India’s Digital Personal Data Protection Act, 2023: Navigating the Transition

India has taken a significant step towards strengthening data protection with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act). This landmark legislation aims to safeguard personal data and align India with global privacy standards. However, its enforcement remains pending.

To refine the regulatory framework, the government introduced the Draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules) in January 2025, allowing for public consultation until March 5, 2025.

Current Status and Transition Challenges

Despite receiving presidential assent, the DPDP Act has yet to come into effect. Until its implementation, businesses must comply with the existing 2011 SPDI (Sensitive Personal Data or Information) Rules. The Ministry of Electronics and Information Technology (MeitY) is considering a two-year transition period, but this phase presents several challenges.

The lack of finalized DPDP Rules and the anticipated directives from the Data Protection Board of India (DPB) make compliance increasingly complex.

Navigating the Transition: A Complex Shift

Transitioning from the SPDI Rules to the DPDP Act is far from straightforward:

The SPDI Rules provide a relatively flexible and minimally enforced data protection regime.

The DPDP Act introduces a more structured and stringent regulatory framework.

Businesses must also comply with sector-specific regulations, some of which impose stricter data protection and cross-border data transfer requirements.

For small and emerging enterprises, this transition presents significant operational and logistical hurdles. Many lack the necessary infrastructure for compliance, increasing their risk of regulatory penalties.

Policy Uncertainty: The Biggest Challenge

One of the most pressing concerns surrounding the DPDP Act is policy ambiguity. Various provisions, when read alongside sectoral regulations, create uncertainty for businesses. For instance:

In 2020, India banned several Chinese apps due to concerns over unauthorized data transfers. However, in 2025, the MeitY minister proposed hosting Chinese AI models like DeepSeek on Indian servers, indicating a policy shift.

The DPDP Act grants the central government the authority to restrict cross-border data transfers, but the criteria for such restrictions remain unclear.

The Draft DPDP Rules require data fiduciaries to notify the DPB and affected individuals of violations "without delay," yet they fail to specify a clear timeframe—potentially conflicting with CERT-In regulations.

These uncertainties pose compliance risks, forcing businesses to constantly adapt to evolving regulatory expectations without clear guidance.

Data Breach Notification Challenges

The Draft DPDP Rules mandate reporting all personal data breaches to the DPB and affected individuals. However, they:

Do not establish a reporting threshold, leading to excessive notifications.

Fail to differentiate between minor and significant breaches, increasing regulatory burdens.

Overlap with other regulations, such as CERT-In cybersecurity guidelines and the Telecom Cyber Security Rules, 2024.

This fragmented reporting system may overwhelm the DPB, misclassify system failures as breaches, and cause reputational damage to businesses.

Data Localization and Compliance Risks

Data localization requirements for major data fiduciaries introduce additional complexities:

Certain categories of personal data may not be transferred outside India based on recommendations from a government-appointed committee.

This represents a policy reversal from previous government efforts to relax localization regulations.

Such restrictions may conflict with international data protection laws, complicating cross-border data flows for multinational corporations.

Government Authority and Privacy Concerns

The DPDP Act grants the government broad powers to requisition data from businesses with minimal procedural safeguards. This contradicts the Supreme Court's ruling in the KS Puttaswamy judgment (2017), which upheld privacy as a fundamental right under Article 21 of the Indian Constitution. The judgment outlined three key principles for government actions involving personal data:

Authorization by law.

Proportionality to a legitimate objective.

Necessity and proportionality in implementation.

However, the DPDP Act and its draft rules do not fully adhere to these standards, raising concerns about excessive government control over personal data and its potential impact on business operations and individual privacy.

The Road Ahead: Achieving a Balance

Despite its challenges, the DPDP Act and its draft rules represent a crucial step towards a structured data protection regime in India. Addressing ambiguities and implementation challenges will be key to ensuring its success.

To create a robust regulatory framework, the government must:

Strike a balance between privacy rights and business operations.

Ensure regulatory consistency across various sectoral laws.

Provide clear and enforceable guidelines to facilitate compliance.

As India moves towards enforcing the DPDP Act, businesses must proactively prepare for compliance. Collaboration between regulatory authorities, industry stakeholders, and businesses will be vital in shaping a data protection landscape that is both effective and business-friendly.

Get Expert Assistance for Data Protection Compliance

Navigating India's evolving data protection regulations can be complex. Contact us today for expert guidance on ensuring compliance with the DPDP Act and building a robust data protection framework for your business.