India's journey toward a comprehensive data protection law has been a long and winding road, marked by numerous drafts, revisions, and extensive consultations. While the Digital Personal Data Protection Act (DPDP Act) received presidential approval in August 2023, it has not yet been enforced. As of August 2025, the nation still awaits the full implementation of this critical legislation.
The need for a robust data protection framework became increasingly apparent with the growth of India's digital economy and the surge in data processing activities. Before 2023, data protection was primarily governed by the Information Technology Act, 2000, and its associated rules, which were considered inadequate to address the complexities of the modern digital landscape. The landmark Supreme Court judgment in Justice K. S. Puttaswamy (Retd.) v. Union of India in 2017, which affirmed privacy as a fundamental right, further emphasized the urgency of a comprehensive data protection law.
After years of deliberation, the Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted. This law is designed to govern the collection, use, and management of personal data in India, establishing a framework of rights and obligations for both data processors and individuals. The DPDP Act applies to the processing of personal data within India, as well as to entities outside India if their processing relates to offering goods or services to individuals within India.
To facilitate the implementation of the DPDP Act, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025. These rules provide detailed guidance on how the provisions of the DPDP Act should be operationalized. The draft rules cover key aspects such as consent, data retention, security, breach notifications, children's data, and cross-border data transfers.
The draft rules outline a phased implementation strategy. Initially, provisions related to the establishment of the Data Protection Board of India will take effect. The Data Protection Board will serve as the enforcement authority under the DPDP Act. The draft rules also specify a three-year retention period for certain data fiduciaries, such as e-commerce platforms, online gaming services, and social media intermediaries, provided they meet specific user thresholds.
The DPDP Act introduces the concept of "consent managers," who will facilitate the management of consent between data principals (individuals) and data fiduciaries (entities processing data). These consent managers must be registered with the Data Protection Board and provide user-friendly platforms for individuals to manage their consent.
The DPDP Act mandates that data fiduciaries provide clear and comprehensive notice to data principals before collecting personal data. This notice must include details about the data being processed, its purpose, and the entities involved, and inform the data principal of their rights under the DPDP Act.
One of the critical aspects of the new law concerns cross-border data transfers. The DPDP Act imposes stricter restrictions, requiring the government to issue guidelines outlining when such transfers are permissible. The draft rules specify that data fiduciaries in India may transfer personal data abroad only in compliance with conditions set by the government.
The DPDP Act also addresses the processing of children's personal data, introducing more stringent provisions. For instance, verifiable parental consent is required for processing children's data.
Upon discovering a data breach, organizations must inform both affected individuals and the Data Protection Board of India without delay. A detailed report of the breach must be submitted to the Data Protection Board within seventy-two hours.
While the DPDP Act and the draft rules represent a significant step forward, some ambiguities need to be addressed to ensure comprehensive compliance and ease of implementation. The government is unlikely to make changes to the DPDP Act itself, but it may issue FAQs to address concerns.