Development

The Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025, notified on 13 November 2025, follow a three-phase commencement schedule. Phase I, which took effect on 14 November 2025, brought into force the definitional provisions, the establishment of the Data Protection Board, and certain foundational institutional sections. Phase II, commencing 14 November 2026, activates the Consent Manager registration framework and further institutional machinery. Phase III, commencing 14 May 2027, brings into force the substantive obligations on Data Fiduciaries including notice, consent, security safeguards, breach notification, and the Significant Data Fiduciary regime.

Phase II: What Comes into Force

The most significant element of Phase II is the commencement of the Consent Manager framework. Consent Managers are registered entities through which Data Principals can give, manage, review, and withdraw consent across multiple Data Fiduciaries via an accessible, transparent, and interoperable platform. The Rules prescribe registration conditions, net-worth requirements, and independence obligations for Consent Managers. The framework draws conceptually from the Data Empowerment and Protection Architecture and the Account Aggregator model already operational in Indian financial services.

Significance

Phase II is the compliance milestone for entities intending to operate as Consent Managers. For Data Fiduciaries, it signals the approaching operative date for substantive obligations and should serve as the trigger for finalising data-flow mapping, consent architectures, processor contracts, and grievance-redressal mechanisms. The eighteen-month total implementation window from notification to full enforcement is now past its midpoint.

This update is provided for general information and does not constitute legal advice.