The government of India has formally notified the Digital Personal Data Protection (DPDP) Rules, 2025, bringing the DPDP Act, 2023, into full operational effect. With this step, India now moves toward a comprehensive legal framework governing the collection, processing, and protection of digital personal data.
The DPDP Act, passed by Parliament in August 2023, lays down the duties of “Data Fiduciaries” — entities that collect or process personal data — and the rights of citizens, termed “Data Principals.” Built on seven core principles, including consent, transparency, purpose limitation, and data minimization, the legislation aims to safeguard individual privacy while enabling responsible digital innovation.
According to the Ministry of electronics and information technology, the Rules were framed following extensive public consultations. Inputs were gathered from startups, MSMEs, civil society organisations, and government bodies through multiple stakeholder meetings and town-hall discussions held in major cities.
The newly notified Rules outline a phased implementation plan, granting organisations up to 18 months to comply. They mandate clear and simple consent notices, require breach notifications in user-friendly language, and impose stricter safeguards for children and persons with disabilities. Consent managers — intermediaries that help users manage data permissions — must be incorporated in India.
Significant Data Fiduciaries will be subject to additional obligations, including regular data audits and risk assessments, especially when dealing with sensitive or high-impact technologies. Citizens will be able to access, correct, update, or request deletion of their personal data, with fiduciaries required to respond within 90 days.
Oversight will be handled by the newly established Digital Data Protection Board of India, designed to allow citizens to file and track grievances online. Appeals against the Board’s decisions will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Officials said the new rules strike a balance between protecting individual privacy and maintaining a compliance system that does not burden smaller businesses. The government expects the framework to strengthen trust in the digital ecosystem while supporting continued growth in India’s technology sector.
Journalists, however, have feared that the Act would deter them from doing their work in a free, fair, and smooth manner. According to the new rules, accessing individual information is a violation of the Right to Privacy, and journalists feel this could stand directly in the way of their work. There is a penalty clause of up to Rs 250 crore against an individual or entity for violation of rules, and that is one of the biggest concerns of journalists.
