The Digital Personal Data Protection Act, 2023 (DPDP Act), was enacted by the Indian Parliament on August 11, 2023, to establish a comprehensive framework for safeguarding digital personal data. It recognizes the right to privacy as a fundamental right, following the Supreme Court’s 2017 Puttaswamy judgment. The DPDP Rules, 2025, notified by the Ministry of Electronics and Information Technology (MeitY) on November 14, 2025, operationalize the Act, providing detailed guidelines for compliance.
These rules adopt a “SARAL” (Simple, Accessible, Rational, and Actionable) design, using plain language to make them user-friendly for citizens, businesses, and regulators. The framework balances privacy protection with innovation, particularly supporting startups and MSMEs through exemptions and phased implementation.
The rules were shaped by extensive public consultations held in cities like Delhi, Mumbai, and Bengaluru, incorporating feedback from industry, civil society, and government bodies. They emphasize seven core principles: consent and transparency, purpose limitation, data minimization, accuracy, storage limitation, security safeguards, and accountability.
Implementation Timeline
• Notification Date: November 14, 2025.
• Phased Compliance: Organizations have 12-18 months to fully comply, allowing a smooth transition. Core obligations (e.g., privacy notices, consent, security safeguards, children’s data handling) take effect 18 months after notification. Consent manager registration and Data Protection Officer (DPO) appointments for significant data fiduciaries take effect after 12 months.
• Immediate Actions: Formation of the Data Protection Board of India (DPBI) is underway, functioning as a digital entity with online complaint filing via a dedicated platform and mobile app.
• Appeals: Decisions by the DPBI can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Key Rights of Data Principals (Individuals)
Data principals (individuals whose data is processed) gain enhanced control:
• Access and Correction: Right to access, correct, update, or erase personal data. Requests must be responded to within 90 days.
• Nomination: Individuals can nominate another person to exercise these rights on their behalf (e.g., in case of incapacity).
• Consent Management: Through registered Consent Managers (Indian entities), users can centrally manage, withdraw, or review consents across platforms, similar to smartphone permission settings.
• Breach Notification: Immediate alerts in plain language about data breaches, including nature, impact, remedial steps, and contact details.
• Erasure After Inactivity: Data must be deleted after one year of user inactivity (with 48-hour notice), unless legally required.
Special protections apply to vulnerable groups:
• Children (under 18): Verifiable parental/guardian consent required for data processing; exemptions for healthcare, education, and child safety. No tracking for advertising.
• Persons with Disabilities: Consent from lawful guardians if the individual cannot decide independently.
Obligations of Data Fiduciaries (Entities Handling Data)
Data fiduciaries (e.g., companies, government bodies) must adhere to strict standards:
• Consent Requirements: Obtain “free, specific, informed, unconditional, and unambiguous” consent via clear notices explaining data collected, purpose, and usage. Notices must be standalone and in plain language. Withdrawal of consent must be as easy as granting it.
• Data Handling: Limit collection to what’s necessary (data minimization); ensure accuracy; delete data once purpose is fulfilled or after storage limits.
• Security Measures: Implement access controls, encryption, firewalls, and regular audits. Significant data fiduciaries (e.g., large platforms handling sensitive data) face enhanced duties like impact assessments, independent audits, and technology due diligence.
• Transparency: Publish contact details (e.g., DPO) for queries. Notify users before data erasure.
• Breach Reporting: Report breaches without delay to affected users and the DPBI.
• Children’s Data: Prohibitions on behavioral tracking or targeted ads for minors.
• Exemptions: Limited for startups in government schemes, research, or innovation; also for legal enforcement, court orders, or offense prevention.
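The storage-limitation, notify-before-erasure and inactivity-erasure duties listed above (and the “Erasure After Inactivity” right in the previous section) are the kind of rule a fiduciary ends up encoding in a retention scheduler. The following is an added Python example written for this page, not code from MeitY or from any DPDP tooling; the record fields, principal identifiers, the 365-day reading of “one year”, the notice wording and the legal-hold flag are all assumptions used for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds as summarized on this page: erase after one year of inactivity,
# with 48 hours' notice before erasure. Whether "one year" means 365 or 366 days
# is not specified; 365 is an assumption here.
INACTIVITY_LIMIT = timedelta(days=365)
NOTICE_PERIOD = timedelta(hours=48)

# Constructed reference time used by the sample data below.
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class PersonalDataRecord:
    principal_id: str                 # constructed identifier, not a real person
    last_activity: datetime
    purpose_fulfilled: bool = False   # data no longer needed for its stated purpose
    legal_hold: bool = False          # retention required by law overrides erasure
    notice_sent_at: Optional[datetime] = None


def decide(record: PersonalDataRecord, now: datetime) -> str:
    """Return one of 'hold', 'retain', 'notify', 'wait', 'erase' for a record."""
    if record.legal_hold:
        return "hold"                      # legally required retention wins
    inactive = (now - record.last_activity) >= INACTIVITY_LIMIT
    if not inactive and not record.purpose_fulfilled:
        return "retain"                    # still in active, purposeful use
    if record.notice_sent_at is None:
        return "notify"                    # erasure is due, but notice comes first
    if (now - record.notice_sent_at) >= NOTICE_PERIOD:
        return "erase"                     # the 48-hour notice period has elapsed
    return "wait"                          # notice sent, clock still running


def build_notice(record: PersonalDataRecord, now: datetime) -> dict:
    """Plain-language pre-erasure notice (assumed wording, not official text)."""
    reason = ("your account has been inactive for more than one year"
              if (now - record.last_activity) >= INACTIVITY_LIMIT
              else "the purpose for which we collected your data has been fulfilled")
    return {
        "to": record.principal_id,
        "erase_after": (now + NOTICE_PERIOD).isoformat(),
        "message": f"We will erase your personal data because {reason}. "
                   f"Sign in or contact us within 48 hours to keep it.",
    }


def run_retention_cycle(records, now):
    """One scheduler pass. Returns (surviving records, list of (id, action))."""
    survivors, actions = [], []
    for record in records:
        action = decide(record, now)
        actions.append((record.principal_id, action))
        if action == "notify":
            build_notice(record, now)      # hand-off point for the messaging channel
            record.notice_sent_at = now
        if action != "erase":
            survivors.append(record)
    return survivors, actions


def sample_records(now: datetime):
    """Constructed sample data covering each branch of decide()."""
    return [
        PersonalDataRecord("p-active", now - timedelta(days=30)),
        PersonalDataRecord("p-dormant", now - timedelta(days=400)),
        PersonalDataRecord("p-dormant-noticed", now - timedelta(days=400),
                           notice_sent_at=now - timedelta(days=3)),
        PersonalDataRecord("p-dormant-fresh-notice", now - timedelta(days=400),
                           notice_sent_at=now - timedelta(days=1)),
        PersonalDataRecord("p-on-hold", now - timedelta(days=400), legal_hold=True),
        PersonalDataRecord("p-purpose-done", now - timedelta(days=1),
                           purpose_fulfilled=True),
    ]


if __name__ == "__main__":
    remaining, first_pass = run_retention_cycle(sample_records(NOW), NOW)
    print("first pass:", first_pass)
    remaining, second_pass = run_retention_cycle(remaining, NOW + NOTICE_PERIOD)
    print("second pass:", second_pass)
    print("still stored:", [r.principal_id for r in remaining])
```

Running two passes 48 hours apart shows the intended sequencing: the first pass only notifies dormant and purpose-fulfilled records, the second pass erases them, and the legal-hold record survives both. The legal-hold check sits first on purpose so that a notice is never sent for data the fiduciary is not allowed to delete.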
Cross-Border Data Transfers
Personal data can be transferred outside India unless restricted by the government (e.g., for national security). Consent is required for transfers to foreign entities, with flexibility for scenarios like overseas contracts or user-initiated requests.
Data Protection Board (DPBI)
• A subordinate body under MeitY with at least four members.
• Handles inquiries, imposes penalties, and promotes compliance through digital tools.
• Fully online operations for filing/tracking complaints, ensuring efficiency and transparency.
Penalties and Enforcement
• Fines: Up to ₹250 crore per violation, graded by severity (e.g., ₹10,000 minimum for minor issues). The DPBI assesses penalties based on the nature of the breach, the harm caused, and the fiduciary’s size, which protects small businesses.
• Enforcement Focus: Targets misuse like spam calls, unauthorized leaks (e.g., phone numbers), and breaches. Citizens can trace and report leakers for action.
Criticisms and Limitations
While praised for empowering citizens and fostering trust, the rules have drawn concerns:
• Lack of mandatory disclosure on data recipient categories, retention periods, or detailed cross-border flows, potentially limiting transparency.
• Amendments made by the DPDP Act, 2023 to the Right to Information (RTI) Act remove the public interest override for disclosure of personal data, which critics (e.g., MKSS and NCPRI) argue could hinder social audits and efforts to expose official misconduct.
• Some view the framework as less stringent than GDPR in areas like mandatory impact assessments for all fiduciaries.
For the full official text, refer to the MeitY website: DPDP Rules, 2025. Businesses should prepare for compliance audits and consent overhauls to avoid penalties. This framework positions India’s digital economy as privacy-resilient while supporting growth.