The Mirror of Manipur || Fast, Factual and Fearless.

Digital Personal Data Protection Act (DPDPA) 2023 Series: Part II — From Principles to Practice: The DPDP Rules 2025, Global Paradigms & India’s Middle Path

By Lt Col Ujjual Abhishek Jha, Retd

The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) established the foundational architecture for India’s data privacy regime. However, the operationalisation of any legislation lies in its rules. The notification of the DPDP Rules, 2025, marks the transition from statutory intent to enforceable reality. This second installment in the series unpacks these rules, contextualises India’s framework within the global privacy landscape, and analyses the unique “Third Way” that India has carved out for itself.

The DPDP Rules 2025: Operationalising the Act

The DPDP Rules serve as the procedural manual for the Act, detailing the mechanisms through which the law will function. They provide granularity on board composition, grievance workflows, classification criteria, and the technical and organisational measures required for compliance. Crucially, they establish a phased enforcement timeline, allowing regulated entities a structured runway to achieve compliance.

The Regulatory Arbitrator: Data Protection Board of India (DPBI)

The Rules formally empower the Data Protection Board of India (DPBI) as a specialised, digital-first adjudicatory body. Unlike traditional regulators, the DPBI is designed to function as a tribunal, conducting inquiries into data breaches, presiding over formal hearings, and levying financial penalties. Its primary mandate is to ensure that Data Fiduciaries—entities that determine the purpose and means of data processing—remain accountable to the law.

Tiered Accountability: Significant Data Fiduciaries (SDFs)

Recognising that not all data processing carries equal risk, the framework introduces the concept of Significant Data Fiduciaries (SDFs). The Central Government will designate entities as SDFs based on criteria such as the volume and sensitivity of data processed, the potential risk to the rights of Data Principals (individuals to whom the data pertains), and implications for national security or public order.

Entities classified as SDFs must adhere to enhanced obligations:

– Mandatory appointment of a Data Protection Officer (DPO) based in India.

– Engagement of independent auditors to validate compliance.

– Conduct of Data Protection Impact Assessments (DPIAs) to proactively evaluate privacy risks associated with new technologies or processes.

The Consent Ecosystem: A Novel Introduction

In a significant innovation over global models, the DPDPA introduces the role of Consent Managers. These entities act as a bridge between the individual and the Data Fiduciary, providing a seamless, interoperable interface. Through a Consent Manager, individuals can grant, manage, review, and withdraw their consents in a centralised, real-time manner, transforming consent from a one-time checkbox into an ongoing, auditable process.

Cross-Border Data Transfers: The Negative List Strategy

One of the most pragmatic features of the framework is its approach to cross-border data flows. Departing from earlier drafts that mandated strict data localisation, the DPDPA operates on a Negative List principle. Under this model, cross-border data transfers are generally permitted to all countries and sectors except those specifically notified by the government as restricted. This approach ensures the smooth functioning of international trade and cloud-based services while retaining the state’s sovereign power to block data flows to hostile or high-risk jurisdictions.

Transparency, Grievance Redressal, and Compensation

The efficacy of the law rests on the clarity of its notice and grievance workflows. The Act specifies the modalities through which a Data Fiduciary must communicate with users—whether through electronic notifications, app-based prompts, or assisted means for those with limited digital literacy. Furthermore, it establishes strict timelines and tracking obligations for responding to user requests, ensuring that the Right to Correction and Right to Erasure are actionable through standard, time-bound processes.

Enforcement and Implementation Timeline

The rules establish a staggered implementation schedule to facilitate a smooth transition:

– Immediate Effect (from date of Gazette notification, 13 November 2025): Certain “enabling” sections of the Act, along with Rules 1, 2, and 17-21 (covering preliminary aspects, DPBI constitution, and procedural matters), are effective immediately.

– One Year (by late 2026): Rule 4, which pertains to registration and specific compliance obligations, comes into force one year after publication.

– Eighteen Months (by mid-2027): The bulk of operational duties—including rights handling, security controls, classification of SDFs, and penalty procedures (Rules 3, 5-16, 22, and 23)—become effective eighteen months after publication. This implies full compliance obligations will be in force by 2027, although sectoral regulators may compress timelines for critical industries.

The Global Privacy Landscape: A Comparative Overview

India’s privacy framework does not exist in a vacuum. It is shaped by, and must interoperate with, the leading data protection regimes from around the world. The most influential of these remains the European Union’s General Data Protection Regulation (GDPR), which has set a benchmark for modern privacy laws globally.

– European Union: General Data Protection Regulation (GDPR)

The GDPR applies to any entity offering goods or services to EU residents, regardless of its location. It introduced seminal concepts such as the “Right to be Forgotten” and “Data Portability.” It mandates one of six legal bases for processing and is renowned for its stringent penalties, which can reach up to €20 million or 4% of global annual turnover.

– United States: California Consumer Privacy Act (CCPA/CPRA)

In the absence of a federal privacy law, the CCPA serves as the de facto standard in the US. It focuses on consumer rights, particularly the right to opt out of the “sale” or “sharing” of personal data. It is enforced by the California Privacy Protection Agency (CPPA).

– China: Personal Information Protection Law (PIPL)

Often referred to as the “GDPR of China,” the PIPL is characterised by a strong state-centric approach. It imposes stringent restrictions on cross-border data transfers, requiring security assessments by state authorities. Its definition of “sensitive data” is notably broad.

– Brazil: Lei Geral de Proteção de Dados (LGPD)

The LGPD is largely based on the GDPR framework but adapted to the Brazilian market. It applies to any data processing activity within Brazil, irrespective of where the processing entity is located.

A comparative analysis of these frameworks against India’s DPDPA reveals the distinct contours of India’s approach:

| Feature | GDPR (EU) | CCPA (USA-CA) | PIPL (China) | DPDPA (India) |
|---|---|---|---|---|
| Model | Rights-based | Consumer-based | State-centric | Consent-based |
| Applicability | Digital & non-digital | Digital | Digital & non-digital | Digital only |
| Data Localisation | No (adequacy based) | No | Strict | Limited (Negative List) |
| Sensitive Data | Explicit categories | Explicit categories | Explicit categories | No separate category |
| Penalties | Up to 4% of global revenue | Per violation ($) | % of revenue / fixed | Fixed (up to ₹250 Cr) |

Contextualising DPDPA: India’s “Third Way”

The operationalisation of the DPDPA through the 2025 Rules signals India’s deliberate entry into the global ecosystem of regulated data sovereignty. India’s position can best be understood by examining three dominant global data governance models:

1. The European Model: “Rights-Based” Approach

– Key Legislation: GDPR.

– Viewpoint: Privacy is a fundamental human right. This model focuses on comprehensive protection, granular user control, and heavy penalties.

– Impact on DPDPA: The GDPR served as the primary architect for the DPDPA. Concepts such as Data Fiduciary (controller), Data Principal (subject), and the requirement for valid Consent are directly derived from it. However, the DPDPA is notably more concise and business-friendly, aiming for a lower compliance burden than its European counterpart.

2. The US Model: “Market-Driven” Mosaic

– Key Legislation: No single federal law; relies on state laws like the CCPA and sectoral laws (HIPAA, GLBA).

– Viewpoint: Privacy is a consumer protection issue, focusing on preventing specific harms through targeted regulation.

– Contrast with DPDPA: Unlike the fragmented US approach, India has opted for a singular, comprehensive federal framework applicable across all sectors.

3. The Authoritarian/Sovereign Model: “Security-First” Approach

– Key Legislation: China’s PIPL, Russia’s Data Laws.

– Viewpoint: Data is a national asset. The focus is on data localisation—keeping data within national borders for state access and national security.

– India’s Shift: Early drafts of the Indian law (2018/2019) leaned toward this model, mandating strict localisation. However, the final DPDPA pivoted to a more pragmatic “trusted geography” approach, permitting cross-border flows unless a jurisdiction is specifically restricted.

India’s Position: A Deliberate Balance

The DPDPA represents a calculated effort to forge a middle path. It avoids the immense compliance complexity of the GDPR and the fragmentation of the US model, while strategically stepping back from the rigid data localisation of the Chinese framework. This “Third Way” is characterised by:

– Simplicity: Unlike the 99 articles of the GDPR, the DPDPA is a concise, principle-based statute.

– Digital-First Approach: It is one of the few laws to explicitly acknowledge the digital nature of modern data, excluding offline records to reduce administrative burden.

– Global Interoperability: By shifting from a “whitelist” (only allowed countries) to a “blacklist” (all allowed except those restricted) for cross-border data transfers, India signals its intent to integrate with the global digital economy while retaining the sovereign power to restrict data flows for geopolitical reasons.

A Dual-Lens Framework

The DPDPA, as operationalised by the 2025 Rules, is designed to be viewed through a dual lens. First, it serves as a mechanism to give effect to the fundamental right to privacy, as affirmed by the Supreme Court in K.S. Puttaswamy v. Union of India (2017). Second, it is structured to be technology-friendly, positioning India as a trusted and attractive destination for the digital economy. By striking a balance between individual rights and national interests, India’s data protection framework aspires to be more than a compliance checklist—it aims to become a cornerstone of its digital future.

[For Part I — The Foundations of Privacy: Evolution of Indian Laws & A Roadmap to DPDPA, click here]

(Lt Col Ujjual Abhishek Jha, Retd is a Certified Data Privacy Professional and Strategic & Geopolitical Advisor with over two decades of experience in intelligence, insider threat management, financial crime investigations, and geopolitical risk analysis, advising on complex security and strategic risks.)

*(This is the second installment in a series. The next part will explore the sectoral impact of the DPDPA, focusing on the obligations for specific industries such as healthcare, fintech, and e-commerce.)*
