
An Overview of India’s 2025 Digital Personal Data Protection Law

With the implementation of the Digital Personal Data Protection Rules, 2025 (the “Rules”), the Digital Personal Data Protection Act, 2023 (the “Act”) is now in full force. Any owner or inventor of software or technology that uses personal data in any form, whether names, identifiers, biometric details, or any other digitally stored information that can identify an individual, now needs to pause and reassess how they do business.

Because while the invention may be protected under intellectual property (IP) law, non-compliance with India’s new data protection framework can still bring everything down. Even if IP law does not question your rights, the DPDP regime certainly will, and that risk cannot be ignored.

Here is what one needs to know about this law:

Parties:

1. Data Fiduciary: A person who, either alone or with others, determines the purpose and means of processing personal data. For example, an inventor or owner of an invention such as software, an AI system, or a technology that uses personal data can be called a data fiduciary.

2. Significant Data Fiduciary: A data fiduciary can be notified as a significant data fiduciary by the Central Government on the basis of the data being processed. For example, if the volume and sensitivity of personal data processed is high, if there is a risk to individuals’ rights, or if there is a potential impact on the sovereignty or security of the State.

3. Data Protection Officer: A significant data fiduciary can also appoint an individual to represent it under the Act, provided the individual is based in India and serves as the point of contact for the grievance redressal mechanism.

4. Data Processor: If a data fiduciary outsources processing to a party who processes personal data on its behalf, that party is called a data processor under the Act, but responsibility for the security of the data remains with the data fiduciary alone.

5. Data Principal: The individual whose personal data is used by the data fiduciary is called the data principal. A few points should be remembered. If the individual is a child (under the age of eighteen years), the data principal includes the parents or lawful guardian of that child, and if the individual is a person with disability, the data principal includes the lawful guardian acting on their behalf.

6. Data Protection Board of India (DPB Board/the Board): Established by the Central Government under Section 18 of the Act, the Board will act as the primary authority in the implementation of the Act. The Board’s duties include receiving complaints and conducting inquiries, as well as passing orders and imposing penalties.

7. Consent Manager: A single point of contact that helps a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. This single point of contact is an entity registered with the Board, called the consent manager.

8. Central Government: Central Government refers to the Central Government of India. Under the Act it has the power to enforce the Act, establish the Board and appoint its members, file complaints with the Board, notify who can be a significant data fiduciary, determine the applicability of the Act, and more.

9. Appellate Tribunal: The Appellate Tribunal refers to the Telecom Disputes Settlement and Appellate Tribunal. If one is not satisfied with an order of the Board, it can be appealed to this Tribunal under Section 29 of the Act.

As each party needs to perform its role efficiently and without interference, the Ministry of Electronics and Information Technology (MeitY) has decided to implement the Rules, along with the Act, in a phased manner in which each party has a role to play:

Phase 1: 

Phase 1 includes the implementation of the general provisions of the Act (such as the title, commencement, and definitions) and the establishment of the DPB Board. Both have been implemented with the release of the Rules (i.e. on 13 Nov 2025). This means that the Board is now an established authority that can exercise its powers under the Act and the Rules.

A data fiduciary or a data processor need not worry much about this phase right now. However, since it is the Board that has the power and authority to take legal action, or to authorise activities in relation to the collection of personal data, it is important to understand what it can and cannot do (unless, of course, it has acted in good faith, in which case it cannot be prosecuted, under Section 35 of the Act).

Under Section 18 of the Act, the Central Government establishes the Board as an independent legal body. It can hold property, enter into contracts, and take legal action, much like a company. This makes the DPB Board a powerful enforcement authority. Under Section 19, the Board consists of a Chairperson and Members appointed by the Government (via the Search-cum-Selection Committee under Rule 17 of the 2025 Rules) for their expertise in data governance, digital technology, law, regulation, and consumer protection. All Members are treated as public servants, giving their decisions legal force. As per the latest notification, the Board shall consist of four Members and be established in the NCR region.

The Chairperson oversees administration, authorises scrutiny of complaints, and allocates matters among Members. Under Section 23, the Board controls its own procedures, and its decisions remain valid despite vacancies or minor procedural defects. The Board will also decide questions of compliance, and the consequences of non-compliance, for any data-driven technology.

With the implementation of these Rules, a few other things have also changed, including the fact that:

1. The Act, under Section 38, will prevail, in case of any conflict with other Acts or laws.

2. Since an Appellate Tribunal exists, anyone wishing to appeal against a Board order must, under Section 39, go through the Tribunal and not the civil courts.

3. The Central Government, under Section 40, has the power to make rules and amendments by notification under the Act. Under Section 41, such rules or notifications must be placed before both Houses of Parliament for at least 30 days, and the rule takes effect only with the consent of both Houses, unless the rule is already valid and in force. The Government may also issue orders under Section 43 to remove difficulties in implementing the Act, as long as such orders do not contradict the Act.

4. Both the Telecom Regulatory Authority of India Act, 1997 and the Right to Information Act, 2005, have been amended to recognise the presence of this new law.

Phase 2: 

Phase 2 concerns the registration and regulation of Consent Managers, expected to take effect by November 2026. At this stage, Consent Managers will act on behalf of the Data Principal in administering and managing consent notices.

To qualify for registration under Part A of the First Schedule to Rule 4, an applicant must:

1. Be a company incorporated in India with adequate technical capability, operational capacity, and financial resources, including a minimum net worth of INR 2 crores, sound financial health, proper governance, viable business prospects, and a stable capital structure.

2. Ensure that its directors and senior management have good reputation, integrity, and a proven track record.

3. Have constitutional documents (MoA and AoA) that expressly provide for compliance with statutory obligations, which cannot be amended without prior approval of the Board.

4. Structure its operations to safeguard the interests of data principals.

5. Obtain independent certification confirming compliance of its platform with standards prescribed by the Board and the existence of appropriate technical and organisational measures to meet legal requirements.

The Board may conduct an inquiry and, if satisfied, publish the application and grant registration under Section 6(9) of the Act.

Once registered, a Consent Manager under Part B of the First Schedule to Rule 4, is required to:

1. Provide a secure platform (through a website or application) enabling Data Principals to give, manage, and withdraw consent for processing of their personal data.

2. Facilitate data sharing without accessing or viewing the content of personal data, and maintain detailed, machine-readable records of consent actions, notices, and data sharing activities, accessible to Data Principals and retained for at least seven years.

3. Act in a fiduciary capacity, avoid conflicts of interest with Data Fiduciaries, refrain from subcontracting its functions, and disclose ownership and management details on its website, including shareholders holding more than 2%.

4. Implement strong security safeguards, conduct periodic audits of its operations, technology, and legal compliance, report findings to the Board, and obtain prior approval before any sale, merger, or transfer of control.

In case of non-compliance, the Board must provide an opportunity of hearing and may direct corrective measures or suspend or cancel registration where necessary to protect the interests of data principals under Section 27(1)(d). The Board may also require the consent manager to furnish information to verify compliance.

Takeaway: In short, when both phases are seen together, they first establish the administrative authority and its registered officers for the proper implementation of the Act.

Stay connected to know about Phase 3.


Thank you for reading our blog! We’d love to hear from you! 🙂

  • Are you interested in IP facts?
  • Would you like to know more about how IP affects everyday lives?
  • Have any questions or topics you’d like us to cover?

Send us your thoughts at info@thepalaw.com. We’d love to hear your thoughts!
