The Union government has
notified the Digital Personal Data Protection (DPDP) Rules, 2025, a crucial framework that gives operational shape to the Digital Personal Data Protection Act, 2023. The move marks a significant step in India’s long-awaited data privacy overhaul and advances compliance with the Supreme Court’s 2017 KS Puttaswamy ruling, which affirmed the right to privacy as a fundamental right and called for a robust data protection regime.
The ministry of electronics and information technology
(MeitY) issued four gazette notifications on Thursday, concurrently bringing large parts of the DPDP Act into force. The Rules came nearly 10 months after the government held public consultations on the draft framework in January this year.
Under the new Rules, data fiduciaries, entities that determine why and how personal data is processed, are required to adopt appropriate technical and organisational safeguards before processing the personal data of children.
Crucially, the Rules require a data fiduciary to obtain the consent of a child’s parent before initiating any data processing activity. The government has underscored that child safety and consent management remain central pillars of the new regulatory architecture.
Further, the Rules set additional obligations for significant data fiduciaries (SDFs). These entities, which may be notified by the Union government based on the volume and sensitivity of data handled and the potential risk to the rights of data principals (individuals whose data is being processed), must carry out annual data protection impact assessments and audits. These requirements aim to ensure that entities dealing with large-scale or high-risk data maintain heightened levels of compliance and accountability.
The DPDP Rules also outline the creation of a search-cum-selection committee tasked with appointing members of the Data Protection Board of India (DPBI). A separate notification issued on Friday specifies that the
DPBI will comprise four members. The Board is empowered to conduct digital inquiries into data breaches, adjudicate complaints and impose penalties on erring entities. It is expected to function entirely online, improving accessibility and reducing procedural delays.
Another key provision concerns the transfer of personal data outside India. The Rules permit data fiduciaries to transfer personal data overseas, subject to restrictions that may be imposed by the Central government. This approach departs from earlier drafts that proposed stringent data localisation norms, making the regime comparatively more acceptable to global technology companies.
The phased implementation timeline gives industry stakeholders time to adapt. While certain amendments—including limitations on the disclosure of personal information under the Right to Information Act, 2005—take immediate effect from Friday, several core compliance requirements come into force only over the next two years. Data fiduciaries will have until November 2026 to publish details of their designated data protection officers (DPOs) and operationalise the consent manager framework, which will allow users to exercise rights related to data access, correction and deletion through authorised intermediaries.
By May 2027, the full force of the Act will apply to larger technology companies classified as SDF, completing the transition to the new digital privacy regime.
The DPDP Act, 2023, represents the culmination of a legislative process that began in 2017 and saw three major draft versions across successive governments. The first draft in 2018 proposed strict data localisation requirements that faced stiff resistance from global tech companies. The 2023 version, by contrast, adopted a more flexible approach, focusing on user rights, compliance mechanisms and proportional obligations for high-volume data handlers.
With the notification of the DPDP Rules, 2025, India now enters a defining phase of its digital governance journey. The coming months will shape how the country balances user privacy, innovation and state oversight in the digital era.
You may also want to read…
