India has introduced the Digital Personal Data Protection (DPDP) Act, recognizing the need for a law to ensure the data protection rights of Indian citizens. The new rules put into effect the DPDP Act, 2023, giving the South Asian powerhouse data privacy laws in line with other jurisdictions, including the European Union’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act, 2012.
The rules aim to establish a straightforward, citizen-oriented, and innovation-enabling framework for the responsible use of digital personal data. They aim to support the rapid development of India’s digital economy while ensuring that privacy remains a key priority in its progress.
“The DPDP Act establishes a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals),” the Ministry of Electronics & IT (MeitY) said in a statement.
A data fiduciary is an entity that determines why and how personal data is processed, either alone or in conjunction with others. The data principal, on the other hand, is the individual to whom the personal data is related. This includes a parent or lawful guardian in case of a child. For an individual with disability who cannot make decisions independently, this includes the lawful guardian acting on their behalf.
“The DPDP Rules provide an 18-month phased compliance timeline, allowing organisations time for smooth transition. They also require data fiduciaries to issue standalone, clear and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used. Consent managers—entities that help individuals manage their permissions—must be Indian companies,” the statement added.
To encourage comprehensive stakeholder participation, MeitY released the draft DPDP rules for public consultation across key metropolitan cities, including Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru, and Chennai. The final DPDP rules were shaped by inputs from micro, small and medium enterprises (MSMEs), industry bodies, startups, civil society, and government departments.
India’s DPDP rules were notified on November 14, after nationwide consultations. The consultation process itself received 6,915 inputs, which helped shape the final rules. These rules now provide full effect to the Digital Personal Data Protection Act, 2023.
A key feature of the DPDP Act is the establishment of a Data Protection Board of India, which serves as an independent body to ensure regulatory adherence, investigate violations, and implement corrective measures. It aims to maintain trust in the system and enforce the rights granted under the Act.
“The Data Protection Board will function as a fully digital institution, enabling citizens to file and track complaints online through a dedicated platform and mobile app, promoting transparency, efficiency and ease of living… The rules seek to strike a careful balance between protecting citizens’ privacy and promoting innovation and growth,” the Ministry said.
“India’s data governance model encourages economic development while safeguarding citizen welfare, and provides a facilitative compliance regime for startups and smaller enterprises so that innovation can continue to thrive alongside strong data protection standards. With simplified rules, adequate transition time and a technology-neutral approach, the DPDP Act and Rules aim to strengthen privacy, enhance trust and support responsible innovation. Together, they help position India’s digital economy as secure, resilient and globally competitive,” the statement added.
The data protection rules
The DPDP law in India aims to establish a comprehensive framework for the protection of digital personal data. It explains what organizations must do when they collect or use such data, an official statement said. The Act follows the ‘SARAL’ approach, which means it is simple, accessible, rational, and actionable. The text uses simple language and clear illustrations so that common people and enterprises can comprehend the rules easily.
India’s DPDP rules outline clear protocols in the event of a personal data breach. Data Fiduciaries are required to promptly inform affected individuals, using simple language to explain the nature and possible consequences of the breach and the steps taken to resolve the issue, and to provide contact details for assistance.
“The DPDP framework reinforces the rights of individuals to access, correct, update or erase their personal data and to nominate another person to exercise these rights on their behalf. Data Fiduciaries must respond to all such requests within a maximum of 90 days,” the Ministry stated.
Moreover, data fiduciaries are mandatorily required to obtain verifiable consent before processing children’s personal data. Some exemptions include essential purposes such as healthcare, education, and real-time safety.
In cases where people with disabilities are unable to make legal decisions even with support, the DPDP rules make it mandatory for consent to come from a legal guardian verified under applicable laws.
“Data Fiduciaries must display clear contact information—such as that of a designated officer or Data Protection Officer—to help individuals raise queries about personal data processing. Significant Data Fiduciaries have enhanced obligations including independent audits, impact assessments and stronger due diligence for deployed technologies. They must also comply with government-specified restrictions on certain categories of data, including localisation where required,” the DPDP rules stated.
The law rests on seven core principles, including consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability. These principles aim to guide every stage of data processing, ensuring that personal data is used only for specific and lawful purposes, the statement said.
DPDP Act imposes heavy penalties for breaches
The DPDP Act takes data privacy and protection seriously, imposing significant monetary penalties for non-compliance by data fiduciaries. The highest penalty levied is up to ₹250 crore ($28.3 million). This applies to the failure of a data fiduciary to implement adequate security measures.
The rules also impose penalties of up to ₹200 crore ($22.5 million) for failing to notify the Board or individuals exposed in a personal data breach, as well as for failing to meet obligations involving children. Any other violation of the Act or Rules by a data fiduciary may result in penalties of up to ₹50 crore ($5.6 million).
“The Act places clear responsibilities on Data Fiduciaries to keep personal data safe and to stay accountable for its use. It also gives Data Principals the right to know how their data is handled and the right to seek correction or removal when needed,” the statement said.
The framework is user-friendly in design, backed by broad public consultation, and puts strong responsibilities on organisations. The objective is to establish a safer, innovation-supportive data ecosystem that serves citizens and strengthens public confidence in digital governance.
“The DPDP framework places the individual at the centre of India’s data protection system. It aims to give every citizen clear control over personal data and confidence that it is being handled with care. The rules are written in plain language so that people can understand their rights without difficulty. They also ensure that organisations act responsibly and remain accountable for how they use personal data,” the statement added.
Source: https://coingeek.com/india-rolls-out-dpdp-act-for-data-privacy-digital-economy-growth/