DPDP Act 2023 & DPDP Rules 2025: India’s Privacy Law

Governance & Polity · GS Paper II & III · Prelims + Mains

The DPDP Act, 2023 & DPDP Rules, 2025: India's Data Privacy Law

India's first comprehensive data-protection law is now live: the Digital Personal Data Protection (DPDP) Act, 2023 gained operational teeth when the DPDP Rules, 2025 were notified in November 2025. Flowing from the Puttaswamy (2017) right-to-privacy judgment, it balances individual privacy with lawful data use. This guide covers the Act, the notified Rules, concerns and global practice — with probable questions for Prelims and Mains.

📜 Act 2023
🗓️ Rules Notified Nov 2025
⚖️ Regulator DPB of India
💰 Max penalty ₹250 crore
📅 Published: July 2026 🏛 Subject: Governance & Polity ✍️ By: Legacy IAS 🔄 Updated: July 2026

Every time we sign up for an app, shop online or use a government portal, we hand over personal data. For years India had no dedicated law to govern how that data is collected and used. That gap has now closed. The Digital Personal Data Protection (DPDP) Act, 2023 is India's first comprehensive data-protection law, and with the DPDP Rules, 2025 notified in November 2025, the framework is finally being operationalised through a phased rollout.

The law flows directly from the Supreme Court's landmark Justice K.S. Puttaswamy (2017) ruling, which declared privacy a fundamental right under Article 21. For UPSC, this is one of the most important governance topics of the cycle — spanning GS-II (governance, government policies) and GS-III (e-governance, IT).

🆕 Why in the News

After a draft was released in January 2025 and a nationwide consultation drawing nearly 6,915 inputs, the Ministry of Electronics and IT (MeitY) notified the final DPDP Rules, 2025 on 13 November 2025 (Gazette, 14 November). This gave full effect to the DPDP Act, established the Data Protection Board of India, and set a phased/staggered compliance timeline running up to mid-2027.

How UPSC Asks About Data Protection (2025–2026 Trend)

  • Definition MCQs (Prelims): who is a Data Principal, Data Fiduciary, Significant Data Fiduciary or Consent Manager.
  • Institution MCQs (Prelims): the Data Protection Board of India and appeals to the TDSAT.
  • Rights & case-law MCQs (Prelims): the Puttaswamy judgment, Article 21, and the right to be forgotten/erasure.
  • Analytical questions (Mains GS-II/III): balancing privacy with state power and innovation; comparison with the EU's GDPR; the RTI dilution debate.
Prep tip: Anchor this topic on three pillars — the Puttaswamy right to privacy, the Act's key definitions, and the newly notified Rules. That covers most possible questions.

Background — The Right to Privacy in India

MilestoneYearSignificance
A.K. Gopalan case1950SC rejected the argument for a right to privacy
Kharak Singh case1962First relief touching privacy — but not yet a fundamental right
A.P. Shah Committee2011Recommended a comprehensive privacy law for public & private sectors
B.N. Srikrishna Committee2017Proposed a Data Protection Authority, right to be forgotten, data localisation
K.S. Puttaswamy judgment20179-judge bench: privacy is a fundamental right under Article 21
DPDP Act enacted2023India's first comprehensive data-protection law
DPDP Rules notified2025Operationalised the Act; phased rollout to 2027
Exam angle: The chain Puttaswamy (2017) → DPDP Act (2023) → DPDP Rules (2025) is the single most testable sequence. Note the committees: A.P. Shah (2011) and B.N. Srikrishna (2017).

What Is the DPDP Act, 2023?

About & Applicability

The DPDP Act is India's first comprehensive data-protection law, providing a legal framework for handling digital personal data — safeguarding individual privacy while allowing lawful data processing. It was enacted nearly six years after Puttaswamy and is broadly inspired by global frameworks like the EU's GDPR.

Where It Applies

  • To digital personal data processed within India — whether collected digitally or digitised later.
  • Extraterritorially — to processing outside India if it is for offering goods or services in India.
  • Not to personal data used for purely personal/domestic purposes, or data made public by the individual or under a legal duty.
Exam angle: The Act covers only digital personal data; non-personal and non-digital data are outside its scope.

Key Concepts — Who's Who

TermMeaning
Data PrincipalThe individual whose personal data is being processed (for a child, the parent/guardian)
Data FiduciaryThe entity that decides how and why personal data is processed
Data ProcessorAn entity that processes data on behalf of a Data Fiduciary
Significant Data Fiduciary (SDF)A high-impact fiduciary notified by the government (large volume/sensitive data, risks) with extra duties
Consent ManagerA registered Indian intermediary that helps users give/withdraw consent
Data Protection Board of IndiaThe regulator that enforces the law and handles breaches/grievances

Key Provisions of the DPDP Act, 2023

The Core Rules of the Game

Consent

Personal data may be processed only for a lawful purpose with the consent of the Data Principal, who can withdraw it anytime. Consent is not required for certain "legitimate uses" (e.g. government services, medical emergencies).

Children's Data (Section 9)

A "child" is anyone under 18. Processing a child's data needs verifiable parental consent; harmful processing and targeted advertising to minors are prohibited.

Rights & Duties of the Data Principal

Individuals get the right to access, correct, erase, seek grievance redressal, and nominate a representative (in case of death/incapacity). They must not file false complaints — a violation can attract a fine up to ₹10,000.

Obligations of Data Fiduciaries

Ensure data accuracy and security, notify the Board and affected individuals of a breach, and erase data once its purpose is met and retention is no longer required.

Significant Data Fiduciaries (SDFs)

Face extra duties — appointing a Data Protection Officer (India-based) and an independent auditor, and conducting periodic Data Protection Impact Assessments (DPIAs).

Data Protection Board of India (DPBI)

An independent regulator that monitors compliance, imposes penalties and handles breaches and grievances. Appeals lie to the Telecom Disputes Settlement & Appellate Tribunal (TDSAT).

Penalties

Steep — up to ₹250 crore for failure to maintain reasonable security safeguards, and up to ₹200 crore for breach-notification failures.

⚠️ The RTI Amendment (Section 44(3))

The Act amended Section 8(1)(j) of the RTI Act, removing the earlier "larger public interest" test for personal information. Critics argue this lets public authorities withhold information simply by labelling it "personal data," potentially weakening the Right to Information — a key point of debate.

The DPDP Rules, 2025 (Now Notified)

What the Rules Add

Notified: 13 Nov 2025 By: MeitY (Section 40) Rollout: Phased to 2027

The Rules translate the Act's principles into concrete, "how-to" obligations:

  • Data Protection Board: a "digital-by-design," four-member Board — citizens can file and track complaints online via a portal/app, with faster grievance redressal.
  • Breach notification: a two-stage duty — inform the Board immediately, and notify affected Data Principals within 72 hours.
  • Children & guardians: verifiable parental consent (including via DigiLocker-based verification); no tracking, profiling or behavioural/targeted advertising directed at children.
  • Data retention/erasure: large platforms (big e-commerce, online gaming, social media) must delete data after 3 years of a user's last interaction, with a 48-hour prior notice before erasure.
  • Graded responsibilities: lighter compliance for startups & MSMEs; heavier duties (annual DPIA + audit, algorithmic due diligence) for SDFs. Big platforms (e.g. major social-media and e-commerce firms) are likely SDFs.
  • Consent Managers: must be an Indian company with a minimum net worth of ₹2 crore, registered with the Board.
  • Cross-border transfers: data may flow abroad, subject to conditions set by the government; certain data may be localised for SDFs.

Phased Timeline

  • Phase I (immediate): setting up the Data Protection Board.
  • Phase II (12 months, ~Nov 2026): Consent Manager provisions.
  • Phase III (18 months, ~May 2027): the main substantive compliance obligations kick in.
Exam angle: Remember: Rules notified Nov 2025; full compliance obligations from ~May 2027. Consent Manager net worth = ₹2 crore; 3-year retention for large platforms.

Key Concerns With the DPDP Framework

  • Excessive state exemptions: broad exemptions let the State collect and retain data, raising fears for the fundamental right to privacy.
  • Missing rights: the Act omits some rights found abroad, notably the right to data portability.
  • Cross-border flows: a largely open transfer regime, with restrictions only at the government's discretion — raising data-security and sovereignty concerns.
  • Weak harm-prevention: the law does not explicitly tackle identity theft, financial fraud or discriminatory profiling.
  • RTI dilution: the amendment to Section 8(1)(j) may weaken transparency (see box above).

Way Forward — Strengthening the Framework

  • Clarify exemptions: define terms like "sovereignty and integrity" precisely and make the process for granting exemptions transparent.
  • Promote data agreements: pursue bilateral/multilateral pacts for safe data exchange rather than isolationism.
  • Keep regulation adaptive: build a dynamic framework that evolves with AI and new privacy risks — possibly via a specialised task force.
  • Adopt global best practices: learn from models like the EU–US data-privacy framework for secure, trusted cross-border flows.

Global Practices on Data Governance

JurisdictionFramework
European UnionGDPR — comprehensive; treats privacy as a fundamental right with strong individual control
ChinaData Security Law (DSL) + Personal Information Protection Law (PIPL) — data classification & tight cross-border rules
United StatesNo single federal law — sector-specific rules; the Privacy Act governs government data
IndiaDPDP Act 2023 + Rules 2025 — consent-driven, rights-based, with a digital regulator
A data-protection law is really a trust law. The DPDP framework tries to give citizens control over their digital selves while letting the digital economy grow — its success will hinge on how independently the Board acts and how narrowly the State's own exemptions are read. — Legacy IAS Faculty

Probable Prelims MCQs (with Answers)

📝 Prelims MCQ 1

The fundamental right to privacy was affirmed by the Supreme Court in which case?

(a) Kharak Singh v. State of U.P.
(b) K.S. Puttaswamy v. Union of India
(c) Maneka Gandhi v. Union of India
(d) A.K. Gopalan v. State of Madras

Answer: (b). The 2017 Puttaswamy judgment held privacy to be a fundamental right under Article 21.

📝 Prelims MCQ 2

Under the DPDP Act, 2023, consider the following:

1. A "Data Principal" is the individual whose personal data is processed.
2. A "Data Fiduciary" decides the purpose and means of processing.
3. Appeals against the Data Protection Board lie to the TDSAT.

Which of the statements given above are correct?
(a) 1 and 2 only   (b) 2 and 3 only   (c) 1 and 3 only   (d) 1, 2 and 3

Answer: (d). All three are correct.

📝 Prelims MCQ 3

With reference to the DPDP Act, 2023, consider the following statements:

1. The Act applies to personal data in both digital and non-digital form.
2. A "child" is defined as anyone below 18 years of age.
3. The maximum penalty can go up to ₹250 crore.

Which of the statements given above are correct?
(a) 1 and 2 only   (b) 2 and 3 only   (c) 1 and 3 only   (d) 1, 2 and 3

Answer: (b). Statement 1 is wrong — the Act covers only digital personal data.

📝 Prelims MCQ 4

As per the DPDP Rules, 2025, a Consent Manager must be:

(a) A foreign company with any net worth
(b) An Indian company with a minimum net worth of ₹2 crore
(c) A government department
(d) An individual registered with the TDSAT

Answer: (b). A Consent Manager must be an Indian company with a minimum net worth of ₹2 crore, registered with the Board.

Probable Mains Questions (GS Paper II)

  1. Discuss the significance of the DPDP Act, 2023 in safeguarding the fundamental right to privacy under Article 21, and examine its key concerns. (250 words)
  2. The DPDP Rules, 2025 translate a principle-based law into operational obligations. Analyse their key features and their impact on citizens and businesses. (250 words)
  3. "The DPDP Act balances privacy with state power imperfectly." Critically examine the exemptions granted to the State. (150 words)
  4. Compare India's DPDP framework with the EU's GDPR. What can India learn from global best practices? (250 words)
  5. Examine how the DPDP Act's amendment to the RTI Act may affect the balance between privacy and transparency. (150 words)

Frequently Asked Questions (FAQs)

What is the DPDP Act, 2023?

It is India's first comprehensive data-protection law, governing how digital personal data is collected, processed and protected, while safeguarding the right to privacy and allowing lawful data use.

When were the DPDP Rules, 2025 notified?

The final Rules were notified on 13 November 2025 by MeitY, operationalising the Act with a phased rollout — the main compliance obligations take effect around May 2027.

Who is a Data Principal and a Data Fiduciary?

A Data Principal is the individual whose personal data is processed; a Data Fiduciary is the entity that decides the purpose and means of processing that data.

What is the Data Protection Board of India?

It is the independent, digital-first regulator that monitors compliance, penalises violations and handles data-breach and grievance cases. Appeals go to the TDSAT.

How does the Act protect children's data?

It defines a child as anyone under 18, requires verifiable parental consent, and bans harmful processing and targeted advertising directed at minors.

💡

Key Takeaways

  • The chain: Puttaswamy (2017, privacy = FR under Art 21) → DPDP Act (2023) → DPDP Rules (notified 13 Nov 2025); committees A.P. Shah (2011) & B.N. Srikrishna (2017).
  • Scope: only digital personal data; applies within India and extraterritorially for goods/services offered in India.
  • Key players: Data Principal, Data Fiduciary, SDF, Consent Manager (Indian co., ₹2 cr net worth), and the Data Protection Board of India (appeals to TDSAT).
  • Consent & children: consent-driven; a "child" is anyone under 18; verifiable parental consent; no targeted ads to minors.
  • Rules 2025: 72-hour breach notice to individuals, 3-year data deletion for big platforms, graded duties, phased rollout to ~May 2027; max penalty ₹250 crore.
  • Concerns: broad State exemptions, no data portability, open cross-border flows, weak harm-prevention, and the RTI dilution (Section 8(1)(j)).

Master Governance & Polity with Legacy IAS — Bangalore

Expert faculty, structured GS & Optional guidance, and Bangalore's most trusted UPSC coaching — all under one roof.

Book a Free Demo Class

July 2026
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031  
Categories

Get free Counselling and ₹25,000 Discount

Fill the form – Our experts will call you within 30 mins.