India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, completing the operationalisation of the Digital Personal Data Protection Act, 2023. Together, the Act and the Rules establish India’s first comprehensive, citizen-centric framework for governing digital personal data. The framework balances individual privacy rights with lawful data processing and innovation needs, aiming to strengthen trust in India’s rapidly expanding digital economy while ensuring accountability of data-handling entities.
The Rules are notable for their participatory formulation. The Ministry of Electronics and Information Technology conducted nationwide consultations across major cities, involving startups, MSMEs, industry bodies, civil society organisations, government departments and citizens.
- 6,915 public inputs were received
- Several provisions—such as phased implementation and plain-language consent—were refined based on stakeholder feedback
This consultative process lends democratic legitimacy and practical feasibility to the framework.
“Privacy is not merely a statutory entitlement but an intrinsic part of the right to life and personal liberty.” — Supreme Court of India, Puttaswamy judgment
Core legal and institutional framework
The DPDP Act, enacted on 11 August 2023, provides the statutory foundation and follows the SARAL approach—Simple, Accessible, Rational and Actionable—using plain language to reduce compliance ambiguity.
Key principles guiding data processing include:
- Consent and transparency
- Purpose limitation
- Data minimisation
- Accuracy and storage limitation
- Security safeguards
- Accountability
Important institutional definitions:
- Data Fiduciary: Entity deciding the purpose and means of data processing
- Data Processor: Entity processing data on behalf of a Data Fiduciary
- Data Principal: Individual to whom the data relates
- Consent Manager: Interoperable platform enabling consent management
- Appellate authority: Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
The Data Protection Board of India is established as an independent, digital-first enforcement body to:
- Inquire into breaches
- Enforce compliance
- Impose penalties and corrective measures
Operational features introduced through the Rules
The DPDP Rules, 2025 convert statutory principles into enforceable procedures:
- Phased compliance:
  - 18-month transition period for organisations to align systems
- Consent architecture:
  - Separate, clear, purpose-specific consent notices
  - Consent Managers must be India-based entities
- Breach response mechanism:
  - Mandatory, prompt notification to affected individuals
  - Disclosure in plain language explaining impact and remedies
- Enhanced accountability for Significant Data Fiduciaries:
  - Independent audits
  - Data Protection Impact Assessments
  - Additional safeguards for new or sensitive technologies
- Time-bound rights enforcement:
  - All data access, correction, update or erasure requests to be resolved within 90 days
Rights of individuals under the framework
The Rules place the individual at the centre of data governance by operationalising enforceable rights:
- Right to give or withdraw consent at any time
- Right to know how and why personal data is used
- Right to access personal data
- Right to correction, updating and erasure
- Right to nominate another person to exercise rights
- Right to timely information during data breaches
Special protections are provided for:
- Children: Verifiable parental consent mandatory, except for essential services such as healthcare or education
- Persons with disabilities: Consent through verified lawful guardians where independent decision-making is not possible
Penalty and deterrence structure
The framework introduces a graded and proportionate penalty regime:
- Up to ₹250 crore for failure to maintain reasonable security safeguards
- Up to ₹200 crore for failure to notify data breaches or violations involving children
- Up to ₹50 crore for other violations
This design emphasises deterrence with accountability, rather than criminalisation.
Examples of how the policy works in practice
- If a digital platform suffers a data breach, it must promptly inform affected users, explain potential harm, and provide support contact details.
- A citizen can request deletion of outdated personal data from an online service, and the entity must respond within ninety days.
- Parents must provide verifiable consent before a child’s personal data is used for non-essential digital services.
- Complaints regarding misuse of data can be filed online through the Data Protection Board’s portal and tracked digitally.
Historical background and constitutional linkage
India’s data protection regime evolved from sector-specific IT rules to a rights-based framework following the Supreme Court’s recognition of privacy as a fundamental right in 2017. The DPDP framework codifies this constitutional principle while resolving long-standing tensions between transparency and privacy.
Amendments to Section 8(1)(j) of the RTI Act align disclosure norms with privacy safeguards, while Section 8(2) continues to allow disclosure in cases of overriding public interest. This ensures that transparency and privacy coexist rather than conflict.
Global comparisons and positioning
India’s approach reflects global best practices while retaining contextual flexibility:
- European Union (GDPR): Strong consent and rights-based model; India mirrors rights but adopts lighter compliance for MSMEs
- United States: Sector-specific privacy laws; India opts for a unified national framework
- United Kingdom: Independent data regulator with strong enforcement; India adopts a digital-first enforcement model
- Singapore: Business-friendly data protection regime; India similarly balances innovation with safeguards
India’s framework stands out for its phased implementation, plain-language drafting, and consultative policymaking, making it suitable for a diverse and rapidly digitising economy.
Concluding perspective
The Digital Personal Data Protection Act and the DPDP Rules mark a decisive shift in India’s digital governance architecture. By embedding constitutional values of privacy, accountability and proportionality into enforceable procedures, the framework supports a secure, transparent and innovation-friendly digital ecosystem. With wide public consultation and institutional clarity, India positions itself as a responsible digital power where citizen trust becomes the foundation of digital growth.
