IndiaStand
Topic brief · maintained 2026-07-05

India's digital public infrastructure and data-protection regime: the state of play

India has built population-scale digital public infrastructure — a digital identity, a real-time payments rail and a document layer used by hundreds of millions — and is now, belatedly, building the legal regime meant to govern the data that flows through it. This is the maintained topic brief on where that regime stands: the IT Act and its intermediary rules, the Digital Personal Data Protection Act of 2023, and the DPDP Rules notified in November 2025 that put it into phased force.

Ministry of Electronics and Information TechnologyReserve Bank of India

The two halves of the story

India’s digital governance has advanced on two tracks that grew out of step with each other. The first is infrastructure — the population-scale systems often grouped as “India Stack”: Aadhaar digital identity, the Unified Payments Interface (UPI), and the DigiLocker document layer. The second is the legal regime meant to govern the data those systems generate. The infrastructure was built and scaled through the 2010s; the standalone data-protection law arrived only in 2023, and its operational rules only in late 2025. This brief tracks that second track catching up with the first, both administered largely by the Ministry of Electronics and Information Technology.

The infrastructure that exists

According to a reference overview of India Stack, the term brands a set of separately governed government-operated systems — identity (Aadhaar, run by the UIDAI under MeitY), payments (UPI, operated in the National Payments Corporation of India ecosystem overseen by the Reserve Bank of India), and documents (DigiLocker, under MeitY). The scale is what makes the regime consequential: public reporting places cumulative Aadhaar numbers issued above 1.4 billion as of mid-2025, and UPI volumes on the order of 18 billion transactions per month in 2025. These figures are attributed to that public reporting rather than presented as this desk’s own verification; the durable point is that the systems operate at national scale, which is why the rules governing their data matter.

The regulatory spine: the IT Act and the 2021 Rules

The foundational statute remains the Information Technology Act, 2000, India’s primary cyber-law, whose Section 79 grants online intermediaries conditional “safe harbour” from liability for third-party content. The conditions are set by subordinate rules. Per PRS Legislative Research, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 impose due-diligence obligations, grievance-redressal mechanisms and, for significant social-media intermediaries, additional requirements; a 2023 amendment extended the framework to online real-money gaming and provided for a government fact-check unit to flag content about government business. The fact-check-unit provision has been contested in court, and this brief characterises rather than adjudicates that dispute: media and free-expression groups challenged it as overbroad, while the government defended it as targeted at demonstrably false information about its own affairs. In a further amendment, per reference reporting, MeitY notified the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, which define “synthetically generated information” and require intermediaries to label AI-generated content; the amendment took effect on 20 February 2026.

The data-protection law: DPDP Act 2023

India’s first standalone data-protection statute is the Digital Personal Data Protection Act, 2023. Per the Act as published by MeitY and reference records of its passage, it was passed by the Lok Sabha on 7 August 2023 and the Rajya Sabha on 9 August 2023, and received Presidential assent on 11 August 2023 as Act 22 of 2023. The Act establishes a consent-based framework: entities that process personal data (“Data Fiduciaries”) owe defined obligations to individuals (“Data Principals”), including notice, purpose limitation and security safeguards, and it provides for a regulator — the Data Protection Board of India — to adjudicate breaches and impose penalties. The Act was passed as a framework law, leaving much of its operational substance to rules to be notified later, which is why its practical force waited on those rules.

What changed in November 2025: the DPDP Rules

The operational turn came on 13 November 2025, when MeitY notified the Digital Personal Data Protection Rules, 2025. Per MeitY and the government’s own announcement, the Rules operationalise the 2023 Act in phases rather than all at once: an initial set of provisions — definitions, and the machinery to establish the Data Protection Board — took effect on notification; the provisions governing consent managers take effect twelve months after notification; and the substantive compliance obligations on data fiduciaries take effect eighteen months after notification. Government material states the final Rules followed a public consultation that drew about 6,900 stakeholder inputs. As of 2026-07-05 the regime is therefore live but only partly in force: the Board’s enabling provisions are notified while the core compliance duties are within their transition window.

The unsettled edges

Two threads remain open and are tracked here without prediction. First, the proposed Digital India Act, floated in 2023 as a wholesale replacement for the ageing IT Act, 2000: as of the latest available reference reporting no draft bill has been released publicly, and it remains at the consultation stage, with the government having in the interim pursued amendments to the existing IT Rules rather than a new statute. Second, the interaction between the DPDP regime and existing laws — including the Right to Information Act, which the DPDP Act amends, and the IT Rules’ content-governance provisions — where civil-society groups and government have taken differing positions on transparency and exemptions. This brief characterises those positions as they are stated by their holders and does not forecast an outcome.

Who owns this topic (and why we’re here)

The explainer field for “India Stack / DPDP / IT Rules” is dominated by two kinds of source: law-firm and consultancy client alerts (Nishith Desai, Shardul Amarchand Mangaldas, DLA Piper and similar), which are precise but written for compliance officers and paywalled by audience; and exam-prep and current-affairs portals aimed at UPSC aspirants, which are broad but often undated and quick to go stale as rules change. Encyclopedic reference pages sit in between and lag the notifications. What that field lacks is a single, plainly written, continuously maintained state-of-play that separates what is in force from what is notified but not yet operative, attributes each claim to an official or reference source, and is dated. That is the gap this desk fills: an institution-first account — built around what MeitY actually administers — kept current as each phase of the DPDP Rules commences.

Maintained topic brief. Analysis by IndiaStand — it characterises the state of play and the range of positions actually held, attributes each claim, and makes no forecast and no recommendation.

Sources

  1. Ministry of Electronics and Information Technology · India
  2. Digital Personal Data Protection Act, 2023 (MeitY) · India
  3. Digital Personal Data Protection Rules, 2025 (MeitY) · India
  4. PIB: DPDP Rules, 2025 Notified · India
  5. IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — PRS Legislative Research · India
  6. MeitY notifies the IT Amendment Rules 2026 (Khaitan & Co, reference) · India
  7. India Stack (reference overview) · India