(18 Nov, 2025)

Towards a Robust Digital Data Protection Regime in India

This editorial is based on “Too little, much later: on the Digital Personal Data Protection Rules, 2025”, which was published in The Hindu on 17/11/2025. The article recognises that the Digital Personal Data Protection Rules, 2025, create a clearer, citizen-centric framework with stronger individual rights. However, it also criticises the rules for being delayed and somewhat diluted, leading to reduced transparency and deferred safeguards that weaken timely protection for citizens.

For Prelims: Digital Personal Data Protection Act, 2023, Digital Personal Data Protection Rules, 2025, Data Fiduciary, Data Principal, Data Processor, Consent Manager, Telecom Disputes Settlement and Appellate Tribunal (TDSAT), KS Puttaswamy v. Union of India (2017), Right to Information (RTI) Act  

For Mains: Key Features of the Digital Personal Data Protection Act, 2023, Key Provisions of the Digital Personal Data Protection Rules, 2025, Key Challenges Associated with Implementing the Digital Personal Data Protection Act, 2023, and the Rules, 2025 

In an increasingly digital world, protecting personal data has become more critical than ever. The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 in November 2025, marking the full operationalisation of the Digital Personal Data Protection Act, 2023. Together, the Act and Rules establish a citizen-centred framework that balances privacy rights with the lawful and responsible use of digital personal data. While the framework enhances individual rights, strengthens accountability, and promotes transparent data practices, it has also faced criticism for implementation delays and weakened transparency provisions. These concerns pose challenges in ensuring timely safeguards, effective oversight, and robust enforcement. 

What are the Key Features of the Digital Personal Data Protection Act, 2023? 

  • Applicability: The Act applies to the processing of digital personal data within India, including both data collected online and offline data that has been digitised.  
    • It also covers processing outside India if it involves offering goods or services to individuals in India. 
  • Core Principles: It is based on seven key principles: consent, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability, which guide lawful data processing at every stage. 
    • The Act adopts the SARAL approach, meaning it is designed to be Simple, Accessible, Rational, and Actionable. 
  • Rights of Data Principals: Individuals have rights to clear consent, access, correction, updating, and erasure of their personal data.  
    • They can nominate someone else to exercise these rights on their behalf if needed.  
    • The Act mandates responses to such requests within a specified timeline. 
  • Obligations of Data Fiduciaries: Entities processing data must implement reasonable security safeguards, obtain explicit consent, erase data when no longer needed or when consent is withdrawn, notify individuals and the Data Protection Board of breaches, and establish grievance redressal mechanisms. 
  • Significant Data Fiduciaries: Certain large or sensitive data handlers are designated as significant data fiduciaries with additional responsibilities such as appointing data auditors, conducting periodic impact assessments, and complying with stricter regulations on new or sensitive technologies. 
    • Data fiduciaries must offer clear communication, publish contact details of data protection officers, conduct independent audits, and ensure accountability for the protection and lawful use of personal data. 
  • Data Protection Board of India: The Act establishes an independent regulatory authority to monitor compliance, inquire into breaches, take corrective actions, impose penalties and handle grievances. 
  • Special Protections: The Act provides enhanced protections for children's data by requiring verifiable parental consent and restricting harmful processing such as targeted advertising or tracking of children. 
    • It also includes safeguards for persons with disabilities requiring consent from verified legal guardians. 
  • Cross-Border Data Transfers: Transfers outside India are permitted except to countries restricted by the government. 
    • Restrictions and conditions aim to safeguard data sovereignty and security. 
  • Exemptions: Rights of the Data Principal and obligations of Data Fiduciaries (except data security) will not apply in specified cases, including: 
    • For notified agencies, in the interest of security, sovereignty, public order, etc. 
    • For research, archiving, or statistical purposes. 
    • For start-ups or other notified categories of Data Fiduciaries. 
    • To enforce legal rights and claims; or prevention and investigation of offences. 
    • To perform judicial or regulatory functions. 
    • To process in India personal data of non-residents under foreign contract. 
  • Penalties and Enforcement: The Act prescribes substantial financial penalties for breaches, including failures in security safeguards, breach notification, and child data protection obligations, reinforcing the seriousness of compliance. 
    • The Act introduces the concept of a Data Consent Manager as a feature to facilitate a Data Principal’s exercise of their rights.

Key Terms Under the DPDP Act, 2023 

  • Data Fiduciary: An entity that decides why and how personal data is processed, either alone or with others. 
  • Data Principal: The individual to whom the personal data relates. In the case of a child, this includes a parent or lawful guardian. For a person with a disability who cannot act independently, this includes the lawful guardian acting on their behalf. 
  • Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary. 
  • Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent. 
  • Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board.

What are the Key Provisions and Intended Benefits of the Digital Personal Data Protection Rules, 2025? 

  • Individual-Centred Data Governance: The DPDP framework is designed around the needs and rights of the Data Principal (individual), ensuring that citizens—not corporations or the state—are at the heart of data protection. 
    • Rules are written in clear, simple language, enabling ordinary users to understand their rights without legal expertise. 
    • Organisations handling personal data must operate with transparency, responsibility, and demonstrable accountability. 
  • Rights of Data Principals: Citizens can seek information on what personal data has been collected, why it has been collected and how it is being used. 
    • Individuals can ask for a copy of their personal data that is held by a Data Fiduciary. 
    • People may request corrections to personal data that is inaccurate or incomplete. 
    • Citizens can ask for changes when their details have altered, such as a new address or updated contact number. 
    • Individuals may request the removal of personal data in certain situations. 
    • Every individual can appoint someone to exercise their data rights on their behalf. 
    • Individuals now have the explicit right to give, refuse, or withdraw consent for the processing of their personal data. 
  • Mandatory Response within Ninety Days: Data Fiduciaries are required to address all requests related to access, correction, updating or erasure within a maximum of ninety days, ensuring timely action and accountability. 
  • Protection During Personal Data Breaches: If a breach takes place, citizens must be informed at the earliest. The message must explain what happened and what steps they can take. This helps people act quickly to reduce harm. 
  • Clear Contact for Queries and Complaints: Data Fiduciaries must provide a point of contact for questions relating to personal data. This may be a designated officer or a Data Protection Officer. 
  • Special Protection for Children: When a child’s personal data is involved, verifiable consent from a parent or guardian is required.  
    • This consent is needed unless the processing relates to essential services such as healthcare, education or real-time safety. 
  • Special Protection for Persons with Disabilities: If a person with a disability cannot make legal decisions even with support, their lawful guardian must give consent. This guardian must be verified under the relevant laws. 
  • Harmonisation with the Right to Information (RTI) Act: The DPDP Act amends Section 8(1)(j) of the RTI Act to harmonise privacy rights with the right to information. 
    • The amendment reflects judicial reasoning that personal information should not be disclosed without assessing privacy implications. 
    • It does not limit transparency, but ensures that disclosure is justified and responsible. 
      • The Supreme Court in the KS Puttaswamy v. Union of India (2017) judgment affirmed privacy as a fundamental right under Article 21, underscoring the need for legal frameworks that uphold individual autonomy over personal data. 

What are the Key Challenges Associated with India’s Data Governance Framework? 

  • Government Exemptions and Surveillance Risks: The Act grants broad exemptions to the government for data processing in the name of sovereignty and public order, raising concerns about unchecked surveillance and potential privacy violations. 
    • This has been a major criticism, with fears that it erodes the KS Puttaswamy ruling on fundamental privacy rights. 
    • The amendment to Section 8(1)(j) of the RTI Act through Section 44(3) of the DPDP Act 2023 poses a serious threat to the RTI Act’s core goals of transparency and accountability. 
    • By creating a blanket prohibition on disclosing personal information, without clearly defining what personal information means, the amendment weakens one of India’s strongest tools for public scrutiny. 
      • It risks making the RTI framework less effective in ensuring government accountability and in preventing corruption. 
  • Lack of Independent Regulatory Authority: The government-appointed Data Protection Board lacks full autonomy, raising concerns about impartiality, transparency, and selective enforcement, which could undermine public trust in data regulation. 
    • Because appointments and administrative control largely rest with the executive, the Board may not enjoy the institutional independence necessary for impartial oversight. 
  • Challenges in Managing Consent and Data Subject Rights: Implementing granular, verifiable, and age-appropriate consent mechanisms is complex, especially for parental consent in children’s data processing.  
    • The absence of clarity on consent verification adds to compliance challenges for handlers of personal data. 
    • The Justice B.N. Srikrishna Committee emphasised meaningful and informed consent as central to data protection, recommending that consent be the lawful basis for personal data processing. 
  • Technological Gaps and New Tech Challenges: The Act does not specifically address emerging technologies like blockchain, AI, big data analytics, and IoT, which involve decentralised, automated data processing, potentially leaving regulatory gaps and legal uncertainties. 
    • Large Language Models (LLMs) are trained on massive, often scraped datasets that may contain private information. 
    • This can lead to data regurgitation, where the model unintentionally leaks sensitive personal data from its training corpus to a user during a regular conversation. 
    • AI models, particularly those using Big Data, can infer sensitive personal data (like health conditions, political views, or sexual orientation) from non-sensitive, seemingly anonymous input, effectively de-anonymizing individuals and posing data privacy concerns. 
  • Low Public Awareness and Digital Literacy: Many Indian users, especially in rural areas, lack awareness of their data rights and how to exercise them, hindering effective use of the protections under the Act. 
    • Government campaigns are planned but lack a clear strategy or scale for widespread impact yet. 
  • Cross-border Data Transfer Uncertainties: Ambiguities around data localisation and international data flows create compliance uncertainties for multinational companies and may conflict with global regulations like GDPR, complicating global operations. 
  • Potential Over-penalisation: While significant fines are critical for enforcement, disproportionate penalties could stifle smaller businesses' capabilities to comply, potentially leading to selective enforcement or legal challenges. 
    • Small enterprises face difficulties in meeting technical and legal requirements, such as hiring Data Protection Officers, conducting audits, and maintaining secure infrastructure. 
    • This compliance burden could discourage innovation or push smaller firms out due to costs and lack of expertise. 

What Measures can be Adopted to Build a Robust and People-centric Digital Personal Data Protection Regime in India? 

  • Strengthen Institutional Independence: India must enhance the autonomy and independence of the Data Protection Board of India (DPBI) by insulating it from governmental and corporate influence, ensuring impartial regulatory oversight. 
    • Drawing from Justice B.N. Srikrishna Committee recommendations and global models like the European Data Protection Board (EDPB), a separate budget, transparent appointment procedures, and judicial review powers should be instituted to build credibility and public trust. 
  • Clarify and Limit Government Exemptions: The government’s data processing exemptions on grounds of sovereignty and security should be clearly defined with judicial or parliamentary oversight to prevent misuse. 
    • The legislative framework must embed safeguards akin to the KS Puttaswamy v. Union of India (2017) ruling, which affirms privacy as constitutionally protected, ensuring that state interests do not unreasonably infringe on fundamental rights or enable unchecked surveillance. 
  • Enable Practical Compliance for MSMEs and Startups: Considering cost and capacity constraints, the government should introduce tiered compliance requirements calibrated by enterprise size and risk profile. 
    • Providing subsidies, technical assistance, capacity-building programs, and shared infrastructure platforms (e.g., centralized Consent Managers) can ease the burden on SMEs, encouraging innovation while maintaining robust privacy safeguards. 
    • This approach aligns with international best practices observed in jurisdictions like Singapore and Australia. 
  • Mandate Clear and Verifiable Consent Mechanisms: The government must enforce standards for granular, easily comprehensible, and verifiable consent processes, including age-appropriate parental verification for children’s data, to uphold agency and transparency. 
    • Learning from GDPR’s explicit consent requirements, technological interoperability standards for Consent Managers should be set and regularly audited to prevent consent fatigue and ensure genuine user control. 
  • Enhance Public Awareness and Digital Literacy Initiatives: To maximize the framework’s effectiveness, the government should launch large-scale education campaigns targeting urban and rural populations alike, raising awareness of data privacy rights and remedies. 
    • Partnering with civil society, educational institutions, and digital platforms for accessible content in multiple languages will empower citizens to holistically exercise their protections and hold entities accountable. 
  • Address Emerging Technology Challenges: A dedicated task force should be formed to study and design regulatory guidance for evolving technologies like AI, blockchain, IoT, and big data analytics, ensuring they comply with data protection principles without stifling innovation. 
    • Dynamic rules and periodic reviews could maintain regulatory relevance and anticipate risks, as recommended by the Srikrishna Committee and reflected in frameworks like the EU’s AI Act. 
  • Streamline Cross-border Data Transfer Regulations: The government should clarify data localization norms while promoting safe, standardized bilateral and multilateral data transfer agreements to facilitate global trade. 
    • Aligning with international frameworks (e.g., GDPR’s adequacy decisions) will enable Indian businesses to compete internationally while safeguarding data sovereignty and citizens’ rights. 

Conclusion:  

India’s Digital Personal Data Protection Act, 2023, along with the Rules, 2025, represents a major milestone in operationalising the constitutional right to privacy affirmed in the K.S. Puttaswamy judgment. Yet, its success hinges on overcoming critical implementation challenges. Strengthening independent oversight, refining exemptions, simplifying SME compliance, improving consent frameworks, enhancing digital literacy, regulating emerging technologies, and ensuring smooth cross-border data transfers are essential to create a balanced data-governance ecosystem that safeguards rights while enabling innovation and economic growth. 

Drishti Mains Question:  

"Privacy as a fundamental right was affirmed by the Supreme Court in the KS Puttaswamy Case (2017)." Discuss how India's Digital Personal Data Protection Act, 2023, and Rules, 2025, operationalise this right and the challenges in its implementation.

Frequently Asked Questions (FAQs) 

Q1. What are the core provisions of the DPDP Rules, 2025? 
The DPDP Rules, 2025 operationalise the DPDP Act by mandating verifiable consent, plain-language notice, security safeguards (encryption, logging), breach reporting to the Data Protection Board within 72 hours, data retention/erasure norms, and obligations on Significant Data Fiduciaries.

Q2. What major implementation challenges does India face under the DPDP Act and Rules? 
Key challenges include broad government exemptions and surveillance risks, ambiguous breach timelines, limited regulatory independence, high compliance costs for MSMEs/startups, low digital literacy, and cross-border transfer uncertainties.

Q3. How do the DPDP Rules protect vulnerable groups such as children and persons with disabilities? 
The Rules require verifiable parental consent for children and court-certified or lawful guardian consent for persons with disabilities, and restrict harmful profiling and targeted advertising to enhance safety. 

Q4. What measures can ease compliance for startups and MSMEs under the DPDP regime? 
The government should adopt tiered compliance, provide subsidies, shared infrastructure like centralized Consent Managers, technical assistance and capacity-building to reduce costs and protect innovation.

UPSC Civil Services Examination, Previous Year Question (PYQ)

Prelims 

Q. ‘Right to Privacy’ is protected under which Article of the Constitution of India? (2021) 

(a) Article 15  

(b) Article 19  

(c) Article 21  

(d) Article 29  

Ans: (c)  

Q. Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement? (2018)  

(a) Article 14 and the provisions under the 42nd Amendment to the Constitution.  

(b) Article 17 and the Directive Principles of State Policy in Part IV.  

(c) Article 21 and the freedoms guaranteed in Part III.  

(d) Article 24 and the provisions under the 44th Amendment to the Constitution.  

Ans: (c)
Mains 

Q. Examine the scope of Fundamental Rights in the light of the latest judgement of the Supreme Court on Right to Privacy. (2017) 

Q. Describe the context and salient features of the Digital Personal Data Protection Act 2023. (2024)