In 2023, India introduced the Digital Personal Data Protection Act, 2023 (DPDP Act), marking the start of a new chapter in privacy regulation. In January 2025, the government also released the Draft DPDP Rules, 2025 for public feedback. This consultation ended on 5 March 2025.
Although the President has already signed the DPDP Act, it has not yet taken effect. Until the law officially comes into force, the 2011 SPDI Rules (Sensitive Personal Data or Information) continue to regulate data protection in India. The Ministry of Electronics and Information Technology (MeitY) is also considering a two-year transition period to give businesses time to prepare for the new regime.
Government officials have urged companies to start aligning their systems with the DPDP Act, but the lack of finalized rules makes this difficult. The upcoming rules, along with directions from the Data Protection Board of India (DPB), will add further operational requirements. For now, businesses must comply with the SPDI Rules while simultaneously preparing for the DPDP framework.
Transition Difficulties
At first glance, a two-year transition may seem sufficient. However, the SPDI Rules offer only a basic framework with weak enforcement. This makes the shift to the more comprehensive DPDP Act much harder. In addition, the DPDP Act works alongside sector-specific laws, which may impose stricter rules on areas like cross-border data transfers. Startups and smaller firms, in particular, may struggle with the added costs and infrastructure demands.
The DPDP Act’s principles-based design also brings fresh challenges at both the policy and operational levels.
Policy Uncertainty
Several provisions create uncertainty for businesses. For instance, the government has previously taken strong actions on data security, such as banning Chinese apps in 2020 for unauthorized data transfers. Yet, recent statements by the MeitY minister about hosting the Chinese AI model DeepSeek in India reflect a softer approach, causing confusion.
The DPDP Act gives the government wide powers to restrict cross-border data transfers. Draft rules require all transfers to follow government orders, raising the risk of frequent policy shifts. This lack of clear safeguards could lead to arbitrary decisions, discouraging investor and business confidence.
Another grey area lies in personal data breach notifications. The draft rules require companies to report any breach “without delay” and submit a detailed report within 72 hours. Since “without delay” is undefined, this could conflict with existing rules from CERT-In, leading to duplication and confusion.
Moreover, companies must report all breaches, no matter how minor. This could overwhelm both the DPB and affected users with excessive alerts, potentially damaging reputations and delaying real crisis management.
Multiple Reporting Burdens
The breach reporting rules do not align with other frameworks, such as the CERT-In Directions on Cybersecurity or the Telecom Cyber Security Rules, 2024. This fragmented system forces businesses to report the same incident to multiple authorities, creating unnecessary complexity instead of a single streamlined process.
Data Localisation and Government Powers
The draft rules revive data localisation requirements for certain “significant data fiduciaries.” These entities may be prohibited from sending specific categories of personal or traffic data outside India. This is a shift from earlier moves to relax localisation demands, and it may clash with foreign laws that require disclosure of data to overseas regulators.
The government also reserves broad powers to demand information from companies and intermediaries. These powers lack clear procedural safeguards and do not reflect the privacy protections laid down by the Supreme Court in the landmark Puttaswamy judgment (2017), which requires legality, necessity, and proportionality for any action that infringes privacy. Without limits, such powers tilt the balance heavily in favour of the state, potentially at the cost of privacy rights and business ease.
The Way Forward
The DPDP Act and draft rules are undoubtedly a major step toward aligning India with global privacy standards. However, unresolved issues remain. The real challenge lies not just in the law itself but in how the rules are drafted and implemented.
For India to succeed, the framework must strike a balance—protecting individual rights while supporting innovation and ease of doing business. A clear, consistent, and well-coordinated regulatory approach will be key to achieving that balance.
