Date: – 13.11.2025
The Ministry of Electronics and Information Technology (MeitY) on November 13, 2025 notified the Digital Personal Data Protection Rules 2025, framed under the Digital Personal Data Protection Act 2023, a significant step towards protection of data privacy.
The Digital Personal Data Protection Act, 2023, enacted in response to the Supreme Court’s landmark privacy ruling in Justice K.S. Puttaswamy v. Union of India (2017), establishes India’s first comprehensive framework for safeguarding informational privacy. The Act articulates core principles such as consent-based data processing, rights of individuals (Data Principals), and obligations of Data Fiduciaries, but leaves operational details to be prescribed by delegated legislation. The Digital Personal Data Protection Rules, 2025 formally notified by MeitY on 13 November 2025. The Rules would be enforced in Phases.
- Basic provisions (Rules 1, 2, 17–21) take effect immediately;
- The registration framework for Consent Managers (Rule 4) begins after one year;
- And the remaining detailed compliance obligations (Rules 3, 5–16, 22–23) start 18 months later.
These Rules create the practical machinery required for implementation of the Act. They prescribe clear notice and consent requirements, data retention limits, breach reporting duties, and erasure obligations, while also establishing standards for processing data for government benefits and public services. They mandate minimum security safeguards such as encryption, access controls, and logging; require advance notice before deletion; and ensure verifiable consent mechanisms for children and persons with disabilities. The Rules also regulate cross-border data transfers, designate responsibilities of Data Protection Officers, set up the registration and conduct standards for Consent Managers, and exempt specific fiduciaries and sectors where necessary.
To enforce compliance, the Rules operationalise the Data Protection Board as a fully digital adjudicatory body with defined procedures for inquiries, emergency orders, conflict-of-interest safeguards, and appeals to the Appellate Tribunal. Together, the DPDP Act and its 2025 Rules form India’s first integrated, modern privacy framework balancing individual rights, technological realities, and government service delivery, thus giving real-world effect to the constitutional right to privacy under Article 21.
