
Impact Of India’s Personal Data Protection Act 2025


The Personal Data Protection Act (PDPA), 2025, is an expression of India's endeavour to become a data-secure digital economy. The law exists to protect individuals with respect to their personal data and to regulate its processing. Its philosophy rests on consent, accountability, and transparency.

As digital footprints multiplied and threats became more sophisticated, India needed a law that keeps pace with data-driven innovation on the one hand and safeguards individual rights on the other. Partly modelled on the European Union’s GDPR, the PDPA replaces the disjointed data protection provisions of the Information Technology Act, 2000, with a comprehensive legal framework.


What’s Changing Under the PDPA: 7 Most Important Features You Should Know

As someone working in tech law and handling client complaints around privacy violations, here are the most significant changes clients have been worried or excited about:

  • The Rules Apply to a Company Wherever It Is Located: Whether the data is processed within or outside the territory of India, the law applies to the personal data of any Indian living in India.
  • Bigger Companies Hold Bigger Responsibilities: Companies that deal with large amounts of sensitive data are now called Significant Data Fiduciaries (SDFs) and will be subject to stricter requirements. 
  • Consent Must Come First and with the Right to Withdraw: Consent shall be free, specific, informed, and unambiguous. The days of pre-checked boxes or concealed terms are long gone. 
  • You Can Ask for Your Data or Ask Them to Delete It: For the first time, individuals have legal rights to:
    • See what data is collected
    • Get it corrected or erased
    • File a complaint if something goes wrong
  • Companies Can’t Keep Your Data Forever: Once your data is no longer needed, it must be deleted.
  • Data Can Cross Borders: The government will notify which countries are okay for storing Indian data.
  • There’s Now a Dedicated Watchdog: The Data Protection Board of India (DPBI) will investigate breaches and issue penalties.

What This Means for You as a Citizen: More Power Over Your Personal Data

Before PDPA, there was a client whose personal data was misused by a fintech app. Despite multiple complaints, there was no legal structure to force the company to delete his information. Now, with PDPA, he can demand removal and seek damages.

Your New Rights:

  • Know who has your data
  • Ask for corrections
  • Get it deleted
  • Nominate someone to manage it after your death

Landmark Case: In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court of India decided that privacy is a fundamental right.

Running a Business? Here’s Why the PDPA Will Keep You Up at Night

As a lawyer advising tech startups and marketing agencies, here’s what founders are asking after reading the Act:

“Do we need a Data Protection Officer now?”

“Can we still use customer data for retargeting ads?”

“Will this increase compliance costs?”

The answer? Yes, yes, and definitely yes.

For Businesses, This Means:

  • Conduct data audits
  • Collect valid and documented consent
  • Hire a Data Protection Officer 
  • Face penalties up to ₹250 crore for violations

Case in Point: In Google India Pvt. Ltd. v. Visaka Industries (2020), the court hinted at platform responsibility in handling user data. PDPA now makes that responsibility a legal requirement.

Even the Government Isn’t Exempt (But with a Catch)

While the law applies to activities of both private and public bodies, Section 17 bestows upon the government the power to exempt agencies on the ground of national interest.

Case That Raised Questions: The lack of a legal framework for the collection of app data emerged as a serious problem in Internet Freedom Foundation v. Union of India (2021).


How Will Different Industries Need to Change?

Tech and IT: Privacy by Design or Get Left Behind

Companies like Infosys, TCS, and startups must now embed privacy settings into the core of their platforms, not bolt them on later.

E-Commerce and Digital Ads: No More Sneaky Tracking

From Flipkart to Facebook ads, everyone must now:

  • Get clear consent for marketing
  • Offer opt-outs for personalized ads
  • Maintain a log of consent history

Fintech and Banking: Encryption Isn’t Optional Anymore

You’ll need:

  • End-to-end encryption
  • Audit trails for every data use
  • No sharing with third parties unless users say yes

One client in lending lost ₹15 lakh in a cyber breach, and still couldn’t sue the data processor. Under PDPA, the same breach would bring legal and financial consequences.

Healthcare: Medical Data is Sacred

Hospitals, apps like Practo, and diagnostic labs must:

  • Anonymize data
  • Obtain explicit consent
  • Store health data with confidentiality protocols

Case Reference: In Mr. X v. Hospital Z (1998), the Court ruled that medical privacy is non-negotiable. The PDPA reinforces that principle.

Data Protection Board of India

What can it do?

  • Investigate data misuse
  • Issue directions
  • Penalize violators (up to ₹250 crore)
  • Suspend data processing rights

Even startups handling basic customer info must:

  • Build a grievance redressal portal
  • Maintain logs of data processing activities
  • Be ready for a DPBI audit at any time

How Does India’s PDPA Compare with Europe’s GDPR?

| Feature | GDPR (EU) | PDPA (India) |
|---|---|---|
| Consent | Mandatory and granular | Mandatory, slightly simplified |
| Data Transfers | Controlled | Allowed to notified countries |
| Penalty Cap | €20 million / 4% global turnover | ₹250 crore |
| Right to Port Data | Yes | No |
| Watchdog Structure | Independent Authorities | Centralized DPBI |

Criticism You Should Be Aware Of

  • Too Much Power to the Government: Critics worry about broad exemptions under Section 17 that may allow surveillance.
  • Lack of Independence: Because the DPBI is appointed by the government, its enforcement is questionable.
  • An Absence of Rights: Unlike the GDPR, the PDPA does not guarantee data portability or restrict automated profiling.

What are the Next Real-World Legal Challenges? 

  • Expect PILs challenging government exemptions
  • Courts will define what counts as legitimate use
  • Startups will see investors demanding data compliance roadmaps

Conclusion

The Personal Data Protection Act, 2025, gives you something you never had before, a legal say over your digital identity. For businesses, it’s a compliance challenge. For citizens, it’s a chance to reclaim privacy.

“Privacy is not a privilege. It’s your right. And now, it’s the law.”


FAQs

1. According to PDPA 2025, what is a Significant Data Fiduciary?

An institution that manages sensitive or extensive personal data is known as a Significant Data Fiduciary. Such entities are subject to additional compliance requirements such as impact assessments, data audits, and appointing a Data Protection Officer.

2. Can I take legal action if a company misuses my personal data?

Yes. You can file a complaint with the Data Protection Board of India; if the Board finds a violation, it may impose penalties and direct the company to cease the violation.

3. Is PDPA 2025 applicable to small businesses or startups?

Yes. Regardless of their size, all businesses dealing with the digital personal data of residents of India will have to comply with the PDPA. Startups will have to obtain valid consent, ensure secure processing, and provide mechanisms for grievance redressal.
