India’s long-delayed data protection regime finally came into force on Friday with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025 and the operationalisation of the Data Protection Board of India (DPBI). But even as the government set an 18-month countdown for full compliance, lawyers, policy analysts and digital rights groups warned that the heart of the privacy framework remains compromised by sweeping state exemptions and unresolved structural gaps.
On paper, the rules deepen requirements around consent, data notices, grievance timelines and safeguards for children. In practice, experts say, the government still retains the power to exempt any of its agencies from nearly all obligations, a provision that critics argue could leave citizens vulnerable even as companies face far tougher scrutiny.
Many practitioners praised the clarity and phased rollout. But across the board, experts stressed that operational refinements do not address the most serious flaw embedded in the DPDP Act: the government can declare broad exemptions for itself without independent oversight.
Apar Gupta of the Internet Freedom Foundation said the rules “dilute the Act’s spirit by allowing broad government exemptions and vague ‘legitimate uses’,” warning that the DPBI’s digital-by-default model “risks opaque justice” with little public accountability.
Privacy researchers argue that the problem is structural: the state possesses the ability to sit outside the very system it expects everyone else to comply with.
Some experts view the framework as a pragmatic, middle-ground model.
Prashant Phillips, Executive Partner at Lakshmikumaran & Sridharan Attorneys, said the notification “marks a major step towards operationalising India’s modern privacy framework,” noting that core principles such as transparency and accountability have been preserved. He added that clearer grievance timelines and enhanced safeguards for children “improve practical usability” and signal a commitment to a predictable, rights-oriented system.
Yet even those welcoming the clarity admit that the imbalance between state and corporate obligations casts a long shadow.
Nishith Desai Associates called the phased rollout “a masterstroke,” giving businesses 18 months to implement core compliance measures, while iSPIRT described consent managers as a potential “game changer” for user experience. But none of these improvements address how government departments themselves will be held accountable.
The rules mandate a 72-hour breach reporting window, aligning with global norms. But Sanjay Khan of Khaitan & Co flagged the absence of a materiality threshold: “No de minimis limit means companies may end up reporting every incident simply to avoid penalties,” he warned, potentially overwhelming the DPBI’s capacity.
The DPBI’s “digital tribunal” model also drew mixed reactions. Senior Advocate Sajan Poovayya called it “innovative,” but noted that appeals lie with TDSAT rather than the High Courts, limiting judicial oversight. Civil society groups remain uneasy that the Board’s membership and appointment processes lack transparency.
An Article 21 Trust researcher put it bluntly: “There is no public member, no independence guarantee, and no firewalls between the government and the adjudicator.”
The rules introduce tighter safeguards for children, including a ban on behavioural tracking and personalised advertising. UNICEF welcomed the provisions, but several experts pointed to the absence of prescribed technology standards for age verification.
Kazim Rizvi of The Dialogue warned that without technical guidelines, “verifiable parental consent will become a compliance roulette,” leading to inconsistent enforcement across platforms.
HealthTech startups also warned of potential disruption, arguing that ambiguous rules could harm teen mental-health apps and digital counselling services.
The government’s decision to avoid data localisation was widely welcomed. DSCI’s Rama Vedashree said the lack of a “negative list” for restricted countries is “a big win” for global firms. But this relief may be temporary.
A future blacklist — expected via executive order — could restrict transfers to countries such as China or Russia. AmCham India cautioned that this ambiguity creates regulatory uncertainty, particularly for cloud services and global payment platforms.
Rashmi Deshpande of Fountainhead Legal noted that cross-border transfer norms, along with the criteria for Significant Data Fiduciaries (SDFs), “remain entirely open,” and both will materially influence compliance strategies. Audit mandates for SDFs could hit early-stage startups especially hard, venture investors warned.
Harsh Walia of Khaitan & Co said the rules require consent notices to be “clear, plain, and independently understandable,” pushing organisations to overhaul their consent architecture. These stricter norms apply only to private entities; government departments may be exempt from similar obligations if so notified.
E-commerce and adtech sectors fear commercial fallout: itemised notices could reduce conversion rates, while bans on behavioural tracking for minors could harm targeted advertising models.
Despite disagreements, experts broadly agree that the DPDP Rules 2025 are more implementable and globally aligned than earlier drafts. Carnegie India’s Anirudh Burman described the law as a “Goldilocks framework” — less rigid than the GDPR but more uniform than the United States’ sectoral approach.
Yet even he conceded that “execution will decide whether this becomes a rights-oriented law or an instrument of broad administrative control.”
Across think tanks, law firms and rights groups, one concern remains consistent: a privacy law cannot truly protect rights when the state can exempt itself from its core obligations.
Until the government narrows exemption powers, clarifies cross-border rules, publishes age-verification standards and ensures an independent DPBI, India’s data-protection journey will remain what one expert called “a project half-finished — progressive in parts, permissive in others.”
