Event Summary
India has officially implemented the Digital Personal Data Protection Act (DPDPA), 2023, with the formal notification of the DPDP Rules on 14 November 2025, marking the country’s first comprehensive digital privacy law. These rules apply to a wide range of sectors, including social media, banks, e-commerce, and government portals, imposing strict obligations on companies such as transparent data handling, informed consent, secure data processing, and breach notifications. Citizens gain enforceable rights to access, correct, and delete their personal data, and to file complaints with the newly established Data Protection Board (DPB). Special protections for children and people with disabilities are also included. Non-compliance can lead to fines up to ₹250 crore.
The implementation is phased, with immediate enforcement of key provisions and a 12-18 month transition for companies to meet compliance standards. The rules follow an extensive public consultation process, reflecting input from industry, civil society, and citizens.
For citizens, the DPDP enhances trust by empowering them with greater control over their personal data. For companies, it forces changes to data-handling practices, including improved consent mechanisms and cybersecurity. The establishment of the Data Protection Board brings formal oversight to the digital space, which may strengthen rule of law.
While the DPDP Rules 2025 establish various beneficial norms like more defined responsibilities for private entities, stronger consent criteria, and the assurance of enhanced digital accountability, the new framework simultaneously raises significant concerns regarding the enabling environment for civil society. A key concern raised by specialists and organizations is that the Act may undermine the Right to Information (RTI) framework. Broadening the definition of “personal data” could allow government entities to deny RTI requests on privacy grounds, even in cases where public interest or accountability is at stake. This might hinder journalists, researchers, and CSOs from examining government actions closely. Additionally, smaller organizations, especially nonprofits, may struggle to comply with the rules due to limited resources.
This event is part of a broader, long-term pattern rather than an isolated development. For over a decade, India has been moving gradually toward a structured data protection framework, following global trends set by laws such as the EU’s GDPR. The recognition of privacy as a fundamental right in 2017 catalysed policy discussions, leading to several draft bills and committee reports before the DPDP Act finally passed in 2023. Over the past year, India has intensified its focus on digital governance, issuing draft rules for consultation, collecting thousands of public submissions, and setting up institutional mechanisms such as the Data Protection Board. This reflects an ongoing transformation in how the Indian state approaches digital rights, regulatory oversight, and technological accountability. The operationalisation of the DPDP Rules therefore represents the next logical step in a continuing pattern of strengthening India’s data governance ecosystem.