India Data Privacy Laws: DPDP Act 2023 and DPDP Rules 2025 Complete Guide

India's Digital Personal Data Protection Act, 2023 (No. 22 of 2023) governs how organisations collect and use digital personal data within India, and applies to processing outside India when it is connected with offering goods or services to individuals in India. The DPDP Rules, notified November 13, 2025, set phased compliance deadlines, with the remaining substantive obligations and the Schedule 1 penalties of up to INR 250 crore taking effect on May 13, 2027.
India enacted the Digital Personal Data Protection Act 2023 (DPDP Act) after decades of debate and a series of failed legislative drafts. The Act received Presidential assent on August 11, 2023, making India the 19th G20 nation with a comprehensive data protection law. The implementing DPDP Rules, notified on November 13, 2025, completed the framework and set a phased enforcement calendar. This guide covers the full regime: the constitutional foundation, the DPDP Act and Rules, the Data Protection Board, consent mechanics, data principal rights, Significant Data Fiduciary obligations, cross-border transfers, penalties, the legacy IT Act framework being superseded, and practical compliance steps.
Information in this guide reflects the DPDP Act, No. 22 of 2023, and the DPDP Rules, 2025, as notified by MeitY on November 13, 2025. Verified as of May 19, 2026. Consult a lawyer licensed to practise in India for advice specific to your organisation.
Quick Answer: What Governs Data Privacy in India?
India's data protection regime rests on two pillars: the Digital Personal Data Protection Act, 2023 (DPDP Act), which is the primary statute, and the Digital Personal Data Protection Rules, 2025 (DPDP Rules), which provide the operational detail. Together they establish who must comply, on what legal basis data may be processed, what rights individuals hold, what obligations fall on data-handling organisations, how the regulator is structured, and what penalties apply.
The Act applies to digital personal data processed within India and to processing outside India when it involves offering goods or services to individuals in India. Two core roles structure the framework. A Data Fiduciary is any person, company, or government entity that determines the purpose and means of processing personal data. A Data Principal is the individual whose personal data is processed.
The regime is enforced by the Data Protection Board of India (DPBI), an adjudicatory body established under Section 18 of the Act, with its appointment and procedural rules set by the DPDP Rules. The Act directs the Board to function as a digital office as far as practicable: complaints are filed online, proceedings are conducted electronically, and appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29.
Before the DPDP Act, India relied on a patchwork of provisions under the Information Technology Act, 2000, primarily Section 43A and the SPDI Rules of 2011. That legacy framework is superseded by the DPDP regime as the phased rollout completes by May 2027.

Constitutional Foundation: Puttaswamy and the Right to Privacy
The DPDP Act's constitutional legitimacy derives from a landmark Supreme Court ruling. In K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, a nine-judge bench of the Supreme Court unanimously held that the right to privacy is a fundamental right guaranteed by the Constitution of India, traceable to Articles 14, 19, and 21.
Justice D.Y. Chandrachud, writing the plurality opinion, articulated that informational privacy, meaning control over one's personal data and narrative, forms a core dimension of this right. The judgment framed a proportionality standard for any state interference with privacy: it must (i) have a basis in law, (ii) serve a legitimate aim, and (iii) be proportionate to that aim; Justice Kaul's concurrence added the need for procedural guarantees against abuse.
The Puttaswamy ruling overruled two earlier decisions, M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P. (1963), to the extent they held that the Constitution did not recognise a right to privacy. By overruling those precedents, the nine-judge bench cleared the legal path for comprehensive data protection legislation.
The DPDP Act is explicitly framed as giving effect to this fundamental right. Its long title states that the Act is enacted to "provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes." Any future challenge to the Act's scope, exemptions, or penalties will be assessed against the proportionality standard the Puttaswamy court established.

The Legacy Framework: IT Act 2000 and the SPDI Rules
Understanding the DPDP Act requires knowing what it replaces. India's pre-2023 data protection regime rested on two instruments.
Section 43A of the Information Technology Act, 2000 made corporate bodies liable for compensation when negligent handling of "sensitive personal data or information" (SPDI) caused wrongful loss. The liability was civil and compensatory, not regulatory with capped fines. Crucially, it applied only to corporate bodies; government agencies were outside its scope.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) defined SPDI categories: passwords, financial information, physical and mental health conditions, sexual orientation, medical records, and biometric data. They required a privacy policy, purpose limitation, and consent before collection.
The SPDI framework had four structural weaknesses. First, government data processing was largely unregulated. Second, the definition of SPDI was narrow and omitted modern data types such as location data, browsing histories, and inferred characteristics. Third, enforcement was inadequate and penalties were disproportionately low for large-scale incidents. Fourth, there was no independent regulator.
The DPDP Act does not automatically repeal the SPDI Rules on enactment. Section 44 of the Act omits Section 43A from the IT Act, and the SPDI Rules made under it fall with it, but only once the Central Government brings that provision into force, which is scheduled for the final phase on May 13, 2027. Until then, organisations with potential SPDI exposure should treat both frameworks as concurrently applicable and default to the higher standard.

Scope and Territorial Application
The DPDP Act applies to:
- Processing of digital personal data within India, whether the data was originally collected online or offline and later digitised.
- Processing of digital personal data outside India when it is done in connection with providing goods or services to Data Principals located within India.
The Act does not apply to: personal data processed by an individual for purely personal or domestic purposes; or personal data made publicly available by the Data Principal or by a person under a legal obligation to make it public. Separately, Section 17(2)(b) disapplies the Act to processing for research, archiving, or statistical purposes where the data is not used to take decisions specific to individual Data Principals and the processing follows the prescribed standards.
The extra-territorial scope matches the GDPR's targeting principle and means foreign companies marketing to Indian consumers, operating Indian-language apps, or accepting Indian Rupee payments must assess whether the DPDP Act applies to their operations.
Consent Framework and Lawful Processing
Consent is the primary legal basis under the DPDP Act. Section 6(1) defines consent as free, specific, informed, unconditional, and unambiguous, given with a clear affirmative action, signifying agreement to processing for the specified purpose and limited to the personal data necessary for that purpose.
Before relying on consent, a Data Fiduciary must provide a notice explaining: (a) the personal data to be collected and the purpose of processing, (b) how the Data Principal may withdraw consent and exercise their rights, and (c) how to file a complaint with the DPBI. Section 5(3) and Section 6(3) require the notice and the consent request to be in clear, plain language, with the option to access them in English or any of the 22 languages listed in the Eighth Schedule of the Constitution, so that language is not a barrier to informed consent.
Consent may be withdrawn at any time. On withdrawal, the Data Fiduciary must cease processing and delete the data unless retention is required by law. A Data Fiduciary may not make provision of services conditional on consent for purposes beyond what is necessary for those services.
Legitimate Uses: Processing Without Consent
The Act supplements consent with a closed set of "legitimate uses" permitting processing without consent:
- Voluntary provision of data for a specified purpose, where the Data Principal's voluntary act signals intent.
- Processing necessary to provide Central or State Government benefits, subsidies, services, or licences.
- Processing required by a court order, tribunal, or law.
- Medical emergencies and epidemics threatening life or public health.
- Disaster and public-order situations.
- Employment-related processing where the employer is the Data Fiduciary and the purpose is reasonably related to employment.
This list is narrower than the GDPR's six lawful bases, which include a broad legitimate-interests basis. The DPDP Act has no equivalent, which means organisations that rely on GDPR legitimate interests to process data about Indian residents must map those activities to consent or a listed legitimate use.
Consent Managers: A Distinctive Indian Innovation
One of the DPDP Act's most novel features is the formal recognition of Consent Managers: entities registered with the Data Protection Board that enable Data Principals to manage their consents across multiple platforms through a single interoperable interface.
The consent manager framework becomes operational under Phase 2 of the rollout on November 13, 2026. Key requirements under the DPDP Rules include:
- The consent manager must be a company incorporated in India.
- It must maintain a minimum net worth of INR 2 crore (approximately USD 240,000).
- It must implement information security safeguards for the consent records it holds and maintain clear conflict-of-interest policies.
- It must maintain records of all consent activity for at least seven years in machine-readable format.
- It must submit to regular audits by the Data Protection Board.
- It must act in a fiduciary capacity toward Data Principals and cannot simultaneously serve as a Data Fiduciary or Data Processor for the same Data Principal whose consent it manages.
The consent manager concept has no direct equivalent in the GDPR framework. It reflects India's vision of a consent-as-infrastructure layer sitting above individual platforms, potentially reducing consent fatigue by allowing individuals to manage permissions in one place rather than across hundreds of separate apps and services.
Data Principal Rights
The DPDP Act grants Data Principals the following rights. Compared to the GDPR, the rights to data portability and to object to automated decision-making are absent.
Right to Information and Access
A Data Principal may request a summary of the personal data the Data Fiduciary holds and the processing activities conducted, including the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared (Section 11).
Right to Correction and Erasure
A Data Principal may request correction of inaccurate or incomplete data and erasure of data no longer necessary for the purpose for which it was collected. For the platform classes listed in the Third Schedule to the DPDP Rules (e-commerce entities and social media intermediaries with at least 2 crore (20 million) registered users in India, and online gaming intermediaries with at least 50 lakh (5 million)), the Rules treat the specified purpose as no longer served once the Data Principal has neither approached the platform for that purpose nor exercised any rights for three years. The platform must then alert the Data Principal at least 48 hours before erasing the data, and any approach by the Data Principal in that window resets the clock.
Data Fiduciaries must respond to correction and erasure requests within 90 days. If the request is rejected, the fiduciary must communicate the reasons and the path to escalate to the DPBI.
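The inactivity-driven erasure trigger above is a small state machine: a retention clock, a pre-erasure alert that must land at least 48 hours before deletion, a reset whenever the Data Principal approaches the platform again, and a legal-hold carve-out for data whose retention another law requires (Section 8(7)). The scheduler below is an added illustration written for this guide, not code from the Act, the Rules, or any platform. It assumes "three years" means 3 x 365 days (the Rules do not define the period in days), labels its platform classes and thresholds after the page's description of the Third Schedule, and constructs all dates inline.

```python
"""Inactivity-triggered erasure scheduler (added example; not from the DPDP Act or Rules).

Assumptions, stated here and in comments below:
- "three years" is taken as 3 * 365 days; the Rules do not define it in days.
- The 48-hour alert is scheduled so erasure can occur as soon as the period ends;
  a late alert pushes erasure back until 48 hours after it was sent.
- Platform class names and thresholds mirror the page's summary of the Third Schedule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_PERIOD = timedelta(days=3 * 365)   # assumption: three years expressed in days
NOTICE_LEAD = timedelta(hours=48)             # alert must precede erasure by at least 48 hours

# Registered-user thresholds (India) at or above which the inactivity rule applies.
THRESHOLDS = {
    "e_commerce": 20_000_000,
    "social_media": 20_000_000,
    "online_gaming": 5_000_000,
}


def rule_applies(platform_class: str, registered_users_in_india: int) -> bool:
    """True when the platform is in a listed class and meets its threshold."""
    limit = THRESHOLDS.get(platform_class)
    return limit is not None and registered_users_in_india >= limit


@dataclass
class PrincipalRecord:
    principal_id: str
    last_activity: datetime              # last approach for the purpose or exercise of a right
    notice_sent_at: Optional[datetime] = None
    legal_hold: bool = False             # retention required by another law (Section 8(7) carve-out)
    erased: bool = False


def record_activity(rec: PrincipalRecord, when: datetime) -> None:
    """Any approach by the principal resets the clock and cancels a pending alert."""
    if rec.erased:
        raise ValueError("cannot record activity for an erased principal")
    rec.last_activity = when
    rec.notice_sent_at = None


def next_action(rec: PrincipalRecord, now: datetime) -> str:
    """Decide what the scheduler should do for this record at time `now`.

    Returns one of: "already_erased", "retain", "send_notice",
    "await_erasure", "legal_hold", "erase".
    """
    if rec.erased:
        return "already_erased"
    purpose_expiry = rec.last_activity + INACTIVITY_PERIOD
    if rec.notice_sent_at is None:
        # Send the alert so that it lands at least 48 hours before the purpose expires.
        return "send_notice" if now >= purpose_expiry - NOTICE_LEAD else "retain"
    # Never erase before the period ends, nor within 48 hours of the alert.
    earliest_erase = max(purpose_expiry, rec.notice_sent_at + NOTICE_LEAD)
    if now < earliest_erase:
        return "await_erasure"
    return "legal_hold" if rec.legal_hold else "erase"


def apply_action(rec: PrincipalRecord, action: str, now: datetime) -> None:
    """Persist the side effects of an action chosen by next_action()."""
    if action == "send_notice":
        rec.notice_sent_at = now          # a real system would also deliver the alert here
    elif action == "erase":
        rec.erased = True


def run_timeline(legal_hold: bool = False, reactivate_after_notice: bool = False) -> List[str]:
    """Walk one principal through the lifecycle on constructed checkpoints.

    With reactivate_after_notice=True the principal logs in after the alert,
    which must cancel the pending erasure and restart the three-year clock.
    """
    start = datetime(2027, 5, 13, tzinfo=timezone.utc)          # constructed: Phase 3 start
    rec = PrincipalRecord("p-001", last_activity=start, legal_hold=legal_hold)
    checkpoints = [
        start + timedelta(days=400),                            # well within three years
        start + INACTIVITY_PERIOD - timedelta(hours=47),        # inside the 48-hour alert window
        start + INACTIVITY_PERIOD - timedelta(hours=1),         # alert sent, erasure not yet due
        start + INACTIVITY_PERIOD + timedelta(hours=1),         # 48 hours after the alert
        start + INACTIVITY_PERIOD + timedelta(days=1),
    ]
    trace = []
    for index, now in enumerate(checkpoints):
        if reactivate_after_notice and index == 2:
            record_activity(rec, now)                           # principal comes back
        action = next_action(rec, now)
        apply_action(rec, action, now)
        trace.append(action)
    return trace


if __name__ == "__main__":
    print(run_timeline())
    print(run_timeline(reactivate_after_notice=True))
    print(run_timeline(legal_hold=True))
```

The alert is scheduled 48 hours before the three-year mark rather than at it, so a platform that sends the alert on time can erase the moment the period ends; an alert sent late delays erasure until 48 hours after it goes out, which keeps the "at least 48 hours" guarantee intact even when the job runs behind. The `legal_hold` branch is there because Section 8(7) permits retention where another law requires it; in practice that flag should be set from a documented legal basis, not by the scheduler.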
Right to Grievance Redressal
Every Data Fiduciary must establish a published grievance redressal mechanism and respond to complaints within a timeline not exceeding 90 days. Unresolved grievances may be escalated to the Data Protection Board.
Right to Nominate
A Data Principal may designate a trusted individual to exercise their data rights on their behalf in the event of death or incapacity. This nomination right has no GDPR equivalent and reflects the Indian legal tradition of anticipating personal representatives in statutory schemes.
Duties of Data Principals
The Act also imposes duties on Data Principals. They must not impersonate another person, withhold material information, or file frivolous or false complaints with the Board. A Data Principal who violates these duties may face a penalty of up to INR 10,000 under Schedule 1.
Significant Data Fiduciaries
The Central Government may designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on the volume and sensitivity of data processed, the potential risk of harm to Data Principals, and the potential impact on India's sovereignty, security, or public order.
SDFs face obligations beyond those of standard Data Fiduciaries:
- Appoint a Data Protection Officer (DPO) who is an individual based in India, serves as the point of contact for grievance redressal, and is responsible to the Board of Directors or equivalent governing body.
- Conduct a Data Protection Impact Assessment (DPIA) at least once every 12 months and report significant observations to the DPBI.
- Undergo an independent data protection audit each year by an auditor appointed for the purpose.
- Observe due diligence to verify that the technical measures it deploys, including algorithmic software, are not likely to pose a risk to the rights of Data Principals.
- Comply with any data localisation requirements the Central Government specifies, which may prohibit transfer of certain categories of personal data outside India.
As of May 2026, MeitY had not published a list of designated SDFs. Industry expects the initial list to include large technology platforms, financial services companies, and healthcare aggregators.
Children's Data
The DPDP Act defines a child as any person under 18 years of age and imposes the strictest requirements on processing their data.
Before processing a child's personal data, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian. The DPDP Rules require due diligence to check that the person giving consent as the parent is an adult who can be identified if required, either from reliable identity and age details the fiduciary already holds, or from details (or a virtual token mapped to them) voluntarily provided and issued by an authorised entity such as a Digital Locker service provider.
The Act expressly prohibits: behavioural monitoring of children, targeted advertising directed at children, and processing children's data in any manner likely to cause harm.
A flexibility mechanism in Section 9(5) allows the Central Government, where satisfied that a specific Data Fiduciary processes children's data in a verifiably safe manner, to notify a lower age after which the parental-consent and monitoring restrictions cease to apply to that fiduciary; the Act does not fix the candidate ages. No such notifications had been made as of May 2026.
The DPDP Rules also address persons with disabilities who cannot make legal decisions even with support: in such cases, their lawful guardian must provide verifiable consent.
Cross-Border Data Transfers
The DPDP Act adopts a negative-list model for cross-border transfers under Section 16, distinct from the GDPR's adequacy-based system. Personal data may be transferred to any country or territory outside India unless the Central Government restricts or prohibits transfer to a specified jurisdiction.
Three key points about this approach:
- The government is not required to publish justifications for restriction decisions.
- The Act does not require alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
- As of May 2026, the Central Government had not published any list of restricted jurisdictions. Transfers to all countries therefore remain permissible.
The negative-list model provides immediate operational flexibility: multinational organisations can transfer personal data of Indian residents globally without implementing GDPR-style safeguards. However, the government may restrict specific jurisdictions at any time without a prolonged adequacy assessment process, and no transition grace period is specified. Organisations should monitor MeitY notifications regularly.
Data Breach Notification
The DPDP Rules establish a two-tier notification duty triggered from the moment the Data Fiduciary becomes aware of a breach, not from the date of occurrence.
Immediate notification: The Data Fiduciary must without delay inform each affected Data Principal, in concise and plain language, of the nature, extent, timing, and location of the breach, its likely consequences, the measures taken in response, the safety measures the Data Principal can take, and the contact details of the person handling the breach. The DPBI must be sent a description of the breach without delay.
Detailed report within 72 hours: A full report to the DPBI must follow covering the circumstances of the breach, its cause, the technical and organisational measures implemented in response, the findings, and a record of the intimations sent to affected Data Principals. The DPBI may allow a longer period on written request.
Unlike GDPR Article 33, which restricts mandatory notification to breaches "likely to result in a risk to the rights and freedoms of natural persons," the DPDP Act requires notification for all personal data breaches regardless of assessed risk. This is a stricter standard that will require organisations to report even low-risk incidents involving Indian personal data.
Penalties and Enforcement
The DPDP Act's penalty schedule is set out in Schedule 1 and operates through Section 33. The Data Protection Board must conduct an inquiry before imposing any penalty, considering: the nature, gravity, and duration of the breach; the type and sensitivity of data affected; whether the breach was repetitive; any gain derived; and the effectiveness of mitigation actions.
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards leading to a data breach (Section 8(5)) | INR 250 crore (approx. USD 30 million) |
| Failure to notify the Board and Data Principals of a data breach | INR 200 crore (approx. USD 24 million) |
| Breach of obligations for children's data (Section 9) | INR 200 crore (approx. USD 24 million) |
| Breach of Significant Data Fiduciary obligations (Section 10) | INR 150 crore (approx. USD 18 million) |
| Breach of any other provision of the Act or Rules | INR 50 crore (approx. USD 6 million) |
| Data Principal duty violations | INR 10,000 |
These figures rank among the highest in the Asia-Pacific region. Appeals from DPBI penalty orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29, with a further appeal from TDSAT to the Supreme Court.
The Data Protection Board of India
The Data Protection Board of India (DPBI) is the Act's adjudicatory and regulatory body. It operates as a fully digital institution: complaints are filed through a dedicated portal and mobile app, proceedings are conducted online, and orders are published electronically.
Structure: Under Section 19 the DPBI consists of a Chairperson and such number of other Members as the Central Government notifies. At least one Member must be an expert in the field of law. Members serve two-year terms and are eligible for re-appointment.
Status as of May 2026: The DPDP Rules were notified on November 13, 2025. The government constituted a search-cum-selection committee in late 2025 to appoint the Board's Chairperson and Members. Applications for these positions were under evaluation as of May 2026; formal appointments had not yet been publicly announced. The Board's full operational capacity is subject to completion of this appointment process.
Functions: Once fully constituted, the DPBI is empowered to: receive and inquire into personal data breach complaints from Data Principals; issue directions to Data Fiduciaries to implement remedial measures; conduct inquiries into non-compliance; and impose monetary penalties under Schedule 1.
Government Exemptions
Section 17(2)(a) of the DPDP Act allows the Central Government to notify instrumentalities of the State to which the Act does not apply, on grounds of the sovereignty, integrity, or security of India; friendly relations with foreign states; public order; or preventing incitement to cognisable offences.
Section 17(1) provides narrower exemptions for specific processing, such as enforcing legal claims, processing by courts and tribunals, and the prevention or investigation of offences. For those, most of the Chapter II and Chapter III obligations and the cross-border transfer provisions fall away, but the duty to implement reasonable security safeguards under Section 8(5) persists. A Section 17(2)(a) notification, by contrast, removes the Act in its entirety for the notified body.
Privacy advocates have criticised these exemptions as broad and lacking meaningful judicial oversight, arguing that they may not satisfy the proportionality standard the Puttaswamy judgment requires. The constitutionality of Section 17 exemptions is likely to face court challenge as the DPDP regime matures.
The Act also exempts, under Section 17(2)(b), processing for research, archiving, or statistical purposes where results are not used to make decisions specific to individual Data Principals.
Startup and MSME Simplified Compliance
MeitY has emphasised that the DPDP framework includes differentiated compliance pathways for startups and MSMEs. The DPDP Rules provide graded responsibilities: smaller entities with lower data volumes and risk profiles face lighter obligations, while Significant Data Fiduciary status with its enhanced requirements is reserved for high-volume, high-risk processors.
Startups and smaller Data Fiduciaries that do not qualify as SDFs are not required to appoint a full-time DPO, conduct annual DPIAs, or undergo algorithmic audits. Their primary obligations are: providing a clear consent notice, responding to Data Principal requests within 90 days, notifying the Board of breaches, and implementing reasonable security safeguards appropriate to the volume and nature of data they handle.
MeitY convened consultations with startups, MSMEs, industry bodies, and civil society during 2025 specifically to calibrate compliance thresholds. The 18-month phased compliance window ending May 2027 is designed to give early-stage companies adequate time to build compliant data practices.
Phased Compliance Timeline
| Phase | Effective Date | What Activates |
|---|---|---|
| Phase 1 | November 13, 2025 | Data Protection Board constituted; DPBI powers, processes, and appointment procedures take effect |
| Phase 2 | November 13, 2026 | Consent manager registration framework operational; DPBI authority to inquire into breaches and impose penalties related to consent management activates |
| Phase 3 | May 13, 2027 | All remaining core obligations: consent notices, Data Principal rights, Data Fiduciary obligations, SDF requirements, breach notification, data retention and erasure triggers, and security safeguard mandates |
Phase 3 does not provide a cure period before enforcement begins. Organisations should be fully compliant before May 13, 2027.
How the DPDP Act Compares to the GDPR
| Feature | India DPDP Act 2023 | EU GDPR 2016/679 |
|---|---|---|
| Scope | Digital personal data only | All personal data including paper records |
| Legal bases | Consent plus narrow legitimate uses | Six bases including broad legitimate interests |
| Sensitive data categories | None (single compliance tier) | Eight special categories with stricter rules |
| Data portability right | Absent | Present |
| Right to object to automated decisions | Absent | Present (Article 22) |
| Consent manager | Formal legal framework | No equivalent |
| Cross-border transfers | Negative-list (blacklist model) | Adequacy decisions, SCCs, BCRs |
| Breach notification threshold | All breaches | Only those risking individual rights |
| Independent regulator | DPBI, appeals to TDSAT | National DPAs, coordination via EDPB |
| Private right of action | None (civil court jurisdiction barred by Section 39) | Yes (Articles 79 and 82) |
| Maximum fine | INR 250 crore (approx. USD 30 million) | EUR 20 million or 4% of global annual turnover, whichever is higher |
Business Compliance: Practical Steps
Organisations subject to the DPDP Act should work through the following before Phase 3 takes effect on May 13, 2027.
Data mapping. Identify all digital personal data collected, stored, or processed about Indian residents. Map data flows, processing purposes, retention periods, and third-party disclosures.
Consent notice audit. Review all consent notices and collection points. Ensure each notice identifies the data collected, the purpose, how consent can be withdrawn and rights exercised, and how to complain to the DPBI. Offer each notice in English and in any Eighth Schedule language material to your user base, since Section 5(3) requires that option.
Legal-basis review. For each processing activity, identify whether it rests on consent or a listed legitimate use. Activities that relied on GDPR legitimate interests without an equivalent DPDP legitimate use will need either consent or discontinuation.
Children's data gating. Implement age-verification mechanisms for platforms accessible to users under 18. Prepare a verifiable parental consent workflow if children's data processing is within scope. Disable behavioural monitoring and targeted advertising for verified child users.
Breach response procedure. Build and test a breach detection, internal escalation, and DPBI notification workflow that meets the 72-hour deadline. The obligation runs from awareness, not from the breach date.
SDF readiness. If your organisation may qualify for SDF designation, begin preparatory work for DPO appointment, annual DPIAs, and independent audits even before formal designation.
Consent manager evaluation. Consider whether integrating with a DPBI-registered Consent Manager on its Phase 2 launch (November 13, 2026) simplifies your consent management architecture across multiple product lines or partner platforms.
Vendor contracts. Review data processing agreements. While the DPDP Act does not specify written DPA requirements as explicitly as GDPR Article 28, robust contractual security and breach notification obligations are best practice and align with the Rules' security safeguard mandate.
For a related consent law regime applicable to recording and communications interception in India, see India recording laws.
This article provides general legal information about India's Digital Personal Data Protection Act, 2023, and the DPDP Rules, 2025. It does not constitute legal advice. The information was verified against official government sources as of May 19, 2026. Laws and implementing guidance may change. Consult a lawyer licensed to practise in India for advice on your specific compliance situation.
Frequently Asked Questions
What is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) is India's first comprehensive statute governing the processing of digital personal data. It received Presidential assent on August 11, 2023. It establishes the roles of Data Fiduciary and Data Principal, sets out lawful bases for processing, creates individual rights, and establishes the Data Protection Board of India as the regulatory enforcement body. The implementing DPDP Rules were notified by MeitY on November 13, 2025.
When does the DPDP Act take full effect?
The Act is being enforced through a three-phase rollout. Phase 1 took effect on November 13, 2025, establishing the Data Protection Board. Phase 2 activates the consent manager registration framework on November 13, 2026. Phase 3, requiring full compliance with all substantive obligations including consent notices, data principal rights, breach notification, and Significant Data Fiduciary requirements, takes effect on May 13, 2027.
What are the maximum penalties under the DPDP Act?
The highest penalty under Schedule 1 is INR 250 crore (approximately USD 30 million) for failure to implement reasonable security safeguards that leads to a personal data breach. Failure to notify the Board and affected individuals of a data breach, and breach of children's data obligations, each carry up to INR 200 crore. Significant Data Fiduciary violations carry up to INR 150 crore. All other Act or Rules violations carry up to INR 50 crore. Data Principal duty violations carry up to INR 10,000. The DPBI must conduct an inquiry before imposing any penalty.
Can Indian personal data be transferred outside India?
Yes. The DPDP Act uses a negative-list approach under Section 16: personal data may be transferred to any country unless the Central Government specifically restricts that jurisdiction. As of May 2026, the Central Government had not published any list of restricted jurisdictions, so transfers to all countries remain permissible. Restrictions can be imposed without a mandated transition period; organisations should monitor MeitY notifications.
Does the DPDP Act apply to foreign companies?
Yes. The Act applies to processing of digital personal data outside India when it is done in connection with providing goods or services to Data Principals located within India. Foreign companies that offer Indian-language apps, accept Indian Rupee payments, or otherwise target Indian consumers must assess their DPDP Act compliance obligations regardless of where they are incorporated.
How does the DPDP Act handle children's data?
The Act defines a child as anyone under 18 years of age. Before processing a child's personal data, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian, with due diligence that the consenting person is an identifiable adult. Behavioural monitoring, tracking, and targeted advertising directed at children are expressly prohibited. The Central Government may notify a lower age for specific Data Fiduciaries that demonstrate verifiably safe processing; no such notifications had been made as of May 2026.
What is a consent manager under the DPDP Act?
A consent manager is an entity registered with the Data Protection Board that allows individuals to manage their data processing consents across multiple platforms through a single interoperable interface. Consent managers must be Indian-incorporated companies with a minimum net worth of INR 2 crore, maintain information security safeguards and consent records for at least seven years, and act in a fiduciary capacity toward Data Principals. The consent manager registration framework activates on November 13, 2026 under Phase 2 of the rollout.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on the volume and sensitivity of personal data it processes, the risk of harm to Data Principals, or the potential impact on India's sovereignty, security, electoral democracy, or public order. SDFs must appoint an India-based Data Protection Officer, conduct annual Data Protection Impact Assessments, undergo independent annual audits, and verify that the algorithmic software they deploy is not likely to pose a risk to Data Principals' rights. They may also face data localisation requirements. As of May 2026, MeitY had not published an initial SDF list.
What is the constitutional basis for the DPDP Act?
The DPDP Act rests on the Supreme Court's nine-judge ruling in K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, which unanimously held that privacy is a fundamental right traceable to Articles 14, 19, and 21 of the Constitution of India. The Puttaswamy judgment applied a proportionality standard to state interference with privacy and overruled two earlier decisions that had denied constitutional privacy protection. The DPDP Act's preamble explicitly invokes this constitutional mandate.
How does the DPDP Act differ from the GDPR?
Key differences: the DPDP Act covers only digital personal data while the GDPR covers all personal data; the DPDP Act has no broad legitimate-interests legal basis; it does not create separate sensitive-data categories; it omits rights to data portability and objection to automated decisions; it requires notification of all breaches rather than only those posing risk to individual rights; and it uses a negative-list model for cross-border transfers rather than adequacy decisions. The DPDP Act's consent manager framework has no GDPR equivalent. The Act's maximum penalty of INR 250 crore is a fixed cap, whereas the GDPR's ceiling of EUR 20 million or 4% of global annual turnover, whichever is higher, scales with the size of the company and can far exceed it.
What replaces the SPDI Rules under the IT Act 2000?
The DPDP Act will supersede Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, when Phase 3 provisions take full effect on May 13, 2027. Until then, organisations with potential SPDI exposure should treat both regimes as concurrently applicable and apply the higher standard.
Does the DPDP Act create a private right of action?
No. Enforcement under the DPDP Act is exclusively through the Data Protection Board of India. Individual Data Principals have no right to sue a Data Fiduciary directly for DPDP Act violations in a civil court. The right to file a complaint with the DPBI and escalate unresolved grievances to TDSAT is the primary individual remedy.
Sources and References
- Digital Personal Data Protection Act, 2023 - Ministry of Electronics and Information Technology (MeitY) (meity.gov.in)
- The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) - Official Gazette Text (meity.gov.in)
- India Code: Digital Personal Data Protection Act, 2023 (indiacode.nic.in)
- India Code: Digital Personal Data Protection Act, 2023 - Full Text PDF (indiacode.nic.in)
- Government notifies DPDP Rules to empower citizens and protect privacy - PIB, November 2025 (pib.gov.in)
- DPDP Rules 2025 - Press Information Bureau Full Document (static.pib.gov.in)
- Digital Personal Data Protection Rules, 2025 - MeitY Official Page (meity.gov.in)
- Simplified compliance framework for start-ups and certain data fiduciaries under DPDP Act and Rules - PIB (pib.gov.in)
- K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 - Supreme Court of India Digital SCR (digiscr.sci.gov.in)
- The Digital Personal Data Protection Bill, 2023 - PRS Legislative Research (prsindia.org)
- With rules finalized, India DPDPA takes force - IAPP (iapp.org)
- Top 10 operational impacts of India DPDPA: Cross-border data transfers - IAPP (iapp.org)
- Top 10 operational impacts of India DPDPA: Enforcement and the Data Protection Board - IAPP (iapp.org)
- Data Protection Laws and Regulations Report 2025-2026 India - ICLG (iclg.com)