Enacted on 11 August 2023 and operationalized with Rules in November 2025, the DPDPA establishes India's rights-based framework for digital personal data protection.
The DPDPA rests on seven foundational pillars that guide every stage of data processing in India.
- Personal data may only be processed after obtaining clear, informed, and freely given consent from the individual.
- Data must be used only for the specific, stated purpose for which it was originally collected.
- Collect only the data that is strictly necessary. Nothing more, nothing less.
- Data fiduciaries must ensure the personal data they hold is accurate, complete, and up to date.
- Personal data must be deleted once the purpose of processing has been fulfilled.
- Organisations must implement reasonable technical and organisational measures to protect personal data.
- Data fiduciaries are responsible for compliance, regardless of whether processing is outsourced.
The Act introduces clear terminology for every party in the data ecosystem.
- Any person or entity that determines the purpose and means of processing personal data. Equivalent to a "data controller" under GDPR. Bears primary compliance obligations.
- The individual whose personal data is being processed. Known as a "data subject" in GDPR. Parents or guardians serve as the data principal for children under 18.
- Processes personal data on behalf of the data fiduciary. Cannot be penalised directly — the fiduciary bears responsibility for processor violations.
- A special category notified by the Central Government for entities processing large volumes of data. Subject to additional obligations, including mandatory audits and impact assessments.
- The fully digital adjudicatory body established to investigate complaints, enforce compliance, and impose penalties. Consists of four members with quasi-judicial powers.
- A registered intermediary that manages, reviews, and withdraws consent on behalf of data principals. Must be registered with the Board.
The DPDPA imposes financial penalties only — no criminal sanctions. Fines are absolute amounts, not percentage-based.
Citizens are empowered with actionable rights over their personal data.
- Know what personal data is being collected and how it is being processed.
- Request correction of inaccurate data or complete erasure of personal data.
- File complaints with the Data Fiduciary first, then escalate to the Data Protection Board.
- Withdraw previously given consent at any time, with ease equal to giving consent.
- Nominate another individual to exercise rights in case of death or incapacity.
Data principals must not furnish false or misleading data and must not file frivolous complaints.
The Act applies broadly but carves out specific exemptions.
From the landmark privacy verdict to full enforcement.
How India's law differs from Europe's data protection regulation.
| Aspect | DPDPA 2023 | GDPR |
|---|---|---|
| Scope | Digital personal data only | All personal data (digital & physical) |
| Age of Consent | 18 years | 16 years |
| Max Penalty | ₹250 Crore (~$30M) fixed | €20M or 4% global turnover |
| Data Localisation | Blacklist approach — restrict specific countries | Adequacy decisions for transfers |
| Criminal Sanctions | None — financial penalties only | Member states may add criminal penalties |
| Right to Portability | Not included | Included |
| Right to be Forgotten | Not explicitly stated | Explicitly included |
| Sensitive Data | No separate category | Special categories defined |
The DPDPA 2023, now fully operationalised through the DPDP Rules 2025, marks India's decisive entry into the global data protection landscape. With a citizen-centric design, phased implementation, and penalties that rival international standards, the Act creates a practical framework that balances innovation with individual privacy rights.
For over 1.4 billion citizens, this law establishes clear digital rights. For organisations, it demands accountability, transparency, and a genuine commitment to data protection — not just compliance checkboxes.
- Every data processing activity requires clear, specific, and revocable consent from the individual.
- With the May 2027 deadline approaching, organisations have 12–18 months to achieve full compliance.
- Up to ₹250 Crore per violation — absolute amounts that can be devastating regardless of company size.
- Unique globally — even data principals have duties and can be penalised for misuse of rights.