India’s DPDP Act: A New Era in Personal Data Privacy

September 20, 2025

India’s New Data Privacy Law: How the DPDP Act Could Change the Way Your Personal Information Is Protected

From courtrooms to boardrooms, the push for stronger privacy safeguards is reshaping India’s digital future

With cybercrime on the rise, citizens and companies prepare for a new era of accountability

By CK AI Tracker

New Delhi, September 18, 2025 — When 28-year-old Ananya Sharma opened her banking app one morning, she froze. Her savings account had been emptied overnight. A phishing scam had stolen her personal details, and she had no idea how. “I thought my data was safe,” she says. “Now I’m not so sure.”

Stories like Ananya’s are becoming alarmingly common in India — and they’re exactly why the Digital Personal Data Protection Act, 2023 (DPDP Act) is being hailed as a potential game-changer.

Why It Matters

  • Your phone number, Aadhaar details, and shopping history could be safer under the new rules.
  • Companies will face heavy fines for mishandling your personal data.
  • You’ll have more control over who collects your information and why.

Courts Step In Before the Law

Even before the Act is fully enforced, Indian courts are making their stance clear. The Delhi High Court recently pressed the government on delays in operationalising the law, citing the urgent need to protect citizens from large-scale data breaches.

Cyber law expert Radhika Mehra says this is part of a bigger shift: “The judiciary is telling both the government and companies that privacy is not optional — it’s a constitutional right.”

What the DPDP Act Will Do

The law introduces:

  • Clear Consent Rules: Companies must get your explicit permission before using your data.
  • Plain-Language Notices: No more confusing fine print — you’ll know exactly what’s being collected and why.
  • Breach Alerts: If your data is leaked, you must be informed quickly.
  • Heavy Penalties: Big fines for companies that fail to protect your data.

Small Businesses Brace for Change

While large corporations are already investing in compliance systems, small and medium enterprises (SMEs) face a tougher challenge. “Many SMEs don’t have the resources to overhaul their systems overnight,” says IT consultant Rajiv Bhatia. “They’ll need affordable tools and clear guidance.”

Cybercrime Surge Adds Urgency

According to CERT-In, cybercrime incidents have spiked in the past two years, with phishing, ransomware, and identity theft leading the list. A recent breach at a major e-commerce platform exposed millions of customer records, fuelling public demand for stronger laws.

The Global Connection

India’s move mirrors global privacy laws like the EU’s GDPR and California’s CCPA. Aligning with these standards could boost India’s credibility in global digital trade and reassure foreign investors.

What Happens Next

The government is expected to publish the final rules later this year, along with setting up the Data Protection Board of India. Once in force, the DPDP Act will give citizens more control over their personal data — and give companies a strong incentive to handle it responsibly.

For Ananya, that can’t come soon enough. “I just want to know my information is safe,” she says. “If this law can do that, it’s worth it.”

📅 Timeline: The DPDP Act’s Journey

| Year/Date | Milestone |
|---|---|
| 2017 | Supreme Court’s Puttaswamy judgment declares privacy a fundamental right. |
| 2018 | Justice B.N. Srikrishna Committee submits draft Personal Data Protection Bill. |
| 2019–2022 | Multiple revisions and consultations; Bill renamed Digital Personal Data Protection Bill. |
| Aug 2023 | Parliament passes the DPDP Act, 2023. |
| July 2025 | MeitY completes public consultation on draft rules; receives ~7,000 responses. |
| Late 2025 (expected) | Final rules notified; Data Protection Board of India established. |
| 2026 (expected) | Full enforcement of the DPDP Act begins. |

🔍 Fact-Check: How DPDP Compares Globally

| Feature | India – DPDP Act | EU – GDPR | California – CCPA |
|---|---|---|---|
| Consent Requirement | Explicit, informed, unambiguous | Explicit, informed, unambiguous | Opt-out for sale of data; opt-in for minors |
| Right to Erasure | Yes | Yes | Yes |
| Breach Notification | Mandatory to regulator & affected individuals | Mandatory to regulator & individuals | Mandatory to individuals |
| Penalties | Up to ₹250 crore per violation | Up to €20 million or 4% of global turnover | Up to $7,500 per intentional violation |
| Cross-Border Data Transfer | Allowed with safeguards | Allowed with safeguards | Allowed with safeguards |
