C&M E-Alert: THE IMPLEMENTATION TIMELINE FOR THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The Digital Personal Data Protection Rules, 2025 (“Rules”) along with a separate notification providing details on the phased framework for the implementation of obligations under the Digital Personal Data Protection Act, 2023 (“Act”) have been notified and published on the E-Gazette on 13 November 2025.

The notification follows a structured, multi-phase wise implementation approach. Only a few governance and administrative provisions under the Act take effect immediately, while other obligations particularly those relating to notice, consent, rights of data principals, cross-border transfers and responsibilities of data fiduciaries and significant data fiduciary will become enforceable after the defined transition periods.

In the efforts to provide clarity and to support organisations in planning and aligning their compliance programmes, this e-alert outlines the statutory timeline that governs the implementation of various provisions under the Act.

 The provisions under the following sections of the Act are already in force as on 13 November 2025:

• Section 1 – Short title and commencement

• Section 2 – Definitions

• Sections 18 to 26 – Covering Chapter V – Data Protection Board of India

• Section 35 – Protection of action taken in good faith

• Sections 38 to 43 – Covering miscellaneous provisions like consistence with laws, power to make rules and power to remove difficulties

• Sections 44 (1) and (2) – Amendments to Telecom Regulatory Authority of India Act, 1997 and Right to Information Act, 2005

• Sections 6(9) and 27(1)(d) – The sections of the Act have provisions on the registration and responsibility of Consent Manager in cases of data breach.

These are the core operational obligations under the Act:

• Section 3 – Application of the Act

• Section 4 – Grounds for processing personal data

• Section 5 – Notice obligations

• Section 6(1), 6(8) and 6(10) – Consent and role of Consent Manager

• Section 7 – Certain legitimate uses

• Section 8 – General obligations of Data Fiduciary

• Section 9 – Processing of personal data of children

• Section 10 – Additional obligations of Significant Data Fiduciary

• Sections 11 to 15 – Covering Chapter III – Rights and duties of Data Principal

• Section 16 – Processing of personal data outside India

• Section 17 – Exemptions

• Sections 27 & 28 – Covering Chapter VI - Powers, functions and procedure to be followed by Board (Exception: Section 27(1)(d) – role of Consent Manager for a breach)

• Sections 29 to 32 – Covering Chapter VII – Appeals and alternate dispute resolution

• Sections 33 & 34 –Penalties and Adjudication – Penalties range from INR 50 Cr (USD 5.63 million) to INR 250 Cr (USD 28.17 million)

• Sections 36,37 and 44(2) – Covering certain power of Central Government regarding call for information, issue directions and amendments to the Information Technology Act, 2000.

*********

Should you have any queries or comments on this alert please visit our LinkedIn page. You may also contact the authors below.