With the rollout of the long-awaited data protection rules, the Digital Personal Data Protection Act, 2023 has entered the implementation stage, marking a shift in how personal information will be handled in India’s expanding digital ecosystem. The government has adopted a phased rollout: some provisions take effect immediately, while the full framework will be operational over the next 18 months. In this first phase, companies must publish privacy notices in clear, accessible language, appoint grievance officers, and establish data-retention and deletion systems. At the heart of the rules lies the principle of informed consent— entities must clearly state why they are collecting personal data and how they intend to use it. Added safeguards for children and persons with disabilities underline the intent to give individuals meaningful control over their digital footprints.
The rules provide guidance on retention and deletion of data. Any organisation collecting personal information must ensure it is erased once its purpose is fulfilled and notify individuals before deletion. In the event of a data breach, companies must report the incident to the authorities within 72 hours. The framework also introduces consent managers— government-approved platforms that will allow users to view, modify, or withdraw permissions in one place. These systems must be in place by November 2026, potentially reshaping how people monitor and manage their data across services.
The government has, however, granted itself exemptions to process personal data, including that of minors, for specific State functions such as delivering services, issuing certificates, and granting licences. While these carve-outs have triggered concerns among privacy advocates, the rules do require government agencies to follow defined standards when handling such data. The balance between public interest and personal privacy will depend on how these exemptions are exercised and overseen.
Despite apprehensions, the arrival of a formal data protection regime is both necessary and overdue. The rules empower citizens by giving them the right to correct or withdraw their data and by demanding greater accountability from entities that process it. At a time when personal information is routinely misused for fraud, profiling, and manipulation, the emphasis on accuracy, consent, and security is timely. The possibility of state overreach remains a legitimate concern, but it should not overshadow the value of a comprehensive protection framework. As implementation unfolds, real-world challenges will emerge, offering opportunities to refine and strengthen the system further.