From bill to law: India's digital personal data protection journey, implications


The draft DPDP rules mark a shift in India’s data protection landscape, establishing stringent guidelines for data fiduciaries and empowering citizens with robust rights over their data

India’s DPDP Act marks a critical step in building a trusted digital ecosystem. | Credits: Getty Images

Extensive debates and revisions have marked the journey of India’s data protection framework. Beginning with the first draft of the Data Protection Bill in 2018, the legislation underwent significant amendments in 2019 and 2021 before being scrapped entirely. The government then introduced the Digital Personal Data Protection (DPDP) Bill, 2022, which evolved into the DPDP Bill, 2023. Passed by the Lower House of Parliament on August 7, 2023, and by the Upper House on August 9, 2023, it became law following Presidential assent and gazette notification on August 11, 2023.


On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft DPDP Rules for public consultation, aiming to operationalise the DPDP Act, 2023. These rules mark a transformative shift in India’s data protection landscape, establishing stringent guidelines for data fiduciaries and empowering citizens with robust rights over their personal data.

The Draft DPDP Rules: Key Provisions

1. Informed Consent and Empowerment: The Act emphasises user-centric data management, mandating that data fiduciaries provide clear, accessible information to enable informed consent. As outlined by India’s Press Information Bureau, citizens gain rights to manage their data through mechanisms such as data erasure and appointing digital nominees. This provision aligns with GDPR’s principles of transparency and consent.

2. Rigorous Obligations for Data Fiduciaries (DFs): Data fiduciaries must adopt reasonable security safeguards, including encryption, access controls and monitoring for breaches. Additionally, they are required to:

Notify affected individuals and the Data Protection Board (DPB) of a personal data breach without delay, and follow up with a detailed report to the DPB within 72 hours (the draft rules allow the Board to extend this period on request).

Publish the contact details of a person who can answer questions about how personal data is processed and, in the case of Significant Data Fiduciaries, of a designated Data Protection Officer (DPO).

Secure verifiable parental consent before processing children’s data.

Such mandates ensure accountability, drawing parallels to GDPR’s requirements for Data Protection Impact Assessments (DPIAs) and breach reporting.


3. Pioneering Consent Managers: A unique feature of India’s framework is the Consent Manager system, a standardised platform, registered with the DPB, that enables users to give, manage and withdraw consent through a single interface. Consent Managers must maintain detailed records of every consent given and withdrawn, act independently of the data fiduciaries they interact with and avoid conflicts of interest, a concept not explicitly addressed in GDPR.

4. Data Retention and Erasure: Under the draft DPDP Rules, specified classes of data fiduciaries (e-commerce entities, online gaming intermediaries and social media intermediaries above prescribed user thresholds) must erase a user’s personal data once the user has been inactive for three years, unless retention is required by law, and must notify the user at least 48 hours before the erasure. Other fiduciaries must erase personal data as soon as the purpose for which it was collected is no longer served. This gives purpose limitation a concrete deadline, whereas GDPR relies on its storage-limitation and data-minimisation principles and the “right to be forgotten” without fixing a uniform retention period.


5. Annual Data Protection Audits: Significant Data Fiduciaries, designated by the government on the basis of the volume and sensitivity of the data they process, must conduct annual DPIAs and audits and verify that the algorithmic software they deploy does not pose risks to the rights of data principals. This requirement positions India ahead in regulating AI-driven risks compared to GDPR’s broader emphasis on high-risk processing activities.

Data Localisation and Sovereignty

A contentious provision is the reintroduction of data localisation. A central committee will oversee sector-specific localisation mandates, reflecting India’s commitment to digital sovereignty. IT Minister Ashwini Vaishnaw emphasised a balance between safety and business continuity, with localisation requirements tailored to avoid disrupting industries. GDPR, by contrast, facilitates cross-border data transfers under strict safeguards, underscoring differing regional priorities.

Protecting Children’s Data


The DPDP Act requires verifiable parental consent before processing the personal data of anyone under 18; the draft rules let a fiduciary verify a parent’s identity and age through details it already holds or through a virtual token issued by a Digital Locker service provider. While this safeguards minors, critics argue it risks excluding children from marginalised communities. GDPR, on the other hand, sets the age of consent at 16, allowing member states to lower it to 13, providing flexibility based on regional contexts.

Accountability for Govt Data Processing


The Act imposes stringent standards on government use of personal data, ensuring accountability for public welfare schemes. This dual approach—holding both private and state entities to high standards—sets India apart.

Proactive Breach Notifications and Financial Penalties


Data breaches must be reported without delay to the DPB and to affected individuals, with a detailed report to the Board due within 72 hours, mirroring GDPR’s 72-hour notification rule. Financial penalties for non-compliance in India can reach ₹250 crore (~$30 million) per instance, underscoring the seriousness of safeguarding data. However, this presents challenges for SMEs, echoing similar concerns raised during GDPR’s implementation.

Comparative Analysis: DPDP Act vs. GDPR


India’s DPDP Act and Europe’s GDPR share a foundational goal—strengthening data protection and user rights. However, their approaches diverge in several key areas:

Scope and Applicability: GDPR applies to any entity processing the personal data of individuals in the EU, wherever that entity is based. The DPDP Act applies to digital personal data processed within India and to processing outside India that is connected with offering goods or services to individuals in India, so it too reaches foreign entities, though it covers only personal data in digital form.


Data Localisation: GDPR allows cross-border transfers under safeguards; the DPDP Act emphasises localised storage for specific data categories.

Children’s Data: GDPR offers flexibility in age thresholds for parental consent, while India sets a uniform age of 18.


Enforcement and Penalties: Both frameworks impose hefty fines (up to ₹250 crore per instance under the DPDP Act; up to €20 million or 4% of global annual turnover under GDPR), but India’s penalties aim to reflect its unique digital landscape and market dynamics.

Challenges and Industry Concerns


Businesses, particularly SMEs, face operational disruptions and significant compliance costs. The draft rules require updating systems, conducting DPIAs, and renegotiating contracts, raising concerns about feasibility. Tech giants reliant on global data flows have expressed apprehension over localisation mandates. Industry stakeholders argue that such measures could stifle innovation and increase operational complexities. Rule 10’s parental consent requirement risks excluding children of illiterate or digitally ill-equipped parents from digital platforms, exacerbating socio-economic disparities.

The Road Ahead


The Ministry of Electronics and Information Technology (MeitY) has invited public feedback on the draft rules until February 18, 2025. This consultation phase offers an opportunity to refine the framework, addressing industry concerns while upholding citizen rights. India’s DPDP Act marks a critical step in building a trusted digital ecosystem. By integrating algorithmic transparency, data sovereignty, and robust user rights, the framework aspires to align with global best practices. However, its success hinges on seamless implementation and collaborative policymaking.

(Neehar Pathare is the MD, CEO & CIO at 63SATS)
