A Deep Dive into the Digital Personal Data Protection Rules, 2025

Introduction to the Digital Personal Data Protection Rules, 2025

On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) announced the implementation of the Digital Personal Data Protection Rules, 2025. These rules bring into effect the Digital Personal Data Protection Act, 2023. The primary aim is to safeguard personal data and ensure the smooth execution of the act, with the Data Protection Board of India (DPBI) leading the enforcement efforts.

Key Objectives and Focus Areas

The core objective of these rules is to protect personal data. The key areas of focus include obtaining consent, reporting breaches, providing information about Data Protection Officers (DPOs), and addressing the needs of children and disabled persons. Additionally, there is a significant emphasis on ensuring Compliance with the rules.

Phased Rollout Plan

The rules are being implemented in phases. Rules 1, 2, and 17–21 are effective immediately, while Rule 4 will be enforced after one year. The remaining rules, 3, 5–16, and 22–23, will become effective 18 months later. This phased approach allows for a smoother transition and ensures all stakeholders are prepared for the changes.

Background and Framework

The DPDP Act, enacted on August 11, 2023, establishes a comprehensive framework for digital personal data protection in India. It defines the responsibilities of Data Fiduciaries and outlines the rights and duties of Data Principals. The act follows the SARAL (Simple, Accessible, Rational, and Actionable) framework, which uses straightforward language and examples to facilitate understanding and Compliance.

Guiding Principles

The act is built upon seven foundational principles: Consent & Transparency, Purpose Limitation, Data Minimisation, Data Accuracy, Storage Limitation, Security Safeguards, and Accountability. These principles guide the implementation of the rules and ensure that personal data is handled with care and responsibility.

Implementation and Privacy Context

The newly introduced rules continue India’s privacy journey, initiated by the Supreme Court judgment in Justice K.S. Puttaswamy v. Union of India (2017), which recognized the Right to Privacy as a fundamental right under Article 21.

Key Provisions of the DPDP Rules, 2025

• Scope: The rules establish procedures, obligations, and safeguards for the collection, processing, storage, and erasure of personal data.
• Consent & Notices: Data Fiduciaries are required to provide clear, itemized notices detailing the personal data collected, its purpose, and withdrawal mechanisms.
• Consent Managers: These managers must register with the Data Protection Board (DPB) to ensure effective oversight.
• Breach Notification: In the event of a data breach, affected users and the DPB must be notified within 72 hours, along with details and mitigation steps.
• Data Retention & Erasure: Personal data should be erased once the purpose is served, with data principals being notified 48 hours in advance.
• Children and Vulnerable Users: Parental or guardian consent is required for children, and targeted advertising is restricted, with certain exemptions.
• Significant Data Fiduciaries: Platforms exceeding specific thresholds must undergo annual audits, perform algorithmic risk assessments, and adhere to government-approved frameworks for cross-border data transfers.

About the Data Protection Board of India (DPBI)

The DPBI consists of a Chairperson and three Members, appointed through search-cum-selection committees. It functions as a digital office to address complaints, enforce data protection norms, and oversee breach reporting.

About the Ministry of Electronics and Information Technology (MeitY)

The current Union Minister is Ashwini Vaishnaw, with Jitin Prasada serving as the Minister of State. Their leadership is crucial in steering India towards enhanced digital data protection.