India has built a horizontal privacy statute on top of a vertical regulatory stack: the Digital Personal Data Protection Act 2023 and Rules of November 2025 establish a Data Protection Board with adjudicatory authority, while the Reserve Bank, Securities and Exchange Board, insurance and telecom regulators, and the national cybersecurity authority continue to govern the same data on their own terms. None of the sectoral regimes has been displaced. What does this horizontal-on-vertical design reveal about how the state has chosen to build its privacy regime, and where does a company actually find the binding constraint?
India's Digital Personal Data Protection (DPDP) architecture is not the rationalisation of a previously dispersed regime. It is a horizontal privacy statute laid on top of a vertical regulatory stack that continues to operate on its own tempo and in its own register. The DPDP Act 2023 has not replaced the Reserve Bank of India's (RBI) Master Direction on IT and Cyber Risk Management, the Insurance Regulatory and Development Authority of India's (IRDAI) Information and Cybersecurity Guidelines 2026, the Telecom Regulatory Authority of India's (TRAI) Commercial Communications regime, the Indian Computer Emergency Response Team's (CERT-In) six-hour breach reporting direction, or the Ministry of Health and Family Welfare's (MoHFW) Ayushman Bharat Digital Mission (ABDM) data architecture; each continues to apply. The Act has added a horizontal layer; it has not displaced the vertical stack beneath it. Reading the architecture as a rationalisation misses what the state has built.
The statute was enacted on 11 August 2023. The DPDP Rules were notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025 and gazetted on 14 November 2025, following a consultation process that drew 6,915 stakeholder inputs across seven cities. The Rules operationalise the Act in a phased schedule. Rules 1, 2, and 17-21 came into force on notification and establish the Data Protection Board of India (DPBI) and its procedural architecture. Rule 4, covering Consent Manager registration, comes into force on 13 November 2026. The substantive compliance obligations under Rules 3, 5-16, 22, and 23 (notices, consent standards, security safeguards, breach reporting, retention and erasure, Data Principal rights, children's data, Significant Data Fiduciary obligations, cross-border transfer, appeals to TDSAT, and state access) come into force on 13 May 2027. The phasing is a ceiling rather than a floor: MeitY is actively considering compressing the 18-month runway and notifying Significant Data Fiduciary-specific cross-border restrictions in advance of the substantive commencement date. Penalties scale to ₹250 crore for security safeguard failures, ₹200 crore for breach notification failures or children's data violations, ₹150 crore for Significant Data Fiduciary obligation failures, and ₹50 crore for other violations.
The DPBI's design is the first signal of how the state has chosen to structure enforcement. The Securities and Exchange Board of India (SEBI) is a statutory regulator with rule-making, supervisory, and adjudicatory authority over securities markets; the Competition Commission of India has similar breadth over competition matters. The DPBI does not. It is an adjudicator. It inquires into complaints, calls for information, imposes penalties, and issues directions; it does not make rules. Rule-making authority under the DPDP Act sits with the Central Government acting through MeitY. Appeals from DPBI orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), not to a specialised data tribunal or directly to a High Court. This is unusual. The state has retained rule-making at the executive level, delegated only dispute resolution and enforcement to the Board, and routed appeals through a telecom tribunal. Companies that have navigated SEBI, IRDAI, or the RBI will find that the DPBI does not behave like those bodies. It behaves like a tribunal with penalty powers, not like a regulator with institutional presence, and the appellate jurisprudence that will shape its early years will be built by TDSAT judges whose institutional culture was formed on telecom licensing, interconnection, and spectrum disputes.
The vertical stack that continues to operate alongside DPDP is extensive, and the friction between the two layers sits at specific documented points. The RBI's April 2018 circular on Storage of Payment System Data requires payment system operators to store the entire payment data on servers in India only, with limited processing permitted overseas; this binds payment aggregators, payment gateways, banks, and Non-Banking Financial Companies (NBFCs) regardless of the DPDP Rules' negative-list approach to cross-border transfers. The RBI's cybersecurity framework mandates CERT-In breach reporting within six hours of detection, which sits alongside the DPDP 72-hour breach reporting obligation to the DPBI. The RBI's Know Your Customer (KYC) Master Direction requires retention of KYC records for five years after account closure, which sits alongside the DPDP Rule 8 retention regime: personal data must be erased after three years of user inactivity for specified classes of Data Fiduciary (e-commerce, online gaming, and social media intermediaries above prescribed user thresholds), with a mandatory 48-hour pre-erasure notification to the Data Principal, and a minimum one-year retention of personal data, associated traffic data, and processing logs from the date of processing. The same data element is simultaneously subject to two retention rules operating on different triggers, resolved through DPDP Rule 8's carve-out for data retained under another law but operationalised in the Data Fiduciary's system as two parallel retention logics.
SEBI's regulations on cybersecurity and cyber resilience for Market Infrastructure Institutions and intermediaries, the Master Circular on Scheme of Arrangement for Listed Entities, and the disclosure obligations under the Listing Obligations and Disclosure Requirements (LODR) Regulations each carry data-related compliance obligations that continue to apply to listed and regulated entities. IRDAI's Information and Cybersecurity Guidelines 2026, notified earlier this year, carry insurance-sector-specific data obligations that continue to apply to insurers and intermediaries. TRAI's Telecom Commercial Communications Customer Preference Regulations govern consent for commercial communications, and the Telecommunications Act 2023 includes its own data provisions that interface with DPDP at the subscriber identification layer. CERT-In's April 2022 directions, still in force, mandate logging for 180 days, breach reporting within six hours, and cooperation with government investigators. MoHFW's ABDM data standards govern health data under the Unified Health Interface and Ayushman Bharat Health Account (ABHA) framework. The Information Technology Act 2000 remains in force; the Sensitive Personal Data or Information (SPDI) Rules 2011 continue to govern sensitive personal data until 13 May 2027 when they are displaced by the DPDP regime for categories covered.
Four friction points run across the overlay. The first is retention versus erasure, already visible in the KYC example above: the carve-out resolves the legal conflict, but the Data Fiduciary must still classify which elements sit under which regime and run two retention logics in one system. The second is breach reporting multiplication. A material breach at a regulated entity triggers CERT-In reporting within six hours, sectoral supervisory reporting on a different timeline, stock-exchange disclosure if the entity is listed, and DPDP reporting to both the DPBI and the affected Data Principal within 72 hours; each notification addresses a different recipient, carries different content requirements, and carries different consequence exposure. The third is grievance redressal multiplication. A complaint about unauthorised processing of data can be filed with the entity's internal grievance officer, the sectoral regulator's redressal platform (SEBI Complaints Redressal System or SCORES for securities, the insurance ombudsman, the Banking Ombudsman, TRAI's DND platform), and the DPBI simultaneously. The entity has to respond to each on its own timeline. The fourth is cross-border transfer. The DPDP Rules adopt a negative-list approach under Rule 15 (transfers to all countries are permitted unless the Central Government notifies a specific country as restricted); no notification has yet been issued. But the RBI's 2018 payment data localisation, IRDAI's requirement to maintain insurance policyholder data onshore, and SEBI's requirements for securities market data continue to localise the data that matters most to regulated entities. DPDP's liberalisation does not override the sectoral localisation.
Two provisions in the Rules deserve isolation because they carry the regime's most consequential extensions. Rule 13(3) requires a Significant Data Fiduciary to observe due diligence to verify that "technical measures including algorithmic software" deployed by it for processing personal data are not likely to pose a risk to the rights of Data Principals; the final Rules broadened the draft's "algorithmic software" language deliberately. This is the provision through which algorithmic accountability enters Indian law. India will not have a standalone artificial intelligence statute in the short term; it has chosen DPDP as the vehicle, and the SDF designation as the trigger. A Significant Data Fiduciary that deploys recommendation algorithms, credit-scoring models, fraud-detection systems, or content-moderation classifiers will be required to conduct annual Data Protection Impact Assessments, algorithmic fairness assessments, and independent audits covering those systems, and will be answerable to the DPBI for the risks they pose to Data Principals. Rule 23 operates at the opposite end of the architecture: the Central Government, acting through authorised persons specified in the Seventh Schedule, may require any Data Fiduciary or intermediary to furnish specified information, and may direct the Data Fiduciary to not disclose the request to the affected Data Principal where the disclosure would prejudicially affect the sovereignty and integrity of India or the security of the State. The DPBI does not control this pathway. The state-access perimeter sits with MeitY and the authorised Seventh Schedule persons, parallel to the privacy protections the rest of the Rules create. The Rules simultaneously establish a privacy framework and preserve a state-access carve-out that operates outside the DPBI's adjudicatory jurisdiction.
For a regulated entity, the binding constraint on data handling is therefore not DPDP. It is the sectoral regulator. A bank's data architecture is determined by the RBI's IT Cyber Risk Management Master Direction; DPDP adds obligations but does not override. A listed entity's disclosure architecture is determined by SEBI's LODR Regulations, not by DPDP. A telecom operator's consent architecture is determined by TRAI's TCCCP Regulations, not by DPDP. The DPBI will hear complaints from individuals; the sectoral regulator's next inspection will determine whether the company continues to operate. This is counter-intuitive to companies that have built General Data Protection Regulation (GDPR) compliance architectures where the Data Protection Authority is the primary enforcer. In India, the DPBI is one enforcer among many, and for most regulated entities it is not the most consequential.
For unregulated entities (most consumer internet platforms, e-commerce operators below the 20 million-user threshold, Software-as-a-Service providers, many HealthTech entities outside ABDM) the DPBI is the primary enforcer. For Significant Data Fiduciaries (SDFs), once the Central Government issues the SDF notification that the Rules contemplate, an additional layer of obligations activates: annual Data Protection Impact Assessments, independent data audits, algorithmic fairness assessments, Data Protection Officer appointment, and the potential for category-based localisation of specified personal data. The SDF designation has not yet been operationalised, but MeitY has signalled that SDF-specific cross-border restrictions are being prepared for notification in advance of the substantive commencement date. When the designation is made, the regulated entities likely to be designated (large banks, insurers, telecom operators, listed platforms) will sit in a three-tier compliance position: sectoral regulator first, DPBI second, SDF-specific obligations third.
The horizontal-on-vertical design is deliberate. The state has chosen not to consolidate data governance under a single regulator in the way the European Union consolidated it under the Data Protection Authority model. Instead, it has added a horizontal privacy layer while preserving the sectoral regulatory machinery that already governed the regulated industries, routed appeals through TDSAT rather than a specialised tribunal, used the SDF designation as the vehicle for algorithmic accountability, and preserved a state-access pathway that operates outside the DPBI. The design reflects an institutional preference that runs across Indian regulation: the state distributes authority across multiple custodians rather than consolidating it in one, and it manages the resulting overlap through the individual company's compliance burden rather than through inter-regulator coordination at the centre. A GDPR-aligned company that reads DPDP as its binding privacy regime has read the layer; it has not read the stack. The compliance project is therefore not a translation exercise from GDPR to DPDP. It is a re-architecting exercise where the DPDP obligations are composed into a compliance posture already shaped by RBI, SEBI, IRDAI, TRAI, CERT-In, and MoHFW, each of which continues to apply on its own terms.