India’s DPDPA details

India’s draft data protection rules are sharpening obligations for companies: breach notification to the regulator with full details within 72 hours, stricter stand-alone consent notices, and vendor processing allowed only under contracts that push the regulated company’s duties down the supply chain. (Those changes shift risk onto service providers and make vendor contracts and incident playbooks far more important for any business operating in or with India.) (x.com)

India is moving from a short privacy law to a much more detailed operating manual, and the practical change for companies is simple: they will have less room to improvise when personal data is collected, shared, or exposed. The Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025 on January 3, 2025, to fill in the operational detail missing from the Digital Personal Data Protection Act, 2023, which received presidential assent on August 11, 2023. (dpdpa.in)

The law uses unusual labels, but the roles are familiar. A “data fiduciary” is the organization that decides why and how personal data is processed (the equivalent of a controller elsewhere), a “data processor” is a party that processes it on the fiduciary’s behalf, and a “data principal” is the person the data relates to. The draft rules matter because they turn those broad labels into step-by-step duties for websites, apps, employers, hospitals, banks, platforms, and overseas companies serving people in India. (ey.com)

One of the biggest changes is how consent has to be requested. Under the draft rules, the consent notice cannot be buried inside a long privacy policy or mixed into unrelated text. It must stand on its own, use clear language, itemize the personal data being collected, state the specific purpose of processing, and tell the person how to exercise their rights and how to complain to the Data Protection Board. (dpdpa.in) That sounds procedural, but it changes product design. A company that once used one broad checkbox covering “service improvement,” “marketing,” and “personalization” would now need to spell out what data is collected for each purpose and what that purpose enables. The draft rules also reinforce that consent must be specific and informed, and that withdrawing consent must be as easy as giving it. (ey.com)

The breach rules are also sharper than many companies expected. Commentary on the draft rules notes that a personal data breach must be notified to affected individuals and to the Board without delay, with a fuller report (the nature, extent and timing of the breach, the mitigation taken, and the notices sent to affected individuals) due to the Board within 72 hours. That creates the kind of countdown clock that forces companies to know, in advance, who investigates incidents, who drafts notices, and who approves disclosures, and it rewards teams that already keep the access logs needed to establish what was exposed before the clock runs out. (tta.in)

India’s penalty structure gives that deadline weight. The Act’s schedule of penalties, as summarized by EY, allows up to 200 crore Indian rupees for failing to notify the Board or affected individuals of a personal data breach, and up to 250 crore for failing to maintain the reasonable security safeguards meant to prevent one. In plain terms, a slow or chaotic response can become a board-level financial risk, not just an information security problem. (ey.com)

Another important feature is how far the law reaches beyond India’s borders. EY’s summary says the Act applies not only to processing inside India but also to processing outside India if it is connected with offering goods or services to people in India. That means a software company in California, a retailer in Singapore, or a cloud vendor in Europe can be pulled into India’s compliance map if Indian users are in scope. (ey.com)

This is where vendor liability becomes the real story. The Act places its obligations on the data fiduciary and allows it to engage a data processor only under a valid contract; the processor has no direct statutory duties of its own, so the contract is the only instrument that binds it. The draft rules make the operational side of compliance much more concrete, and once breach reporting, consent handling, retention, grievance workflows, and security controls are specified in detail, the company that outsources processing still needs contract terms strong enough to make the vendor do those things on time and prove that it did them. (lawsikho.com) So even if the government does not use the phrase “shared legal responsibility,” the commercial effect is close to it. The regulated company remains on the hook to the government, but it will push obligations downstream through data processing agreements, audit rights, indemnities, incident reporting clauses (with a vendor deadline well inside the fiduciary’s own 72-hour window), subcontractor controls, and tighter service-level terms. That is why service providers, software vendors, payroll processors, customer support firms, and cloud partners all face more pressure under this framework. (lawsikho.com)

The draft rules also add pressure in a few other places. They describe a registration and operating framework for “consent managers,” require stronger handling of children’s data including verifiable parental consent, and impose extra duties on “significant data fiduciaries,” a category the government can designate based on the volume and sensitivity of data processed and the risk involved. For large consumer internet, financial, and health businesses, those extra layers can mean periodic audits, data protection impact assessments, and stricter data handling controls. (dpdpa.in)

The timeline matters too. The draft rules were published for public consultation on January 3, 2025, with comments invited until February 18, 2025, and legal analyses at the time noted that implementation would be staggered. India later notified the final Digital Personal Data Protection Rules, 2025 in November 2025, which means the policy debate has already moved from theory to enforcement planning. (dpdpa.in)

For companies operating in or with India, the practical checklist is no longer abstract: cleaner consent flows, shorter incident escalation paths, current data maps, named contacts for grievances, and vendor contracts that match the new rulebook. Organizations that treated privacy as a policy page will now have to treat it more like fire safety: drills, owners, logs, deadlines, and proof. (lexology.com)
