Down to Earth 28 January 2026 governance

Data Privacy Day 2026: India's DPDP Rules Now Active; Full Compliance Deadline May 2027

Q: What is Data Privacy Day 2026 and what is the status of India's DPDP Rules?

**Data Privacy Day** is observed on **January 28** every year, commemorating the **Council of Europe Convention 108 (1981)** — the first international treaty for data protection. In India, **Data Privacy Day 2026** was significant because the **Digital Personal Data Protection (DPDP) Rules** under the **DPDP Act 2023** became active, with the **full compliance deadline set for March 2026**. This marks India's transition from the old **IT Act 2000** framework to a comprehensive data protection regime.

Q: What is the Digital Personal Data Protection (DPDP) Act 2023 and what does it regulate?

The **DPDP Act 2023** — India's first dedicated **personal data protection law** — creates a framework for: (1) **Data Principal rights** — consent, correction, erasure; (2) **Data Fiduciary obligations** — purpose limitation, storage limitation, security; (3) **Significant Data Fiduciaries** — enhanced obligations for companies with large data processing; (4) **Cross-border data transfers** — list of approved countries; (5) **Data Protection Board (DPB)** — adjudicatory body; and (6) **Penalties up to ₹250 crore** for violations. Children under 18 get special protections.

Q: What are the key obligations of companies under India's DPDP Act 2023?

Under the **DPDP Act 2023**, companies ('Data Fiduciaries') must: (1) obtain **valid consent** for data processing (clear, specific, informed); (2) **purpose limitation** — collect only what's needed; (3) **data minimization** — not collect excessive data; (4) **data accuracy** — ensure data is correct; (5) **storage limitation** — delete data when no longer needed; (6) **security safeguards** — prevent breaches; (7) **breach notification** — inform Data Protection Board and data principals of breaches; and (8) appoint a **Data Protection Officer (DPO)** for Significant Data Fiduciaries.

Q: What is the Data Protection Board of India and what powers does it have?

The **Data Protection Board of India (DPB)** under the **DPDP Act 2023** is India's regulatory body for personal data protection. Its powers: (1) **Investigate** complaints by data principals; (2) **Issue directions** to data fiduciaries for compliance; (3) **Impose penalties** — up to ₹250 crore per violation (₹200 crore for breach notification failure, ₹250 crore for children's data violations); (4) **Voluntary undertakings** — settlement mechanism; (5) **Block non-compliant services**. The DPB functions digitally without physical hearings.

Q: How does India's DPDP Act 2023 compare with GDPR and global data protection standards?

**India's DPDP Act vs EU's GDPR**: Similarities — consent-based, data principal rights, data fiduciary accountability, penalties. Differences: (1) GDPR covers both **personal and non-personal** data; DPDP covers only personal data; (2) GDPR has **'legitimate interests' basis**; DPDP relies primarily on consent; (3) DPDP explicitly allows **government data processing** exemptions more broadly; (4) GDPR penalties can be **4% of global turnover** (potentially billions); DPDP caps at ₹250 crore. India's DPDP is considered **less stringent** but more adaptable to developing-country business realities.

Data Privacy Day: India's DPDP Rules active; Data Protection Board operational; full compliance by May 2027.

Down to Earth News

tsaaro.com

Key Points for RAS

International Data Privacy Day observed on January 28, 2026; DPDP Rules 2025 being implemented in phases
Data Protection Board of India (DPBI) is active; full compliance deadline is May 13, 2027
Key provisions: mandatory consent management, data breach notification within 72 hours, cross-border data transfer restrictions
Penalties up to ₹250 crore for violations; rules apply to both government and private sector entities
India joins 137 countries worldwide with comprehensive data protection legislation

International Data Privacy Day was observed on January 28, 2026, with special significance for India as the Digital Personal Data Protection (DPDP) Rules 2025, approved by Parliament in November 2025, are now formally being implemented in phases. The Data Protection Board of India (DPBI) is active, with full compliance deadline set for May 13, 2027.

Key provisions include mandatory consent management for data collection, data breach notification within 72 hours, restrictions on cross-border data transfers, and significant penalties up to ₹250 crore for violations. The rules apply to both government and private sector entities processing digital personal data. India joins 137 countries worldwide that have enacted comprehensive data protection legislation.

Report Issue

Frequently Asked Questions

1 What is Data Privacy Day 2026 and what is the status of India's DPDP Rules?

Data Privacy Day is observed on January 28 every year, commemorating the Council of Europe Convention 108 (1981) — the first international treaty for data protection. In India, Data Privacy Day 2026 was significant because the Digital Personal Data Protection (DPDP) Rules under the DPDP Act 2023 became active, with the full compliance deadline set for March 2026. This marks India's transition from the old IT Act 2000 framework to a comprehensive data protection regime.

2 What is the Digital Personal Data Protection (DPDP) Act 2023 and what does it regulate?

The DPDP Act 2023 — India's first dedicated personal data protection law — creates a framework for: (1) Data Principal rights — consent, correction, erasure; (2) Data Fiduciary obligations — purpose limitation, storage limitation, security; (3) Significant Data Fiduciaries — enhanced obligations for companies with large data processing; (4) Cross-border data transfers — list of approved countries; (5) Data Protection Board (DPB) — adjudicatory body; and (6) Penalties up to ₹250 crore for violations. Children under 18 get special protections.

3 What are the key obligations of companies under India's DPDP Act 2023?

Under the DPDP Act 2023, companies ('Data Fiduciaries') must: (1) obtain valid consent for data processing (clear, specific, informed); (2) purpose limitation — collect only what's needed; (3) data minimization — not collect excessive data; (4) data accuracy — ensure data is correct; (5) storage limitation — delete data when no longer needed; (6) security safeguards — prevent breaches; (7) breach notification — inform Data Protection Board and data principals of breaches; and (8) appoint a Data Protection Officer (DPO) for Significant Data Fiduciaries.

4 What is the Data Protection Board of India and what powers does it have?

The Data Protection Board of India (DPB) under the DPDP Act 2023 is India's regulatory body for personal data protection. Its powers: (1) Investigate complaints by data principals; (2) Issue directions to data fiduciaries for compliance; (3) Impose penalties — up to ₹250 crore per violation (₹200 crore for breach notification failure, ₹250 crore for children's data violations); (4) Voluntary undertakings — settlement mechanism; (5) Block non-compliant services. The DPB functions digitally without physical hearings.

5 How does India's DPDP Act 2023 compare with GDPR and global data protection standards?

India's DPDP Act vs EU's GDPR: Similarities — consent-based, data principal rights, data fiduciary accountability, penalties. Differences: (1) GDPR covers both personal and non-personal data; DPDP covers only personal data; (2) GDPR has 'legitimate interests' basis; DPDP relies primarily on consent; (3) DPDP explicitly allows government data processing exemptions more broadly; (4) GDPR penalties can be 4% of global turnover (potentially billions); DPDP caps at ₹250 crore. India's DPDP is considered less stringent but more adaptable to developing-country business realities.

Syllabus Topics

Subjects

Science & TechnologyCurrent Affairs