Category
Published
Author
Reading Time
2 min readTags
DPDPA Rules 2026: Data Protection Board to Begin Adjudication from April
The Data Protection Board of India will commence adjudication proceedings under the Digital Personal Data Protection Act, with the first set of enforcement rules now notified.
The Ministry of Electronics and Information Technology (MeitY) has notified the final set of rules under the Digital Personal Data Protection Act, 2023 (DPDPA), paving the way for the Data Protection Board of India (DPBI) to begin hearing complaints and adjudicating violations from April 2026.
The rules, formally titled the Digital Personal Data Protection Rules, 2026, cover several critical areas:
Consent management
Data fiduciaries must implement standardized consent mechanisms with clear, plain-language notices. The rules mandate that consent requests be presented in all 22 scheduled languages, with verifiable parental consent required for processing children's data.
Data breach notification
Fiduciaries must notify the Board and affected data principals within 72 hours of becoming aware of a personal data breach. The rules prescribe the format, content, and channels of notification.
Cross-border data transfers
The rules identify a "whitelist" of countries and territories to which personal data may be transferred, including the EU, UK, Singapore, and Japan. Transfers to non-whitelisted jurisdictions require additional safeguards, including contractual commitments and sectoral approvals.
Penalties framework
The Board may impose penalties ranging from ₹10,000 for individual violations to ₹250 crore for significant breaches affecting large numbers of data principals. Repeat violations attract enhanced penalties.
Legal experts note that the actual enforcement capability of the Board will depend on its composition, which is yet to be formally announced. "The statutory framework is robust, but its efficacy will be judged by how independently and efficiently the Board operates," observed a leading privacy counsel.
Industry bodies have raised concerns about the compliance burden, particularly for startups. MeitY has indicated that a phased implementation approach will be adopted, with an initial 12-month grace period for small data fiduciaries.
Continue Reading
Related Articles
Supreme Court Upholds Validity of Article 370 Abrogation in Landmark Verdict
In a historic 5-judge Constitution Bench ruling, the Supreme Court of India has upheld the validity of the Presidential Order revoking the special status of Jammu & Kashmir under Article 370.
Parliament Passes 130th Constitutional Amendment to Strengthen Election Commission Autonomy
The amendment establishes an independent collegium-based appointment process for Election Commissioners, replacing the executive-driven model challenged in the Anoop Baranwal case.
Supreme Court Expands Free Speech Protections to Digital Platforms in Landmark Ruling
The Court rules that intermediary guidelines cannot impose prior restraint obligations on platforms, extending Article 19(1)(a) protections to the digital ecosystem.