India’s DPDP Rules Take Effect as Businesses Race to Comply Before the 2027 Enforcement Deadline


India formally operationalized its first comprehensive digital privacy law on November 14, 2025, when the Ministry of Electronics and Information Technology published the Digital Personal Data Protection Rules, 2025 in the Official Gazette. The notification brought into force both the Rules and a phased enforcement timeline for the Digital Personal Data Protection Act, 2023 — a law that had been passed by Parliament more than two years earlier but remained non-operational pending the drafting of implementing regulations. The DPDP framework now governs how organizations across every sector collect, use, store, and share the personal data of over a billion Indian digital citizens. Its arrival places India alongside the European Union as one of the few jurisdictions in the world with a fully enacted, rights-based data protection regime — though the two laws differ in significant ways that carry practical consequences for users and businesses alike.

What the DPDP Rules Require

The DPDP Rules form a clear and citizen-centred framework for the responsible use of digital personal data, placing equal weight on individual rights and lawful data processing. The Ministry of Electronics and Information Technology invited public comments on the draft Rules before finalizing them, conducting consultations in Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru, and Chennai. A total of 6,915 inputs were received during the consultation process. (Source: Press Information Bureau)

At its core, the DPDP framework is built around consent. Unlike the GDPR, which offers multiple lawful grounds for processing personal data including legitimate interests, the DPDP Act makes consent the primary basis for processing, a choice likely to have a very broad effect across industries. Organizations operating in India must obtain explicit, informed, and freely given consent before collecting personal data, and must provide clear notices explaining what data is being collected and for what purpose. Individuals can ask to access their personal data, seek corrections and updates, or request its removal in certain situations. Data fiduciaries — the entities processing data — must respond to such requests within 90 days. (Source: Press Information Bureau)


The Rules introduce a significant new institutional structure: a fully digital Data Protection Board of India, consisting of four members, through which citizens can file complaints online and track their cases through a dedicated portal and mobile application. Appeals against the Board’s decisions will be heard by the Appellate Tribunal, TDSAT. (Source: Press Information Bureau)

For companies that handle especially large volumes of sensitive data, the Rules create an elevated compliance tier. Organizations classified as Significant Data Fiduciaries must conduct a comprehensive Data Protection Impact Assessment and an independent data protection audit at least once every 12 months, submit reports to the Data Protection Board, and ensure that algorithmic systems they deploy are subject to due diligence requirements.

The Phased Enforcement Timeline

The DPDP framework does not become fully enforceable all at once. The Ministry of Electronics and Information Technology has notified three sets of enforcement dates: November 14, 2025; November 14, 2026; and May 14, 2027. The substantive provisions of the DPDP Act and Rules come into full force 18 months after notification — meaning May 14, 2027.

This staggered approach gives businesses time to restructure their data governance practices, but the window is narrower than it appears. Stage 1, effective from November 13, 2025, establishes the Data Protection Board of India and its initial processes. Stage 2, effective from November 13, 2026, implements the registration process for Consent Managers — entities that act as intermediaries helping individuals manage and withdraw their consents across multiple platforms. The full suite of obligations — consent requirements, breach reporting, data erasure rules, and Significant Data Fiduciary obligations — becomes enforceable in May 2027.

Penalties under the DPDP Act are graded and reach up to ₹250 crore per contravention, depending on the type and gravity of the violation. Higher penalties apply to failures to implement reasonable security safeguards or to meet breach-notification requirements. For context, ₹250 crore is approximately $30 million at current exchange rates — significant for most Indian companies, though considerably below the maximum GDPR fine of €20 million or 4% of global annual turnover, whichever is higher.

DPDP vs. GDPR: How the Two Laws Differ

The GDPR, which has been in force since May 25, 2018, remains the world’s most comprehensive and extensively enforced data privacy regulation. Both laws share a common fundamental architecture: extraterritorial reach, consent as a foundational principle, breach notification obligations, data subject rights, and an enforcement authority with penalty powers. The divergences, however, are consequential.

The GDPR requires organizations to identify one of six specific lawful bases for processing personal data, including the frequently used legitimate interests basis. The DPDP Act relies primarily on consent, supplemented by certain explicitly defined legitimate uses such as state welfare benefits or medical emergencies. This difference has direct implications for businesses operating across both jurisdictions: processing activities that can be justified under GDPR’s legitimate interests provision will require separate consent mechanisms for Indian users under DPDP — creating a compliance bifurcation that affects marketing, analytics, and operational data processing at scale.

On the scope of personal data, the laws diverge in a foundational way. The GDPR defines personal data broadly and introduces special categories — including racial origin, political beliefs, and health data — that require stricter compliance. The DPDP Act applies to all personal data in the digital space without differentiating between sensitive and non-sensitive categories, meaning a consistent standard applies across all data types.

Breach notification is one area where India’s law is arguably stricter. Unlike breach reporting laws in the EU, UK, and Australia, the DPDP Rules provide no threshold to determine whether a breach needs to be reported. On a strict reading of the law, any personal data breach must be reported to the Data Protection Board and affected individuals. Under GDPR, notification is required only when a breach is likely to result in a high risk to affected individuals.

On children’s data, the DPDP is more prescriptive than GDPR in certain respects. The DPDP prescribes the requirement for verifiable parental consent and includes an express and broad prohibition on processing data likely to cause a detrimental effect on the well-being of a child, including a specific prohibition on behavioral monitoring and targeted advertising aimed at children — provisions that do not find explicit mention in GDPR.

Cross-border data transfer is another point of divergence. The GDPR has a mature framework for international transfers, permitting them to countries with adequate protection or through mechanisms like standard contractual clauses. The DPDP Act’s framework is still developing — it generally allows cross-border data transfers by default, subject to a negative list of prohibited countries to be specified by the Central Government, but offers no justification framework comparable to GDPR’s adequacy assessment.

What This Means for Ordinary Users

For Indian citizens, the DPDP framework creates rights they have never previously held under a single, enforceable law. Users can now demand to know what data a company holds about them, request corrections, withdraw consent, and have data erased once its stated purpose has been served. A recent PwC India survey found that only 16% of Indian consumers understand the Digital Personal Data Protection law, while more than half are unaware of their rights over personal data. The gap between legal entitlement and user awareness is a structural challenge that enforcement alone cannot close.

The Rules also introduce a notable protective provision: when a child’s personal data is involved, verifiable consent from a parent or guardian is required, unless the processing relates to essential services such as healthcare, education, or real-time safety. (Source: Press Information Bureau) For any platform that has millions of underage users in India — including social media, gaming, and streaming services — this requirement will demand significant verification infrastructure.

The full architecture of India’s data protection regime is now in place on paper. Whether it delivers meaningful protection to individuals or becomes primarily a compliance documentation exercise will depend on how actively the Data Protection Board uses its enforcement powers after May 2027 — and on whether ordinary users choose to exercise the rights the law now gives them.
