We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.



Guardians of Your Data: Unpacking India’s New DPDPA Framework

PrintMailRate-it

​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​published on 24 September 2025 | reading time approx. 2 minutes


India’s journey towards data protection began with judicial recognition of privacy as a fundamental right in the landmark judgment in The Puttaswamy v. Union of India case, formally known as Justice K.S. Puttaswamy (Retd.) vs Union of India (2017). 

This catalyzed the drafting of a comprehensive data protection framework, leading to multiple iterations of the Personal Data Protection Bill. After years of consultation and revision, the Digital Personal Data Protection Act, 2023 (DPDPA) was enacted, marking India’s first dedicated law for digital personal data. It establishes rights for individuals, obligations for data processors, and introduces enforcement mechanisms like the Data Protection Board, laying the foundation for a privacy-respecting digital ecosystem.

The Digital Personal Data Protection (DPDPA) Rules (“Rules”) are expected to be officially released by September 28, 2025, according to India's IT Minister Ashwini Vaishnaw. The Rules are designed to operationalize the Digital Personal Data Protection Act, 2023, which received presidential assent in August 2023. These Rules aim to establish a robust framework for safeguarding digital personal data and ensuring responsible personal data processing practices. The said Rules apply to digital personal data processed within India, whether collected online or offline and later digitized. They also extend to data processing activities conducted outside India if such processing involves offering goods or services to individuals located in India.

While the Rules will be published by late September, their legal enforceability will begin only once the government notifies the effective date. The effective date of the Rules will actually come into force is subject to formal government notification, which has not yet been issued.

Once implemented, The Digital Personal Data Protection Act, 2023 and its accompanying Rules of 2025 mark a transformative shift in India’s approach to privacy and data governance and will be the first fully codified law governing personal data in India. Together, they establish a legal framework that empowers individuals with rights over their personal data, mandates transparent consent practices, and enforces accountability among data processors through stringent penalties. With clear provisions for children’s data, cross-border transfers, and grievance redressal, the law aims to balance innovation with individual privacy.

As India steps into a digitally driven future, the new legal framework lays the foundation for a privacy-respecting ecosystem where trust, transparency, and responsible data use become the norm, not the exception.​​​

DATA PROTECTION BITES

author

Contact Person Picture

Vivek Balakrishnan

Consultant

Senior Associate

+91 80 44784 803

Send inquiry

RÖDL & PARTNER INDIA

Discover more about our offices in India​. Read​ more »
Skip Ribbon Commands
Skip to main content
Deutschland Weltweit Search Menu