On 13th November 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection (DPDP) Rules, 2025, operationalizing the Digital Personal Data Protection Act, 2023 (DPDP Act, 2023).
Exam Hints:
- What? Digital Personal Data Protection Rules, 2025 notified (13th Nov 2025)
- Ministry: MeitY
- Implementer: Data Protection Board of India (DPBI)
- Objective: Safeguard personal data, operationalise DPDP Act
- Key Focus: Consent, breach reporting, DPO information, children & disabled persons, SDF compliance
- Phased Rollout: Rules 1, 2, 17–21 (Immediate), Rule 4 (1 year), Rules 3, 5–16, 22–23 (18 months)
Background:
Framework Overview: Enacted on 11 August 2023, the DPDP Act sets up a comprehensive framework for digital personal data protection in India, outlining the obligations of Data Fiduciaries and the rights and duties of Data Principals.
Approach: The Act follows the SARAL( Simple, Accessible, Rational and Actionable) framework, using plain language and examples to make compliance and understanding easier.
Guiding Principles: The Act rests on seven foundational principles: Consent & Transparency, Purpose Limitation, Data Minimisation, Data Accuracy, Storage Limitation, Security Safeguards and Accountability
Phased Implementation:
Rules 1, 2, 17–21: Effective from 13th November 2025 (covering the Data Protection Board’s constitution and procedures).
Rule 4: Effective from 13th November 2026 (Registration and obligations of Consent Managers).
Rules 3, 5–16, 22–23: Effective from 13th May 2027 (18 months later) (covering core obligations like consent, notices, and data breach reporting).
Privacy Context: The rules are a continuation of India’s privacy journey following the Supreme Court (SC) judgment in Justice K.S. Puttaswamy v. Union of India (2017), which declared the Right to Privacy a fundamental right under Article 21.
Key Provisions of DPDP Rules, 2025:
Scope: Establish procedures, obligations, and safeguards for collection, processing, storage, and erasure of personal data.
Consent & Notices: Data Fiduciaries must provide clear, itemised notices detailing personal data collected, purpose, and withdrawal mechanisms (Rule 3).
Consent Managers: Must register with the Data Protection Board (DPB) (Rule 4).
Breach Notification: Notify affected users and DPB within 72 hours with details and mitigation steps.
Data Retention & Erasure: Personal data must be erased once purpose is served; data principals notified 48 hours prior (Rule 9). Logs and essential records retained for a minimum one year.
Children and Vulnerable Users: Verifiable parental/guardian consent required; targeted tracking and advertising of children restricted, with exemptions for schools, healthcare, and emergencies.
Significant Data Fiduciaries (SDFs): Platforms exceeding thresholds must perform annual audits, algorithmic risk assessments, and follow government-approved frameworks for cross-border transfers.
About Data Protection Board of India (DPBI):
Composition: Chairperson and 3 Members, appointed through search-cum-selection committees chaired by the Cabinet Secretary (for Chairperson) and Secretary, MeitY (for Members).
Functions: Operates as a digital office to inquire into complaints, enforce data protection norms, and oversee breach reporting.
About Ministry of Electronics and Information Technology (MeitY):
Union Minister– Ashwini Vaishnaw (Rajya Sabha – Odisha)
Minister of State (MoS)- Jitin Prasada(Constituency- Pilibhit, Uttar Pradesh, UP)
