Data protection

Last Updated on November 14, 2025 9:42 pm by BIZNAMA NEWS

R. Suryamurthy

India on Friday formally brought its long-awaited digital privacy framework into force, marking a major shift in the country’s data-governance landscape. More than two years after Parliament cleared India’s first data protection law, the government notified the Digital Personal Data Protection Rules, 2025, and officially established the Data Protection Board of India (DPBI) — a central authority that will oversee implementation, compliance and grievance redressal.

The notification, issued by the Ministry of Electronics and Information Technology (MeitY), triggers an 18-month compliance window for companies, digital platforms and government departments handling personal data. This transition period is designed to help institutions upgrade their systems, strengthen consent mechanisms, revise retention policies and put in place robust cybersecurity safeguards.

According to the government’s phased rollout plan, the implementation will extend into mid-2027, giving entities time to adapt to the new requirements. While several provisions — particularly those related to the constitution, structure and immediate functioning of the DPBI — come into effect right away, the more stringent obligations will apply gradually.

Legal experts say the framework preserves the spine of the Digital Personal Data Protection (DPDP) Act, 2023 while adding sharper edges on operational clarity. Prashant Phillips, Executive Partner at Lakshmikumaran & Sridharan Attorneys, said the rules “mark a major step toward operationalising India’s modern privacy framework,” noting that the core principles of transparency, accountability and user-centric processing remain intact. The refinements, he said, “strengthen grievance-redress timelines and children’s data safeguards” without altering the Act’s foundation.

Across the tech ecosystem, the notification now forces a slow-moving compliance machinery into motion — and with it, a reckoning for firms accustomed to permissive data practices.

A Three-Tier Timeline

Immediate effect:

Rules establishing the DPBI — including appointment procedures, pay scales, quorum norms, and the Board’s “digital office” design — take effect at once. The Board, headquartered in the National Capital Region, must conduct inquiries online by default and close them within six months.

12 months (by November 2026):

A new regulated class of intermediaries — Consent Managers — will come under the framework. Indian-incorporated companies with a net worth of at least ₹2 crore may apply to provide unified dashboards where users can grant or withdraw consent across platforms. Registration opens in 12 months, giving aspiring players time to build compliant systems and governance structures.

18 months (by mid-2027):

The most burdensome obligations for businesses kick in, including:

• Plain-language privacy notices

• Unbundled, explicit user consent

• Mandatory 72-hour breach reporting

• Data-erasure protocols for inactive users

• Safeguards for children’s data, including verifiable parental consent

• Security measures: encryption, obfuscation, tokenisation, and log maintenance

• Additional due-diligence norms for Significant Data Fiduciaries

Supratim Chakraborty, Partner at Khaitan & Co, said the staggered approach gives firms “vital breathing room,” but warned that the runway will shrink quickly. “Businesses must begin identifying and closing compliance gaps now. The 18-month window will feel short once implementation challenges pile up,” he said.

New Rules for a New Privacy Age

The rules require companies to explain — in plain language — what data they collect, why they collect it and how long they will store it. Personal data cannot be retained beyond one year of user inactivity unless legally required. Firms must alert users at least 48 hours before erasing their data.
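To show how the retention rule described above translates into an operational check, here is an added example (not from the article, and not any regulator's or vendor's code) of a retention sweep that decides, per user record, whether data is retained, whether the pre-erasure warning is due, whether the notice period is still running, or whether erasure may proceed. The 365-day reading of "one year", the 48-hour notice lead time and the legal-hold override are assumptions taken from the summary above; the user records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as summarised in the article. Treating "one year" as 365 days
# is an assumption for this example; the rules' exact wording governs.
INACTIVITY_LIMIT = timedelta(days=365)
NOTICE_LEAD_TIME = timedelta(hours=48)


@dataclass
class UserRecord:
    user_id: str
    last_active: datetime                       # last genuine user activity
    erasure_notice_sent: Optional[datetime] = None  # when the 48h warning went out
    legal_hold: bool = False                    # a legal requirement to retain


def retention_action(rec: UserRecord, now: datetime) -> str:
    """Classify a record as 'retain', 'notify', 'wait' or 'erase'."""
    # A legal retention requirement overrides the inactivity-based erasure.
    if rec.legal_hold:
        return "retain"
    # Any activity inside the window keeps the data; this also covers a user
    # who returns after a notice was sent, since recent activity is checked
    # before the notice timestamp.
    if now - rec.last_active < INACTIVITY_LIMIT:
        return "retain"
    # Inactive past the limit: the user must be warned before erasure.
    if rec.erasure_notice_sent is None:
        return "notify"
    # Warned, but the 48-hour lead time has not yet elapsed.
    if now - rec.erasure_notice_sent < NOTICE_LEAD_TIME:
        return "wait"
    return "erase"


def run_retention_sweep(records: List[UserRecord], now: datetime) -> Dict[str, str]:
    """Evaluate every record and return a user_id -> action map."""
    return {r.user_id: retention_action(r, now) for r in records}


# Constructed sample data: the sweep runs on 1 June 2027 (UTC).
NOW = datetime(2027, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    UserRecord("u1", datetime(2027, 5, 20, tzinfo=timezone.utc)),        # active recently
    UserRecord("u2", datetime(2026, 1, 10, tzinfo=timezone.utc)),        # inactive, no notice yet
    UserRecord("u3", datetime(2026, 1, 10, tzinfo=timezone.utc),
               erasure_notice_sent=datetime(2027, 5, 31, 12, tzinfo=timezone.utc)),  # notice 12h ago
    UserRecord("u4", datetime(2026, 1, 10, tzinfo=timezone.utc),
               erasure_notice_sent=datetime(2027, 5, 28, tzinfo=timezone.utc)),      # notice 4 days ago
    UserRecord("u5", datetime(2026, 1, 10, tzinfo=timezone.utc), legal_hold=True),  # must be kept
]

if __name__ == "__main__":
    for user_id, action in run_retention_sweep(SAMPLE_RECORDS, NOW).items():
        print(f"{user_id}: {action}")
```

The sweep is deliberately idempotent: running it repeatedly never skips the notice step, and a legal hold or renewed activity always wins over erasure, which is the behaviour an auditor would expect to see logged.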

Security obligations are tighter than earlier drafts. Companies must deploy encryption or tokenisation, maintain access logs for at least a year and ensure business continuity during breaches.

Children’s data receives some of the strictest protections: behavioural tracking, profiling and targeted advertising for those under 18 are banned. Parental consent must be verifiable, not assumed.

Harsh Walia, Partner at Khaitan & Co, said the rules will compel firms to rewrite consent flows entirely. “Consent notices must be in clear and plain language and independently understood by users. Many organisations will need to redesign their interfaces so that consent is specific, informed and not buried in standard terms of use,” he said.

A Tougher Breach-Reporting Regime

While the final rules retain the structure of breach reporting, they impose more exacting expectations:

• Notify affected users immediately, explaining the breach’s timing, nature, impact and recommended steps.

• File a preliminary report with the DPBI detailing the scope and likely consequences.

• Submit a detailed follow-up within 72 hours with root cause, impact assessment, mitigation steps and future safeguards.

Firms failing to report breaches face penalties of up to ₹200 crore, while inadequate security safeguards can attract fines of up to ₹250 crore.

Data Localisation: A Calibrated, Not Absolute, Approach

MeitY has opted for a “blacklist by exception” model for cross-border data transfers: data can flow freely unless the government designates a country as prohibited. However, a separate rule empowers a future inter-ministerial committee to restrict offshore storage of specific data categories — a lever that could tighten localisation in response to geopolitical pressures.

Rashmi Deshpande, founder of Fountainhead Legal, said these areas remain unresolved and will shape compliance strategy. “Cross-border data transfers and criteria for Significant Data Fiduciaries are still open questions. Organisations must track these closely,” she said. Still, she noted that the rules settle long-standing doubts around the DPBI’s functioning, consent management and security measures.

Consent Managers: India’s New Digital Gatekeepers

From November 2026, only accredited Consent Managers can help users track and revoke permissions across services. These intermediaries must:

• Offer a unified consent dashboard

• Retain consent logs for seven years

• Maintain secure, unreadable data-flow pathways

• Remain free of conflicts with data-processing firms

• Undergo regular audits and meet stringent security benchmarks

Their registrations may be suspended or cancelled for violations, subject to due process.

The DPBI: Powers, Process and Missing Pieces

The newly constituted Board can summon individuals, conduct inquiries, impose penalties and recommend blocking access to non-compliant entities in cases of repeated violations.

Selection will follow a two-tier process — one committee led by the Cabinet Secretary for the Chairperson, and another headed by the MeitY Secretary for Members. The Chairperson will earn ₹4.5 lakh per month; Members ₹4 lakh.

Yet gaps remain. The rules do not clarify inquiry procedures, case-prioritisation methods or publication of orders. Industry bodies say the absence of transparency obligations could hamper predictability in the early enforcement phase.

Industry Reaction: Relief, Caution and a Long To-Do List

Policy analysts welcomed the long-awaited clarity but warned that companies must brace for a multi-layered compliance overhaul. Aparajita Bharti of The Quantum Hub said the rules provide a “clear, phased roadmap,” particularly on children’s data and consent for persons with disabilities. But she flagged localisation as a continuing flashpoint for multinational tech companies.

Across sectors, firms now face a year-and-a-half of internal audits, system upgrades and legal overhauls. Encryption, obfuscation and robust access logging will shift from best practice to baseline compliance — a change that, as Walia noted, marks “the official start of the compliance clock.”

A Long Road Ahead

For India’s sprawling digital economy — from e-commerce giants and social networks to lenders, insurers, ed-tech platforms and small businesses — Friday’s notification marks the start of a long regulatory transition. The rules promise stronger privacy protections for citizens, but their enforcement will test both regulatory capacity and corporate preparedness.

With most obligations kicking in only between 2026 and 2027, the next 18 months will determine whether India’s new privacy framework matures into an effective rights-based safeguard or becomes another bureaucratic maze.

Either way, India has finally moved from legislation to enforcement. And the clock has begun to tick.
