30 November, 2025 | 12:15 AM

New “Digital Personal Data Protection” rules: are they sufficient?

17-11-2025 12:00:00 AM

In a landmark move for data privacy, the Indian government notified rules under the Digital Personal Data Protection (DPDP) Act on November 14, 2025, with some provisions effective immediately and others to be phased in over the next 12 to 18 months. A new four-member Data Protection Board will be established to enforce compliance. The rules aim to shift the power dynamic from organizations to consumers, marking the country's first comprehensive regulation dedicated to safeguarding personal information.

Experts hailed the development as a significant step forward. A senior executive from a reputed MNC management consultancy described it as placing consumers "in the driver's seat" regarding their data. Organizations must now provide transparency on data collection, processing, and retention periods. Individuals gain rights to access, correct, or delete their data, nominate representatives, and withdraw consent at any time. Companies are mandated to set up grievance redressal mechanisms and to notify users promptly in case of data breaches, including the impact and the remedial actions taken.

A senior lawyer simplified the definition of personal data as any information identifying a natural person, such as a named email address, but not generic ones like "admin@company.com." He addressed concerns over government exemptions for national security or public order, noting that access is purpose-limited and authorized by designated officials, preventing unbridled overreach. He emphasized that the law builds on a previously fragmented landscape under the Information Technology Act, which offered bare-bones protections only for sensitive data like biometrics or financial details.

The pre-DPDP era relied on patchwork laws, including sectoral guidelines from regulators like the RBI for banks and IRDAI for insurers. The new act represents a "quantum leap," potentially setting a global gold standard. However, successful implementation requires collaboration among regulators, businesses, and consumers. The management consultant stressed the need for ongoing dialogue with regulators given the non-prescriptive nature of the rules, consumer education on rights, and heavy investment in processes, technology, and training.

Experts from the Data Security Council of India praised the rules for avoiding prescriptive standards like mandatory ISO certifications, favouring risk-based “reasonable” safeguards suitable for startups and SMEs. “One size doesn’t fit all,” noted one, adding that logs must demonstrate due diligence in access, modification, or deletion scenarios. They stressed that while the rules empower users with greater control, the “need of the hour” is operationalization. Organizations must overhaul processes, integrate privacy-enhancing technologies, and demonstrate compliance.

However, while the rules provide a robust framework for everyday data handling, they fall short in several areas, potentially undermining their effectiveness. Experts and civil society groups, including the Internet Freedom Foundation (IFF), argue that the rules prioritize compliance over robust enforcement, creating barriers to true individual empowerment. According to a startup entrepreneur specialising in data privacy, a primary weakness is the modest penalty structure: fines are capped at ₹250 crore per breach, but the emphasis on "remedial directions" by the Data Protection Board (DPB), rather than swift, punitive action, lacks "teeth." This could lead companies to treat compliance as optional, especially smaller entities exempt from the scrutiny applied to Significant Data Fiduciaries (SDFs), such as data protection impact assessments (DPIAs).

Broad government exemptions also emerge as a major loophole, potentially enabling overreach. The rules inherit the Act's wide carve-outs for national security, public order, and state functions, allowing the government to access data without procedural safeguards, unlike the IT Act or telecom laws, which mandate oversight mechanisms. Section 16 of the Act, expanded in the rules, empowers the Central Government to impose conditions on cross-border data transfers, including blacklisting countries or restricting access by foreign states, without transparent criteria. This could stifle legitimate business flows while favouring domestic surveillance, echoing IFF's critique that such provisions "weaken the fundamental right to privacy."