{"id":6740,"date":"2025-07-17T05:54:00","date_gmt":"2025-07-17T10:54:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=6740"},"modified":"2025-12-09T13:11:50","modified_gmt":"2025-12-09T19:11:50","slug":"indias-digital-personal-data-protection-act-dpdpa","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/indias-digital-personal-data-protection-act-dpdpa\/","title":{"rendered":"India\u2019s Digital Personal Data Protection Act (DPDPA)"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tarticle<\/strong>\n\t\t\t\t\t\t\t\t\t\t

India\u2019s Digital Personal Data Protection Act (DPDPA)<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tAakanksha Tewari<\/strong>\n\t\t\t\t\t\t\t\t\t\t\t\tPrivacy Knowledge Researcher, Ph.D., Cybersecurity<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Key principles, consent rules, and organizational readiness<\/h2>\n

On November 13, 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules 2025 (Rules)<\/a>, clarifying key implementation aspects of the Digital Personal Data Protection Act (DPDPA) 2023<\/a>, marking a significant milestone in the rollout of India’s first comprehensive data protection law.<\/p>\n

India\u2019s landmark DPDPA\u00a0was enacted on August 11, 2023, to regulate the processing of all digital personal data (data collected in digital form, or later digitized) of India\u2019s residents, the DPDPA applies to any entity (data fiduciary) that determines the purpose and means of processing such data.<\/p>\n

Its extraterritorial scope is broad, and covers processing within India and processing abroad connected with offering goods or services to individuals in India. The Act introduces consent-based processing, individual rights, and regulatory mechanisms, elements familiar in global privacy laws, tailored to India\u2019s context.<\/p>\n

The Rules will take effect in phases. Certain provisions, such as those creating the Data Protection Board (Board), became effective as soon as they were published in the Official Gazette. Rules governing the registration and operation of consent managers will apply after 12 months, while all remaining regulations will come into force after 18 months.<\/p>\n

Stakeholders are advised to start preparing now. The law promises robust penalties (up to INR500\u202fmillion- 2.5\u202fbillion, approx. US$6-30\u202fmillion) for noncompliance and represents an urgent mandate to integrate privacy into business operations.<\/p>\n

Who\u2019s covered under India\u2019s DPDPA? Scope, key terms, and processing principles explained<\/h2>\n

While the DPDPA introduces foundational data protection principles, it lacks the concept of \u201cspecial categories of data\u201d like the GDPR\u2019s sensitive personal data (e.g., health, biometric, sexual orientation). All personal data is treated uniformly; notably, any data made publicly available by the individual or required to be made public by law is wholly outside the law\u2019s scope. This is broader than exemptions in many laws<\/strong> and means scraped social-media or directory data may escape the law if already \u201cpublic,\u201d though legal questions remain if such data ceases to be public after collection.<\/p>\n

A data fiduciary,<\/em> analogous to a GDPR controller, \u201cdetermines the purposes and means\u201d of processing, and bears the burden of compliance. By contrast, data processors (acting under a fiduciary\u2019s instructions) have no direct obligations under the DPDPA; instead, fiduciaries must contractually bind processors to protect data.<\/p>\n

Thus, unlike GDPR or CCPA, which impose some duties on processors, DPDPA focuses enforcement on the fiduciaries, who must, in turn, hold their vendors accountable.<\/p>\n

The DPDPA codifies the standard fair-information principles. All processing must be lawful, fair, transparent, purpose-specific, and minimally invasive. Personal data must be collected only for clear purposes and not retained longer than needed. Data fiduciaries must implement strong security safeguards (technical and organizational) to prevent breaches and maintain records demonstrating compliance.<\/p>\n

DPDPA consent requirements: Lawful basis for processing personal data in India<\/h2>\n

A consent-oriented regime is at the core of the DPDPA, as it demands \u201cfree, specific, informed, unconditional and unambiguous\u201d consent from individuals (data principals) before processing their personal data. Consent must be an affirmative act; pre-checked boxes or implied agreements are prohibited.<\/p>\n

The Rules require very specific consent, where each piece of personal data must be clearly linked to the exact purpose for which it is used. Businesses handling large, varied data must rethink how they present this information and whether related purposes can be grouped together. Companies will need to redesign consent flows and user interfaces so that purposes are clearly stated and opting out is simple. Uniquely, the Rules also mandate providing a website or app link for opt-outs, unlike most countries that only require a contact point.<\/p>\n

Additionally, consent is the primary lawful basis for processing. The DPDPA does not recognize many of the non-consent bases familiar to European law.<\/p>\n

Aside from consent, the Act allows only a narrow list of \u201clegitimate uses\u201d (specific statutory or emergency purposes) without consent. These include situations where data is voluntarily shared and not objected to by the individual, compliance with court orders or law, employment necessities, and responses to natural disasters or epidemics.<\/p>\n

No general legitimate interest or contract necessity grounds exist as in the GDPR. This consent-centric approach will challenge many organizations: in contexts like AI model training or large-scale analytics, it may be impractical to obtain individualized consent.<\/p>\n

Data principle rights under India\u2019s DPDPA: Access, correction, deletion, and redress<\/h2>\n

The DPDPA grants individuals rights<\/a> largely similar to those in GDPR, but with some country-specific enhancements. Data principals can access, correct, or erase their data held by a fiduciary, and they may receive a copy of their information. The law also mandates notice; organizations must provide clear privacy policies and notices about how data is processed and protected.<\/p>\n

Importantly, the law adds some unique rights:<\/strong> every data fiduciary must maintain a grievance redressal officer so that individuals have \u201creadily available and effective means\u201d to complain. Individuals also gain the right to nominate a representative to exercise their rights after death or incapacity. These procedural rights reflect India\u2019s emphasis on accessible redress. Additionally, the Rules require that grievances are resolved within a reasonable time, not exceeding ninety (90) days, adding certainty to the duration of internal grievance resolution processes between businesses and customers.<\/p>\n

Notably, there is no private right of action under the DPDPA; only the Board can enforce penalties. However, data principals can register complaints with the Board or seek other prescribed remedies.<\/p>\n

DPDPA exemptions and special cases<\/h3>\n

The DPDPA provides several exemptions and carve-outs balancing privacy with other interests. Personal data processed by natural persons for purely personal or household purposes is out of scope. Personal data already made public by the individual or under a legal obligation is exempt.<\/p>\n

Critically for innovation, Section 17(2)(b) explicitly exempts research, archiving, and statistical processing from the Act\u2019s obligations, provided such processing meets government-prescribed standards and is not used for decisions about a specific individual. If rulemaking clarifies the standards, this could permit AI\/ML research using large datasets, a boon for innovation.<\/p>\n

But questions remain:<\/strong> who qualifies (academic institutions only or also private labs), and what technical\/ethical guidelines will apply? Clear guidelines here will determine how \u201cclean\u201d personally identifiable data can be repurposed for research.<\/p>\n

Children\u2019s data<\/strong> is another focus. The Act contemplates special protections for minors: a parent’s consent is needed for processing a child\u2019s data, and the government may mandate a parental consent mechanism. The draft version of the Rules provided for certain purposes for which children\u2019s personal data could be subject to tracking or behavioral monitoring. This list has been expanded to include the determination of real-time location of a child, where such processing is restricted to tracking real-time location of a child in the interest of their safety, protection or security. Further, children\u2019s data may also be monitored or tracked to restrict certain types of services and advertisements which may pose a detrimental effect on their well-being.<\/p>\n

Importantly, the DPDPA grants broad government exemptions. The government can declare law enforcement, national security, and sovereign interests out of scope, as can certain classes of data fiduciaries (e.g., startups) based on factors like the volume of data processed and the impact on national security or public order (these open-ended powers have drawn criticism).<\/p>\n

DPDPA security obligations explained: Data minimization, breach notifications, and governance standards<\/h3>\n

Security<\/h4>\n

The DPDPA reiterates and extends traditional security obligations. Data fiduciaries must adopt \u201creasonable security practices\u201d at least as stringent as international standards, akin to India\u2019s IT Act 43A (now largely superseded).<\/p>\n

The Rules also mandate that every data fiduciary protect personal data under its control, requiring the implementation of technical protections like encryption, strong access controls, logging, continuous monitoring, and incident-response capabilities. Data fiduciaries must also maintain backups and business-continuity measures to ensure data availability and integrity. Logs and relevant personal data must be retained for at least one year to support breach investigations. Data Processors must be contractually bound to meet the same security standards. SMEs, in particular, may need significant upgrades to their security infrastructure, policies, and practices to meet these requirements.<\/p>\n

New retention requirement<\/h4>\n

The final rules introduce a new requirement, mandating all personal data, traffic data and logs generated from data processing activities to be retained at least for 1 year, even after the fulfilment of the purpose, or deletion of the user account, for (i) processing of personal data by government agencies in the interest of national security and sovereignty and integrity of India; (ii) performance of any function under any law in force in India; and (iii) disclosure of any information, pursuant to any law in force in India.<\/p>\n

Breach notification<\/h4>\n

On breaches, the Act requires mandatory notification to both the Board and affected individuals whenever a personal data breach occurs, irrespective of scale.<\/p>\n

The Rules creates a two-stage breach reporting process requiring immediate intimation to affected principals and the Board, followed by a detailed report to the Board within 72 hours. Notifications must include breach details, impacts, mitigation steps, and user guidance. Due to the lack of materiality threshold, it is unclear whether even minor incidents must be reported, resulting in administrative overload and user \u201cnotification fatigue\u201d. The 72-hour window also differs from other sectoral rules like CERT-In\u2019s 6-hour timeline, adding compliance complexity for organizations.<\/p>\n

Importantly, organizations should align DPDPA breach procedures with other obligations (e.g., telecom or financial sector breach rules and CERT-IN requirements) to avoid conflicting processes.<\/p>\n

Accountability<\/h4>\n

Beyond breach reports, the DPDPA embeds accountability measures. All fiduciaries must maintain records of their processing activities and implement privacy governance measures. Those designated as \u201cSignificant Data Fiduciaries\u201d (SDFs), based on factors like volume of data, sensitivity, and impact on India\u2019s sovereignty, democracy, or public order, face extra duties.<\/p>\n

To see how these SDF obligations apply to AI and high-volume data platforms, read our breakdown of the DPDPA\u2019s global and sector-specific implications<\/a>.<\/p>\n

The Central Government may classify certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as data volume and sensitivity, risks to Data Principals, and national or public-order considerations. SDFs face enhanced obligations, including appointing an India-based Data Protection Officer and undergoing independent data audits.<\/p>\n

Once designated, they must conduct annual DPIAs and audits, and report key findings to the Data Protection Board. They must also ensure technical and algorithmic systems are tested and verified to prevent risks to data principals. SDFs must comply with any Government-mandated cross-border data transfer restrictions. Likely candidates include major tech platforms and organizations in regulated sectors such as finance, banking, and healthcare. The Government retains broad discretion to include additional categories when determining SDF status.<\/p>\n

These measures are aimed at high-volume tech firms, social platforms, and critical infrastructure providers, forcing them into a formal data governance posture.<\/p>\n

The government can also ease or tighten obligations (even exempt whole classes like startups), so companies should watch for objective criteria in the rules.<\/p>\n

When will DPDPA be enforced? Understanding the Board\u2019s powers and what comes next<\/h2>\n

Along with the notification of the Rules, the Government has notified a phased timeline for implementing the DPDPA as follows:<\/p>\n