India's first comprehensive data privacy law received Presidential assent in August 2023. With rules expected in 2025, here is what the Act means for individuals, businesses, and digital platforms.
The Digital Personal Data Protection Act, 2023 (DPDP Act) was signed into law on 11 August 2023, marking the culmination of a six-year legislative journey. It establishes, for the first time, a comprehensive statutory framework for the collection, processing, and protection of personal data of Indian citizens — online and offline where data is subsequently digitised.
Core Rights of Data Principals (Citizens)
- Right to access information about personal data being processed.
- Right to correction and erasure of inaccurate or incomplete data.
- Right to grievance redressal against data fiduciaries within defined timelines.
- Right to nominate another person to exercise rights in the event of death or incapacity.
- Right to withdraw consent at any time, with the withdrawal being as easy as granting it.
Obligations on Businesses (Data Fiduciaries)
Every entity that collects personal data — from a neighbourhood clinic that digitises patient records to a multinational e-commerce platform — is now a "data fiduciary" under the Act. Key obligations include obtaining free, specific, informed, unconditional, and unambiguous consent before processing; appointing a Data Protection Officer for Significant Data Fiduciaries; and implementing appropriate technical and organisational security safeguards.
“The DPDP Act shifts the burden from the citizen to the corporation. For the first time, platforms must prove they had your consent — you no longer have to prove they did not.”
— Rakesh Kumar, Advocate, Mudgal Advocates
Penalties
The Act provides for financial penalties of up to ₹250 crore for failure to implement adequate security safeguards leading to a data breach, and up to ₹200 crore for non-compliance with child data protection provisions. The Data Protection Board of India, yet to be constituted by the Central Government, will be the adjudicatory body.
Current Status and Next Steps
As of January 2025, the DPDP Rules are in advanced draft stage and are expected to be notified in the first half of 2025. Businesses should begin gap analyses against the Act's requirements immediately. Individuals who believe their data rights are being violated may still approach existing regulators (TRAI, RBI, SEBI) under their respective sectoral frameworks until the Data Protection Board is operational.
- Review and update your privacy policies to align with DPDP consent requirements.
- Audit third-party data processors and ensure contractual compliance obligations are in place.
- Establish an internal data grievance mechanism before the Rules mandate one.
- Appoint a Data Protection Officer if you are likely to be designated a Significant Data Fiduciary.
At Mudgal Advocates, we are advising clients across sectors on DPDP compliance readiness. If you have questions about your obligations or rights under this Act, contact us for a consultation.