The government on Friday released the long-awaited Digital Personal Data Protection (DPDP) Rules 2025, marking a significant step in India’s data governance framework. The rules, notified under the Digital Personal Data Protection Act 2023, will be implemented in a phased manner over the next 12–18 months.

Framed to give citizens greater control over how their personal information is collected, processed, and used, the rules also provide mechanisms to prevent data misuse and ensure privacy in the digital ecosystem.

While certain provisions take effect immediately, key requirements, such as the registration and obligations of consent managers, mandatory notices from data fiduciaries to individuals prior to processing, and several other compliance norms, will be operationalised gradually.

Officials said the rules are expected to help curb spam calls, prevent unauthorised access to personal data, and strengthen safeguards around video and audio information shared online.

According to the notification, the rules also outline the setting up of a Data Protection Board, which will investigate breaches and impose penalties in line with the parent Act. Under the DPDP Act 2023, data fiduciaries may be fined up to Rs 250 per breach, though a graded penalty system has been incorporated to ease the compliance burden on small businesses.

The rules come nearly eight years after the Supreme Court, on 24 August 2017, affirmed the Right to Privacy as a Fundamental Right. While the framework grants individuals the right to protect and manage their personal data, it also places duties on citizens, including providing accurate information for government documents, avoiding suppression of relevant details, and refraining from filing frivolous complaints. Individuals seeking correction or deletion of data must provide verifiable information to support such requests.

With the new rules in force, citizens will be able to seek redress if their phone numbers or other personal details are leaked, with mechanisms in place to trace the source of unauthorised access and initiate penal action.

However, the rules also specify several exemptions.