Chennai – India has formally operationalised its first comprehensive digital privacy law, issuing the rules under the Digital Personal Data Protection (DPDP) Act, a reform that places new obligations on companies and government departments and expands the rights of hundreds of millions of digital users.
The notification, released on Friday, marks a pivotal moment for a nation with one of the world’s fastest-growing digital economies but long criticised for lacking a unified privacy framework. It brings India closer to global norms shaped by the European Union’s GDPR and similar standards emerging across Asia.
A New Rulebook for Data Use
The DPDP rules clarify how organisations must collect, store, share and process personal information. Entities that handle data — termed “data fiduciaries” — must seek explicit consent, use information for limited purposes and provide individuals the ability to review or withdraw their consent at any time.
A phased compliance schedule has been adopted. Core requirements, including consent and grievance redressal, take effect immediately. More complex obligations will roll out over 12 to 18 months, giving companies time to restructure internal systems.
Stricter Regime for High-Impact Firms
The government will identify certain companies as “significant data fiduciaries”, based on factors such as the volume and sensitivity of data processed. These entities will be subject to tougher obligations, including:
- Mandatory independent audits
- Periodic data protection impact assessments
- Additional safeguards for sensitive user groups
The rules also demand timely reporting of data breaches, requiring organisations to notify both the affected individuals and the Data Protection Board of India (DPB).
Special Provisions for Children and Persons With Disabilities
The DPDP framework introduces enhanced protections for children, requiring parental consent and restricting targeted advertising. It also outlines safeguards for individuals with disabilities who may need authorised guardians to manage consent on their behalf.
Officials said the government aimed to strike a balance between robust user rights and operational feasibility for companies.
Cross-Border Transfers Shift Toward Flexibility
In a significant departure from earlier data-localisation proposals, the rules state that cross-border transfers will be permitted unless specifically restricted by the government. The approach aligns with India’s ambitions to position itself as a global data hub while avoiding excessive compliance burdens.
Corporate India Prepares for a New Compliance Landscape
As the rules take effect, tech platforms, fintech operators, e-commerce firms and numerous government digital services will begin modifying their data-governance structures. For many, the requirements will involve substantial overhauls — from rewriting consent flows to redesigning data storage systems.
Experts say the shift could help restore user trust at a time when digital fraud and unauthorised data sharing are on the rise.
“The DPDP rules signal India’s intention to modernise its privacy architecture while accommodating innovation,” a senior policy analyst in New Delhi said.
The rollout marks a long-awaited transformation in how the world’s largest democracy approaches digital rights, setting the stage for a new era of accountability and transparency in its data economy.
