Data Protection in 2025: Evaluating the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as Instruments for Meaningful Privacy in India’s Digital Economy
By Guru Legal
Keywords
Digital Personal Data Protection Act 2023; DPDP Rules 2025; MeitY; data principal; data fiduciary; consent; data localisation; privacy; personal data; cloud computing; AI; India; data protection authority
Abstract
The Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules), notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025, constitute India’s first comprehensive legislative framework for personal data protection. This article examines the key provisions of the Act and the Rules, analyses their adequacy against international data protection standards, particularly the EU General Data Protection Regulation (GDPR), and evaluates their potential effectiveness in protecting the personal data of India’s more than 900 million internet users in the context of rapidly expanding digital commerce, artificial intelligence, and cloud computing. The article argues that while the DPDP framework represents a significant legislative achievement, its effectiveness in delivering meaningful privacy protection depends critically on the robustness and independence of the Data Protection Board, the comprehensiveness of subsidiary regulations yet to be notified, and the capacity of regulatory enforcement.
I. Introduction
India’s digital economy is one of the largest and fastest-growing in the world, encompassing over 900 million internet users, a rapidly expanding fintech sector, a substantial e-commerce market, and a growing ecosystem of AI-powered services. The collection, processing, and monetisation of personal data is central to the business models of each of these sectors, creating significant risks to the privacy and autonomy of Indian data principals. Prior to the enactment of the DPDP Act, India lacked comprehensive data protection legislation: the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 provided only limited and fragmented protection. The DPDP Act, which received Presidential assent in August 2023 and the commencement of whose provisions has been phased through the DPDP Rules, 2025, fills this legislative gap.
II. Key Provisions of the DPDP Act
The DPDP Act establishes a framework built around six core principles: lawful processing on a specified legal basis (consent or legitimate use); purpose limitation; data minimisation; accuracy; storage limitation; and security. The Act applies to the processing of digital personal data within India and to processing outside India if it relates to the offering of goods or services to data principals in India. It establishes the obligations of data fiduciaries (entities that determine the purpose and means of processing), including the obligation to obtain free, specific, informed, unconditional, and unambiguous consent from data principals, to provide a notice describing the personal data to be processed and the purpose of processing, and to implement appropriate technical and organisational security safeguards.
Data principals are granted a bundle of rights, including the right to access information about their data, the right to correction and erasure, the right to nominate a person to exercise rights in the event of the principal’s death or incapacity, and the right to withdraw consent. The right to erasure under the DPDP Act is narrower than the equivalent right under the GDPR: it is conditional on the data fiduciary no longer needing the data for the specified purpose, and does not extend to data processed on the basis of legitimate use rather than consent.
III. The DPDP Rules, 2025: Phased Implementation
The DPDP Rules, 2025, notified on 13 November 2025, introduce a phased implementation schedule: Rules 1, 2, and 17-21 (general provisions and Data Protection Board) came into force on the date of notification; Rule 4 (consent manager provisions) will take effect one year later; and Rules 3, 5-16, and 22-23 (substantive obligations on data fiduciaries) will take effect 18 months after notification. The phased approach reflects the government’s recognition that data fiduciaries require time to adapt their data processing systems and compliance programmes to the new requirements, but also means that meaningful enforcement of the Act’s core obligations will not begin until May 2027.
IV. Critical Assessment: Adequacy and Gaps
The DPDP Act compares favourably to international data protection standards in several respects, including its consent-based approach, its data principal rights framework, and its extraterritorial scope. However, it falls short of GDPR standards in important areas: its cross-border transfer regime relies on executive notification rather than published adequacy criteria; its exemptions for state instrumentalities are broad; its right to erasure is narrower than the GDPR’s; and its provisions on automated decision-making are less developed than Article 22 of the GDPR, which grants data subjects the right not to be subject to solely automated decisions with significant effects. The absence of mandatory data breach notification timelines in the Act, with the Rules delegating the specification of timeframes to the Data Protection Board, is a further gap that creates uncertainty for data fiduciaries.
V. Conclusion
The DPDP Act and the DPDP Rules, 2025 represent a landmark development in Indian data protection law. Their effectiveness as instruments of meaningful privacy protection will depend on the institutional architecture of the Data Protection Board (its independence, funding, expertise, and enforcement capacity) and on the quality of the subsidiary regulations and guidance that remain to be issued. A robust, well-resourced, and genuinely independent data protection regulator is the indispensable complement to a well-drafted data protection statute in any jurisdiction, and India’s experience with the DPDP framework will be shaped above all by whether such a regulator is established in practice.
Bibliography
Digital Personal Data Protection Act, 2023 (India).
Digital Personal Data Protection Rules, 2025 (India), notified by MeitY on 13 November 2025.
Information Technology Act, 2000 (India).
IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India).
EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 (Supreme Court of India).