In a landmark shift for India’s data privacy landscape, the government has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, ushering in a modern regulatory framework that is making parts of the Information Technology Act redundant — notably Section 43A, which once imposed compensation liabilities for companies that failed to protect sensitive personal data.
Section 43A of the IT Act, 2000, long served as a cornerstone of corporate accountability: it mandated that any body corporate dealing with sensitive personal data must maintain “reasonable security practices,” and imposed liability in cases of negligent mishandling. But with the arrival of the DPDP Rules, Section 43A is effectively being sidelined, as the new rules establish detailed, binding obligations under the DPDP Act.
Under the newly notified rules, every “data fiduciary” — the term now used for entities that collect or process individuals’ personal data — must implement robust security safeguards. These include encryption, masking, access controls, logging, and backup systems. In the event of a breach, affected users must be notified promptly, and the Data Protection Board must be alerted within 72 hours.
Unlike Section 43A, which was relatively vague about what constituted “reasonable security practices,” the DPDP Rules spell out specific technical requirements — a shift that legal experts say strengthens enforcement and clarifies expectations.
The implementation of the DPDP Rules will be phased: foundational aspects come into force immediately, while operational requirements (like breach reporting, data retention norms, and registration of “Consent Managers”) will be rolled out over the next 12–18 months. This gradual rollout is designed to give firms breathing room to align their systems with the new standards.
Industry reactions have been largely positive. Experts note that by replacing the older IT-Act-based regime with a dedicated data protection framework, India is aligning itself more closely with global norms and building greater trust in the digital ecosystem.
Privacy advocates, too, have welcomed the move, highlighting how the DPDP Rules empower individuals with stronger rights — including access, correction, deletion, and breach notification — and demand greater transparency from companies.
At the same time, this development marks the end of an era: Section 43A, once a go-to legal lever for data-compensation claims, is now being overshadowed by a far more sophisticated, enforceable regulatory architecture. The DPDP Rules, in effect, make parts of the IT Act legacy law — a clear signal that India’s data protection regime is entering a new, more structured phase.
