Understanding India’s Digital Personal Data Protection Framework (2023–2025)

India has taken a major step toward strengthening data privacy with the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act), followed by the DPDP Rules, 2025. Together, they create a structured legal framework for how personal data is collected, processed, stored, and protected in the digital ecosystem.

This blog provides a concise overview of the key provisions, responsibilities, and compliance requirements under the law.

1. Objective of the DPDP Act, 2023

The DPDP Act aims to strike a balance between:

• Individual privacy rights, and
• Legitimate use of personal data for business and governance

It governs the processing of digital personal data, ensuring it is handled lawfully, transparently, and securely.

2. Applicability

The Act applies to:

• Personal data collected in digital form or digitised later
• Processing within India
• Processing outside India if related to offering goods/services to individuals in India

Exclusions:

• Personal/domestic use
• Publicly available personal data

3. Key Definitions

• Data Principal: Individual whose data is being processed
• Data Fiduciary: Entity deciding purpose and means of processing
• Data Processor: Processes data on behalf of fiduciary
• Consent Manager: Facilitates consent management
• Personal Data Breach: Unauthorized access, disclosure, or loss of data

4. Core Principles of Data Processing

Data can be processed only:

• With valid consent, or
• For certain legitimate uses (e.g., legal compliance, emergencies, employment)

Consent must be:

• Free and informed
• Specific and unambiguous
• Given through clear affirmative action
• Withdrawable easily

5. Rights of Individuals (Data Principals)

The Act empowers individuals with:

• Right to access their data and processing details
• Right to correction and erasure
• Right to grievance redressal
• Right to nominate a representative

These rights ensure greater control over personal data.

6. Obligations of Data Fiduciaries

Organizations handling data must:

• Use data only for lawful purposes
• Provide clear notice before collecting data
• Implement security safeguards
• Report data breaches
• Delete data when no longer required

They remain accountable even when data is processed by third parties.

7. Special Provisions

A. Children’s Data

• Requires verifiable parental consent
• No tracking or targeted ads for children

B. Significant Data Fiduciaries

Large or high-risk entities must:

• Appoint a Data Protection Officer (DPO)
• Conduct data audits and impact assessments
• Ensure higher compliance standards

8. Data Protection Board of India

• Acts as the regulatory authority
• Handles complaints and enforcement
• Functions largely as a digital office under the Rules

9. Key Highlights of DPDP Rules, 2025

The Rules operationalize the Act by prescribing detailed compliance mechanisms.

A. Notice Requirements

• Must be clear, standalone, and easy to understand
• Include purpose, data details, and user rights
• Provide links to withdraw consent and file complaints

B. Consent Managers

• Must be registered with the Board
• Act as intermediaries for managing user consent

C. Security Safeguards

Organizations must implement:

• Encryption / masking
• Access control systems
• Monitoring and logging
• Backup and recovery mechanisms

D. Data Breach Reporting

• Immediate intimation to affected users
• Detailed report to the Board within 72 hours
• Must include impact and mitigation steps

E. Data Retention & Erasure

• Data must be deleted once purpose is served
• Minimum 1-year log retention for security and audit
• Users must be notified before deletion

F. Children’s Data Verification

• Strong identity verification for parental consent
• Use of reliable identity systems or digital lockers

G. Cross-Border Data Transfer

• Allowed, but subject to restrictions notified by the Government

H. Compliance for Significant Data Fiduciaries

• Annual audits and DPIA (Data Protection Impact Assessment)
• Monitoring of algorithmic risks
• Possible data localization requirements

10. Practical Impact on Businesses

Organizations must now:

• Redesign privacy policies and consent systems
• Strengthen IT security infrastructure
• Establish grievance redressal mechanisms
• Maintain detailed data processing records

Non-compliance can lead to significant penalties.

Conclusion

The DPDP Act, 2023 and Rules, 2025 mark a transformative shift in India’s data governance landscape. They align India with global privacy standards while addressing local regulatory needs.

For businesses, compliance is no longer optional—it is a strategic necessity. For individuals, it brings enhanced transparency, control, and protection in the digital world.

 Source: https://www.meity.gov.in/documents/act-and-policies?page=1

TDS & TCS Changes Effective from April 1, 2026

 

Introduction

The Finance Bill 2026 introduces important amendments to TDS and TCS provisions under the Income Tax framework. These changes are focused on simplifying compliance, reducing interpretational disputes, and encouraging a digital tax ecosystem.

Major Changes at a Glance

A. Revised TCS Rates

Item	Old Rate	New Rate (2026)	Effect
Alcohol (human consumption)	1%	2%	Higher tax collection
Scrap & minerals	1%	2%	Increased compliance
Tendu leaves	5%	2%	Cost relief
Overseas tour packages	5% (up to ₹10 lakh) / 20% (beyond)	Flat 2% (no threshold)	Simplified taxation

Insight: The shift to a uniform flat 2% on overseas tour packages removes slab-based calculations and reduces compliance complexity for travel agents and customers.

B. Relief on Foreign Remittances (LRS)

Purpose	Old Rate	New Rate	Effect
Education/Medical (via loan)	5%	2%	Reduced tax burden
Other purposes	20%	20%	No change

Insight: The reduction for education and medical remittances provides meaningful relief to students and patients/families, while the flat structure continues to simplify processing by authorised dealers.

C. No TDS on Accident Compensation Interest

• Interest from Motor Accident Claims Tribunal awards will now be fully exempt from TDS deduction.
• Ensures victims receive complete compensation without tax withholding.

Impact: This change removes the earlier ₹50,000 threshold and ensures victims or their families receive the complete compensation amount without any withholding or refund hassles.

D. Property Purchase from Non-Residents Simplified

• Individuals/HUFs can now use PAN instead of TAN.
• Removes unnecessary compliance for one-time transactions.

E. Manpower Supply – Clear Classification as “Work” (effective April 1, 2026) Manpower supply (where personnel work under the supervision, control, or direction of the recipient) is now explicitly classified as “work” (contractual in nature).

Applicable TDS rates:

• 1% – when payee is Individual / HUF
• 2% – in other cases

Impact: This eliminates the earlier confusion between contractual work (Section 194C equivalent) and professional/technical services (higher 10% rate), significantly reducing litigation and ensuring uniform treatment.

F. Digital Transformation in Lower / Nil TDS Certificates The entire process for obtaining lower or nil TDS certificates has been moved to a fully online / electronic mode with rule-based and automated verification wherever possible.

• Applications can now be filed electronically.
• Faster approvals with minimal or no physical paperwork.
• Particularly beneficial for small taxpayers, freelancers, and MSMEs.

Key Compliance Benefits

• Binding nature of CBDT guidelines and clarifications on TDS/TCS issues (to reduce disputes).
• Standardized classifications and definitions.
• Improved ease of doing business.
• Reduced physical interaction with tax authorities through greater digitalisation.

Disclaimer: This is a summary based on the provisions of the Finance Bill 2026 and the new Income-tax Act, 2025. Readers are advised to refer to the final enacted provisions, notifications, and rules for complete details and consult a qualified tax advisor for specific transactions.