Notification of Digital Personal Data Protection Law in India: Certain Key Timelines
In our earlier article, DPDP Rules: End of a Long Wait or Yet Another Failed Attempt, we examined the prolonged uncertainty surrounding India’s new data protection framework and the key features of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) along with the draft Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).
A significant development in this regard occurred on 13 November 2025, when the provisions of the DPDP Act and the DPDP Rules were notified and the Data Protection Board of India (“Board”) was constituted, thereby operationalising India’s new data protection framework.
This article seeks to outline the officially notified timelines for the enforcement of key provisions of the DPDP Act read with the DPDP Rules.
Key provisions that have come into force on 13 November, 2025 (date of publication of notification)
| Sl. No. | Section and corresponding rule | Brief overview of the provisions |
| 1. | Section 2 and Rule 2 | Provides for key definitions including ‘Consent Manager’, ‘Data’,‘Data Fiduciary’, ‘Data Principal’, ‘Data Processor’, ‘Digital Personal Data’, ‘Personal Data’, ‘Significant Data Fiduciary’ |
| 2. | Sections 18 to 26 and Rules 17 to 21 | Provides for establishment, composition, proceedings of the Board and powers of the Chairperson of the Board |
| 3. | Sections 38 | Provides for consistency with other laws however, in the event ofconflict, the provisions of DPDP Act shall prevail to the extent of such conflict |
| 4. | Section 44 (1) and (3) | Amendment to the following statutes: a) Section 14 of the Telecom Regulatory Authority of India Act, 1997 thereby providing the jurisdiction of Appellate body under DPDP Act to the Telecom Disputes Settlement and Appellate Tribunal; b) Section 8 of the Right to Information Act, 2005 laying down the exemption of disclosure of information when it relates to personal information. |
Provisions that will come into force on 12 November, 2026 (one year from the publication of notification)
| Sl. No. | Section and corresponding rule | Brief overview of the provisions |
| 1. | Section 6 (9) and Rule 4 | Every Consent Manager must register with the Board and meet the technical, operational, financial, and other requirements as prescribed. |
| 2. | Section 27 (1)(d) | Upon intimation of breach of any condition of registration of a Consent Manager, the Data Protection Board shall inquire into such breach and impose penalty as provided in this Act. |
Certain key provisions that come into force on 12 May, 2027 (eighteen months from the publication of notification)
| Sl. No. | Section and corresponding rule | Brief overview of the provisions |
| 1. | Section 3 | Applicability of DPDP Act on Digital Personal Data: a) within the territory of India; b) outside the territory of India (if the processing is related to goods and services offered within the territory of India). |
| 2. | Section 4 | Grounds for processing the Personal Data of Data Principal |
| 3. | Section 5 and Rule 3 | Notice by Data Fiduciary to Data Principal (prior to obtaining consent from the Data Principal) |
| 4. | Section 6 (1) to (8) and (10) | Manner of obtaining consent from Data Principal and accountability of the Consent Manager to Data Principal |
| 5. | Section 7 read with Rule 5 | Certain legitimate uses for which Data Fiduciary may process Personal Data |
| 6. | Section 8 to 10 read with Rules 6 to 13 | General obligations of Data Fiduciary and additional obligations of Significant Data Fiduciary Processing of Personal Data of children or persons with disability |
| 7. | Sections 11 to 15 read with Rule 14 | Rights and duties of Data Principal (including right to (a) access information; (b) correct and erase Personal Data; (c) grievance redressal and (d) nominate any other individual who shall exercise rights of the Data Principal. |
| 8. | Section 16 read with Rule 15 | Central Government may, by notification, restrict the transfer of Personal Data for processing outside the territory of India |
| 9. | Section 17 read with Rule 16 | Exemptions where obligations of Data Fiduciary; rights and duties of Data Principal and restriction on cross border transfer of Personal Data shall not apply |
| 10. | Sections 27 except (1)(d) | Powers and functions of the Board including but not limited to inquiry of Personal Data Breach |
| 11. | Section 44(2) | Amendment to certain provisions of Information Technology Act, 2000 (“IT Act”): Omission of Section 43A dealing with compensation for failure to protect sensitive personal data or information; Omission of Section 87(2) (ob) dealing with the power of the Central Government to make rules dealing with reasonable security practices and procedures; This omission would have the effect of leading to the omission of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which was India’s first attempt at regulating personal data protection. Addition of “Digital Personal Data Protection Act, 2023” to the proviso of Section 81 leading to the understanding that nothing contained in the IT Act shall restrict any person from exercising any right conferred under the DPDP Act. |
Conclusion:
The Government’s phased implementation of the DPDP Act and Rules offers entities a structured path to compliance. By deferring key obligations such as consent management, issuance of notices, fulfilment of Data Principal rights, breach reporting, and cross-border data governance, until statutory authorities and procedural mechanisms are operational, the 18-month window serves as a strategic preparation period. Proactive readiness during this time will help minimize disruption and mitigate regulatory scrutiny or penalties when the remaining provisions take effect on 12 May, 2027.
The information contained in this document is not legal advice or legal opinion. The contents recorded in the said document are for informational purposes only and should not be used for commercial purposes. Acuity Law LLP disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident, or any other cause.
