
An Overview of India’s 2025 Digital Personal Data Protection Law: Part II

As discussed in our last article, Phase 1 of India’s digital personal data protection law is already in force and the registration of consent managers under Phase 2 is due to be enforced later this year. Let us now understand the final and most important phase of this law, i.e. Phase 3.

Phase 3 brings in two things:

1. Consequential amendments to the IT Act, 2000: Section 43A is omitted, the corresponding rule-making clause in Section 87 is omitted, and a reference to the Digital Personal Data Protection Act, 2023 (the “Act”) is inserted in the proviso to Section 81 of the IT Act, 2000.

2. The responsibilities, rights and procedures that need to be followed by all the parties mentioned in the Act.

Phase 3 becomes applicable 18 months from the date of publication of the Gazette Notification. This means that by May 2027 the whole law will be applicable and the following will need to be implemented.

A. Consent and Notices:

Under Section 3 of the Act, personal data that is collected digitally, or collected in physical form and later digitised, comes under the ambit of this Act. The Act also applies to processing carried out outside India if it is connected with offering goods or services to individuals located in India. A few things to be kept in mind:

1. Under Section 4 of the Act, personal data may be processed only for a lawful purpose, and only either with the data principal’s consent or for the “certain legitimate uses” listed in Section 7 of the Act (such as medical emergencies or specified government functions).

2. Personal data collected from the data principal may be used only after the data principal consents to it, and such consent must be preceded by a notice. If consent was obtained before this Act came into force, the notice still needs to be given, as soon as it is reasonably practicable.

3. These notices need to be drafted and implemented carefully, in accordance with Sections 5 and 6 of the Act and Rule 3 of the Digital Personal Data Protection Rules, 2025 (the “Rules”). According to these provisions,

a) A Notice needs to show:

  • What data is being collected, why it is being processed, and the specific goods or services that will be provided as a result.
  • How can data principals exercise their rights? Like withdrawing consent.
  • How to make a complaint to the Data Protection Board (the “Board“)?

b) In addition to this, such consent or notice:

  • Needs to be free, specific, informed, unconditional and unambiguous.
  • Cover data usage only for the specific purpose mentioned in the notice.
  • Should not cover more data than is actually necessary for that purpose. For example, a food delivery app cannot require access to the phone’s contact list just to deliver a pizza.
  • Should be in plain and simple language.
  • Should be available to read in English or any of the 22 languages specified in the Eighth Schedule of the Indian Constitution.
  • Should not contain a clause that breaks this law or any other Indian law. For instance, if a company asks the data principal to “waive their right to complain to the Board”, that part of the agreement does not count and is treated as invalid, even if the data principal clicks “agree”.
  • Should provide contact details for a data protection officer, or another person the data principal can approach about their data rights.
  • Should provide a direct communication link to the fiduciary’s website or app.
  • And the consent should be withdrawable by the data principal at any time, as easily as it was given. After withdrawal, the data fiduciary (and any data processor it has engaged) must stop processing the data principal’s personal data within a reasonable time and erase it, unless another law requires it to be retained. Processing carried out before the withdrawal remains lawful, and the data principal bears the consequences of withdrawing (for example, losing the service that depended on the data).
  • In case the data collected and used relates:
    • To a child, i.e. anyone under 18: under Rule 10, the fiduciary must obtain “verifiable consent” from a parent or lawful guardian. This also means checking that the person giving consent is an identifiable adult, for instance using reliable identity details or a virtual token (such as one issued through a Digital Locker).
    • To a person with a disability who has a lawful guardian: under Rule 11, the data fiduciary must verify that the guardian was appointed by a court or by another authority empowered under the applicable law.

c) Exceptions to the consent requirement: Under Sections 3(c), 7 and 17(1), (2) and (3) of the Act and Rules 5, 12, 16 and 23 of the Rules, consent is not required (or the Act’s requirements are relaxed) if the data is used:

  • Purely for personal or domestic use, such as a private contact list, or where the data principal has voluntarily provided the data for a specific purpose (like giving a pharmacist a phone number for a receipt).
  • For government subsidies and benefits, medical emergencies, disasters, and employment purposes.
  • For national security, sovereignty, or to perform duties required by law.
  • For health purposes, like clinics and doctors providing medical care.
  • For educational purposes, like schools carrying out educational activities.
  • For safety purposes, like tracking the location of a child for their protection, such as on a school bus.
  • If the data is needed to enforce a legal right, for a court case, or to investigate a crime, in which case these requirements do not apply.
  • If two fiduciaries are merging or splitting up through a court-approved process, they can process data as needed for that transition.
  • If a lender needs to ascertain the financial information and assets of a borrower who has defaulted on a loan.
  • Or if the data is being used for research, archiving or statistical purposes (not targeting any particular data principal), as long as it is handled according to the standards specified in the Second Schedule of the Rules; and the Central Government can also notify startups or other classes of data fiduciaries as exempt from certain provisions, so that they are not overwhelmed by paperwork.

B. Rights and Obligations:

Each party has the following roles and responsibilities under the Act: 

1. Data Fiduciaries: Under Section 8 of the Act, they would be fully responsible for handling the data, even if they hire a data processor to process it. They must ensure that:

a) The data is accurate and complete. 

b) There are reasonable security safeguards to prevent breaches, like encryption, masking or tokenisation of the data, access control, logging and monitoring to detect unauthorised access, retention of those logs for at least one year, and backups, as per Rule 6. Where a data processor is engaged, the contract with it must require the same safeguards.

c) Data breaches are notified without delay to both the affected data principals (via their user accounts or registered email/phone, explaining what happened, what risks they face and what they can do about it) and the Board (initially without delay, followed within 72 hours of becoming aware of the breach, or such longer period as the Board allows, by details of how it happened and what is being done to fix it), as per Rule 7.

d) The data is erased once its purpose is served or consent is withdrawn, unless another law requires retention, as per Section 8(7) of the Act. For the classes of large data fiduciaries listed in the Third Schedule of the Rules (e-commerce, online gaming and social media platforms above the stated user thresholds), Rule 8 fixes a three-year period running from the last time the data principal approached the fiduciary, and the data principal must be informed at least 48 hours before the data is erased.

e) Contact information for a data protection officer based in India (or another designated person who can answer questions about the processing) is published on their website or app, as per the Rules.

f) A grievance redressal mechanism is established, as required by Section 13 of the Act; the Rules require grievances to be responded to within 90 days.

And if it is a significant data fiduciary, then along with the Section 8 requirements, extra steps under Section 10 of the Act apply, like appointing a data protection officer based in India and an independent auditor to check their compliance every year. Apart from this, under Rule 13 significant data fiduciaries must also conduct periodic data protection impact assessments and audits, and take measures to ensure that their algorithmic software does not put data principals’ rights at risk.
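The two operational rules above that most often end up in code are the withdrawal rule in A.3(b) (stop processing at once, erase unless another law requires retention) and the erasure-with-notice rule in B.1(d) (a fixed inactivity period, with the data principal informed at least 48 hours before erasure). The following Python retention scheduler is an added illustration of how a fiduciary might model them; it is not part of the original article, not PA Legal’s advice, and not a reading of the statute’s exact wording. The three-year period is counted as 1095 days for simplicity, and every name, the policy constants and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

# Assumed policy values for the example: the article's three-year Third Schedule
# period (simplified to 1095 days) and the 48-hour pre-erasure notice under Rule 8.
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_WINDOW = timedelta(hours=48)
UTC = timezone.utc


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper to build UTC timestamps for the sample data and checks."""
    return datetime(year, month, day, hour, tzinfo=UTC)


@dataclass
class PersonalDataRecord:
    """One data principal's record as held by a fiduciary (assumed schema)."""
    principal_id: str
    last_interaction: datetime              # last time the principal approached the fiduciary
    consent_withdrawn_at: Optional[datetime] = None
    legal_hold: bool = False                # another law requires the data to be kept
    notice_sent_at: Optional[datetime] = None


class Decision(NamedTuple):
    processing_allowed: bool   # may the fiduciary keep processing for the original purpose?
    action: str                # retain | notify | erase | retain_legal_hold


def decide(rec: PersonalDataRecord, now: datetime) -> Decision:
    """Apply the withdrawal rule first, then the inactivity clock."""
    # Withdrawal: processing stops at once; data is erased unless a legal hold applies.
    if rec.consent_withdrawn_at is not None and now >= rec.consent_withdrawn_at:
        if rec.legal_hold:
            return Decision(False, "retain_legal_hold")
        return Decision(False, "erase")

    deadline = rec.last_interaction + INACTIVITY_PERIOD
    # Well inside the period: nothing to do.
    if now < deadline - NOTICE_WINDOW:
        return Decision(True, "retain")
    # Within 48 hours of the deadline (or past it) and the principal has not been told yet.
    if rec.notice_sent_at is None:
        return Decision(True, "notify")
    # Erase only after both the period and a full 48 hours since the notice have elapsed,
    # so a late notice still gives the principal the whole window.
    if now >= max(deadline, rec.notice_sent_at + NOTICE_WINDOW):
        return Decision(True, "retain_legal_hold" if rec.legal_hold else "erase")
    return Decision(True, "retain")


def record_interaction(rec: PersonalDataRecord, when: datetime) -> None:
    """The principal approached the fiduciary again: restart the clock, void any pending notice."""
    rec.last_interaction = when
    rec.notice_sent_at = None


def retention_pass(records: List[PersonalDataRecord], now: datetime) -> Dict[str, str]:
    """One scheduler run: returns the action per principal and marks notices as sent."""
    actions: Dict[str, str] = {}
    for rec in records:
        d = decide(rec, now)
        if d.action == "notify":
            rec.notice_sent_at = now        # a real system would send the notice here
        actions[rec.principal_id] = d.action
    return actions


# Constructed sample data, not taken from any real system.
SAMPLE = [
    PersonalDataRecord("p1", at(2022, 1, 1)),                                   # dormant since 2022
    PersonalDataRecord("p2", at(2024, 6, 1)),                                   # active user
    PersonalDataRecord("p3", at(2023, 1, 1), consent_withdrawn_at=at(2024, 3, 1)),
    PersonalDataRecord("p4", at(2023, 1, 1), consent_withdrawn_at=at(2024, 3, 1),
                       legal_hold=True),                                        # withdrew, but hold
]

if __name__ == "__main__":
    print(retention_pass(SAMPLE, at(2024, 12, 30, 12)))
    # → {'p1': 'notify', 'p2': 'retain', 'p3': 'erase', 'p4': 'retain_legal_hold'}
```

The ordering matters: a withdrawal is checked before the inactivity clock because it stops processing immediately regardless of how recently the principal was active, while a legal hold only blocks erasure, never re-enables processing. Erasure after a notice is gated on both the period end and 48 hours since the notice was actually sent, so a scheduler that fell behind cannot erase early.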

2. Data Principal: Apart from having rights over their personal data generally, a data principal would have the right to:

a) Ask the data fiduciary for a summary of the data used and a list of all other fiduciaries they have shared the data with, under Section 11 of the Act.

b) Ask the data fiduciary to fix wrong information, update old data, or delete the data entirely once it is no longer needed, under Section 12 of the Act.

c) Name another person (a nominee) who can exercise the data principal’s rights in the event of their death or incapacity, under Section 14 of the Act.

However at the same time, such data principal under Section 15 of the Act also needs to:

a) Obey and follow all applicable laws while using the rights.

b) Be honest about themselves and their data and not hide important information when providing identity or address to the government.

c) Not file false or frivolous complaints against a data fiduciary or with the Board.

d) Provide information that is verifiable and authentic, in situations like fixing or deleting the data.

3. Central Government: In relation to personal data, the Central Government has the power to:

a) Restrict where the data goes. Specifically, under Section 16 of the Act and Rule 15, the Central Government can notify a list of countries or territories to which fiduciaries are forbidden from transferring personal data for processing. This does not override any other Indian law that has even stricter rules about sending data abroad.

b) Process the data: The Central Government, State Governments and their instrumentalities can also process personal data under Section 7(b) of the Act and Rule 5 in order to provide subsidies, benefits, services, certificates, licences or permits, whether the benefit is required by law, part of a government policy, or funded by public money.

c) Block access to a data fiduciary’s platform: The Central Government can block public access to the platforms (website/app) of a data fiduciary under Section 37 of the Act if:

  • The Board informs the Central Government that the data fiduciary has been penalised on two or more occasions and advises blocking, and the Government is satisfied that blocking is necessary in the interests of the general public.
  • Before blocking, the data fiduciary must be given an opportunity to be heard. Once a blocking order is issued, intermediaries (internet service providers, app stores and similar platforms) must comply and stop the information from being accessed.
  • Separately, under Section 36 of the Act and Rule 23, the Central Government can call for information from data fiduciaries or intermediaries (like social media platforms or apps), and the data fiduciary must provide such information within the time specified.
  • If the request relates to India’s sovereignty, integrity or security, the Government can direct that it be kept confidential. This includes not informing the data principal about the disclosure of their data, unless the Government gives written permission.

4. Data Protection Board: To ensure that data fiduciaries and consent managers comply with their obligations, the Board, under Section 27 of the Act, has the power to inquire, issue directions and impose monetary penalties (if required) in situations involving:

a) Data breaches reported by the data fiduciaries

b) Complaints made by the data principal against data fiduciaries. Including any references made by the Central/State Government or directions given by the Court, in relation to data breach.

c) Complaints made by the data principal against consent managers.

And also references made by the Central Government about a breach of any direction it has given to an intermediary. However, before passing any order, the Board gives the relevant party an opportunity of hearing. If an order affects another party, the Board can modify, suspend or cancel that order, and it can also do so at the request of the Central Government.

Most of the complaints and hearings would happen online. If a complaint is filed with the Board then under Section 28 of the Act, they first check if there is enough evidence to start an inquiry. If there isn’t, the case is closed; if there is, they start a formal investigation. 

During an inquiry, the Board has the same powers as a civil court. They can ask people to show up and testify under oath, and demand to see documents or data. But along with this, they must be fair (following “principles of natural justice”) and record their reasons for every decision. They can also issue interim orders (temporary rules) while the investigation is still going on.

In case a penalty is imposed, then under Section 33 of the Act the amount of the penalty is decided by the Board having regard to:

a) how serious the breach was and how long it lasted;

b) what kind of personal data was involved;

c) whether the data fiduciary gained from the breach, and whether it took steps to mitigate it; and

d) whether the penalty is proportionate and high enough to discourage a repeat.

All penalties collected are credited to the Consolidated Fund of India under Section 34 of the Act, which is the central government’s main account.

5. Appeals and Alternative Resolution: If one is not satisfied with the Board’s orders, or wishes to resolve a proceeding without a full penalty process, there are the following alternatives:

a) Appeal to the Telecom Dispute Settlement and Appellate Tribunal:

  • Under Section 29 of the Act, one can appeal to the Appellate Tribunal (i.e. the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997) within 60 days of the order being passed.
  • The Tribunal acts as a “digital office”, meaning most of the procedure, including the filing of the appeal (along with a fee), is done online.
  • The Tribunal is not bound by the Code of Civil Procedure; it is guided by the principles of “natural justice” and can regulate its own procedure.
  • Once an appeal is filed, the Tribunal must endeavour to dispose of it within six months and record in writing its reasons for any delay. The Tribunal can also transmit any order made by it to a civil court, which is then tasked with its execution.
  • Mediation: if the Board considers that a complaint could be resolved by mediation, then under Section 31 of the Act it can direct the parties to attempt it.

b) Voluntary Undertaking: Under Section 32 of the Act, if a data fiduciary offers a voluntary undertaking, i.e. a formal commitment to take specific actions (e.g. fixing a security flaw, or stopping a particular practice within a certain timeframe), at any stage of the proceedings and the Board accepts it, then the proceedings can be stopped. However, if the fiduciary breaches the undertaking, that breach is itself treated as a breach of the Act, and the Board can restart the penalty process.

In short, Phase 3 finalizes the DPDP framework. It specifies responsibilities and outlines how personal data must be handled in practice. The law as a whole is built on transparency and consent, requiring personal data to be collected, processed and retained lawfully, with clear notice and informed approval, except in the cases explicitly permitted under the Act and the Rules.

Author: Gautam Bhatia, Associate at PA Legal

