
India’s stalled data protection law fuels business uncertainty


Siechem Technologies’ vice president of legal, Pooja Damodaran, and legal associate Sailesh Neelakantan explore the uncertain space left by the delay in implementation of privacy laws released in 2023

The journey towards a strong data protection framework in India has been long. The Digital Personal Data Protection Act (DPDP Act) received presidential assent in August 2023. But more than two years have passed, and the law still remains inactive, as the central government is yet to issue the notification under section 1(2) of the DPDP Act that would bring the act into force.

As digital transformation accelerates across industries, the absence of a functioning privacy legislation increasingly exposes businesses to regulatory uncertainty and operational risk. This has left India in an unusual situation, where a comprehensive privacy framework exists on paper but remains without legal effect despite rising public and judicial pressure to operationalise it.

The Information Technology Act, 2000 (IT Act), governs electronic records, cyber offences, and limited data security, addressing personal data protection only incidentally through the IT Rules, 2011. These apply to “body corporates” handling sensitive data, but grant no rights to individuals or accountability for data use.

The DPDP Act, 2023, marks a shift from a security-based to a rights-based framework, treating personal data as part of individual autonomy. It defines lawful processing, data fiduciary duties, user rights, and cross-border transfer norms, areas largely absent in the IT Act. This paradigm shift from organisational responsibility to individual empowerment places India in closer alignment with global privacy regimes, yet the delay in activation continues to erode its intended impact.

Concerned judiciary

Recently, this delay by the government was criticised by Delhi High Court, which questioned why the DPDP Act had not yet been implemented. The court stressed the urgency of enforcing data protection laws, asking whether the notification required for its implementation is even being contemplated.

From a business perspective, the court’s observations highlight the core issue: legal frameworks exist in form, but their implementation continues to be deferred.

TIMELINE

2017: The Supreme Court’s decision, in Justice KS Puttaswamy v Union of India, affirmed privacy as a fundamental right and provided the momentum for a statutory data protection framework.

2017 to 2018: The central government constituted a committee of experts, chaired by Justice BN Srikrishna, to explore legislation on privacy. The committee submitted a comprehensive draft data protection framework and recommendations to the government in 2018, which guided subsequent draft bills.

2019 to 2022: Multiple iterations of a Personal Data Protection Bill were introduced and debated, reflecting stakeholder consultations and successive revisions.

2023: The DPDP Act was published in August 2023, after receiving the presidential assent, but required notification of a commencement date and rules to become operative.

2025: The government released draft rules in January 2025, and invited feedback and comments from the public and stakeholders on cross-border transfer provisions and breach reporting timelines. Much of this consultation focused on contentious areas, including these two and exemptions for government entities. Despite extensive submissions and multiple stakeholder meetings, final notification remained pending as of September 2025, leaving organisations uncertain about compliance expectations.

Business uncertainty

The high court’s comments point to the main issue here: the presence of a data protection law that is not enforceable. This delay has created a policy vacuum, with companies not being able to rely on consistent standards or guidance on enforcement.

This results in delayed investments in technology, personnel and third-party audits needed for compliance, while some companies have already incurred costs to enhance privacy safeguards without a clear understanding of the final rules.

Businesses are left without any clarity about what compliance currently entails, and whether they need to ensure that their systems align with existing governance models such as: the IT Rules, 2011; ISO 27001; and EU General Data Protection Regulation-style (GDPR) frameworks; or instead wait until the DPDP Act and its rules are formally notified.

The dilemma reflects India’s transitional phase in the data governance regime, where many entities have adopted interim best practices drawn from international standards. This uncertainty continues to delay implementation timelines and inflate compliance costs, and once the DPDP Act is finally notified, most organisations will have to revisit and recalibrate these interim frameworks to achieve full statutory compliance.

Sectoral regulators have begun imposing privacy obligations in the absence of the DPDP framework. For instance, financial institutions are governed by the Reserve Bank of India’s (RBI) data localisation and cybersecurity mandates, while the Telecom Cyber Security Rules govern the telecom sector.

This approach has led to regulatory overlap, inconsistent enforcement, and confusion over which authority prevails in the event of a conflict. For multinational businesses operating in India, this ambiguity complicates risk assessment and contract negotiations, with international clients demanding data protection guarantees equivalent to GDPR standards.

Data breaches make headlines almost daily, yet in the absence of active enforcement many organisations treat privacy as a secondary concern. Increasing regulatory attention and growing public scrutiny mean responsible companies are seen as more credible and trustworthy with personal data.

Although India offers no fiscal incentives for privacy or compliance, a model such as Singapore’s funding support for cybersecurity adoption through its productivity solutions grant for cybersecurity is a policy initiative that India can learn from.

The Indian computer emergency response team (CERT-In), operating under the Ministry of Electronics and Information Technology, has, however, imposed supplementary obligations that overlap with data protection compliance.

Through its directions in April 2022, CERT-In requires companies to report any cybersecurity incidents involving personal data within six hours of discovery. Although framed as cybersecurity measures, they also govern personal data management, highlighting the overlap between privacy and security.

In practice, this has created a quasi-compliance environment where companies are compelled to implement privacy and breach management measures in anticipation of the DPDP Act’s eventual enforcement, even without the formal legal mandate.

Expectations and impact

Data protection has become a global business imperative. International partners increasingly expect Indian companies to uphold privacy standards comparable to European and American frameworks. Delays in implementing robust data protection laws could make India appear to be falling behind, potentially undermining cross-border opportunities and international trust.

Consumers are becoming more conscious of their information not being protected. With every major breach, people tend to ask more questions about how their data is used and stored.

For instance, recent high-profile data breaches in India such as the exposure of more than 810 million citizens’ Aadhaar (unique identity details) and passport details from a government database in 2023; and the 2024 cyberattack that targeted a crypto exchange and led to losses worth INR20 billion (USD22.7 million) have demonstrated the widespread vulnerability of data systems.

More recently, business-focused incidents such as the 2025 Angel One leak, where its Amazon Web Services resources were compromised; and the 2024 audio products giant boAt’s data breach where personally identifiable information including names, addresses, contact numbers, email IDs and customer IDs of 7.5 million customers became available for purchase on the dark web, have reignited calls for accountability and reinforced the need for a functioning data protection authority.

These incidents illustrate the risks businesses face not only in regulatory terms, but also in reputation and customer trust. The lack of clear legal safeguards has caused businesses to come under pressure to be more transparent with their data storage mechanisms. Meanwhile, the RBI continues to enforce stringent data localisation norms for payment systems, and has launched the IFS Cloud framework to ensure financial-sector data remains within domestic infrastructure, operating parallel to, and often stricter than, the DPDP framework.

This fragmentation, where sectoral regulators move faster than the legislation, creates increased compliance burdens and varying levels of preparedness across industries. Companies that operate in multiple sectors must now navigate overlapping expectations, often resulting in duplicated efforts and inflated costs.

There is growing consensus among industry observers that the first phase of enforcement could be rolled out before the end of the financial year 2025-2026, given Delhi High Court’s direction and the government’s active engagement in finalising the draft rules. This may include the establishment of a Data Protection Board and the notification of select provisions related to data fiduciary obligations and breach reporting.

Prepare early

Businesses should use this time to strengthen privacy safeguards and handle personal data responsibly. Under section 1(2) of the DPDP Act, the central government may bring different provisions into effect on separate dates, allowing a staggered rollout.

While the draft rules do not specify a formal transition period, they indicate that compliance timelines and procedural obligations will be introduced in phases. Companies that prepare early are likely to transition smoothly, while others may face last-minute compliance pressure.

The way forward for Indian businesses lies in proactive compliance by conducting internal data audits, mapping data flows, and adopting data privacy principles even before the DPDP Act takes effect. Early movers can leverage compliance as a competitive advantage, projecting themselves as trustworthy partners in an increasingly data-conscious global economy.

The government, for its part, should provide clarity on enforcement timelines and possibly consider capacity building incentives, including training grants or digital compliance credits, to ease the transition for small and medium-sized enterprises.

Ultimately, India stands at a crossroads. A robust data protection law, once implemented, can transform its digital ecosystem, enhance consumer confidence, and align it with global economic expectations. The longer the delay, however, the greater the cost to business certainty, innovation and international credibility.
