The DPDP Act, 2023 & DPDP Rules, 2025: India's Data Privacy Law
India's first comprehensive data-protection law is now live: the Digital Personal Data Protection (DPDP) Act, 2023 gained operational teeth when the DPDP Rules, 2025 were notified in November 2025. Flowing from the Puttaswamy (2017) right-to-privacy judgment, it balances individual privacy with lawful data use. This guide covers the Act, the notified Rules, concerns and global practice — with probable questions for Prelims and Mains.
Every time we sign up for an app, shop online or use a government portal, we hand over personal data. For years India had no dedicated law to govern how that data is collected and used. That gap has now closed. The Digital Personal Data Protection (DPDP) Act, 2023 is India's first comprehensive data-protection law, and with the DPDP Rules, 2025 notified in November 2025, the framework is finally being operationalised through a phased rollout.
The law flows directly from the Supreme Court's landmark Justice K.S. Puttaswamy (2017) ruling, which declared privacy a fundamental right under Article 21. For UPSC, this is one of the most important governance topics of the cycle — spanning GS-II (governance, government policies) and GS-III (e-governance, IT).
After a draft was released in January 2025 and a nationwide consultation drawing nearly 6,915 inputs, the Ministry of Electronics and IT (MeitY) notified the final DPDP Rules, 2025 on 13 November 2025 (Gazette, 14 November). This gave full effect to the DPDP Act, established the Data Protection Board of India, and set a phased/staggered compliance timeline running up to mid-2027.
How UPSC Asks About Data Protection (2025–2026 Trend)
- Definition MCQs (Prelims): who is a Data Principal, Data Fiduciary, Significant Data Fiduciary or Consent Manager.
- Institution MCQs (Prelims): the Data Protection Board of India and appeals to the TDSAT.
- Rights & case-law MCQs (Prelims): the Puttaswamy judgment, Article 21, and the right to be forgotten/erasure.
- Analytical questions (Mains GS-II/III): balancing privacy with state power and innovation; comparison with the EU's GDPR; the RTI dilution debate.
Background — The Right to Privacy in India
| Milestone | Year | Significance |
|---|---|---|
| A.K. Gopalan case | 1950 | SC rejected the argument for a right to privacy |
| Kharak Singh case | 1962 | First relief touching privacy — but not yet a fundamental right |
| A.P. Shah Committee | 2011 | Recommended a comprehensive privacy law for public & private sectors |
| B.N. Srikrishna Committee | 2017 | Proposed a Data Protection Authority, right to be forgotten, data localisation |
| K.S. Puttaswamy judgment | 2017 | 9-judge bench: privacy is a fundamental right under Article 21 |
| DPDP Act enacted | 2023 | India's first comprehensive data-protection law |
| DPDP Rules notified | 2025 | Operationalised the Act; phased rollout to 2027 |
What Is the DPDP Act, 2023?
About & Applicability
The DPDP Act is India's first comprehensive data-protection law, providing a legal framework for handling digital personal data — safeguarding individual privacy while allowing lawful data processing. It was enacted nearly six years after Puttaswamy and is broadly inspired by global frameworks like the EU's GDPR.
Where It Applies
- To digital personal data processed within India — whether collected digitally or digitised later.
- Extraterritorially — to processing outside India if it is for offering goods or services in India.
- Not to personal data used for purely personal/domestic purposes, or data made public by the individual or under a legal duty.
Key Concepts — Who's Who
| Term | Meaning |
|---|---|
| Data Principal | The individual whose personal data is being processed (for a child, the parent/guardian) |
| Data Fiduciary | The entity that decides how and why personal data is processed |
| Data Processor | An entity that processes data on behalf of a Data Fiduciary |
| Significant Data Fiduciary (SDF) | A high-impact fiduciary notified by the government (large volume/sensitive data, risks) with extra duties |
| Consent Manager | A registered Indian intermediary that helps users give/withdraw consent |
| Data Protection Board of India | The regulator that enforces the law and handles breaches/grievances |
Key Provisions of the DPDP Act, 2023
The Core Rules of the Game
Consent
Personal data may be processed only for a lawful purpose with the consent of the Data Principal, who can withdraw it anytime. Consent is not required for certain "legitimate uses" (e.g. government services, medical emergencies).
Children's Data (Section 9)
A "child" is anyone under 18. Processing a child's data needs verifiable parental consent; harmful processing and targeted advertising to minors are prohibited.
Rights & Duties of the Data Principal
Individuals get the right to access, correct, erase, seek grievance redressal, and nominate a representative (in case of death/incapacity). They must not file false complaints — a violation can attract a fine up to ₹10,000.
Obligations of Data Fiduciaries
Ensure data accuracy and security, notify the Board and affected individuals of a breach, and erase data once its purpose is met and retention is no longer required.
Significant Data Fiduciaries (SDFs)
Face extra duties — appointing a Data Protection Officer (India-based) and an independent auditor, and conducting periodic Data Protection Impact Assessments (DPIAs).
Data Protection Board of India (DPBI)
An independent regulator that monitors compliance, imposes penalties and handles breaches and grievances. Appeals lie to the Telecom Disputes Settlement & Appellate Tribunal (TDSAT).
Penalties
Steep — up to ₹250 crore for failure to maintain reasonable security safeguards, and up to ₹200 crore for breach-notification failures.
The Act amended Section 8(1)(j) of the RTI Act, removing the earlier "larger public interest" test for personal information. Critics argue this lets public authorities withhold information simply by labelling it "personal data," potentially weakening the Right to Information — a key point of debate.
The DPDP Rules, 2025 (Now Notified)
What the Rules Add
The Rules translate the Act's principles into concrete, "how-to" obligations:
- Data Protection Board: a "digital-by-design," four-member Board — citizens can file and track complaints online via a portal/app, with faster grievance redressal.
- Breach notification: a two-stage duty — inform the Board immediately, and notify affected Data Principals within 72 hours.
- Children & guardians: verifiable parental consent (including via DigiLocker-based verification); no tracking, profiling or behavioural/targeted advertising directed at children.
- Data retention/erasure: large platforms (big e-commerce, online gaming, social media) must delete data after 3 years of a user's last interaction, with a 48-hour prior notice before erasure.
- Graded responsibilities: lighter compliance for startups & MSMEs; heavier duties (annual DPIA + audit, algorithmic due diligence) for SDFs. Big platforms (e.g. major social-media and e-commerce firms) are likely SDFs.
- Consent Managers: must be an Indian company with a minimum net worth of ₹2 crore, registered with the Board.
- Cross-border transfers: data may flow abroad, subject to conditions set by the government; certain data may be localised for SDFs.
Phased Timeline
- Phase I (immediate): setting up the Data Protection Board.
- Phase II (12 months, ~Nov 2026): Consent Manager provisions.
- Phase III (18 months, ~May 2027): the main substantive compliance obligations kick in.
Key Concerns With the DPDP Framework
- Excessive state exemptions: broad exemptions let the State collect and retain data, raising fears for the fundamental right to privacy.
- Missing rights: the Act omits some rights found abroad, notably the right to data portability.
- Cross-border flows: a largely open transfer regime, with restrictions only at the government's discretion — raising data-security and sovereignty concerns.
- Weak harm-prevention: the law does not explicitly tackle identity theft, financial fraud or discriminatory profiling.
- RTI dilution: the amendment to Section 8(1)(j) may weaken transparency (see box above).
Way Forward — Strengthening the Framework
- Clarify exemptions: define terms like "sovereignty and integrity" precisely and make the process for granting exemptions transparent.
- Promote data agreements: pursue bilateral/multilateral pacts for safe data exchange rather than isolationism.
- Keep regulation adaptive: build a dynamic framework that evolves with AI and new privacy risks — possibly via a specialised task force.
- Adopt global best practices: learn from models like the EU–US data-privacy framework for secure, trusted cross-border flows.
Global Practices on Data Governance
| Jurisdiction | Framework |
|---|---|
| European Union | GDPR — comprehensive; treats privacy as a fundamental right with strong individual control |
| China | Data Security Law (DSL) + Personal Information Protection Law (PIPL) — data classification & tight cross-border rules |
| United States | No single federal law — sector-specific rules; the Privacy Act governs government data |
| India | DPDP Act 2023 + Rules 2025 — consent-driven, rights-based, with a digital regulator |
A data-protection law is really a trust law. The DPDP framework tries to give citizens control over their digital selves while letting the digital economy grow — its success will hinge on how independently the Board acts and how narrowly the State's own exemptions are read. — Legacy IAS Faculty
Probable Prelims MCQs (with Answers)
The fundamental right to privacy was affirmed by the Supreme Court in which case?
(a) Kharak Singh v. State of U.P.
(b) K.S. Puttaswamy v. Union of India
(c) Maneka Gandhi v. Union of India
(d) A.K. Gopalan v. State of Madras
Answer: (b). The 2017 Puttaswamy judgment held privacy to be a fundamental right under Article 21.
Under the DPDP Act, 2023, consider the following:
1. A "Data Principal" is the individual whose personal data is processed.
2. A "Data Fiduciary" decides the purpose and means of processing.
3. Appeals against the Data Protection Board lie to the TDSAT.
Which of the statements given above are correct?
(a) 1 and 2 only (b) 2 and 3 only (c) 1 and 3 only (d) 1, 2 and 3
Answer: (d). All three are correct.
With reference to the DPDP Act, 2023, consider the following statements:
1. The Act applies to personal data in both digital and non-digital form.
2. A "child" is defined as anyone below 18 years of age.
3. The maximum penalty can go up to ₹250 crore.
Which of the statements given above are correct?
(a) 1 and 2 only (b) 2 and 3 only (c) 1 and 3 only (d) 1, 2 and 3
Answer: (b). Statement 1 is wrong — the Act covers only digital personal data.
As per the DPDP Rules, 2025, a Consent Manager must be:
(a) A foreign company with any net worth
(b) An Indian company with a minimum net worth of ₹2 crore
(c) A government department
(d) An individual registered with the TDSAT
Answer: (b). A Consent Manager must be an Indian company with a minimum net worth of ₹2 crore, registered with the Board.
Probable Mains Questions (GS Paper II)
- Discuss the significance of the DPDP Act, 2023 in safeguarding the fundamental right to privacy under Article 21, and examine its key concerns. (250 words)
- The DPDP Rules, 2025 translate a principle-based law into operational obligations. Analyse their key features and their impact on citizens and businesses. (250 words)
- "The DPDP Act balances privacy with state power imperfectly." Critically examine the exemptions granted to the State. (150 words)
- Compare India's DPDP framework with the EU's GDPR. What can India learn from global best practices? (250 words)
- Examine how the DPDP Act's amendment to the RTI Act may affect the balance between privacy and transparency. (150 words)
Frequently Asked Questions (FAQs)
What is the DPDP Act, 2023?
It is India's first comprehensive data-protection law, governing how digital personal data is collected, processed and protected, while safeguarding the right to privacy and allowing lawful data use.
When were the DPDP Rules, 2025 notified?
The final Rules were notified on 13 November 2025 by MeitY, operationalising the Act with a phased rollout — the main compliance obligations take effect around May 2027.
Who is a Data Principal and a Data Fiduciary?
A Data Principal is the individual whose personal data is processed; a Data Fiduciary is the entity that decides the purpose and means of processing that data.
What is the Data Protection Board of India?
It is the independent, digital-first regulator that monitors compliance, penalises violations and handles data-breach and grievance cases. Appeals go to the TDSAT.
How does the Act protect children's data?
It defines a child as anyone under 18, requires verifiable parental consent, and bans harmful processing and targeted advertising directed at minors.
Key Takeaways
- The chain: Puttaswamy (2017, privacy = FR under Art 21) → DPDP Act (2023) → DPDP Rules (notified 13 Nov 2025); committees A.P. Shah (2011) & B.N. Srikrishna (2017).
- Scope: only digital personal data; applies within India and extraterritorially for goods/services offered in India.
- Key players: Data Principal, Data Fiduciary, SDF, Consent Manager (Indian co., ₹2 cr net worth), and the Data Protection Board of India (appeals to TDSAT).
- Consent & children: consent-driven; a "child" is anyone under 18; verifiable parental consent; no targeted ads to minors.
- Rules 2025: 72-hour breach notice to individuals, 3-year data deletion for big platforms, graded duties, phased rollout to ~May 2027; max penalty ₹250 crore.
- Concerns: broad State exemptions, no data portability, open cross-border flows, weak harm-prevention, and the RTI dilution (Section 8(1)(j)).
Master Governance & Polity with Legacy IAS — Bangalore
Expert faculty, structured GS & Optional guidance, and Bangalore's most trusted UPSC coaching — all under one roof.


