Digital Personal Data Protection Rules 2025 notified; rollout to span 12–18 months

The government on Friday released the long-awaited Digital Personal Data Protection (DPDP) Rules 2025, marking a significant step in India’s data governance framework. The rules, notified under the Digital Personal Data Protection Act 2023, will be implemented in a phased manner over the next 12–18 months.

Framed to give citizens greater control over how their personal information is collected, processed, and used, the rules also provide mechanisms to prevent data misuse and ensure privacy in the digital ecosystem.

While certain provisions take effect immediately, key requirements, such as the registration and obligations of consent managers, mandatory notices from data fiduciaries to individuals prior to processing, and several other compliance norms, will be operationalised gradually.

Officials said the rules are expected to help curb spam calls, prevent unauthorised access to personal data, and strengthen safeguards around video and audio information shared online.

According to the notification, the rules also outline the setting up of a Data Protection Board, which will investigate breaches and impose penalties in line with the parent Act. Under the DPDP Act 2023, data fiduciaries may be fined up to Rs 250 per breach, though a graded penalty system has been incorporated to ease the compliance burden on small businesses.

The rules come nearly eight years after the Supreme Court, on 24 August 2017, affirmed the Right to Privacy as a Fundamental Right. While the framework grants individuals the right to protect and manage their personal data, it also places duties on citizens, including providing accurate information for government documents, avoiding suppression of relevant details, and refraining from filing frivolous complaints. Individuals seeking correction or deletion of data must provide verifiable information to support such requests.

With the new rules in force, citizens will be able to seek redress if their phone numbers or other personal details are leaked, with mechanisms in place to trace the source of unauthorised access and initiate penal action.

However, the rules also specify several exemptions.

Citizen rights may not apply in matters related to enforcing legal rights, complying with court orders, preventing or investigating offences, processing data of individuals overseas who have given consent to a foreign entity, verifying financial details of loan defaulters, or in cases where the Centre grants exemptions to certain data fiduciaries, including start-ups, for implementing government schemes or supporting research and innovation.

Several opposition parties, including the Congress, CPM, RJD, DMK, Shiv Sena (UBT), and the Samajwadi Party, have criticised the DPDP Act for allegedly diluting key provisions of the Right to Information (RTI) Act.

Section 44(3), they argue, restricts public access to government-held information under the pretext of privacy, thereby undermining transparency and democratic accountability.

Critics in Parliament have also claimed that these changes were introduced without adequate debate and consolidate excessive control within the executive.

Civil society groups and privacy advocates have raised broader concerns, arguing that the Act grants sweeping exemptions to the state and could enable disproportionate access to citizen data.

They note the absence of essential user rights such as data portability, the lack of detailed safeguards governing government access to personal information, and vague rules on how individuals can request information about the processing of their data.

The absence of an independent data protection regulator has also fuelled fears of potential mass surveillance and weak institutional oversight.

Industry bodies, including Nasscom, have warned that restrictions on cross-border data transfers may create significant uncertainty for businesses operating in global markets. Companies have also pointed to ambiguous breach notification procedures, unclear consent-management processes, and a one-size-fits-all breach management model that does not account for the severity or impact of incidents.

Start-ups and multinational firms are particularly concerned about compliance burdens stemming from incomplete or hastily framed implementation guidelines. Additionally, experts note a lack of clarity around mechanisms for protecting children’s data and verifying parental consent—an area of rising importance in the digital economy.

With both industry and rights groups seeking further clarity, the rollout of the DPDP Rules 2025 is expected to spark continued debate as India works to balance privacy protections, ease of doing business, and national security considerations in its evolving data governance landscape.