rules 2025 – India’s New Data Protection Paradigm
India has entered a new era of data governance with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act or the Act).1 Assented to by the President on August 11, 2023, this legislation (Act No. 22 of 2023) represents the nation’s first comprehensive, cross-sectoral law dedicated to protecting personal data.1 It replaces the limited framework previously provided under Section 43A of the Information Technology Act, 2000, and its associated Sensitive Personal Data or Information (SPDI) Rules.13
The core objective of the DPDP Act is to establish a framework that recognizes and balances the fundamental right of individuals to protect their personal data with the legitimate need for organizations (Data Fiduciaries) to process such data for lawful purposes.1 The government has articulated its intent to achieve this with minimum disruption, enhancing the ‘Ease of Living’ for citizens and ‘Ease of Doing Business’ for organizations, through a principles-based, digital-first approach.18

Following the Act’s passage, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules) on January 3, 2025, opening them for public consultation until March 5, 2025.5 These Draft Rules are crucial as they provide the necessary details and procedural framework to operationalize the Act’s provisions.6
The DPDP Act and the forthcoming Rules represent a landmark development, poised to significantly reshape data handling practices across India’s burgeoning digital economy, impacting businesses of all sizes, government entities, and the rights and responsibilities of individuals.4 However, a notable delay occurred between the Act’s passage in August 2023 and the release of the Draft Rules in January 2025, a gap of over 16 months.7 As the Act’s provisions cannot be fully enforced without the finalized Rules, this delay has created a period of considerable uncertainty for businesses attempting to prepare for compliance and has effectively prevented individuals from exercising their newly granted rights, rendering the Act temporarily ineffective despite its enactment.35 This extended period suggests potential complexities in formulating the detailed operational guidelines required to implement the Act’s principles-based framework.
II. Foundational Elements: Scope, Principles, and Key Definitions
Understanding the DPDP Act requires grasping its scope, the principles guiding its interpretation, and the definitions of key terms.
Scope & Applicability:
- Data Covered: The Act’s purview is specifically limited to digital personal data. This includes personal data collected directly in digital form, as well as data collected offline (e.g., on paper) but subsequently digitized.3 Consequently, personal data that remains purely in a non-digitized, physical format falls outside the Act’s scope.5 Furthermore, the Act does not apply to anonymized data, provided the anonymization prevents the identification of the individual.3
- Territorial Reach: The Act applies to the processing of digital personal data within the territory of India.5
- Extraterritoriality: Crucially, the Act also extends its reach beyond India’s borders. It applies to the processing of digital personal data outside India if such processing is connected with offering goods or services to individuals (Data Principals) located within India.3 This necessitates compliance from foreign entities targeting the Indian market.
- Exclusions: The Act explicitly excludes certain types of processing: (i) personal data processed by an individual for any personal or domestic purpose, and (ii) personal data that is made publicly available either by the Data Principal themselves or by another person under a legal obligation to do so.5
The exclusive focus on digital personal data 2 and the exclusion of publicly available data 5 represent significant limitations compared to frameworks like the EU’s General Data Protection Regulation (GDPR), which covers personal data in certain structured physical filing systems and does not automatically exempt publicly available data from its principles.2 This narrower scope under the DPDP Act might simplify compliance by allowing organizations to concentrate efforts on digital systems and automated processing.3 However, it also creates potential regulatory gaps concerning the handling of extensive offline records or the ethical implications of scraping and using data from public sources.10
Core Principles: The DPDP Act is built upon several fundamental principles that guide its application 5:
- Lawful, Fair, and Transparent Processing: Data processing must have a lawful basis (consent or legitimate use) and be conducted transparently.
- Purpose Limitation: Personal data should only be processed for the specific, stated purpose for which it was collected.
- Data Minimisation: Only personal data necessary for the specified purpose should be collected.
- Accuracy: Reasonable efforts must be made to ensure personal data is accurate and kept up-to-date.
- Storage Limitation: Personal data should not be stored indefinitely; retention is limited to the duration necessary for the specified purpose.
- Reasonable Security Safeguards: Organizations must implement appropriate security measures to prevent data breaches.
- Accountability: The Data Fiduciary is responsible for ensuring compliance with the Act’s provisions.
Key Definitions:
- Personal Data: Defined broadly as any data about an individual who is identifiable by or in relation to such data.1
- Data Principal: The individual to whom the personal data relates. If the individual is a child (under 18) or a person with a disability, the term includes their parent or lawful guardian.1
- Data Fiduciary: Any person (individual, company, firm, government entity, etc.) who, alone or jointly with others, determines the purpose and means of processing personal data. This role is analogous to the ‘Data Controller’ under GDPR.1
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.3
- Significant Data Fiduciary (SDF): A Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government based on an assessment of factors like data volume/sensitivity and risk.3
- Processing: Defined as a wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, sharing, disclosure, alignment, combination, indexing, restriction, erasure, or destruction.3 This definition is slightly narrower than GDPR’s, which includes certain specific non-automated processing.3
A notable aspect of the DPDP Act is the absence of distinct categories for ‘sensitive personal data’ (like health, financial, or biometric information) or ‘critical personal data’, which were features of earlier drafts or are present in GDPR.2 This uniform application of rules to all types of digital personal data simplifies the legislative structure.54 However, it potentially offers less inherent protection for data types that carry higher intrinsic risks.45 The mechanism intended to address this appears to be the designation of Significant Data Fiduciaries (SDFs).16 The criteria for designating SDFs include the volume and sensitivity of data processed 8, suggesting that heightened obligations are applied at the entity level based on risk assessment, rather than being triggered automatically by the type of data being processed.
III. Data Principal Rights and Obligations
Chapter III (Sections 11-14) of the DPDP Act grants individuals specific rights over their personal data, while Section 15 imposes certain duties.2
Rights Granted to Data Principals:
- Right to Access Information (Sec 11): Data Principals have the right to request and receive information from the Data Fiduciary. This includes:
  - A summary of the personal data being processed and the processing activities undertaken.2
  - The identities of all other Data Fiduciaries and Data Processors with whom their personal data has been shared, along with a description of the data shared.4
  - Any other prescribed information related to their data and its processing.43
  - The Draft Rules (Rule 13) mandate that Data Fiduciaries and Consent Managers must publish clear instructions on their website or app detailing how individuals can exercise this and other rights.38
- Right to Correction and Erasure (Sec 12): Data Principals can request Data Fiduciaries to:
  - Correct inaccurate or misleading personal data.2
  - Complete incomplete personal data.56
  - Update personal data.4
  - Erase personal data.2 Erasure must be performed unless retention is necessary for the specified purpose or required under any applicable law.51 The Draft Rules (Rule 13) specify that requests for erasure can be made using the means published by the Fiduciary.71 It is important to note that the right to erasure and the obligation of storage limitation do not apply to government entities in certain processing contexts.52 Erasure is also mandated when consent is withdrawn or the processing purpose is fulfilled.5
- Right of Grievance Redressal (Sec 13): Data Principals are entitled to readily accessible means for grievance redressal provided by the Data Fiduciary or Consent Manager.4 The Fiduciary/Manager must respond to grievances within a prescribed timeframe.12 Crucially, a Data Principal must first attempt to resolve their grievance with the Data Fiduciary or Consent Manager before escalating a complaint to the Data Protection Board.16
- Right to Nominate (Sec 14): Data Principals have the right to nominate another individual to exercise their rights under the Act on their behalf in the event of their death or incapacity.12 ‘Incapacity’ is defined as the inability to exercise rights due to unsoundness of mind or physical infirmity.12 The Draft Rules (Rule 13) require Fiduciaries/Managers to publish details on how to make such nominations.38
- Right to Withdraw Consent (Sec 6(4)): As an intrinsic part of the consent framework, Data Principals can withdraw their previously given consent at any time.2 The process for withdrawal must be as easy as the process for giving consent.22 Upon withdrawal, the Data Fiduciary must cease processing the personal data within a reasonable time, unless continued processing is required or authorized by law.5 The Draft Rules (Rule 3) stipulate that the consent notice must include a link or description of how to withdraw consent.6
While the DPDP Act provides these core rights, its offering is less extensive compared to GDPR. Notably absent are the right to data portability (allowing individuals to receive their data in a usable format and transfer it to another service provider) and rights related to automated decision-making and profiling (such as the right to object or demand human intervention).10 This omission might limit an individual’s agency in an increasingly automated digital environment where data mobility and algorithmic accountability are growing concerns.
Data Principal Duties (Sec 15):
Uniquely, the DPDP Act imposes specific duties on Data Principals when exercising their rights 8:
- Must comply with all applicable laws.
- Must not impersonate another person while providing personal data for a specified purpose.
- Must not suppress material information when providing personal data for state-issued documents (e.g., identity/address proofs).
- Must not register false or frivolous grievances or complaints with a Data Fiduciary, Consent Manager, or the Board.
- Must furnish only verifiably authentic information when exercising the right to correction or erasure.
Violation of these duties can attract a penalty of up to ₹10,000.12 This imposition of duties and penalties on individuals is a departure from international norms like GDPR, which primarily focus obligations on data controllers and processors.9 While intended to prevent abuse of the rights framework, such as filing baseless complaints 52, there is a potential risk that these duties, particularly the penalty for “frivolous” complaints, could inadvertently discourage individuals from raising genuine concerns or exercising their rights due to fear of misinterpretation or penalty.
IV. Data Fiduciary Obligations: Consent, Security, and Accountability
The DPDP Act places significant responsibilities on Data Fiduciaries, centering around lawful processing, robust consent mechanisms, data security, and overall accountability.
Lawful Basis for Processing (Sec 4):
A Data Fiduciary can process digital personal data only if it is for a ‘lawful purpose’ AND one of the following conditions is met 3:
- The Data Principal has given consent to the processing (Section 6).
- The processing is for certain specified ‘Legitimate Uses’ (Section 7).
Consent Requirements (Sec 5, 6):
Consent is the primary legal basis under the Act.
- Notice: Before or at the time of requesting consent, a Data Fiduciary must provide the Data Principal with a clear and plain notice.3 This notice must specify:
  - The personal data to be collected and the purpose(s) of processing.3
  - How the Data Principal can exercise their rights (including withdrawal of consent) and make a complaint to the Data Protection Board.20
  - The notice must be accessible in English and/or any of the 22 languages specified in the Eighth Schedule of the Constitution, at the option of the Principal.20
  - The Draft Rules (Rule 3) add further specificity, requiring the notice to be a standalone document, provide an itemized description of the data collected and the specific purpose/goods/services enabled by each, and include a direct link or description for exercising rights, withdrawal, and lodging complaints with the Board.6
- Standard for Valid Consent: Consent must be freely given, specific, informed, unconditional, and unambiguous, signified through a clear affirmative action.1 It must relate to a specified purpose and be limited to the personal data necessary for that purpose.1 This standard closely mirrors the GDPR requirements.55
- Withdrawal: Data Principals must be able to withdraw consent easily.2 The Draft Rules (Rule 3) require the mechanism to be accessible via the notice.6
- Pre-Act Consent: For consent obtained before the DPDP Act comes into force, Data Fiduciaries must provide the required notice (detailing data processed and purpose) to the Data Principal “as soon as it is reasonably practicable”.1 This implies a need for organizations to review and potentially re-paper consent for their existing user base.
The DPDP Act’s strong emphasis on consent 1, combined with the relatively narrow scope of ‘Legitimate Uses’ compared to GDPR’s lawful bases (which include ‘contractual necessity’ and ‘legitimate interests’) 22, means that organizations may need to obtain explicit consent for a wider range of processing activities in India than they do in the EU. Activities often justified under contractual necessity (e.g., using an address for delivery) or legitimate interests (e.g., certain types of fraud monitoring or analytics) might require specific consent under the DPDP Act unless they fall squarely within one of the defined ‘Legitimate Uses’. This reliance on consent could increase operational complexity and potentially lead to ‘consent fatigue’ among users.91
Consent Managers (Sec 6(7), 6(8)):
The Act introduces Consent Managers as registered, interoperable platforms enabling Data Principals to give, manage, review, and withdraw their consent centrally.1 They act as a single point of contact, accountable to the Principal.1 The Draft Rules (Rule 4, Schedule 1) lay out stringent eligibility criteria (e.g., India-incorporated, ₹2 Cr net worth, certified platform) and operational obligations (record keeping, security, transparency).6
This Consent Manager framework is a novel feature specific to the Indian legislation.63 It aims to empower users and potentially streamline consent management across multiple services.3 However, it also introduces a new category of regulated entities, adding a layer to the data ecosystem. The success of this model will depend on the effective registration and oversight of these managers and their seamless integration with Data Fiduciary platforms 38, balancing user empowerment against potential added complexity for businesses.
Legitimate Uses (Processing without Consent) (Sec 7):
The Act permits processing without explicit consent in specific situations termed ‘Legitimate Uses’ 3:
- Voluntary Provision: For the specific purpose for which the Data Principal voluntarily provided the data (and has not indicated refusal of consent).
- State Functions: For the State or its instrumentalities to provide benefits, services, licenses, permits, certificates, etc., based on prior consent or data already held by the State. Rule 5 of the Draft Rules elaborates on this, requiring adherence to standards in Schedule 2 (lawful, transparent, secure, limited purpose/data/retention, accessible rights).17
- Legal Compliance: To comply with any judgment, order, or law in India.
- Emergencies: To respond to medical emergencies involving a threat to life or immediate health threat to the Data Principal or others; or during epidemics, disasters, or breakdowns of public order.
- Employment: For purposes of employment, safeguarding employers from loss/liability (e.g., preventing corporate espionage, maintaining confidentiality), or providing employee benefits.
General Obligations of Data Fiduciaries (Sec 8):
Beyond consent and lawful basis, Data Fiduciaries have several ongoing obligations 4:
- Data Accuracy and Completeness: Must make reasonable efforts to ensure data processed is accurate and complete, particularly if it’s likely to be used for decisions affecting the Data Principal or if disclosed to another Fiduciary.4
- Reasonable Security Safeguards (Sec 8(5)): Must implement reasonable technical and organizational measures to protect personal data in their possession or control (including data handled by processors) from breaches.4 The Draft Rules (Rule 6) specify minimum safeguards like encryption, access controls, log maintenance (minimum 1 year), secure data destruction, and ensuring processor compliance via contract.6 Ambiguities regarding the interpretation of “reasonable” and the prescriptive nature of the rules are discussed in Section XII.
- Personal Data Breach Notification (Sec 8(6)): In case of a personal data breach, the Fiduciary must notify the Data Protection Board and each affected Data Principal.4 The Draft Rules (Rule 7) detail a two-phase notification process: prompt notification to Principals (with breach details, consequences, mitigation advice, contact info) and immediate notification to the Board, followed by a comprehensive report within 72 hours (or longer if permitted) detailing circumstances, remediation, and confirmation of individual notification.6 Ambiguities regarding the lack of a reporting threshold and the feasibility of timelines are discussed in Section XII.
- Data Retention and Erasure (Sec 8(7)): Must cease to retain personal data (and ensure processors do too) as soon as the purpose for collection is served and retention is no longer necessary for legal or business purposes, or upon withdrawal of consent.4 The Draft Rules (Rule 8) introduce specific 3-year retention limits for certain large intermediaries (e-commerce, social media, gaming) after last interaction, unless legally required otherwise, and mandate a 48-hour notice before deletion.7
- Grievance Redressal Mechanism: Must establish an effective system and appoint an officer or contact person to respond to Data Principal queries and grievances.3
- Accountability for Processors: The Data Fiduciary remains accountable for compliance, even when processing is outsourced to a Data Processor. A valid contract must be in place between the Fiduciary and Processor.8 Rule 6 of the Draft Rules requires processors to adhere to security safeguards via contract.35
V. Significant Data Fiduciaries: Heightened Responsibilities
Recognizing that certain data processing activities pose higher risks, the DPDP Act introduces the concept of Significant Data Fiduciaries (SDFs), subjecting them to more stringent compliance obligations.
Designation (Sec 10):
The Central Government holds the authority to designate any Data Fiduciary or class of Data Fiduciaries as an SDF.3 This designation is based on an assessment of relevant factors, including:
- The volume and sensitivity of personal data processed.
- The risk of harm to Data Principals.
- Potential impact on the sovereignty and integrity of India.
- Risk to electoral democracy.
- Security of the State.
- Public order.
It is anticipated that entities handling large volumes of sensitive data, such as those in the financial technology (fintech), health technology (healthtech), large e-commerce, and social media sectors, are likely candidates for SDF designation.45
Additional Obligations (Sec 10(2)):
Once notified as an SDF, an entity must comply with additional obligations beyond those applicable to all Data Fiduciaries 3:
- Appoint a Data Protection Officer (DPO): The DPO must be based in India and serve as the point of contact for grievance redressal. This individual must be responsible to the Board of Directors or equivalent governing body of the SDF.3 The Draft Rules (Rule 9) require SDFs to publish the DPO’s business contact information.42
- Appoint an Independent Data Auditor: An independent auditor must be appointed to evaluate the SDF’s compliance with the DPDP Act.3
- Conduct Data Protection Impact Assessments (DPIAs): SDFs must undertake DPIAs to systematically assess and mitigate risks associated with their data processing activities.3
- Conduct Periodic Data Audits: Regular audits are required to verify compliance.3
- Other Prescribed Measures: The Draft Rules (Rule 12) add further obligations, including conducting DPIAs and audits annually and submitting reports to the Board.7 They also require due diligence on algorithmic software used for processing personal data to ensure it doesn’t infringe Data Principal rights 7 and introduce the possibility of data localisation requirements for certain data categories.7
Failure to comply with these additional SDF obligations can result in penalties of up to ₹150 crore per instance.59
The creation of the SDF category allows the DPDP framework to implement a risk-based, tiered regulatory approach.18 This structure aims to impose stricter controls and higher compliance burdens on entities whose data processing activities inherently carry greater risk due to the volume, sensitivity, or potential impact of the data involved, without overburdening smaller businesses or those handling less sensitive data.18 This differentiation acknowledges the varying capacities and risk profiles across the business landscape.
However, the process for SDF designation introduces a degree of uncertainty. The criteria listed in Section 10 involve qualitative assessments (e.g., “risk of harm,” “potential impact”) rather than clear quantitative thresholds.8 Furthermore, the ultimate power to designate rests with the Central Government through notification.61 This lack of precise, predefined criteria means that organizations, particularly those operating at scale or handling potentially sensitive data, may face uncertainty about their potential classification as an SDF and the associated significant compliance costs until a notification is issued. This ambiguity can complicate long-term strategic planning and resource allocation for compliance.
VI. Special Focus: Protecting Children’s Data
The DPDP Act places a strong emphasis on protecting the personal data of children, defined as individuals who have not completed the age of eighteen years.1
Key Provisions (Sec 9):
- Verifiable Parental Consent: Data Fiduciaries must obtain verifiable consent from the parent or lawful guardian of a child before processing their personal data.8
- Verification Mechanisms (Draft Rules R.10): The Draft Rules propose methods for achieving verifiable consent. If the parent is already a registered user of the platform, the Fiduciary can rely on the identity and age details previously provided by the parent.26 If the parent is not a user, verification can occur through mechanisms like a virtual token from government-approved entities (e.g., DigiLocker) or other methods notified by the government.26 Data Fiduciaries are required to implement appropriate technical and organizational measures to verify the identity and age of the person providing consent.35 Practical challenges with these mechanisms are discussed in Section XII.
- Prohibited Processing: Data Fiduciaries are explicitly prohibited from undertaking any processing of a child’s personal data that is likely to cause any detrimental effect on the well-being of the child.3 Furthermore, they must not engage in tracking, behavioural monitoring, or targeted advertising directed at children.3
- Exemptions: The Central Government has the power to exempt certain classes of Data Fiduciaries or specific processing purposes from the requirement of obtaining parental consent and the prohibitions on tracking/monitoring/targeted advertising, provided the processing is deemed ‘verifiably safe’.54 The Draft Rules (Rule 11, Schedule 4) propose such exemptions for specific purposes undertaken by entities like healthcare professionals, educational institutions, and childcare providers (e.g., processing for providing health services, education, transport, or care).30
Breaches of obligations related to children’s data carry a high potential penalty of up to ₹200 crore.12
The DPDP Act adopts a particularly protective stance towards children’s data. The definition of a child extending up to the age of 18 1 is higher than the threshold used in many other jurisdictions, such as the GDPR, where member states often set the age of consent between 13 and 16.40 Additionally, the explicit and broad prohibition on tracking, behavioural monitoring, and targeted advertising directed at anyone under 18 16 is notably stricter than GDPR, which lacks such a blanket ban although it urges caution.63 This combination of a high age threshold and strict processing prohibitions presents significant compliance challenges for online platforms and services, particularly those popular among teenagers (13-17 years old), potentially requiring major adjustments to user verification, data handling, and advertising models in the Indian market.
Furthermore, the practical implementation of ‘verifiable parental consent’ poses difficulties. The mechanisms suggested in the Draft Rules 26 rely heavily on parents already being users of the service, the availability and adoption of specific government-linked tools like DigiLocker, or potentially self-attestation.26 Critics point to the lack of robust, universally applicable methods for verifying age or the parent-child relationship beyond these limited options or self-declarations.26 This creates potential loopholes for circumvention 26 and may not cover all families, especially those less digitally integrated.94 The burden of implementing these verification measures falls on the Data Fiduciary 39, potentially increasing operational costs.91 There are also concerns that cumbersome verification processes could lead to ‘consent fatigue’ or create unintended barriers preventing minors from accessing beneficial online services, including educational or support resources.26
VII. Enforcement and Adjudication: The Data Protection Board (DPB)
The DPDP Act establishes the Data Protection Board of India (DPB) as the primary body for enforcing the Act’s provisions and adjudicating non-compliance.1
Establishment and Structure:
- The Central Government is empowered to establish the DPB by notification.12
- The Board comprises a Chairperson and other Members, all appointed by the Central Government.12 Draft Rules provide for appointment and service conditions.17
- Members serve a term of two years and are eligible for reappointment.45
Operational Approach:
- The DPB is designed to function as a “digital office”.1 This means proceedings, from receiving complaints or breach intimations to issuing orders, are intended to be conducted online or digitally wherever practicable.1 This approach aims to enhance efficiency, transparency, and accessibility for both citizens and businesses.18
Powers and Functions:
The DPB is vested with significant adjudicatory powers 3:
- Monitoring and Penalties: Monitor compliance with the Act and impose financial penalties for violations.
- Inquiry into Breaches: Conduct inquiries into personal data breaches upon receiving intimation from a Data Fiduciary or a complaint from an affected Data Principal.
- Remedial Directions: Direct Data Fiduciaries to take urgent remedial or mitigation measures in the event of a data breach.
- Grievance Adjudication: Hear grievances made by affected persons, but only after the person has first exhausted the grievance redressal mechanism offered by the Data Fiduciary or Consent Manager.
- Inquiry Determination: Determine whether there are sufficient grounds to proceed with an inquiry based on a complaint or intimation.
- Conducting Inquiries: Conduct inquiries following principles of natural justice (e.g., allowing the concerned party to be heard).
- Issuing Orders: Issue binding directions and orders upon conclusion of an inquiry.
- Voluntary Undertakings: Accept voluntary undertakings from Data Fiduciaries facing action, which may involve commitments to take or refrain from certain actions within a timeframe.16 Acceptance of such an undertaking can lead to the dropping of proceedings.
- Advising Government on Blocking: Advise the Central Government to block public access to the online platform (website, app, etc.) of a Data Fiduciary found to have repeatedly breached the Act’s provisions.16
- Alternate Dispute Resolution (ADR): Refer complaints for ADR.16
- Civil Court Powers: Possesses powers equivalent to a civil court under the Code of Civil Procedure, 1908, for summoning individuals, examining them on oath, requiring discovery and production of documents, receiving evidence on affidavits, and inspecting data/registers.12
Appeals:
Appeals against orders passed by the DPB can be filed with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).1
Concerns have been raised regarding the potential independence of the DPB. The fact that the Chairperson and Members are appointed (and can be reappointed) solely by the Central Government 12, combined with the relatively short two-year term 45, leads to questions about the Board’s ability to function autonomously, free from executive influence.43 This structure could potentially impact the Board’s impartiality, particularly in cases involving government entities or matters with political sensitivities.
Additionally, while the “digital by design” philosophy 3 promises efficiency gains and aligns with India’s digital transformation goals, it may inadvertently create accessibility barriers.18 A significant portion of India’s population may lack consistent internet access or the digital literacy required to effectively navigate online complaint and hearing mechanisms.18 This reliance on digital channels, while aiming for ease, could potentially disenfranchise certain individuals and hinder their ability to seek redressal under the Act.
VIII. Navigating Cross-Border Data Transfers
The DPDP Act introduces a new regime for the transfer of personal data outside India, moving away from earlier, more restrictive proposals.
DPDP Act Approach (Sec 16):
- Default Permission: The Act generally permits the transfer of personal data by a Data Fiduciary to any country or territory outside India.9
- ‘Blacklisting’ Power (Sec 16(1)): The key restriction mechanism lies with the Central Government, which can, by notification, restrict the transfer of personal data to specific countries or territories it designates.10 This creates a ‘negative list’ or ‘blacklist’ approach, where transfers are allowed unless explicitly prohibited to certain destinations.9 The Act itself does not specify the criteria the government must use for such blacklisting.99
- Primacy of Stricter Laws (Sec 16(2)): The Act clarifies that its provisions do not prevent other Indian laws or sector-specific regulations from imposing higher degrees of protection or stricter restrictions on cross-border data transfers.12 This means regulations from bodies like the Reserve Bank of India (RBI) or other sectoral regulators that mandate data localisation or impose tougher transfer conditions will continue to apply and override the DPDP Act where they offer greater protection.15
Draft Rules Provisions:
The Draft Rules introduce elements that appear to expand the government’s power to restrict data flows beyond the simple blacklisting mechanism envisaged in Section 16:
- Potential Data Localisation for SDFs (Rule 12(4)): This rule empowers the Central Government, based on recommendations from an appointed committee, to specify categories of personal data and associated traffic data that Significant Data Fiduciaries must not transfer outside India.7 This effectively introduces a data localisation requirement for certain data held by SDFs.
- Broader Transfer Restriction Power (Rule 14): This rule allows the Central Government, through general or special orders, to impose restrictions on the transfer or disclosure of personal data to any foreign state or entity controlled by it, or in situations where the transferred data may become subject to the jurisdiction of foreign governments.7
Analysis and Implications:
The Act’s ‘blacklisting’ approach in Section 16 marked a significant departure from earlier legislative proposals that contemplated ‘whitelisting’ (only allowing transfers to approved countries) or stricter mechanisms akin to GDPR’s adequacy requirements.12 This was initially seen as a move towards facilitating freer data flows, crucial for India’s IT and BPO sectors.95
However, the Draft Rules, particularly Rule 12(4) and Rule 14, introduce considerable ambiguity and potential conflict with the Act’s apparent intent.7 Rule 14 grants broad discretionary power to restrict transfers based on factors like potential foreign government jurisdiction, moving beyond the country-specific blacklist model.91 Rule 12(4) explicitly allows for data localisation mandates for SDFs, a measure not directly contemplated in Section 16.7 This apparent inconsistency between the Act’s framework and the expansive powers introduced in the Draft Rules creates significant regulatory uncertainty for businesses, especially multinationals reliant on global data flows.29 Organizations cannot reliably determine the future landscape for data transfers, hindering investment and operational planning.29
The debate around data localisation persists. While the Act seemed to move away from mandatory localisation, the Draft Rules reintroduce it as a possibility for SDFs.7 Concerns remain about the potential negative economic consequences of localisation, such as increased operational costs, reduced innovation, and fragmentation of the internet 37, weighed against perceived benefits for national security or data control.93
Furthermore, the power to restrict transfers (either via blacklisting in Sec 16 or through the broader powers in R.14) rests with the Central Government without clearly defined, objective criteria based on data protection adequacy.32 This lack of specified parameters opens the door for decisions to be potentially influenced by geopolitical factors or diplomatic considerations rather than purely data protection assessments.32 This introduces an element of political risk into data transfer compliance strategies for international businesses.
IX. Penalties for Non-Compliance
The DPDP Act establishes a framework for imposing significant financial penalties for non-compliance, enforced by the Data Protection Board (DPB).
Adjudication and Enforcement:
- The DPB is the body responsible for determining instances of non-compliance with the Act or its rules and imposing penalties following an inquiry.12
- Penalties imposed by the DPB are enforceable in the same manner as a decree of a civil court.74
Penalty Schedule:
The Schedule appended to the DPDP Act outlines the maximum monetary penalties applicable for specific categories of breaches 12:
- Failure to implement reasonable security safeguards to prevent a data breach (Sec 8(5)): Penalty may extend up to ₹250 crore.12
- Failure to notify the Board or affected Data Principals of a personal data breach (Sec 8(6)): Penalty may extend up to ₹200 crore.12
- Breach of additional obligations related to children (Sec 9): Penalty may extend up to ₹200 crore.12
- Breach of additional obligations of Significant Data Fiduciaries (Sec 10): Penalty may extend up to ₹150 crore.59
- Breach of duties by Data Principals (Sec 15): Penalty may extend up to ₹10,000.12
- Breach of any term of a voluntary undertaking accepted by the Board (Sec 32): Penalty up to the extent applicable for the original breach.81
- Breach of any other provision of the Act or rules made thereunder: Penalty may extend up to ₹50 crore.81
Factors in Determining Penalty Amount:
When deciding the quantum of penalty within these maximum limits, the DPB is required to consider various factors, including 18:
- The nature, gravity, and duration of the breach.
- The type and nature of the personal data affected.
- The repetitive nature of the breach.
- Whether the person made any gain or avoided any loss due to the breach.
- Whether the person took any action to mitigate the effects of the breach.
- The person’s history of compliance.
The potential penalties under the DPDP Act are substantial, reaching up to ₹250 crore (approximately USD 30 million at current exchange rates) for certain violations.9 These high caps create significant financial risk for non-compliant organizations, particularly large entities and SDFs, and serve as a strong deterrent, signaling the government’s serious intent regarding data protection enforcement.4 This necessitates considerable investment in robust compliance programs and security measures.
However, a notable omission in the DPDP Act, compared to earlier drafts or other international regimes, is the lack of an explicit mechanism for awarding direct compensation to Data Principals who have suffered harm as a result of a data breach or non-compliance.54 The penalties collected are payable to the state. While individuals may potentially pursue remedies through other legal avenues, the DPB’s adjudication process under the Act does not provide for direct financial redressal to those affected by privacy violations.
X. Comparative Perspective: DPDP Act vs. GDPR
While the DPDP Act draws inspiration from global best practices, particularly GDPR, it incorporates unique features and diverges in several key aspects. Understanding these differences is crucial for multinational organizations aligning their compliance programs.
Key Similarities:
- Core Principles: Both laws are built on similar data protection principles like purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability.2
- Key Roles: Both define analogous roles for the individual (Data Principal/Data Subject), the primary entity responsible for processing (Data Fiduciary/Data Controller), and the entity processing on behalf (Data Processor).3
- Extraterritorial Scope: Both laws apply to organizations outside their respective territories if they offer goods or services to individuals within the territory.2
- Consent Standards: The requirements for valid consent (free, specific, informed, unambiguous, affirmative action) are broadly similar.22
- Core Rights: Both grant individuals fundamental rights like access, correction, and erasure.2
Key Differences:
| Feature | DPDP Act, 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope of Data | Applies only to digital personal data (or non-digital data subsequently digitized) 2 | Applies to personal data in any format, including structured offline data (part of a filing system) 2 |
| Sensitive Data | No specific categories like ‘sensitive personal data’; uniform rules apply 2 | Defines ‘special categories’ (health, race, religion, etc.) with stricter processing conditions 22 |
| Lawful Bases | Primarily Consent + limited ‘Legitimate Uses’ 3 | Six lawful bases, including consent, contractual necessity, legal obligation, vital interests, public task, legitimate interests 22 |
| Individual Rights | Fewer rights; lacks data portability & rights re: automated decisions.10 Imposes duties on Data Principals.9 | Broader rights, including data portability and rights related to automated decision-making/profiling.22 No duties on Data Subjects. |
| Processor Liability | Primary liability rests with Data Fiduciary; no direct statutory obligations on Processor 14 | Imposes direct obligations and liability on Data Processors 67 |
| Cross-Border Transfer | Default permission; ‘Blacklisting’ approach by Govt notification 9 | Requires adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), etc. 22 |
| Breach Notification | Notify Board & all affected Principals for potentially all breaches (threshold unclear) 29 | Notify supervisory authority (if risk); notify Data Subjects only if high risk 22 |
| Age of Consent | 18 years (Child definition) 1 | Varies by Member State (13-16 years) 40 |
| Consent Managers | Unique mechanism introduced 55 | No direct equivalent |
| SDFs | Unique category with higher obligations 63 | No direct equivalent (though risk-based obligations exist) |
| Penalties | Fixed maximums per violation type; no direct compensation mechanism 54 | Can be based on global annual turnover (up to 4% or €20M); potential for compensation 22 |
XI. Business Impact Analysis
The DPDP Act and its Draft Rules necessitate significant adjustments for businesses operating in or targeting India. Compliance requires a proactive and comprehensive approach.
General Compliance Requirements:
Organizations processing digital personal data of individuals in India must undertake several key actions:
- Review and Map Data Flows: Understand what personal data is collected, where it comes from, how it’s used, stored, shared, and retained.36
- Update Policies and Notices: Revise privacy policies and create clear, compliant consent notices meeting the Act’s and Rules’ requirements (including language accessibility and itemized descriptions).36
- Implement Consent Mechanisms: Develop or adopt systems for obtaining, recording, managing, and withdrawing consent that meet the DPDP standard (free, specific, informed, unconditional, unambiguous, affirmative, easily withdrawable).46 Address consent for pre-Act data.1 Consider integration with Consent Managers.38
- Establish Rights Fulfillment Procedures: Create internal processes to handle Data Principal requests for access, correction, erasure, and nomination efficiently and within required timeframes.71
- Enhance Security Safeguards: Implement and maintain “reasonable security safeguards” as per the Act and potentially the minimum standards outlined in the Draft Rules (e.g., encryption, access control, logging).36 Develop incident response plans for data breaches.76
- Review Processor Contracts: Ensure contracts with Data Processors clearly define roles, responsibilities, and mandate compliance with DPDP obligations, particularly security safeguards.35
- Appoint Personnel: Designate a contact person or, if an SDF, a DPO for grievance redressal and compliance oversight.3
- Training and Awareness: Train employees handling personal data on DPDP requirements and internal policies.48
Impact on Startups and Micro, Small, and Medium Enterprises (MSMEs):
- Challenges: The primary challenge for startups and MSMEs lies in the cost and resources required for compliance. Implementing necessary technical security measures, developing compliant consent flows, potentially needing legal expertise to interpret the law and rules, and dedicating personnel time can strain limited budgets.11
- Potential Benefits: The Act’s principles-based nature and focus on digital data might be less burdensome than GDPR initially.62 Demonstrating compliance can build customer trust and offer a competitive advantage.47 The government’s stated aim of “minimum disruption” 19 and the potential for exemptions offer some hope, although details are lacking.
- Exemptions Uncertainty: The Act empowers the Central Government to exempt certain classes of Data Fiduciaries, potentially including startups, from some provisions.13 However, neither the Act nor the Draft Rules specify the criteria, scope, or process for these exemptions. This ambiguity makes it impossible for startups to rely on potential future exemptions in their current compliance planning.62 Industry bodies have called for specific support, grants, and longer transition periods for startups and MSMEs.62
Impact on Significant Data Fiduciaries (SDFs):
- Heightened Compliance Burden: SDFs face a substantially higher compliance threshold, including mandatory appointment of an India-based DPO, annual independent data audits, annual DPIAs, potentially stricter scrutiny of algorithms, and possible data localisation mandates.3
- Increased Scrutiny and Financial Risk: SDFs will likely be under greater regulatory scrutiny from the DPB and face higher penalties (up to ₹150 crore specifically for SDF obligation breaches).59
- Strategic and Operational Impact: The additional obligations, particularly potential restrictions on cross-border data transfers or data localisation requirements introduced via the Draft Rules 7, could significantly impact the global operations, data architecture strategies, and operational costs of large multinational corporations designated as SDFs.
The tiered regulatory structure, differentiating between general Data Fiduciaries and SDFs, inherently creates a disparity in compliance effort and cost.80 While this aims to shield smaller players from excessive burdens 18, it concentrates significant compliance complexity and expense on larger entities deemed high-risk.80
Sector-Specific Considerations:
The Act’s impact will vary across sectors depending on the nature and volume of data processed. Key areas of focus include:
- Finance/BFSI: High volume of KYC, transaction data; cross-border transfer implications; security for sensitive financial data.45
- Healthcare: Handling sensitive health records, patient privacy, data sharing between providers/insurers, consent for research/trials.45
- E-commerce/Retail: Processing purchase history, payment details, browsing behavior; consent for targeted advertising/profiling; managing third-party integrations (payments, logistics).45
- Technology/Cloud: Managing vast customer/enterprise data; cross-border transfer and data residency issues; B2B data sharing complexities.45
- Telecommunications: Handling call records, location data, media consumption; consent for marketing; government access requests.15
- Education: Protecting student data in digital learning environments; parental consent for minors; managing third-party EdTech integrations.45
XII. Implementation Hurdles: Challenges and Ambiguities
Despite the DPDP Act’s aim for clarity and simplicity 17, its implementation faces several practical challenges and ambiguities, particularly evident in the Draft Rules. These need resolution to ensure effective and consistent application of the law.
Practical Difficulties:
- Compliance Costs: Implementing the required technical measures (security, consent platforms), procedural changes (rights fulfillment, breach response), and potentially hiring specialized staff (DPOs, legal counsel) represents a significant financial undertaking, especially for MSMEs and startups.11
- Technical Implementation: Building or integrating systems for granular consent management, tracking data flows for access/erasure requests, and meeting potentially prescriptive security requirements demands technical expertise and development effort.36
- Delayed & Phased Implementation: The significant delay in releasing the Draft Rules and the lack of a definitive enforcement date for the Act create ongoing uncertainty, hindering effective preparation.5 The proposed phased implementation adds another layer of complexity, as businesses need clarity on which provisions apply when.5
- Digital Divide: The DPB’s digital-first approach and reliance on digital consent mechanisms may pose accessibility challenges for individuals in India who lack reliable internet access or digital literacy.18
Key Ambiguities and Areas of Concern:
- Breach Notification Threshold: A major point of contention is the apparent requirement in the Draft Rules (Rule 7) to notify the DPB and affected individuals of every personal data breach, regardless of its scale or potential harm.29 Stakeholders argue this lack of a materiality or risk-of-harm threshold (common in laws like GDPR) will lead to excessive reporting of minor incidents (“notification fatigue”), overwhelming the DPB and desensitizing individuals.29 It may also conflict with existing reporting timelines under CERT-In rules.29 Furthermore, the mandated 72-hour timeframe for providing detailed information to the Board is seen as potentially unrealistic, as comprehensive details are often unavailable in the immediate aftermath of discovering a breach.26
- “Reasonable Security Safeguards”: While the Act mandates “reasonable” safeguards 13, the term itself is not defined. The Draft Rules (Rule 6) attempt to clarify by listing minimum measures (encryption, access control, logging, etc.).6 However, the use of “at the minimum” and the prescriptive nature (e.g., one-year log retention) are criticized for lacking flexibility and a risk-based approach.7 Determining adequacy remains subjective 7, potentially leading to inconsistent implementation or challenges in demonstrating compliance.
- Consent Notice Granularity: The Draft Rules’ (Rule 3) requirement for “itemized descriptions” of data, purposes, and linked goods/services 6 raises concerns about practical implementation. A strict interpretation could lead to excessively long and complex notices, potentially confusing users or causing “consent fatigue,” undermining the goal of informed consent.26 Calls for greater flexibility and potentially standardized templates exist.26
- Verifiable Parental Consent (VPC): As discussed in Section VI, the mechanisms in Draft Rule 10 for verifying parental consent lack robustness and clarity.26 Issues include defining “reliable” existing data, handling situations where verification methods are unavailable, authenticating the parent-child relationship beyond self-declaration, and the lack of specific standards for the required “technical and organizational measures”.26 This ambiguity creates compliance challenges and potential access barriers.26
- Scope of ‘Legitimate Uses’: While Section 7 lists specific grounds for processing without consent, the interpretation of terms like data “voluntarily provided by the Data Principal” or processing for “employment purposes” may require further clarification or guidance to ensure consistent application.23
- Government Exemptions: The Act grants broad powers to the Central Government to exempt its agencies from provisions of the Act on grounds like security of state, public order, or prevention of offences.43 Concerns exist that these wide-ranging exemptions, coupled with potentially broad interpretations of ‘Legitimate Uses’ for state functions 11 and powers to requisition information without clear safeguards 29, could undermine privacy protections and accountability, particularly regarding state surveillance.15
- Cross-Border Transfer Rules: The inconsistencies and ambiguities between the Act’s Section 16 and the Draft Rules (R.12(4), R.14) regarding restrictions and potential localisation create significant uncertainty, as detailed in Section VIII.7
Addressing these ambiguities and challenges through the finalization of the Rules and subsequent guidance will be critical for the successful and effective implementation of India’s data protection regime.
XIII. Conclusion
The Digital Personal Data Protection Act, 2023, along with the Draft DPDP Rules, 2025, represents a watershed moment for data privacy regulation in India. It establishes a comprehensive, albeit principles-based, framework intended to govern the processing of digital personal data, granting individuals specific rights while imposing significant obligations on organizations. The Act’s digital-first approach, the introduction of Consent Managers, and the tiered regulation distinguishing Significant Data Fiduciaries are notable features of the Indian model.
However, the framework is not without its challenges. The significant delay in issuing the Draft Rules has hampered preparedness and created uncertainty. Key ambiguities persist, particularly concerning the practical application of consent requirements, the threshold for data breach notifications, the definition of reasonable security safeguards, the mechanisms for verifiable parental consent, and the final contours of the cross-border data transfer regime. The potential conflict between the Act’s generally permissive stance on data flows and the restrictive powers introduced in the Draft Rules is a major point of concern for businesses operating globally.
Furthermore, the DPDP Act offers a narrower set of individual rights compared to GDPR, lacking provisions like data portability. The imposition of duties on Data Principals is an unusual feature that requires careful implementation to avoid chilling legitimate rights assertion. Concerns also remain regarding the functional independence of the Data Protection Board and the breadth of exemptions granted to government entities.
Ultimately, the success of the DPDP Act will hinge on the final form of the Rules and the manner of their enforcement. Striking the right balance between protecting individual privacy, fostering innovation, addressing the compliance burden on businesses (especially MSMEs), and ensuring clarity and predictability in areas like data transfers and security will be crucial. As India solidifies its position in the global digital economy, the effective and nuanced implementation of this landmark legislation will be paramount in building trust and ensuring responsible data governance for years to come.
Works cited
- THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023) An Act to provide for the processing of digital personal data in – MeitY, accessed on April 18, 2025, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- Digital Personal Data Protection Act, 2023 – Wikipedia, accessed on April 18, 2025, https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023
- Data protection laws in India, accessed on April 18, 2025, https://www.dlapiperdataprotection.com/index.html?t=law&c=IN
- Empowering Privacy: A deep dive into India’s Data Protection and Privacy Act – AmicusX, accessed on April 18, 2025, https://www.amicusx.com/post/empowering-privacy-a-deep-dive-into-india-s-data-protection-and-privacy-act
- Data protection laws in India, accessed on April 18, 2025, https://www.dlapiperdataprotection.com/?t=law&c=IN
- Legal Update and Technology Law Analysis – Nishith Desai Associates, accessed on April 18, 2025, https://www.nishithdesai.com/fileadmin/user_upload/Html/Hotline/Technology_Law_Analysis_Jan0625-M.html
- Draft Digital Personal Data Protection Rules, 2025 – S&R Associates, accessed on April 18, 2025, https://www.snrlaw.in/draft-digital-personal-data-protection-rules-2025/
- India Digital Personal Data Protection Act (DPDP Act) Overview – Usercentrics, accessed on April 18, 2025, https://usercentrics.com/knowledge-hub/india-digital-personal-data-protection-act-dpdpa/
- India Passes Privacy Law | Insights – Mayer Brown, accessed on April 18, 2025, https://www.mayerbrown.com/en/insights/publications/2023/08/india-passes-privacy-law
- From GDPR to DPDP Act and the impact on Indian enterprises – The Sunday Guardian Live, accessed on April 18, 2025, https://sundayguardianlive.com/business/from-gdpr-to-dpdp-act-and-the-impact-on-indian-enterprises
- Your Data, Your Choice: Unpacking the Draft DPDP Rules 2025 – SPRF, accessed on April 18, 2025, https://sprf.in/your-data-your-choice-unpacking-the-draft-dpdp-rules-2025/
- Understanding Basics of Digital Personal Data Protection (DPDP) – Information Security Consulting Company – VISTA InfoSec, accessed on April 18, 2025, https://vistainfosec.com/blog/understanding-dpdp-basics/
- Digital Personal Data Protection Act, 2023 – Lawyers Associated Worldwide, accessed on April 18, 2025, https://www.lawyersworldwide.com/wp-content/uploads/Digital-Personal-Data-Protection-Act-2023.pdf
- The key aspects of India’s Data Protection Act – Law.asia, accessed on April 18, 2025, https://law.asia/india-data-protection-key-aspects/
- The impact of India’s DPDPA on existing laws and regulations – IAPP, accessed on April 18, 2025, https://iapp.org/news/a/the-impact-of-india-s-dpdpa-on-existing-laws-and-regulations
- Digital Personal Data Protection Act, 2023 – Digital governance – Vikaspedia, accessed on April 18, 2025, https://egovernance.vikaspedia.in/viewcontent/e-governance/digital-india/digital-personal-data-protection-act-2023?lgn=en
- MeitY releases Draft Digital Personal Data Protection Rules, 2025 for public consultation, accessed on April 18, 2025, https://pib.gov.in/PressReleasePage.aspx?PRID=2090048
- Draft Digital Personal Data Protection Rules – PIB, accessed on April 18, 2025, https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
- Salient Features of the Digital Personal Data Protection Bill, 2023 – PIB, accessed on April 18, 2025, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1947264
- Digital Personal Data Protection Act of India (DPDP) – usecure Blog, accessed on April 18, 2025, https://blog.usecure.io/digital-personal-data-protection-act-of-india-dpdp
- The Digital Personal Data Protection Act, 2023 | Corporate Professionals, accessed on April 18, 2025, https://www.corporateprofessionals.com/wp-content/uploads/2024/02/the-digital-personal-data-protection-act-2023.pdf
- GDPR Vs India’s DPDPA: Key Differences And Compliance Implications – Ardent Privacy, accessed on April 18, 2025, https://www.ardentprivacy.ai/blog/gdpr-vs-indias-dpdpa/
- Internal Investigations Under the Digital Personal Data Protection Act, 2023, accessed on April 18, 2025, https://disputeresolution.cyrilamarchandblogs.com/2025/01/internal-investigations-under-the-digital-personal-data-protection-act-2023/
- Draft Digital Personal Data Protection Rules, 2025 – Innovate India – MyGov.in, accessed on April 18, 2025, https://innovateindia.mygov.in/dpdp-rules-2025/
- India: MeitY publishes draft Digital Personal Data Protection Rules | News – DataGuidance, accessed on April 18, 2025, https://www.dataguidance.com/news/india-meity-publishes-draft-digital-personal-data
- India’s draft data protection rules – Law.asia, accessed on April 18, 2025, https://law.asia/draft-digital-personal-data-protection-rules-2025/
- MeitY Releases the Draft Digital Personal Data Protection Rules, 2025 – GALA, accessed on April 18, 2025, https://blog.galalaw.com/post/102k1ll/meity-releases-the-draft-digital-personal-data-protection-rules-2025-a-proposed
- Act and Policies – MeitY, accessed on April 18, 2025, https://www.meity.gov.in/documents/act-and-policies
- Impact of India’s data protection framework on policy and business – Law.asia, accessed on April 18, 2025, https://law.asia/india-data-protection-policy-business-impact/
- DPDP rules inch forward but bring challenges | India – Law.asia, accessed on April 18, 2025, https://law.asia/digital-personal-data-protection-rules-challenges-india/
- Transfer in India – Data Protection Laws of the World, accessed on April 18, 2025, https://www.dlapiperdataprotection.com/?t=transfer&c=IN
- Critical Analysis of the Draft DPDP Rules 2025 – Bridge Counsels, accessed on April 18, 2025, https://bridgecounsels.com/critical-analysis-of-the-draft-dpdp-rules-2025/
- Decoding India’s draft DPDPA rules for the world – IAPP, accessed on April 18, 2025, https://iapp.org/news/a/decoding-india-s-draft-dpdpa-rules-for-the-world
- Data protection rules: India Inc says challenges remain – The New Indian Express, accessed on April 18, 2025, https://www.newindianexpress.com/business/2025/Jan/05/data-protection-rules-india-inc-says-challenges-remain
- 9 Sweeping Changes Proposed in India’s Latest Data Protection Draft Rules: What U.S. Employers Can Do to Prepare | Fisher Phillips – JDSupra, accessed on April 18, 2025, https://www.jdsupra.com/legalnews/9-sweeping-changes-proposed-in-india-s-2008463/
- Transforming data privacy: Digital Personal Data Protection Rules, 2025 | EY – India, accessed on April 18, 2025, https://www.ey.com/en_in/insights/cybersecurity/transforming-data-privacy-digital-personal-data-protection-rules-2025
- Internet Society’s Comments on India’s Digital Personal Data Protection (DPDP) Rules 2025, accessed on April 18, 2025, https://www.internetsociety.org/resources/doc/2025/internet-societys-comments-on-indias-digital-personal-data-protection-dpdp-rules-2025/
- Key Takeaways from the Draft Digital Personal Data Protection Rules, 2025, accessed on April 18, 2025, https://www.saikrishnaassociates.com/key-takeaways-from-the-draft-digital-personal-data-protection-rules-2025/
- FREQUENTLY ASKED QUESTIONS ON THE DRAFT DIGITAL PERSONAL DATA PROTECTION RULES, 2025 – Legal 500, accessed on April 18, 2025, https://www.legal500.com/developments/thought-leadership/frequently-asked-questions-on-the-draft-digital-personal-data-protection-rules-2025/
- An Overview of India’s DPDP Rules 2025: Key Highlights – Ampcus Cyber, accessed on April 18, 2025, https://www.ampcuscyber.com/blogs/dpdp-rules/
- Understanding the Draft Digital Personal Data Protection Rules, 2025 – Treelife, accessed on April 18, 2025, https://treelife.in/legal/understanding-the-draft-digital-personal-data-protection-rules-2025/
- Digital Data Protection Rules 2025: Key Insights & Cases – Metalegal, accessed on April 18, 2025, https://www.metalegal.in/post/breaking-down-the-digital-personal-data-protection-rules-2025-with-examples-that-affect-your-daily
- Digital Data Protection Bill, 2023 – Balancing Privacy And Progress, accessed on April 18, 2025, https://www.impriindia.com/insights/policy-update/data-protection-bill/
- Decoding the Digital Personal Data Protection Act, 2023 | EY – India, accessed on April 18, 2025, https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
- Everything You Need to Know About the DPDP Act India, 2023 – Knovos, accessed on April 18, 2025, https://www.knovos.com/blog/everything-you-need-to-know-about-the-dpdp-act-india-2023/
- Unlocking DPDP Act Compliance: Essential Tools You Need to Know – JISA Softech Pvt Ltd, accessed on April 18, 2025, https://www.jisasoftech.com/unlocking-dpdp-compliance-essential-tools-you-need-to-know/
- India’s Data Protection Bill: Impacts on India’s MSME Sector – Blog | BimaKavach, accessed on April 18, 2025, https://www.bimakavach.com/blog/indias-data-protection-bill-impacts-on-indias-msme-sector/
- Key Legal Challenges For Startups In India And How To Overcome Them – Legallands LLP, accessed on April 18, 2025, https://legallands.com/key-legal-challenges-for-startups-in-india-and-how-to-overcome-them/
- One year of DPDP Act: Firms in a fix over delayed implementation of rules, accessed on April 18, 2025, https://www.business-standard.com/economy/news/one-year-of-dpdp-act-delayed-rules-hamper-india-s-data-protection-law-124081100299_1.html
- Personal Data Protection Act, 2023: A Step Forward Or A Threat To Privacy? – Lawful Legal, accessed on April 18, 2025, https://lawfullegal.in/personal-data-protection-act-2023-a-step-forward-or-a-threat-to-privacy/
- (PDF) EMPOWERING INDIVIDUALS: A DEEP DIVE INTO THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 – ResearchGate, accessed on April 18, 2025, https://www.researchgate.net/publication/381383119_EMPOWERING_INDIVIDUALS_A_DEEP_DIVE_INTO_THE_DIGITAL_PERSONAL_DATA_PROTECTION_ACT_2023
- The Digital Personal Data Protection Bill, 2023 – PRS India, accessed on April 18, 2025, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023
- The Digital Personal Data Protection Bill, 2023 – PRS India, accessed on April 18, 2025, https://prsindia.org/files/bills_acts/bills_parliament/2023/Summary_Digital_Personal_Data_Protection_Bill_2023.pdf
- Digital Personal Data Protection Act, 2023 – Key Highlights – AZB & Partners, accessed on April 18, 2025, https://www.azbpartners.com/bank/digital-personal-data-protection-act-2023-key-highlights/
- India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison – Latham & Watkins LLP, accessed on April 18, 2025, https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
- A Dawn of a New Era for Data Protection in India: An in-depth analysis of the Digital Personal Data Protection Act, 2023 – Legal 500, accessed on April 18, 2025, https://www.legal500.com/developments/thought-leadership/a-dawn-of-a-new-era-for-data-protection-in-india-an-in-depth-analysis-of-the-digital-personal-data-protection-act-2023/
- Understanding the Digital Personal Data Protection (DPDP) Act: A Comprehensive Guide for Businesses | Zscaler, accessed on April 18, 2025, https://www.zscaler.com/blogs/product-insights/understanding-digital-personal-data-protection-dpdp-act-comprehensive-guide
- India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison – Latham & Watkins LLP, accessed on April 18, 2025, https://www.lw.com/en/insights/2023/12/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison
- Guide to India’s Digital Personal Data Protection Act (DPDP Act) – CookieYes, accessed on April 18, 2025, https://www.cookieyes.com/blog/india-digital-personal-data-protection-act-dpdpa/
- India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison, accessed on April 18, 2025, https://www.globalprivacyblog.com/2023/12/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/
- India’s Digital Personal Data Protection Act, 2023 (DPDP Act) vs GDPR – Securiti.ai, accessed on April 18, 2025, https://securiti.ai/india-digital-personal-data-protection-act-vs-gdpr/
- Here’s How The New DPDP Bill Will Impact India’s Startup Ecosystem – Inc42, accessed on April 18, 2025, https://inc42.com/features/heres-how-the-new-dpdp-bill-will-impact-indias-startup-ecosystem/
- Indian Data Protection Law versus GDPR – A Comparison – AZB & Partners, accessed on April 18, 2025, https://www.azbpartners.com/bank/indian-data-protection-law-versus-gdpr-a-comparison/
- India: Digital Personal Data Protection Act, 2023 – what it means for cross-border transfers, accessed on April 18, 2025, https://www.dataguidance.com/opinion/india-digital-personal-data-protection-act-2023-0
- Implications of India’s New Data Protection Law for U.S. Multinational Employers, accessed on April 18, 2025, https://www.acc.com/resource-library/implications-indias-new-data-protection-law-us-multinational-employers
- Understanding India’s New Data Protection Law, accessed on April 18, 2025, https://carnegieendowment.org/research/2023/10/understanding-indias-new-data-protection-law
- Comparing GDPR and DPDPA | Data Protection Laws in EU and India – Secure Privacy, accessed on April 18, 2025, https://secureprivacy.ai/blog/comparing-gdpr-dpdpa-data-protection-laws-eu-india
- What is the difference between GDPR and DPDP Act? – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/gdpr-vs-dpdp
- Digital Personal Data Protection Act, 2023: Key Provisions & Overview – The Legal School, accessed on April 18, 2025, https://thelegalschool.in/blog/data-privacy-act-india
- GDPR V INDIA’S DPDPA: KEY DIFFERENCES AND COMPLIANCE IMPLICATIONS, accessed on April 18, 2025, https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-dpdpa-key-differences-and-compliance-implications/
- Understanding Data Principal Rights Under DPDPA & DPDP Rules – Tsaaro Consulting, accessed on April 18, 2025, https://tsaaro.com/blogs/understanding-data-principal-rights-under-dpdpa-2023-and-draft-dpdp-rules-2025/
- Rights of a Data Principal Under the DPDP Act – Information Security Consulting Company, accessed on April 18, 2025, https://vistainfosec.com/blog/dpdp-act-data-principal-rights/
- Rights and Duties of a Data Principal under – DSCI, accessed on April 18, 2025, https://www.dsci.in/files/content/documents/2024/DPD24Infographic-Responsibilities-of-a-Data-Principal-under-the-DPDPA.pdf
- FAQs-on-DPDP-Act-2023-MiniBooklet.pdf – DSCI, accessed on April 18, 2025, https://www.dsci.in/files/content/documents/2024/FAQs-on-DPDP-Act-2023-MiniBooklet.pdf
- India’s DPDP Act: Obligations of Data Fiduciaries – Ardent Privacy, accessed on April 18, 2025, https://www.ardentprivacy.ai/blog/data-fiduciary-obligations-under-the-digital-personal-data-protection-act-2023/
- DPDP Act Compliance Guide: Essential Steps for Businesses – Corrida Legal, accessed on April 18, 2025, https://corridalegal.com/dpdp-act-compliance-guide-essential-steps-for-businesses/
- Duties of Data Fiduciary under DPDPA, 2023 – Tsaaro Consulting, accessed on April 18, 2025, https://tsaaro.com/blogs/duties-of-data-fiduciary-under-dpdpa-2023/
- DPDP Diaries: The Anatomy of a Data Fiduciary – IDfy, accessed on April 18, 2025, https://www.idfy.com/blog/dpdp-diaries-the-anatomy-of-a-data-fiduciary/
- Who’s a Significant Data Fiduciary Under The DPDP Act, accessed on April 18, 2025, https://www.dpdpconsultants.com/blog/whos-a-significant-data-fiduciary-under-the-dpdp-act.php
- DPDP Compliance for Significant Data Fiduciaries (SDFs) – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/significant-data-fiduciary
- Digital Personal Data Protection Act, 2023 DPDPA SECTION 7 WITH INTERPRETATION, accessed on April 18, 2025, https://dpdpa.com/theschedule.html
- Who is a Significant Data Fiduciary under the DPDP Act? – IDfy, accessed on April 18, 2025, https://www.idfy.com/blog/significant-data-fiduciary/
- Top 10 operational impacts of India’s DPDPA – Data audits for significant fiduciaries – IAPP, accessed on April 18, 2025, https://iapp.org/resources/article/operational-impacts-of-indias-dpdpa-part8/
- Rights of Data Principals under the DPDP Act explained – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/rights-dpdp
- India DPDP Act Data Principal Rights and Requests – Secure Privacy, accessed on April 18, 2025, https://secureprivacy.ai/blog/india-dpdp-act-data-principal-rights-and-requests
- India’s Digital Personal Data Protection (DPDP) Act, 2023: everything you need to know, accessed on April 18, 2025, https://www.didomi.io/blog/india-digital-personal-data-protection-dpdp-act-2023-everything-you-need-to-know
- DPDP Act Compliance: Your Ultimate FAQ Guide to Consent Managers in India – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/consentfaq
- DRAFT DIGITAL DATA PROTECTION RULES 2025: UPSC Current Affairs – IAS Gyan, accessed on April 18, 2025, https://www.iasgyan.in/daily-editorials/draft-digital-data-protection-rules-2025
- What is Data Protection Board under DPDP Law – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/data-protection-board
- Penalties for non-compliance under DPDP Act 2023 – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/penalties
- www.bsa.org, accessed on April 18, 2025, https://www.bsa.org/files/policy-filings/02272025bsadpdprules.pdf
- Exemptions under the DPDP Act? – Leegality, accessed on April 18, 2025, https://www.leegality.com/consent-blog/exemptions
- CROSS-BORDER DATA TRANSFERS: LEGAL CHALLENGES AND SOLUTIONS IN THE GLOBALIZED DIGITAL ECONOMY – Indian Journal of Integrated Research in Law, accessed on April 18, 2025, https://ijirl.com/wp-content/uploads/2024/02/CROSS-BORDER-DATA-TRANSFERS-LEGAL-CHALLENGES-AND-SOLUTIONS-IN-THE-GLOBALIZED-DIGITAL-ECONOMY.pdf
- fpf.org, accessed on April 18, 2025, https://fpf.org/wp-content/uploads/2025/03/Full-Submission-to-MeitY-on-Indias-Draft-DPDP-Rules-Final-5-March-2025.pdf
- globaldataalliance.org, accessed on April 18, 2025, https://globaldataalliance.org/wp-content/uploads/2025/02/02282025gdaiddpdp.pdf
- Data Protection Board of India – Wikipedia, accessed on April 18, 2025, https://en.wikipedia.org/wiki/Data_Protection_Board_of_India
- The Data Protection Board of India Its Powers and Functions – Tsaaro, accessed on April 18, 2025, https://tsaaro.com/blogs/the-data-protection-board-of-india-its-powers-and-functions/
- AI Hampers Privacy and Analysis of Digital Personal Data Protection Act 2023 by Dhatchayini Amarnath & Minnila Priyadarshini S, accessed on April 18, 2025, https://www.whiteblacklegal.co.in/details/ai-hampers-privacy-and-analysis-of-digital-personal-data-protection-act-2023-by—dhatchayini-amarnath-minnila-priyadarshini-s
- Guarding The Data Frontier: Navigating Cross-Border Data Transfer Under Digital Personal Data Protection Act – NLIU Law Review, accessed on April 18, 2025, https://nliulawreview.nliu.ac.in/blog/guarding-the-data-frontier-navigating-cross-border-data-transfer-under-digital-personal-data-protection-act/
- Top 10 operational impacts of India’s DPDPA – Cross-border data transfers – IAPP, accessed on April 18, 2025, https://iapp.org/resources/article/operational-impacts-of-indias-dpdpa-part5/
- Cross-Border Data Transfer Requirements Under India DPDPA – Securiti.ai, accessed on April 18, 2025, https://securiti.ai/cross-border-data-transfer-requirements-under-india-dpdpa/
- Major data protection statutes in the world : a comparative analysis – iPleaders, accessed on April 18, 2025, https://blog.ipleaders.in/major-data-protection-statutes-in-the-world-a-comparative-analysis/
