DPDP: The Clock Starts Ticking

DPDP: The Clock Starts Ticking

New Delhi  |  Cyber Law & Policy Desk

New Delhi: India’s push to build a functioning data protection regime took a significant step forward this year, as the Ministry of Electronics and Information Technology worked through the practical machinery needed to enforce the Digital Personal Data Protection Act of 2023. What began as a broad legislative promise three years ago is now being translated into the fine print that will decide how companies collect, store and move the personal data of hundreds of millions of Indians.

The Digital Personal Data Protection Rules were finalized and notified in November last year. They serve as the operational backbone of the parent Act. They spell out the mechanics that the 2023 law left for later: how Consent Managers will be registered and audited, how organisations must respond when a person asks to see or delete their data, what counts as a reportable breach, and under what conditions personal data can leave Indian shores. Without these rules, the Act existed largely as a statement of intent. With them, it starts to acquire teeth.

People who work at the Ministry have said that they will not do the rollout at once. The Ministry officials want to make sure everything goes smoothly so they will do the rollout in steps not in one move. The rollout, from the Ministry will take some time to complete. Instead, the framework is being switched on in stages, giving companies a runway to adjust their systems before the harsher provisions, including penalties running into hundreds of crores of rupees, come into force. That phased design has become the central talking point among lawyers, compliance officers and industry bodies trying to map out exactly when each obligation begins to bite.

A Rulebook Built in Phases

Under the current schedule, the first tranche of provisions, largely concerned with setting up the Data Protection Board of India, took effect as soon as the rules were notified. The Board is the adjudicatory body that will hear complaints and, eventually, impose penalties. Getting it up and running was treated as the foundational step, since every other part of the regime depends on having a functioning authority to answer to.

A second tranche, due roughly a year after notification, brings in the framework for Consent Managers. These are meant to function as neutral intermediaries that let individuals see, in one place, which organisations are processing their data and allow them to grant or withdraw permission with a few clicks rather than chasing multiple companies separately. To qualify, an entity must be incorporated in India, hold a minimum net worth in the range of two crore rupees, and clear independent technical checks on interoperability. The rules also require Consent Managers to steer clear of conflicts of interest, meaning their directors and senior staff cannot hold financial ties or employment relationships with the very data fiduciaries whose consent flows they are supposed to police impartially.

The remaining and most consequential obligations, covering notice requirements, the grounds on which data can be processed, data breach intimation, protections for children’s data, and the rules governing significant data fiduciaries, are scheduled to become fully enforceable roughly eighteen months after notification. That places the government’s original target for hard enforcement, including financial penalties, in the middle of 2027.

Pressure to Move Faster

That timeline, however, has not stood entirely still. In late January this year, the Ministry sat down with industry representatives and floated a proposal that would compress parts of the schedule considerably, particularly for so called significant data fiduciaries, the larger organisations expected to handle the greatest volumes of sensitive personal information. Under the proposal, the compliance deadline for these entities could move up by roughly six months, bringing forward obligations that were originally not due until the following year.

The idea reflects a broader impatience within government circles. A senior minister had already signalled months earlier that authorities wanted to accelerate enforcement timelines for larger businesses, on the reasoning that many of them already operate under stricter privacy regimes elsewhere in the world and should be capable of complying with India’s framework sooner rather than later. The Ministry invited feedback from stakeholders on the proposal through early February, a sign that the final shape of the timeline is still being negotiated rather than fixed in stone.

Two elements of that fast tracking proposal have drawn particular attention from legal practitioners. The first concerns the restrictions on moving personal data outside India. Under the rules as notified, significant data fiduciaries are required to keep certain categories of data and related traffic information within Indian territory, subject to directions issued by the central government on the advice of a specially constituted committee. The Ministry has proposed bringing this restriction into force immediately rather than waiting for the standard phase in period, which would give the cross border data localisation regime real, immediate weight rather than treating it as a distant obligation.

The second concerns the process for identifying which companies actually qualify as significant data fiduciaries in the first place. Rather than waiting for the full compliance window to lapse before naming these entities, the Ministry wants to notify the criteria and the list of covered organisations as soon as practicable. Once a company is formally designated in this category, it would then face a compressed runway to meet its obligations, rather than the fuller period originally envisioned.

Who Falls Under the Stricter Category

Nobody is allowed to self declare as a significant data fiduciary. The classification rests entirely with the central government, but the direction of the rules gives a fairly good indication of who is likely to be swept in. Entities operating in sensitive sectors such as healthcare, defence and finance are widely expected to be early candidates. So too are companies running artificial intelligence systems, search engines, e-commerce marketplaces and social media platforms, given the sheer volume of personal information such businesses process and the scale of risk to individuals if that data is mishandled.

For these organisations, the rules go well beyond the general obligations that apply to every data fiduciary. They must appoint a data protection officer based in India, conduct periodic data protection impact assessments, and undertake ongoing verification that the algorithmic tools and software they use do not pose risks to the rights of the people whose data they process. Notably, the final version of the rules widened this due diligence requirement beyond just algorithmic software to cover technical measures more broadly, a change from the earlier draft that industry lawyers have flagged as meaningful.

What Ordinary Users Can Expect

For individuals, the parts of the framework likely to matter most in daily life are the rights of access, correction and erasure. The notified rules set a firm ninety day window within which an organisation must respond to a request from a person exercising these rights, a deadline that did not exist in the earlier draft version circulated for public comment. Companies that deal with a lot of people like shopping sites, social media and online games have to delete personal information when it is not needed anymore. This has to be done by a time. However if the law says they have to keep it or the person is still using the service then they do not have to delete it. These companies, like e-commerce platforms, social media intermediaries and online gaming services have to follow these rules.

The breach notification requirements have also been sharpened. Fiduciaries must report incidents to the Data Protection Board as well as to every affected individual, regardless of how serious or limited the breach might be, effectively removing any discretion to downplay smaller incidents. One softening touch in the final rules is that companies are not required to disclose the precise location or systems affected by a breach when informing the individuals concerned, a change intended to prevent breach notices from doubling as a roadmap for further exploitation.

The Compliance Clock Is Already Ticking

Legal advisers tracking the rollout stress that companies should not treat 2027 as a distant deadline that can be dealt with later. Even before the penalty provisions formally kick in, the Data Protection Board has the power to issue directions and ask organisations to demonstrate corrective action if a complaint is filed against them, well before the compliance window formally closes. In other words, the absence of financial penalties in the near term does not mean the absence of regulatory consequences.

Industry groups have broadly welcomed the clarity that the final rules bring after years of drafts and consultations, even as some have pushed back on the idea of compressing timelines further, arguing that smaller businesses in particular need the full runway to build consent infrastructure, retrain staff and update contracts with vendors. The government’s public consultation process, which drew several thousand submissions from start-ups, industry associations, civil society groups and ordinary citizens before the rules were finalised, suggests that further tweaks are still possible as the framework matures.

It is easy to see that Indias law to protect peoples information, which has been talked about for a long time is finally moving forward. This law has been in the works since the Supreme Court said that people have a right, to privacy in 2017. Now Indias data protection law is no longer an idea it is actually happening. Indias data protection law is really taking shape now. The debate has shifted from whether such a law is needed to how quickly and how strictly it will be enforced, and for businesses operating in India’s vast digital economy, that shift changes the nature of the compliance conversation entirely.

Spread the love