India’s data protection landscape has undergone its biggest shift in decades with the introduction of the Digital Personal Data Protection Act (DPDPA) 2023 and the subsequent DPDP Rules 2025. Together, they form the first full-fledged framework that gives Indian citizens defined rights over their digital personal data while placing new accountability requirements on businesses, platforms, and government bodies handling that data.
The 2023 Act sets the foundation: consent-based processing, user rights, stricter governance, higher penalties, and a more structured approach to cross-border data flows. The 2025 Rules build on that foundation by detailing operational guidelines, sectoral expectations, and enforcement mechanisms for India’s rapidly expanding digital economy. As organisations adjust to 18 months of compliance runway, the conversation around privacy, surveillance, innovation, and citizen protection has intensified across industries.

To understand these developments better, CXO XPERTS spoke with Adv. (Dr.) Prashant Mali, one of India’s most respected experts in cyber law, cybersecurity, privacy regulation, and data protection.
Dr. Prashant Mali is the President and Founder of Cyber Law Consulting (Advocates & Attorneys), a firm he has led for more than 21 years. Over two decades, he has built one of India’s most respected cyber law and cybersecurity practices, advising Fortune 500 companies, government agencies, law enforcement bodies, and high-profile clients on complex issues involving cybercrime, privacy, AI regulation, digital forensics, data breaches, and technology disputes.
With this context, we present his insights on the DPDP Act and the DPDP Rules of 2025.
1. What is the Digital Personal Data Protection Act, 2023, and what key problem areas does it aim to solve for Indian citizens?
The Digital Personal Data Protection Act, 2023 represents India’s first comprehensive federal privacy legislation, addressing the critical vacuum in personal data protection that existed despite India’s rapidly digitizing economy and Supreme Court’s recognition of privacy as a fundamental right under Article 21.
The Act aims to solve several key problem areas:
- the unregulated collection and processing of personal data by digital platforms leading to profiling and surveillance capitalism
- lack of individual control over how personal information is used, shared, or monetized
- absence of accountability mechanisms when data breaches occur or data is misused
- inadequate transparency in algorithmic decision-making affecting citizens, and
- the cross-border flow of Indian citizens’ data without safeguards.
It also seeks to address the power asymmetry between data fiduciaries (controllers) and data principals (individuals), particularly in contexts where consent is coerced or uninformed. The legislation emerged after nearly a decade of policy deliberation following the Justice Srikrishna Committee’s recommendations, incorporating lessons from GDPR while attempting to create a framework suited to India’s unique socio-economic context, digital infrastructure maturity levels, and developmental priorities balancing innovation with protection.
2. What are the fundamental rights that Indian citizens now have over their personal data under the DPDPA?
The DPDPA grants Indian citizens several fundamental rights over their personal data, establishing them as “data principals” with meaningful control. These include the right to access information about personal data being processed, knowing what data is collected, for what purpose, and with whom it’s shared. Data principals have the right to correction and updating of inaccurate or incomplete personal data, ensuring accuracy in records that affect their lives.
The right to erasure or “right to be forgotten” allows individuals to request deletion of their data when it’s no longer necessary for the stated purpose, though with certain limitations. Citizens have the right to grievance redressal through designated mechanisms within organizations and subsequently through the Data Protection Board. Crucially, they have the right to nominate someone to exercise these rights on their behalf in case of death or incapacity, addressing digital inheritance concerns.
The Act also embeds the right to withdraw consent at any time, though this may affect service provision, and the right to information about data breaches that may cause harm. These rights collectively aim to shift the paradigm from data being treated as a corporate asset to being recognized as an extension of individual autonomy and dignity.
3. What is your assessment of how well the DPDP Rules 2025 balance individual privacy rights with the innovation needs of India’s growing digital economy? Are there any gaps?
The DPDP Rules 2025 attempt a pragmatic balance between privacy protection and innovation by adopting principles-based regulation rather than prescriptive compliance, allowing flexibility for emerging technologies and business models while maintaining accountability standards. The framework’s emphasis on consent, purpose limitation, and data minimization protects individuals without imposing excessive compliance burdens that could stifle startups and digital innovation—a deliberate departure from GDPR’s more stringent approach.
The tiered classification of data fiduciaries (significant vs. non-significant) appropriately calibrates obligations based on risk and scale, preventing disproportionate impact on smaller enterprises. However, significant gaps remain: the lack of restrictions on automated decision-making and profiling limits protection against algorithmic bias and discrimination; absence of data portability rights restricts competition and user choice; the Rules provide insufficient guidance on implementing “privacy by design” in AI/ML systems; cross-border data transfer mechanisms remain vague, creating uncertainty for global operations; and the broad exemptions for government processing create asymmetric protection.
The consent-centric model, while simpler, may prove inadequate for complex data ecosystems where meaningful consent is difficult, and alternative lawful bases like legitimate interests are narrowly defined. The framework would benefit from clearer standards on children’s data protection, biometric data processing, and workplace surveillance.
4. How will the DPDPA affect enterprises differently based on their sector — for example, fintech, e-commerce, healthtech, and edtech? Are there sector-specific compliance challenges?
The DPDPA’s impact varies significantly across sectors due to differing data sensitivity, processing volumes, and existing regulatory frameworks. Fintech companies face the most complex compliance landscape, reconciling DPDPA requirements with RBI’s data localization mandates, account aggregator framework, and lending regulations while managing consent for credit scoring, fraud detection, and regulatory reporting that often requires data retention beyond user preferences.
E-commerce platforms must navigate challenges in behavioral advertising, seller-buyer data sharing, consent management across marketplace models, and logistics partner data processing while maintaining competitive personalization capabilities. Healthtech faces heightened scrutiny given the sensitive nature of health data; implementing stricter consent mechanisms for telemedicine, electronic health records, and health insurance processing while ensuring interoperability under the proposed National Digital Health Mission creates compliance complexity.
Edtech companies must contend with stringent children’s data protection requirements including verifiable parental consent, age-appropriate privacy notices, and restrictions on profiling minors for commercial purposes, fundamentally impacting adaptive learning algorithms and business models. Each sector must also align DPDP compliance with sectoral regulators’ (SEBI, IRDAI, RBI, AMFI, TRAI) existing guidelines, creating potential conflicts and requiring careful legal harmonization to avoid regulatory arbitrage or contradictory obligations.
5. Looking at the 18-month compliance timeline, what are the biggest mistakes or shortcuts you think organizations might take, and what would be the consequences?
During the 18-month implementation timeline, organizations will likely take several problematic shortcuts that could backfire significantly. The most common mistake will be treating DPDP as purely a legal/compliance exercise rather than embedding privacy into business processes and technology architecture, resulting in superficial “checkbox compliance” vulnerable to audits and breaches. Many will deploy generic, incomprehensible privacy notices and consent forms that technically meet requirements but fail to provide meaningful transparency or choice, inviting regulatory scrutiny and user distrust.
Organizations may underinvest in data mapping and inventory, leaving them unable to respond to user rights requests or breach notifications within mandated timelines, triggering penalties. Appointing under-qualified Data Protection Officers without adequate authority, resources, or organizational access will create compliance theater without substance. Companies will likely delay vendor due diligence and data processing agreement updates, exposing themselves to vicarious liability for third-party violations.
Inadequate employee training means operational staff won’t implement policies correctly despite documented procedures. The consequences of these shortcuts include substantial financial penalties (up to ₹250 crores), reputational damage from publicized breaches or Board proceedings, operational disruption from compliance orders, competitive disadvantage as privacy-conscious consumers gravitate toward compliant brands, and potential criminal liability for officers under certain violations. Organizations that view the timeline as a deadline rather than a journey toward privacy maturity will find themselves perpetually non-compliant.
6. The DPDP Act does not impose restrictions on data transfers, though the government can restrict transfers to specific countries. How will the industry react to this, and what are the long-term implications for large tech companies?
The DPDP Act’s initial approach to cross-border data transfers (not imposing blanket restrictions but granting the government discretionary power to blacklist certain countries) has received a cautiously positive reception from the technology industry and multinational corporations operating in India, as it avoids the compliance complexity and operational costs associated with data localization mandates. This pragmatic approach recognizes India’s integration into global digital supply chains and cloud infrastructure dependencies while reserving sovereign authority to restrict transfers based on geopolitical, security, or adequacy considerations.
Industry appreciates the flexibility this provides for business continuity, innovation partnerships, and leveraging global technology platforms without immediate infrastructure overhaul. However, the long-term implications for large tech companies are more complex and potentially restrictive. The discretionary power creates regulatory uncertainty: companies cannot predict which countries might be blacklisted, complicating long-term infrastructure investments and data architecture decisions. For significant data fiduciaries, restrictions on processing certain sensitive data categories (yet to be notified) could require India-specific data segregation regardless of transfer restrictions.
The provision enables the government to use data transfer restrictions as geopolitical leverage, potentially targeting specific companies or jurisdictions based on diplomatic considerations. This could fragment the internet further, increase compliance costs through jurisdiction-specific systems, and disadvantage companies from blacklisted nations in the Indian market. Large tech platforms may face pressure to establish local data centers despite no explicit localization mandate, and the lack of an adequacy framework similar to GDPR means Indian adequacy decisions won’t automatically enable reciprocal data flows.
7. The DPDPA provides exemptions for government agencies. From a privacy advocacy perspective, what safeguards or mechanisms should exist to prevent misuse of personal data by government entities?
From a privacy advocacy perspective, the DPDPA’s broad exemptions for government agencies processing data “in the interest of sovereignty and integrity of India, security of the State, public order” or for providing benefits/services represent the legislation’s most troubling gap, essentially creating a parallel surveillance apparatus exempt from the protections afforded against private entities.
Critical safeguards that should exist include:
- mandatory data protection impact assessments for government surveillance programs reviewed by an independent oversight body with technical expertise and civil society representation
- sunset clauses on emergency data collection powers requiring periodic legislative reauthorization
- strict purpose limitation preventing function creep where data collected for welfare is repurposed for law enforcement
- algorithmic transparency and audit requirements for government AI systems affecting citizen rights
- judicial oversight and warrants for invasive data collection rather than executive discretion
- mandatory breach notification obligations for government agencies with penalties for non-compliance
- establishment of a Privacy Commissioner independent from government influence with suo moto powers to investigate state surveillance
- whistleblower protection for government employees exposing data misuse, and
- explicit prohibition on mass surveillance without individualized suspicion.
The exemption clause should be narrowly construed through statutory interpretation or amendment, requiring the government to demonstrate necessity, proportionality, and the lack of less intrusive alternatives, essentially importing constitutional standards from the Puttaswamy judgment into operational practice. Without these safeguards, the asymmetry between private sector accountability and government impunity undermines the Act’s legitimacy and creates Orwellian surveillance risks.
8. GDPR applies to both digital and non-digital personal data, while DPDPA applies only to digital personal data. What is the practical implication of this difference for India?
The DPDPA’s limitation to digital personal data, contrasting with GDPR’s comprehensive coverage of all personal data regardless of format, creates significant practical implications and potential protection gaps in India’s regulatory landscape. This distinction means traditional paper-based records, physical photographs, handwritten documents, and offline databases fall outside DPDPA’s purview, potentially incentivizing organizations to maintain sensitive data in non-digital formats to avoid compliance obligations, a perverse outcome contradicting the Act’s protective intent.
For sectors like healthcare where physical medical records remain prevalent, banking with paper documentation requirements, or educational institutions maintaining physical student files, this creates a dual compliance framework where the same information receives different protection based solely on format. Citizens exercising rights to access or erasure may find their digital footprint addressed while physical records remain untouched, fragmenting their privacy control. The practical implication is that comprehensive data protection requires organizations to voluntarily extend DPDP principles to non-digital data or rely on sector-specific regulations and common law protections that may be inconsistent or inadequate. This gap is particularly concerning for vulnerable populations with limited digital literacy who interact primarily through physical documentation.
However, the narrow scope also reflects legislative pragmatism: India’s institutional capacity for enforcement is limited, and the immediate priority is regulating the digital economy where data processing occurs at unprecedented scale and speed. The distinction acknowledges that digitization amplifies privacy risks through ease of copying, transmission, analysis, and permanence, warranting prioritized regulation even if ideologically inconsistent with technology-neutral principles.
9. Other countries continually update their data protection laws. How do you see the DPDPA evolving over the next 3–5 years, and what gaps might need to be addressed?
Over the next 3-5 years, the DPDPA will likely evolve through multiple mechanisms:
- subordinate legislation and Rules addressing sector-specific issues (AI governance, biometric data, workplace surveillance, children’s data)
- jurisprudence from the Data Protection Board establishing precedents on consent validity, legitimate processing, and penalties
- potential amendments addressing emerging technologies like quantum computing, brain-computer interfaces, and generative AI, and
- harmonization with other digital governance legislation including the proposed Digital India Act, Telecommunications Act amendments, and cybersecurity frameworks.
Critical gaps requiring attention include:
- establishing affirmative data protection obligations for AI systems including explainability, algorithmic impact assessments, and bias auditing
- introducing data portability rights to enhance competition and prevent platform lock-in
- creating alternative lawful bases beyond consent for legitimate business interests, recognizing that meaningful consent is often impractical in complex data ecosystems
- implementing stronger children’s data protection including “privacy by default” and prohibition on profiling for commercial purposes
- addressing collective privacy harms and group-level data rights where individual consent is insufficient (genetic data, community datasets)
- establishing adequacy frameworks for cross-border transfers providing reciprocity and predictability
- narrowing government exemptions and introducing oversight mechanisms
- creating regulatory sandboxes for privacy-preserving technologies and innovative compliance approaches, and
- developing specific protections for biometric data, workplace surveillance, and public-private data sharing arrangements.
The Act must also address enforcement capacity: the Data Protection Board requires substantial technical expertise, resources, and independence to effectively regulate India’s complex digital economy.
The DPDP Act marks a turning point in how India defines digital rights and accountability. But as Dr. Mali points out, the law is only the starting point. True protection depends on how organisations interpret their responsibilities, how the government applies exemptions, and how effectively the Data Protection Board is able to enforce the rules.
As India transitions into a data-driven economy shaped by AI, cross-border ecosystems, and deep digital integration, the real test will be whether the framework evolves fast enough to protect citizens without slowing innovation. That balance will define India’s digital future.
