BlogLine

India paves the way for functional and enforceable privacy laws with notification of the Digital Personal Data Protection Act rules

11/19/25

By: Jacob Berlinger and Alexia Roney

In 2023, India enacted the Digital Personal Data Protection Act (“DPDP Act”), the first standalone data protection legislation governing the requirements for collection and processing of digitized personal data. The DPDP Act is guided by seven core principles including consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability. To implement the Act, India’s Ministry of Electronics and Information Technology notified the DPDP Rules on November 14, 2025, which limit companies’ ability to collect data and give India’s citizens the power to opt out of data collection.

Why is this important? The DPDP Act applies not only to entities processing personal data within India but also to those outside India if such processing is in connection with any activity related to offering of goods or services to individuals within India. The United States is the largest market for Indian IT services, accounting for most of India’s IT exports. American IT companies have a significant presence in India from customer support to research and development, employing an estimated one million people.

The DPDP Rules clarify the Act’s application and follow the landmark 2017 India Supreme Court case, Puttaswamy v. Union of India, (2017) 10 SCC 1, declaring privacy a fundamental right embedded in the Constitution of India. The Rules cover topics such as requirements governing data fiduciaries; notice requirements to data principals for obtaining consent; registration of in-house consent managers; data breach notification requirements; obligations for processing minors’ data; and set timelines for data retention and erasure of personal data.

A unique feature of the DPDP Act is the heavy focus on consent-based management processes. Businesses must obtain consent that is free, specific, informed, unconditional, and unambiguous. This may require businesses to completely overhaul their internal systems to retain records of data collection, use, storage, and sharing across business systems and networks. The DPDP Rules will not be implemented at once; rather, the government is focused on a progressive roll out over the next eighteen months which will allow businesses time to comply with the new requirements.

The DPDP Act will be enforced by the Data Protection Board of India (DPB), comprised of four members. Importantly, there is no private right of action for violations, but the DPB will potentially serve as an indirect way for data subjects and data fiduciaries to settle disputes. In addition, the DPB will function as a fully digital institution, enabling Indian citizens to file and track complaints online through a dedicated platform and mobile application.

Freeman Mathis & Gary, LLP, has a strong interdisciplinary team of attorneys across the county ready to help clients navigate the complex and rapidly evolving digital global legal landscape.

For more information, please contact Alexia Roney at alexia.roney@fmglaw.com,  Jacob Berlinger at jacob.berlinger@fmglaw.com or your local FMG attorney.

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.