Introduction
India ushered in a new era of data protection with the passing of the Digital Personal Data Protection Act, 2023 (DPDP Act). This landmark legislation is intended to govern the processing of personal data and bring India in line with international privacy norms. Its enforcement, however, is still pending.
To flesh out the framework, the government issued the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules) in January 2025, with a consultation period that closed on March 5, 2025.

Current Status and Transition Challenges
Although the DPDP Act has received the assent of the President of India, it has not yet been brought into force. Until it is, companies must continue to comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules). The Ministry of Electronics and Information Technology (MeitY) is considering a transition period of up to two years, but the transition is riddled with obstacles.
The absence of finalized DPDP Rules, and of the operational orders expected from the Data Protection Board of India (DPB), makes compliance planning all the more difficult.
Navigating the Transition: A Complex Path
The move from the SPDI Rules to the DPDP Act is not a simple one.
- The SPDI Rules offer a minimal data protection regime with flexible requirements and uneven enforcement.
- The DPDP Act, by contrast, establishes a more formalized and stricter regulatory regime, with a dedicated adjudicating body and substantial penalties.
- Companies also remain subject to sectoral legislation, which can impose stricter requirements, especially on cross-border data flows.
For small and new businesses, this shift brings significant operational and logistical hurdles. Most lack the resources to achieve compliance effectively, exposing them to regulatory penalties.
Policy Uncertainty: The Single Largest Hurdle
Among the most serious challenges posed by the DPDP Act is policy uncertainty. Several of its provisions, read together with sectoral legislation, leave companies in limbo. For example:
- In 2020, the Indian government banned several Chinese apps, citing unauthorized data transmission. In 2025, however, the MeitY minister suggested hosting Chinese AI models such as DeepSeek on Indian servers, indicating a shift in policy.
- The DPDP Act empowers the central government to restrict cross-border data transfers, but the criteria for such restrictions remain unclear.
- The Draft DPDP Rules require data fiduciaries to notify the DPB and affected individuals of breaches "without delay", but set no specific timeline. This sits uneasily with the CERT-In directions of 2022, which already require reporting of cyber incidents within six hours.
These ambiguities create compliance risk for companies, which must keep adapting to shifting rules without explicit direction.
Data Breach Notification Challenges
The Draft DPDP Rules require every personal data breach to be reported to the DPB and to the affected individuals. However, they do not:
- Set a reporting threshold, which will result in unnecessary notifications.
- Distinguish between minor and significant breaches, adding to the regulatory burden.
- Align with other reporting regimes, such as the CERT-In cybersecurity directions and the Telecom Cyber Security Rules, 2024.
This fragmented reporting framework risks overburdening the DPB, causing ordinary system failures to be reported as breaches, and inflicting reputational harm on firms.
Data Localisation and Compliance Risks
The localisation requirement for significant data fiduciaries (the Act's term for large or high-risk processors) poses additional problems:
- Certain categories of personal data may be barred from transfer out of India on the recommendation of a government-nominated committee.
- This is a policy reversal, contrary to the government's earlier approach of relaxing localisation requirements.
- Localisation rules can conflict with data protection laws abroad, complicating international data exchange for multinational corporations.
Excessive Government Powers and Privacy Concerns
The DPDP Act gives the government sweeping powers to requisition data from businesses, with little procedural protection. This sits at odds with the Supreme Court's judgment in K.S. Puttaswamy v. Union of India (2017), which recognised privacy as a fundamental right under Article 21 of the Indian Constitution.
The judgment laid down a three-part test for any state action that interferes with personal data:
- Legality: the action must be authorized by law.
- Legitimate aim: it must pursue a legitimate state purpose.
- Proportionality: the interference must be proportionate to that purpose.
The DPDP Act and the draft rules fall short of these standards, granting the government broad powers to demand personal data, which may harm both business operations and the privacy rights of individuals.
The Road Ahead: Balancing Privacy, Security, and Business Growth
Notwithstanding their defects, the DPDP Act and the draft rules mark an important step toward a dedicated data protection regime. The ambiguities and implementation gaps must, however, be resolved.
Well-crafted implementation of the DPDP Rules is needed to:
- Balance privacy rights with the practical needs of business.
- Ensure regulatory consistency across sectoral legislation.
- Provide plain, enforceable guidelines that make compliance achievable.
As India moves toward bringing the DPDP Act into force, companies need to prepare actively for compliance even as the rules continue to change. Close cooperation between regulators, businesses, and industry bodies will be instrumental in shaping an effective and business-friendly data protection framework.