The Digital Personal Data Protection Act, 2023, and its implementing Rules, 2025, create a robust legal framework for digital personal data processing in India. The Act mandates consent-based data processing, detailed privacy notices, mechanisms for consent withdrawal, and clear responsibilities for facilitating data principal rights. It applies to all organizations processing personal data in India or targeting Indian users, with key exemptions for governmental and research/statistical purposes.
Significant data fiduciaries (SDFs), defined by the volume or sensitivity of data handled, face stricter requirements, including annual impact assessments, algorithmic due diligence, and data localization for specified data categories. The law sets out detailed retention rules and a flexible regime for international data transfers, giving the government broad powers to restrict them.
Mandatory rapid notification of data breaches and minimum security standards also apply. Special regimes govern children’s and disability data, with sectoral exemptions. The establishment of consent managers and broad government powers to access information further increase oversight.
The new rules require comprehensive updates to organizational data practices, documentation, and compliance processes, with elevated obligations for SDFs.
Global Privacy Law Review