Digital Personal Data Protection (DPDP) Rules, 2025 | Current Affairs | Vision IAS

Digital Personal Data Protection (DPDP) Rules, 2025

23 Dec 2025

In Summary

  • Government notified Digital Personal Data Protection (DPDP) Rules, 2025, operationalizing the DPDP Act, 2023 with a phased compliance period.
  • Rules mandate clear consent notices, data erasure, breach notifications, and special protection for children's data, establishing the Data Protection Board of India.
  • The DPDP Act aims to protect individual privacy and prevent data misuse, though criticisms include broad government exemptions and omitted rights like data portability.

Why in the News?

Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025.

About DPDP Rules, 2025

  • Marks the full operationalisation of Digital Personal Data Protection Act, 2023 (DPDP Act).
  • Ministry: Ministry of Electronics and Information Technology.
  • Implementation timeline: 18-month phased compliance period for organizations to adjust their systems and adopt responsible data practices.

Key Provisions of the rules

Infographic: List of rights provided to citizens under the DPDP Rules, such as the Right to Give/Refuse Consent and the Right to access personal data.

  • Obligations on Data Fiduciaries:
    • Issue standalone consent notices: These must be clear and simple, provide an itemized description and the specific purpose of the personal data, and specify the means by which the Data Principal may withdraw consent.
      • The ease of withdrawing consent must be comparable to ease with which it was given.
    • Erase personal data: If specified purpose is no longer being served (unless legally required to retain it).
      • Personal data and other logs related to processing need to be retained for a minimum period of 1 year from the date of processing, unless longer retention is mandated by law or notification.
    • Issue Personal Data Breach Notification: Informing all affected individuals without delay, explaining what happened, possible impact and steps taken to address the issue.
    • Publish business contact information of designated officer/Data Protection Officer: on the website or app for queries related to personal data.
    • Mandatory Response within 90 Days: for all requests related to access, correction, updating or erasure.
    • Special Protection of children's data: Through verifiable consent from a parent or guardian before processing a child's personal data.
      • Exemption of consent allowed for essential purposes like healthcare, education, and real-time safety and protection of child.
  • Rights and protections for citizens (See infographic).
  • Data Protection Board of India (DPBI): Consisting of 4 members with dedicated portal and mobile application allowing citizens to file and track complaints.
    • Appeals against Board's decisions to be heard by Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
  • Other provisions:
    • Enhanced obligations on Significant Data Fiduciaries (SDFs), including mandatory periodic Data Protection Impact Assessments (DPIA), independent audits once every 12 months, stricter checks while using new or sensitive technologies, etc.
    • Consent Managers to be companies based in India.
    • Special Protection for Persons with Disabilities if they cannot make legal decisions.

About DPDP Act, 2023

  • Aim: To provide a mechanism for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
  • 7 Core Principles: Consent and Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Security Safeguards, and Accountability.
  • Key Definitions
    • Data Principal: Person to whom the data relates
    • Data Fiduciary: Person/company/government entity that processes data
    • Consent Manager: Entity registered with Data Protection Board of India (DPBI) to enable data principals to give, review, and withdraw consent.
  • Applicability: Processing of digital personal data within India (collected digitally or digitized later); processing outside India if offering goods/services in India.
    • Does not apply to: Personal use data, publicly available data.
  • Consent Requirements: Personal data processed only for lawful purposes with Data Principal's consent.
    • Consent not required for: Government benefits/services, medical emergencies (legitimate uses).
  • Data Protection Board of India (DPBI): Monitor compliance and impose penalties.
  • Financial penalties for non-compliance by Data Fiduciaries
    • Up to ₹250 crore in case of failure to maintain reasonable security safeguards. 
    • Up to ₹200 crore for not notifying the Board or affected individuals of a personal data breach; violations of obligations relating to children. 
    • Up to ₹50 crore for any other violation of the Act or Rules.
  • Revises Section 8(1)(j) of the RTI Act: By exempting disclosure of information which relates to personal information.

Need of digital data protection

  • Protection of Individual Privacy: Without safeguards, citizens may face surveillance and profiling by an arbitrary state or Big Tech companies using personal data (biometrics, location, health, financial details).
  • Prevention of Data Misuse & Exploitation: Data can be misused for identity theft, financial fraud, targeted manipulation (ads, elections).
    • E.g., 33,000 additional cybercrime cases were reported in 2023 as compared to 2021 (National Crime Records Bureau (NCRB)).
  • Cyber-security & National Security: Large datasets are targets for hackers and hostile state actors for cyber espionage.
    • E.g., Cybersecurity incidents in India rose from 10.29 lakh in 2022 to 22.68 lakh in 2024.
  • Building trust in digital economy: It will allow India's digital economy to grow in a secure and globally competitive way.
    • India's digital economy accounted for 11.74% of GDP in 2022-23.
  • Safeguarding Vulnerable Groups: Children, elderly, women are more vulnerable to data breaches, online harassment and exploitation.
  • Ethical Use of Emerging Technologies: Ensures non-discrimination, fair algorithms and human oversight.

Criticisms of DPDP Rules, 2025 and DPDP Act, 2023

  • Broad Exemptions: Government can exempt notified agencies from data protection obligations for reasons like "security," "sovereignty," and "public order" without clear oversight mechanisms.
  • Missing Rights: Act omits the right to data portability and the right to be forgotten.
  • Ambiguity in definitions: E.g., "significant data fiduciary" and thresholds for stricter obligations.
  • Compliance Burden and Impact on Innovation: High compliance costs and operational complexity may stifle business growth and innovation in data-heavy businesses.

Other initiatives taken for digital Data protection

  • K.S. Puttaswamy Judgment (2017): Recognized the Right to Privacy as a fundamental right under Article 21 and directed the government to establish a robust data protection framework.
  • Justice B.N. Srikrishna Committee (2017): Examined data protection issues and recommended a comprehensive law for data protection.
  • Digital Information Security in Healthcare Act (DISHA): Framework for healthcare data protection.
  • Computer Emergency Response Team - India (CERT-In): Cybersecurity Directions (April 2022) of CERT-In require reporting incidents of data breach within 6 hours and maintaining security logs.

Conclusion

The DPDP Act and the DPDP Rules mark a major step towards a trustworthy and future‑ready digital environment in India. They clarify how personal data must be handled, strengthen individual rights and fix clear responsibilities on organisations.

RELATED TERMS

Telecom Disputes Settlement and Appellate Tribunal (TDSAT)

A statutory tribunal that hears appeals against decisions made by the Data Protection Board of India. It provides an avenue for redressal for parties aggrieved by the Board's orders.

Accountability

A key principle in data protection, requiring data fiduciaries to be responsible for and demonstrate compliance with data protection laws and policies. This includes implementing robust security measures and internal processes.

Data Minimisation

A core principle of data protection, emphasizing that only personal data that is necessary for a specific, defined purpose should be collected and processed. This helps reduce the risk of data misuse and breaches.
