India

King Stubb & Kasiva has appointed Atul N Menon as a Partner in its Litigation and Dispute Resolution practice. Atul joins the Firm after being a Partner at SAGA Legal, and prior to that, he was Counsel at AZB & Partners, where he advised and represented clients in complex commercial and regulatory disputes. He holds a B.A. LL.B. (Hons.) from the National University of Advanced Legal Studies (NUALS), Kochi, and an LL.M. in International Dispute Resolution  from Queen Mary University of London. With over 13 years of experience, Atul has represented clients before the Supreme Court of India, several High Courts, and key regulatory and investigative forums, advising on a wide range of white-collar, financial, and audit-related criminal matters, in addition to arbitrations, civil suits, and shareholder disputes. He has advised and represented leading Indian and multinational corporations in high-stakes criminal investigations involving white-collar offences, financial irregularities, and auditing issues, appearing before courts as well as enforcement and investigation agencies. As a key member of litigation teams, Atul has been involved in some of the country’s most high-profile and transformative litigations, with notable successes in insider trading cases, money laundering investigations, and proceedings under foreign exchange laws. His experience also includes representing Chartered Accountants and Company Secretaries in sensitive regulatory and criminal matters. He has also acted for banks and financial institutions in recovery proceedings and has advised corporates on oppression and mismanagement, mergers, capital reductions, and restructuring matters. He also serves on the Advisory Council of the Indian Society of Artificial Intelligence and Law and is a member of the youth wings of leading international arbitration institutions, including YIAG, YICCA, and YMCIA. His work has been recognised through his inclusion in BW LegalWorld’s “40 Under 40” list of legal elites (2024) and his recognition as a “Future Star” for White-Collar Crime by Benchmark Litigation (2025). Commenting on Atul’s joining, Mr. Jidesh Kumar, Managing Partner of King Stubb & Kasiva, said: “We are delighted to welcome Atul to the partnership. His sharp litigation acumen, deep expertise in white-collar and regulatory matters, and extensive experience across courts and investigative forums bring immense value to our clients. At KSK, we continue to strengthen a future-ready disputes practice capable of handling complex, high-stakes, and evolving legal challenges.” Atul added, “I am pleased to join King Stubb & Kasiva at an important inflection point in the Firm’s growth. KSK’s strong credentials in complex litigation, white-collar, and regulatory matters, coupled with its progressive and collaborative culture, make it a compelling platform. I look forward to working with the team to further strengthen the disputes practice and to advising clients on high-stakes, strategically critical matters.”

The Delhi High Court has granted ex parte ad-interim relief in favour of Akira Desai alias Akira Nandan, restraining the unauthorised AI-generated misuse of his identity and infringement of his personality, publicity and privacy rights. The suit challenged large-scale creation and circulation of AI-generated and deepfake content, including fake accounts and misleading posts across digital platforms, falsely portraying the plaintiff as being associated with various cinematic and commercial projects. This included a full-length AI-generated film depicting him as a lead actor, resulting in public deception and unauthorised commercial exploitation. By an order dated January 23, 2026, Justice Tushar Rao Gedela restrained the defendants and unidentified John Doe parties from creating, publishing or disseminating the impugned AI-generated film “AI LOVE STORY (Telugu) 4K”, or from using the plaintiff’s name, image, likeness, voice or other personality attributes through AI, generative AI, machine learning or deepfake technologies. The Court also directed the immediate takedown of infringing links. The Court observed that the creation of an AI-generated film itself demonstrated the commercial value of the plaintiff’s identity, and that continued circulation would cause irreparable harm. The Court further directed Meta Platforms Inc. to notify users responsible for the infringing URLs within 72 hours, failing which the content was to be removed, and to disclose BSI and IP login details of the account holders within three weeks. The Court relied on DM Entertainment Pvt. Ltd. v. Baby Gift House & Ors. and a recent order in Ranganathan Madhawan v. G Filmz Studioz & Ors. Senior Advocate J. Sai Deepak was briefed by advocates Himanshu Deora (Partner), Rahul Mehta (Partner), Arpit Choudhary (Partner), Krunal Mehta, Karen Koya, Dhwani Vora, B. Sidhi Pramodh Rayudu, Anupriya Alok, Shambhavi Sharma, Sanat Saswadkar, Shambhavi Bharadwaj and Divya Bhushan, of King Stubb & Kasiva (KSK).

Introduction The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s comprehensive response to the pressing need for digital privacy protection in an increasingly data-driven economy. Enacted on 11 August 2023 following Parliamentary approval, the DPDP Act establishes a citizen-centric legal framework that balances individual privacy rights with the legitimate need for lawful data processing. The subsequent notification of the Digital Personal Data Protection Rules, 2025 on 14 November 2025 marks the transition from legislative intent to operational reality, providing the practical implementation framework that organizations must now navigate.[1] This article examines the DPDP Act’s core architecture, traces its evolutionary path from enactment to current stage, and provides clarity on the compliance obligations and timelines that organizations face in 2025 and beyond. Legislative Framework, Evolution, and Core Principles Historical Evolution: From IT Act to DPDP Act[2] India’s journey toward comprehensive data protection spans nearly two decades. The Information Technology Act, 2000 served as the foundational digital law but provided scant privacy protection, with only Sections 43A and 72A addressing sensitive personal data security. This inadequacy became increasingly evident as digital transactions and data misuse escalated. The constitutional turning point arrived with the Supreme Court’s landmark 2017 judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India, which recognized privacy as a fundamental right under Article 21 of the Constitution. This decision provided constitutional grounding for comprehensive data protection legislation and established the proportionality test for any restrictions on privacy rights. Following this constitutional affirmation, the Government appointed the Justice B.N. Srikrishna Committee (2017), which recommended a rights-based framework emphasizing responsibility, consent, and data localization. This committee’s recommendations influenced the development of the Personal Data Protection (PDP) Bill, 2019. However, the PDP Bill faced substantial parliamentary scrutiny; the Joint Parliamentary Committee proposed 81 amendments, citing concerns over robust data localization requirements and expansive government powers under Section 35. The PDP Bill was consequently withdrawn in 2022. The Government then introduced the Digital Personal Data Protection (DPDP) Bill, 2022, which adopted a more balanced and business-friendly approach while maintaining stringent privacy protection. This revised approach reflected stakeholder feedback emphasizing practical compliance and innovation enablement. The DPDP Bill was finally enacted as the Digital Personal Data Protection Act, 2023 on 11 August 2023, establishing India’s modern data protection regime. Seven Foundational Principles[3] The DPDP Act rests on seven core principles that govern all data processing activities: Consent and Transparency: Data processing requires affirmative, informed consent; processing purposes must be transparent. Purpose Limitation: Personal data shall be used only for the specific purposes for which consent was obtained. Data Minimisation: Only necessary personal data shall be collected and processed. Accuracy: Data fiduciaries must ensure data is accurate and complete, particularly where processing will affect the individual. Storage Limitation: Personal data shall be retained only for the period necessary to serve its purpose. Security Safeguards: Reasonable technical and organisational security measures must be implemented. Accountability: Data fiduciaries bear demonstrable responsibility for compliance. The Act deliberately adopts the SARAL approach: Simple, Accessible, Rational, and Actionable. It uses plain language and avoids legal complexity, enabling both individuals and businesses to understand their rights and obligations without specialized legal interpretation. Key Stakeholders and Their Roles Data Principal[4] A Data Principal is the individual to whom personal data relates. For minors or persons with disabilities unable to make independent decisions, the lawful parent or guardian acts as the Data Principal. This recognition ensures vulnerable populations receive adequate protection while allowing lawful guardians to exercise rights on their behalf. Data Fiduciary[5] A Data Fiduciary is any entity—public or private—that decides why and how personal data is processed, either independently or jointly with others. Retailers, platforms, financial institutions, healthcare providers, and government agencies collecting personal data all qualify as Data Fiduciaries. Data Processor[6] A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary under a valid contract and solely for activities related to providing goods or services to Data Principals. Data Fiduciaries remain fully responsible for Data Processor compliance; any failure by the Data Processor does not absolve the Data Fiduciary of its obligations under the Act. Significant Data Fiduciaries (SDFs) A subset of Data Fiduciaries designated as Significant Data Fiduciaries under Section 10 faces heightened obligations. The Central Government classifies entities as SDFs based on illustrative criteria including:[7] Processing personal data of 10 million or more Data Principals Large-scale processing of financial, health, or biometric data Platforms with systemic societal impact (social networks, digital banks) Risks to national security, electoral democracy, or state security SDFs must appoint an India-based Data Protection Officer (DPO) who represents the SDF for DPDP compliance and serves as the primary grievance redressal contact. The DPO must report directly to the Board of Directors or equivalent governing body. Additionally, SDFs must engage independent data auditors and conduct annual Data Protection Impact Assessments (DPIAs) that outline the purpose of processing, Data Principal rights, and a comprehensive assessment and mitigation of related risks.[8] Consent Manager[9] The Consent Manager is a new regulatory intermediary introduced by the DPDP Rules. Acting as a fiduciary to the Data Principal, the Consent Manager provides a single, transparent, and interoperable platform through which individuals can give, manage, review, and withdraw consent across multiple Data Fiduciaries from a unified interface. The Consent Manager serves as a critical accountability layer between Data Fiduciaries and Data Principals, ensuring neutral and transparent consent administration. Consent Managers must be companies incorporated in India with a minimum net worth of ₹2 crore, demonstrating sufficient technical, operational, and financial capacity. They must register with the Data Protection Board and comply with stringent obligations including neutrality (avoiding conflicts of interest), data integrity, audit trails, and grievance handling.[2] The Board may initiate inquiries and impose penalties on Consent Managers for violations of registration conditions or fiduciary duties. Data Protection Board of India The Data Protection Board of India (DPBI), a four-member independent body established under the Act, functions as the central enforcement and adjudicatory mechanism.[10] The Board, with its head office in the National Capital Region, investigates complaints, ensures compliance, and determines appropriate remedial actions. Board members must possess integrity and expertise in data governance, law, dispute resolution, information and communication technology, or the digital economy, with at least one member being a legal expert. A key feature of the DPDP Rules is the Board’s digital-first infrastructure: citizens can file complaints online, track cases through a dedicated portal and mobile application, and receive faster decisions. The Board possesses powers to investigate data breaches, conduct inquiries, direct remedial actions, and impose substantial penalties.[3] Appeals against Board decisions are heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which functions entirely through digital means and issues decisions within six months where possible.[11] Rights of Data Principals The DPDP Act grants individuals comprehensive rights to control their personal data:[12] Right Scope Right to Consent or Refuse Full discretion to allow or deny data use; ability to withdraw consent at any time; withdrawal process as simple as giving consent Right to Know Access to information about data collected, collection purpose, and usage manner; know who data is shared with (except lawfully authorized agencies) Right to Access Obtain a summary of personal data held by the Data Fiduciary; know all disclosures made; request any other information about processing Right to Correct Request correction of inaccurate or incomplete data; request updates for changed details (address, contact information) Right to Erase Request removal of personal data in prescribed circumstances; mandatory erasure upon consent withdrawal or purpose fulfillment Right to Nominate Appoint another individual to exercise rights on their behalf (in case of death or incapacity from unsoundness of mind or physical infirmity) Right to Grievance Redressal Seek redressal from Data Fiduciary or Consent Manager for non-compliance; must exhaust internal mechanisms before escalating to the Data Protection Board Response Timeline Data Fiduciaries must respond to all requests within 90 days Duties of Data Principals While granting extensive rights, the Act also imposes reciprocal duties on Data Principals to ensure responsible exercise of these rights:[13] Compliance with Laws: Data Principals must comply with all applicable laws while exercising rights under the Act. No Impersonation: Must not impersonate another person when providing personal data. No Suppression of Material Information: Must not hide or suppress important information while providing data for official documents or government-issued identification. No False Grievances: Must not file false or frivolous complaints with a Data Fiduciary or the Data Protection Board. Authentic Information for Corrections: When requesting correction or erasure, must provide only verifiably authentic information. Phased Implementation Timeline and Current Stage[14] Timeline Overview The DPDP Rules introduce a carefully structured 18-month phased compliance period, reflecting the Government’s recognition that organizations require time to redesign systems, retrain personnel, and implement compliance infrastructure.[15] The timeline comprises three distinct stages:[16] Stage 1: Immediate Effect (13 November 2025) - Data Protection Board of India formally established and operational with head office in NCR - Digital complaint portal and mobile application launched - Rule 4 provisions relating to Board appointment, functioning, and digital office activated - Board’s enforcement and investigative powers operational - Institutional framework for enforcement activated - Old SPDI Rules, 2011 continue to remain in force for 18 more months, ensuring no compliance vacuum - Compliance action required: Organizations should begin data mapping, governance assessment, and preparation of consent redesign Stage 2: One Year from Notification (13 November 2026) - Consent Manager registration commences under Rule 4 - Consent Managers must register with DPBI and meet stringent registration conditions - Obligations for Consent Managers detailed in Schedule I of the Rules take effect - Neutrality, data integrity, and grievance handling obligations become operative - Compliance action required: Data Fiduciaries should finalize Consent Manager selection and initiate integration planning; SDFs must appoint Data Protection Officers Stage 3: Eighteen Months from Notification (13 May 2027) - Full operational compliance obligations come into force - Notice requirements become mandatory (standalone, clear, in prescribed languages) - Breach notification requirements (72-hour timeline) apply with detailed reporting to DPBI - All data principal rights and corresponding fiduciary obligations become enforceable - Data Protection Impact Assessments and data audits mandatory for SDFs - Penalties commence for violations - Final deadline: All organizations must achieve compliance by this date. Current Status (As of January 2026) As of January 2026, India stands at the inception of Stage 1. The Data Protection Board of India has been formally established and is operationalizing its digital infrastructure with head office in NCR. Organizations are currently in the critical planning and preparation phase. While technical penalties have not yet commenced, the regulatory framework is active, and the Board is building capacity for enforcement. The continued operation of the older SPDI Rules 2011 for an additional 18 months ensures there is no compliance vacuum during the transition. This 18-month window is not a grace period but a narrow transition period during which compliance obligations crystallize progressively. Compliance Obligations and Consent Framework Procedure for Data Collection and Notice Requirements (Rule 3)[17] Effective from 13 May 2027, Data Fiduciaries must provide a standalone, clear consent notice separate from other terms and conditions. This notice must: Use plain language in English or any of the 22 scheduled languages (Eighth Schedule of the Constitution) Be clear, independent, and self-contained—not buried within lengthy privacy policies Itemize categories of personal data collected Specify the exact purpose for processing Explain data retention periods Detail disclosure practices and identify recipients Provide information on Data Principal rights, including withdrawal of consent Include contact details of the Data Protection Officer or authorized person Provide information on rights and grievance redressal mechanisms Data Fiduciaries must retain records of notices given and issue revised notices if there are alterations in the purpose or means of data processing. Even if prior consent was received before Act implementation, new notices with complete information must be provided.[3] Consent Standards: Free, Specific, Informed, and Unambiguous (FSIU)[18] Critically, consent must be Free, Specific, Informed, and Unambiguous (FSIU) under Section 6 of the Act. This standard precludes: - Pre-ticked consent boxes - Bundled consent for multiple purposes (e.g., requesting consent for both health data and contact list when only health data is necessary) - Difficult or obscured opt-out mechanisms - Implicit consent through silence - Conditional consent (e.g., requiring waiver of complaint rights to the Data Protection Board) Any consent obtained in violation of the Act or other laws is considered invalid to that extent. For example, if an insurance company requests consent to waive Data Principal rights to complain to the Board, that portion is void. Verifiable Consent for Children[19] The final DPDP Rules introduce enhanced standards for processing children’s and vulnerable persons’ data: Mandatory Verifiable Consent: Before processing a child’s personal data or data of an individual with a disability, a Data Fiduciary must obtain verifiable consent from the child’s parent or the lawful guardian. This is “a stronger, more operationally enforceable standard” than earlier draft provisions.[20] Authentication Process: Verification may involve: - Examination of trustworthy identity and age information available to the Fiduciary - Documentation and digital authentication systems - Prescribed verification protocols - Virtual tokens provided by legally recognized bodies (e.g., Digital Locker service providers) - Technical and organizational measures sufficient to enable parent/guardian consent verification Prohibited Processing: Data Fiduciaries are strictly prohibited from: - Processing children’s data in ways that have a detrimental effect on their well-being - Engaging in tracking, behavioural monitoring, or targeted advertising directed at children - Using children’s data in ways that manipulate or exploit them through personalized content Exemptions: The Central Government may exempt a Data Fiduciary from obtaining parental consent and from restrictions on tracking if satisfied that the Data Fiduciary processes children’s data in a verifiably safe manner, subject to government notification. Data Fiduciary Obligations (Section 8 and rules)[21] [22] All Data Fiduciaries must: Maintain Privacy Policies: Publish accessible privacy policies detailing: - Data handling practices and type of data collected - Purposes of collection and usage - Disclosure practices and potential recipients - Security measures implemented - Data retention periods - Individual rights and grievance redressal mechanisms Policies must be consistent with IT Rules 2011 frameworks that organizations already maintain, providing continuity during transition. Implement Reasonable Security Measures: Adopt documented information security programs with technical and organizational safeguards commensurate with the sensitivity of data: - Technical measures: Encryption, masking, obfuscation, virtual tokens for securing confidentiality, integrity, and availability - Access controls: Compelling access controls limiting unauthorized access - Surveillance and logging: Regular surveillance of computer facilities with periodic logging of activity to detect unauthorized access and enable investigation - Data backup and business continuity: Regular data backups; logs and personal data retention for minimum one year - Standards compliance: International Standard ISO/IEC 27001 or Board-approved sectoral codes Upon data breaches, fiduciaries must demonstrate that implemented safeguards were adequate. Contractually, Data Fiduciaries must ensure Data Processors are equally bound by similar safeguards. Breach Notification: Data Fiduciaries must notify DPBI and affected individuals following a structured process: - Immediate Intimation to Data Principals: Prompt notification in clear, concise, plain manner through registered mode of communication (user account, email, mobile number) including: - Nature, extent, timing, and location of the breach - Likely consequences for the individual - Mitigation measures being taken - Personal safety measures the individual can adopt - Contact details of responsible person for queries - Initial Report to DPBI: Immediately upon becoming aware, with basic breach description - Detailed Report within 72 Hours: Comprehensive report including: - Details of all notifications sent to affected Data Principals - Detailed breach information, circumstances, and reasons - Risk mitigation measures taken or proposed - Identity of responsible person (if known) - Remedial actions to prevent future incidents Maintain Records: Keep logs of consent, processing activities, breach-related documentation, and audit trails for at least one year, subject to sectoral requirements. These logs must be reliable and permit reconstruction of breach events. Grievance Redressal: Establish mechanisms enabling individuals to: - Exercise data principal rights with 90-day response timelines - Lodge complaints regarding non-compliance - Receive redressal within prescribed timeframes Data Principals must exhaust internal grievance redressal mechanisms before escalating to the Data Protection Board. Representative Appointment and Data Protection Officer Role Significant Data Fiduciaries[23] must appoint an India-based representative designated as a Data Protection Officer (DPO) responsible for: - Representing the SDF in DPDP compliance matters - Serving as the point of contact for grievance redressal - Reporting to the Board of Directors or governing body - Acting as liaison with the Data Protection Board - Ensuring the organization’s compliance with all Act provisions For organizations engaged in significant data collection, the appointment of both a Data Protection Officer and engagement with a Consent Manager ensures dual accountability mechanisms: the DPO provides internal governance and grievance redressal, while the Consent Manager, if engaged externally,  ensures neutral, independent consent administration. Cross-Border Data Transfers[24] The DPDP Act and Rules adopt a balanced approach to cross-border transfers—not a blanket ban, but a structured framework. The Central Government can restrict the transfer of personal data outside India by Data Fiduciaries through formal notifications under Section 16, subject to specific conditions. This power is used to protect national interests or data security. However, if existing Indian laws require stricter protection or local storage, those rules take precedence over general cross-border transfer provisions. Companies involved in global data processing must: - Reassess data flows and localization commitments - Ensure contractual protections mirror the protection standards required by Indian law - Monitor Government notifications restricting transfers to specific jurisdictions Data Localization and Algorithmic Compliance for SDFs Significant Data Fiduciaries must ensure:[25] - Algorithmic Compliance: Any algorithmic software used for data processing respects the rights of Data Principals - Data Localization: Personal data and traffic data, as defined by the Central Government, remain in India and are processed domestically according to Government guidelines Key Developments Since Notification (November 2025)[26] Critical Change: Right to Information (RTI) Act Amendment A major recent development involves amendment to the Right to Information Act, 2005. The DPDP Act revision of Section 8(1)(j) of the RTI Act reflects the Supreme Court’s Puttaswamy judgment affirming privacy as fundamental. The revision introduces a significant shift: “Personal information” is now a ground to REJECT disclosure outright. In earlier iterations, personal information could be disclosed if the public interest in disclosure outweighed privacy concerns. This change means: - Information considered “personal” cannot be disclosed under RTI requests - Earlier public interest exception permitting disclosure has been removed - The amendment strengthens privacy protection by creating a more categorical privacy protection - This sets up a future policy dialogue on transparency versus sovereign requirements and privacy protection This represents one of the most privacy-protective aspects of the new regime and marks a significant shift toward categorical privacy protection over selective balancing. Public Consultation Success[27] The DPDP Rules followed extensive nationwide consultations conducted by the Ministry of Electronics and Information Technology in Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru, and Chennai. The consultation process received 6,915 inputs from startups, MSMEs, industry bodies, civil society, and government departments, demonstrating robust stakeholder engagement. These contributions materially shaped refinements in the final Rules, particularly regarding Consent Manager registration conditions and relief provisions for small organizations. New “User Account” Definition The final Rules introduce a new definition of “User Account”[28] that significantly impacts breach notification and data processing interpretation. A user account now includes any identifier such as: - Email address - Mobile number - Username or handle - Any credential used to access a platform Consent Manager Regulatory Framework[29] The 2025 Rules introduce a highly regulated Consent Manager ecosystem with stringent eligibility conditions: Incorporation: Must be a company incorporated in India Net Worth: Minimum ₹2 crore Capacity: Documented technical, operational, and financial capacity Platform: Certified interoperable platform meeting DPBI standards Neutrality: Must avoid conflicts of interest with Data Fiduciaries Record Retention: 7-year minimum retention of consent records Audits: Regular independent audit of technical and organisational controls Consent Managers effectively become quasi-regulatory entities with fiduciary responsibilities to Data Principals, subject to DPBI oversight, inquiry, and potential suspension or cancellation of registration. Government Data Request Restrictions[30] A significant privacy protection measure prohibits Data Fiduciaries from notifying individuals when the Government seeks access to their personal data. This raises practical and contractual challenges: Many platforms currently disclose government requests as part of transparency commitments Terms of service may require revision to avoid non-compliance Sets up future policy dialogue on transparency versus sovereign requirements Likely to be a focal point of industry engagement in the months ahead Penalties and Enforcement[31] [32] The DPDP Act establishes substantial financial penalties for non-compliance, scaled by violation severity, with the Board exercising discretion based on multiple factors: Violation Category Maximum Penalty Failure to maintain reasonable security safeguards ₹250 crore (~USD 30 million) Failure to notify breach to DPBI/Data Principals; violations re: children’s data; tracking and behavioral monitoring of children ₹200 crore (~USD 24 million) Any other violation of the Act or Rules ₹50 crore Penalty Determination Factors: The Board considers: - Level of seriousness and gravity of violation - Kind of personal data involved (sensitivity level) - Economic advantage gained or loss prevented - Attempts made to mitigate the violation - Overall impact of penalty on the subject entity Scope of Penalties: Fines may be levied against: - Data Fiduciaries (primary entity) - Consent Managers (for registration condition violations or failure to meet obligations) - Intermediaries (for refusing to block access to data as ordered by Central Government) Important Limitation: Individuals are NOT granted the right to claim compensation for damages, which may reduce litigation incentives but places primary enforcement burden on the Board. Commencement: These penalties apply only from 13 May 2027 onward. However, organizations that delay compliance face compounding risks: remedial costs escalate as data systems require urgent overhaul under pressure, and regulatory relationships may be prejudiced by evident non-preparation during the 18-month transition window. Exemptions and Special Cases[33] The DPDP Act provides exemptions in specific circumstances: Processing Exemptions: - Enforcement of legal rights by courts or regulators - Judicial or supervisory tasks by courts or regulators - Law enforcement activities - Cross-border contractual obligations - Mergers, demergers, or insolvency-related assessments State Instrumentality Exemptions: - Processing for national security, sovereignty, or state security - Processing for public order - Research, archiving, or statistical purposes (if no decision specific to a Data Principal is made) Entity-level Relief: - Recognized startups may be exempted from specific compliance obligations based on size and nature of data processed - Government may, within five years, exempt specific classes of Data Fiduciaries from any provisions through official notification Non-applicability to State Processing: - Certain provisions do not apply to state processing where no decision affecting the Data Principal is involved Conclusion The Act is founded on the constitutional definition of privacy as a human right and establishes a consent model that prioritizes transparency, accountability, and user control over personal data. It fills the legislative gap left by the IT Act of 2000 and puts India’s data protection policies on par with the world. The obligations placed on Data Fiduciaries like adoption of strong technical measures and ensuring data minimization and legitimate processing, are an indication of the government’s intent to foster privacy and innovation both. While the Act grants people the right to access, correct, and delete their data, it also aims to balance such rights, national interest, and ease of doing business.[34] The Digital Personal Data Protection Act and the 2025 Rules represent India’s definitive commitment to building a trustworthy, innovation-friendly digital ecosystem. By placing individuals at the center of the framework while creating clear, proportionate obligations for organizations, the legislation balances privacy protection with economic growth imperatives. The phased 18-month implementation timeline reflects pragmatic policy design, acknowledging that systemic compliance requires time but that the statutory deadline of 13 May 2027. The evolution from the IT Act 2000, through multiple legislative iterations, to the DPDP Act reflects India’s maturation as a digital economy demanding world-class privacy protection. The amendments to the IT Act, the stringent breach notification timelines, the children’s data protections, and the Consent Manager framework all signal a shift toward practical, outcome-based regulation prioritizing individual rights and organizational accountability. [1] Press Release:Press Information Bureau [2] NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025 – Legal Developments [3] Press Information Bureau, “DPDP Rules, 2025 Notified: A Citizen-Centric Framework for Privacy Protection and Responsible Data Use,” Government of India, 17 November 2025 - doc20251117695301.pdf [4] ibid [5] ibid [6] NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025 – Legal Developments [7] DPDP Rules, 2025: Significant Data Fiduciaries and Data Transfers [8] https://www.legal500.com/developments/thought-leadership/48168/ [9] DPDP Rules 2025: Guidance to DPDP Act implementation [10] Press Release:Press Information Bureau [11] https://www.legal500.com/developments/thought-leadership/48168/ [12] Press Information Bureau, “DPDP Rules, 2025 Notified: A Citizen-Centric Framework for Privacy Protection and Responsible Data Use,” Government of India - doc20251117695301.pdf [13] NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025 – Legal Developments [14] c56ceae6c383460ca69577428d36828b.pdf [15] Press Release:Press Information Bureau [16] DPDP Act Compliance Guide 2025 [17] Rule 3 of Digital Personal Data Protection Act, 2023 DPDP Rules 2025 [18] Digital Personal Data Protection Act, 2023 DPDPA SECTION 6 WITH INTERPRETATION [19] Rule 10 of Digital Personal Data Protection Act, 2023 DPDP Rules 2025 [20]https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc20251117695301.pdf [21] DATA FIDUCIARY OBLIGATIONS in The Digital Personal Data Protection Act, 2023. DPPA AND INTERPRETATION 8 [22] Rule 6 of Digital Personal Data Protection Act, 2023 DPDP Rules 2025 [23] Digital Personal Data Protection Act, 2023 DPDPA SECTION 10 WITH INTERPRETATION [24] Digital Personal Data Protection Act, 2023 DPDPA SECTION 16 WITH INTERPRETATION [25] NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025 – Legal Developments [26] doc20251117695301.pdf [27] Press Release:Press Information Bureau [28] Rule 2 of Digital Personal Data Protection Rules, 2025 (DPDP Rules 2025) under DPDPA 2023 [29] DPDP Rules 2025: Guidance to DPDP Act implementation [30] Digital Personal Data Protection Act, 2023 DPDPA SECTION 17 WITH INTERPRETATION [31] doc20251117695301.pdf [32] NAVIGATING THE DIGITAL DATA REGIME: AN ANALYSIS OF THE DPDP ACT & DPDP RULES 2025 – Legal Developments [33] Digital Personal Data Protection Act, 2023 DPDPA SECTION 17 WITH INTERPRETATION [34] https://www.legal500.com/developments/thought-leadership/48168/

We are pleased to announce that Argus Partners advised Surya Hospitals and its promoter Dr. Bhupendra Avasthi, on a transaction comprising a primary investment by Novo Holdings’ (a leading global investor in healthcare and life sciences) in Surya Hospitals, and a secondary sale of shares held by Sealink Capital Partners (“SCP”) in Surya Hospitals to Novo Holdings, pursuant to which SCP has fully exited its investment in Surya Hospitals. Surya Hospitals is the largest private women’s and children’s specialty hospital chain in Western India. Established in 1984, the group operates specialty hospitals across Mumbai, Pune, and Jaipur, offering comprehensive services in obstetrics and gynaecology, neonatal and paediatric intensive care, fertility, and paediatric sub-specialties. Surya Hospitals is widely recognised for its clinical excellence, strong patient outcomes, and highly regarded medical teams.   Novo Holdings’ investment will support Surya Hospitals’ next phase of growth, including the expansion of its footprint across Western India, continued buildup of the clinical infrastructure, and the strengthening of its specialist medical teams. The partnership brings together Surya’s well-established clinical leadership with Novo Holdings’ long-term, engaged ownership approach and connectivity across a global healthcare ecosystem. The deal team at Argus Partners consisted of Krishnava Dutt (Managing Partner), Abhinav Bhalaik, Aayush Kumar (Partners) and Paridhi Rastogi, Anoushka Goel (Associates). The due diligence team at Argus Partners consisted of Aayush Kumar (Partner) and Paridhi Rastogi, Vishakha Somani, Anoushka Goel (Associates). Read more at: Novo Holdings Press Release, Economic Times, ANI, VCCircle.