<?php echo html_escape(strip_tags($title)); ?>

India’s Data Protection Law Still Awaits Implementation

Delay in DPDP Act Puts Digital Privacy at Risk

By Pratishtha Sehgal --
Wednesday, 03 Sep, 2025

India’s Digital Personal Data Protection (DPDP) Act, 2023 was passed with the aim of creating a legal framework to safeguard personal information in an increasingly digital world. The law received Presidential assent in August 2023 and draft rules were issued in January 2025, yet it has not been brought into effect. This delay leaves a crucial gap in India’s regulatory landscape at a time when data-driven technologies are expanding at an unprecedented pace.

With one of the largest internet user bases in the world, India sees millions of people share personal details daily through smartphones, apps, e-commerce platforms, and digital payments. In the absence of an enforced framework, this data remains vulnerable to misuse, unauthorized sharing, or breaches. The risks are significant, given that trust is central to the growth of the digital economy. Whether in banking, healthcare, or education, people are more likely to adopt digital services when they feel assured that their information is protected. A robust legal framework not only reassures individuals but also boosts digital adoption across rural and urban areas.

For businesses, the DPDP Act is designed to establish accountability. It sets obligations for organizations—termed data fiduciaries—to ensure lawful and secure handling of personal data, while also creating mechanisms for grievance redressal in the event of violations. This accountability becomes even more critical in an environment where international firms operate under global benchmarks such as the EU’s General Data Protection Regulation (GDPR). Enforcing India’s law would bring its standards closer to international norms, ease cross-border business operations, and allow Indian companies to compete more confidently in global markets.

At the same time, sectors that thrive on large volumes of data, such as artificial intelligence, fintech, and healthtech, require clarity on how data can be processed and used. Well-defined rules will reduce regulatory ambiguity and provide certainty to innovators and startups, enabling them to build solutions responsibly while continuing to drive technological progress.

Currently, while the text of the law exists, the absence of notified rules and enforcement mechanisms has created uncertainty for businesses preparing compliance frameworks, as well as for individuals waiting for stronger privacy protections. The implementation of the DPDP Act is therefore not just a regulatory milestone but an essential step toward balancing privacy rights, economic growth, and innovation. Until the rules are formally enforced, India continues to operate with a critical gap in its digital governance, even as it stands at the forefront of the global digital revolution.

Delay in DPDP Act Puts Digital Privacy at Risk. India’s Digital Personal Data Protection (DPDP) Act, 2023 was passed with the aim of creating a legal framework to safeguard personal information in an increasingly digital world. The law received Presidential assent in August 2023 and draft rules were issued in January 2025, yet it has not been brought into effect. This delay leaves a crucial gap in India’s regulatory landscape at a time when data-driven technologies are expanding at an unprecedented pace.

With one of the largest internet user bases in the world, India sees millions of people share personal details daily through smartphones, apps, e-commerce platforms, and digital payments. In the absence of an enforced framework, this data remains vulnerable to misuse, unauthorized sharing, or breaches. The risks are significant, given that trust is central to the growth of the digital economy. Whether in banking, healthcare, or education, people are more likely to adopt digital services when they feel assured that their information is protected. A robust legal framework not only reassures individuals but also boosts digital adoption across rural and urban areas.

For businesses, the DPDP Act is designed to establish accountability. It sets obligations for organizations—termed data fiduciaries—to ensure lawful and secure handling of personal data, while also creating mechanisms for grievance redressal in the event of violations. This accountability becomes even more critical in an environment where international firms operate under global benchmarks such as the EU’s General Data Protection Regulation (GDPR). Enforcing India’s law would bring its standards closer to international norms, ease cross-border business operations, and allow Indian companies to compete more confidently in global markets.

At the same time, sectors that thrive on large volumes of data, such as artificial intelligence, fintech, and healthtech, require clarity on how data can be processed and used. Well-defined rules will reduce regulatory ambiguity and provide certainty to innovators and startups, enabling them to build solutions responsibly while continuing to drive technological progress.

Currently, while the text of the law exists, the absence of notified rules and enforcement mechanisms has created uncertainty for businesses preparing compliance frameworks, as well as for individuals waiting for stronger privacy protections. The implementation of the DPDP Act is therefore not just a regulatory milestone but an essential step toward balancing privacy rights, economic growth, and innovation. Until the rules are formally enforced, India continues to operate with a critical gap in its digital governance, even as it stands at the forefront of the global digital revolution.