India’s Digital Personal Data Protection (DPDP) Law Takes Effect: A Legal Revolution in Digital Privacy (2025–2026)

Published On: April 12th 2026

Authored By: Trisha Goyal
O.P. Jindal Global University

Abstract

The operationalization of the Digital Personal Data Protection Act, 2023 (DPDP Act) through the Digital Personal Data Protection Rules, 2025, marks a watershed moment in Indian data governance. This article examines the core features, phased implementation structure, and constitutional significance of the DPDP framework, situating it within India’s broader rights jurisprudence and global privacy standards.

I. Introduction

A significant turning point in Indian statutory law was reached in 2025, when the Digital Personal Data Protection Act, 2023 (DPDP Act) was operationalized through the notification of the Digital Personal Data Protection Rules, 2025 (DPDP Rules).[1] After years of deliberation and successive draft revisions, this framework establishes a comprehensive data privacy regime that directly safeguards the digital rights of individuals while placing substantial obligations on data-processing organizations across industries. Since the Supreme Court recognized privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India,[2] the implementation of the DPDP law represents the most consequential legal development in India’s information rights landscape.

This article examines the core characteristics of the DPDP law, its phased implementation schedule, and its legal and constitutional implications for privacy, individual liberty, industry regulation, and institutional accountability. It also situates the new law within international privacy standards and India’s larger constitutional rights framework.

II. Background and Context

A. Legal Necessity and the Right to Privacy
The Puttaswamy judgment marked a defining moment in Indian privacy law when the Supreme Court, through a nine-judge bench, ruled that the Right to Privacy is a fundamental component of Article 21 of the Constitution of India, which guarantees the Right to Life and Personal Liberty.[2] The ruling directed Parliament to enact a statutory data protection law grounded in the principles of due process, proportionality, and data minimization.

Prior to the DPDP Act, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 regulated only a limited subset of sensitive personal data, leaving the vast majority of personal information without explicit statutory protection.[3]

B. Legislative Journey
Parliament enacted the DPDP Act, 2023 as India’s first dedicated data protection statute.[4] As is common with framework legislation in India, much of its operational mechanics was delegated to executive rule-making. On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft DPDP Rules for public consultation, receiving over 6,915 inputs from stakeholders. Following review and revision, MeitY notified the final Rules on November 13, 2025, through Gazette Notification G.S.R. 846(E).[1]

Taken together, the Act and the Rules constitute a comprehensive legal framework governing the processing of digital personal data across both the public and private sectors in India.

III. Core Features of the DPDP Framework

The DPDP law establishes rights for data principals (the individuals to whom personal data pertains), imposes obligations on data fiduciaries and processors (entities that determine the purpose and means of data processing), and creates an institutional enforcement architecture. The framework’s overarching aim is to balance individual autonomy with the operational needs of businesses in the digital economy.

Under the Act, “personal data” refers to any data about an identifiable individual in digital form. The definition of “data principal” extends to children and persons with disabilities, in respect of whom a lawful guardian may exercise rights on their behalf. These definitions broadly align with concepts found in the General Data Protection Regulation (GDPR) of the European Union, though India’s framework incorporates domestic adaptations suited to its legal and technological context.[5]

1. Rights of Data Principals: Individuals are entitled to access their personal data, correct inaccurate or outdated information, seek erasure (akin to the right to be forgotten), and withdraw consent at any point in the data processing lifecycle. These rights represent a meaningful shift toward individual control over digital footprints.

2. Obligations of Data Fiduciaries: Organizations must obtain free, informed, and specific consent before processing personal data. Privacy notices must be clear, standalone documents rather than clauses buried in terms of service. Data minimization is a statutory requirement: entities may collect only what is strictly necessary for the stated purpose. Organizations are also required to implement reasonable security safeguards and report breaches promptly. Entities classified as “significant data fiduciaries” (SDFs), based on the volume or sensitivity of data processed, face additional compliance obligations.[6]

3. Enforcement Architecture: The Data Protection Board of India (DPB) serves as the primary adjudicatory and regulatory body, handling complaints, monitoring compliance, and imposing penalties. Appeals from the DPB’s decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and further appeals may be brought before the Supreme Court of India.[7] This three-tier mechanism replaces the previous fragmented approach, under which privacy grievances were distributed across consumer courts and civil courts without dedicated institutional focus.

4. Interaction with the Right to Information Act, 2005: A notable and contested provision of the DPDP Act amends the Right to Information Act, 2005 (RTI Act) to exempt personal data from mandatory disclosure, even where a public interest argument might otherwise favor disclosure.[8] This creates inherent tension between the constitutional values of informational privacy under Article 21 and the right to access information under Article 19(1)(a). This conflict has not yet been adjudicated by the courts and is likely to generate significant litigation.

IV. Phased Implementation: Legal Design and Rationale

Unlike statutes that come into force in a single step, the DPDP framework adopts a phased rollout designed to give institutions, businesses, and regulators adequate time to build capacity and achieve compliance.

Phase I (13 November 2025): Rules 1, 2, and 17 to 21 came into immediate effect upon notification. This phase covers the establishment of the Data Protection Board, the activation of core definitions under the DPDP Act, and the grant of transitional and rule-making powers to MeitY.[1]

Phase II (13 November 2026, approximately): Rule 4, which governs the registration of Consent Managers, takes effect approximately one year from notification. Rules 3, 5 to 16, and 22 to 23, which cover the substantive obligations of data fiduciaries and the full scope of the DPB’s enforcement jurisdiction, are expected to apply within eighteen months of notification.[6]

The tiered approach reflects a considered policy choice. Large-scale digital infrastructures in sectors such as fintech, e-commerce, artificial intelligence, and cloud services require substantial lead time to re-architect data systems, train personnel, and update consent workflows. Phased implementation allows businesses to adapt without regulatory shock, enables the DPB to build institutional capacity before enforcement commences, and ensures that procedural foundations are established before substantive obligations are activated.

However, important questions remain. During the transitional period before substantive enforcement rules take effect, the practical remedies available to individuals whose data is misused remain unclear. The absence of a defined interim grievance mechanism is a gap that lawmakers and the DPB should address proactively.

V. Legal and Constitutional Significance

a. Giving Substance to the Fundamental Right to Privacy
The DPDP Act translates the constitutional promise of Puttaswamy into enforceable statutory rights. Prior to this legislation, the fundamental right to privacy recognized in 2017 operated largely as a judicially articulated principle without corresponding legislative enforcement machinery. The DPDP framework operationalizes that right, providing individuals with concrete legal recourse against unauthorized data processing.[2]

b. Balancing Privacy and Transparency
The amendment to the RTI Act highlights a genuine constitutional tension between the right to informational privacy under Article 21 and the right to information under Article 19(1)(a). While data protection is a legitimate state objective, an overly expansive exemption for personal data could undermine accountability in public administration. Courts will inevitably be called upon to delineate the boundaries of these competing rights, and this is expected to produce significant constitutional jurisprudence in the coming years.

c. Institutional Accountability and Independence
The creation of the DPB and the designation of TDSAT as the appellate forum introduce specialized institutional actors into India’s privacy governance ecosystem.[7] The effectiveness of this framework, however, depends critically on the operational independence, technical expertise, and public legitimacy of these bodies. Institutional credibility will determine whether the DPDP regime achieves its stated objectives or becomes a compliance formality.

d. India’s Position in the Global Data Governance Landscape
With the DPDP framework now in force, India joins the community of jurisdictions with comprehensive data protection legislation. This has direct implications for cross-border data transfers, international trade negotiations, and the operational frameworks of multinational corporations doing business in India. While the DPDP Act is not a direct transposition of the GDPR (it focuses specifically on digital personal data and retains certain India-specific exemptions), its directional alignment with global standards signals a commitment to strengthening individual rights in the digital economy.[5]

VI. Conclusion

The operationalization of the Digital Personal Data Protection Act, 2023 through the DPDP Rules, 2025 represents a transformative development in India’s legal architecture. Privacy is no longer solely a constitutional aspiration; it is now a statutory right backed by regulatory institutions, enforceable obligations, and graduated penalties.

The phased rollout, while practical, leaves certain transitional ambiguities that policymakers must address. At a deeper level, the DPDP framework reflects a constitutional commitment to individual dignity and autonomy in the digital age, fulfilling the judicial mandate of Justice K.S. Puttaswamy (Retd.) v. Union of India. As courts, regulators, businesses, and citizens navigate this new landscape, questions of constitutional interpretation, institutional independence, and the boundaries between privacy and transparency will shape the DPDP’s ultimate impact.

This is not merely another addition to the statute book. The DPDP Act has the potential to redefine the relationship between individuals, corporations, and the state in India’s digital economy, and to establish India as a credible participant in the global discourse on data governance.

References

[1] Ministry of Electronics and Information Technology, Digital Personal Data Protection Rules, 2025, Gazette Notification No. G.S.R. 846(E), November 13, 2025.
[2] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[3] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, G.S.R. 313(E), Ministry of Communications and Information Technology (India).
[4] Digital Personal Data Protection Act, No. 22 of 2023, INDIA CODE (2023).
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), 2016 O.J. (L 119) 1.
[6] Digital Personal Data Protection Rules, 2025, Rules 3–16, 22–23 (phased obligations for data fiduciaries and significant data fiduciaries).
[7] Digital Personal Data Protection Act, No. 22 of 2023, § 29 (Appellate Tribunal); Telecom Disputes Settlement and Appellate Tribunal Act, No. 38 of 2000, INDIA CODE (2000).
[8] Digital Personal Data Protection Act, No. 22 of 2023, § 44(3) (amending the Right to Information Act, 2005, § 8(1)(j)).
