India has formally entered an enforceable data protection regime. The Ministry of Electronics and Information Technology has released the long-awaited rules under the Digital Personal Data Protection Act, 2023, which brings the law into full operation. This is the most significant shift in India’s digital regulation since the IT Act became the backbone of technology governance two decades ago.
A Long Pending Framework Becomes Active
The DPDP Act was passed in 2023 but could not be implemented without the detailed rules that explain how consent, notice, rights of individuals and obligations of companies must be handled. Those rules have now been notified, ending months of uncertainty across the technology sector.
With this, data fiduciaries, which are the companies and platforms that decide how personal data is used, will now function under a clear legal framework instead of voluntary best practices.
Stronger Consent and Notice Requirements
The rules place heavy emphasis on transparency. Every company must provide an upfront notice that clearly explains what data will be collected, why it is being collected, how long it will be stored and how the individual can withdraw consent or raise complaints.
Consent must be explicit, informed, specific to the stated purpose and easy to withdraw. When the data relates to children or persons with disabilities, only verifiable consent from a parent or guardian is valid.
Any use of data for a purpose that was not originally stated requires fresh permission.
What Companies Must Now Do
The rules require companies to strengthen their security practices and take both technical and organisational measures to prevent data breaches. If a breach occurs, the company must report it within the prescribed timeframe.
Unnecessary data retention is prohibited. Personal data must be deleted once the purpose for which it was collected has been fulfilled, unless retention is required by law.
Larger platforms such as social networks, ecommerce marketplaces, fintech apps and gaming companies will need significant upgrades to their consent systems and data governance frameworks. Entities that cross certain thresholds of volume or risk may be classified as significant data fiduciaries, which will include additional obligations such as audits, impact assessments and dedicated compliance officers.
Rights of Individuals Become Enforceable
The rules bring individuals the rights that were promised in the DPDP Act. Citizens can now request access to their personal data, ask for corrections, request deletion when the data is no longer required and withdraw consent at any time.
Every data fiduciary must provide a functional grievance system that resolves complaints within defined timelines.
Global Companies Also Come Under the Law
The rules apply not only to entities based in India but also to companies located outside the country that offer goods or services to people in India. This brings global platforms and international advertising systems under the Indian privacy framework.
Enforcement Begins with the Data Protection Board
The next step is full operationalisation of the Data Protection Board. The Board will oversee compliance, investigate violations and impose penalties. With the rules now published, the Board can begin defining processes, timelines and enforcement guidelines.
More notifications are expected over the next few months, especially on the identification of significant data fiduciaries and details of transition periods for compliance.
Key Challenges for Industry
The rules bring clarity but also introduce a demanding compliance environment. Many companies will need to redesign data flows, improve consent architecture, rewrite vendor contracts, strengthen storage practices and update breach response systems. Smaller firms may face resource constraints in meeting the new standards.
There is also the broader challenge of balancing strong data protection with innovation in AI, fintech, digital retail and health technology, all of which rely heavily on data-led models.
A Landmark Moment for India’s Digital Economy
With these rules in force, India has taken a decisive step toward a modern data protection regime. The move gives citizens stronger control over their personal information, introduces accountability for companies that process data and sets up an enforcement mechanism to ensure compliance.
This marks the beginning of a new era in India’s digital ecosystem, one defined by greater trust, clearer responsibilities and a stronger foundation for the country’s expanding digital economy.
Related Articles
