Digital Personal Data Protection (DPDP) Rules, 2025


Context

  1. The Ministry of Electronics & IT (MeitY) has notified the DPDP Rules, 2025, giving operational effect to parts of the Digital Personal Data Protection Act (DPDP Act), which received the President’s assent in August 2023 but could not be enforced until rules were framed.
  2. With this notification, India’s statutory privacy framework becomes partly operational for the first time since the Supreme Court recognised privacy as a fundamental right in 2017 (Puttaswamy).

What is the DPDP Act and Rules?

  1. The DPDP Act is India’s law on digital personal data. It sets out rights for individuals (called data principals) and obligations for the entities that decide how that data is collected and used (called data fiduciaries).
  2. The DPDP Rules, 2025 prescribe the procedures, timelines and institutional arrangements through which the Act is implemented in practice.

Which parts of the DPDP Act are active now, and which are delayed?

  1. Active now: The provisions establishing the Data Protection Board (DPB) and other administrative parts of the rules are in force. The government has notified that the DPB will have four members and be headquartered in New Delhi.
  2. Delayed (12–18 months): The core user-facing protections, namely informed consent, purpose limitation (using data only for the stated purpose) and mandatory breach notification to affected users, take effect only after a transition period of up to 18 months. This gives organisations time to build the consent, notice and incident-response processes the rules require.

Who is a data fiduciary?

  1. A data fiduciary is any person or entity (private or public) that, alone or with others, determines the purpose and means of processing personal data. An entity that processes data only on a fiduciary’s behalf is a data processor, and the fiduciary remains responsible for it.
  2. The framework provides for a category of “significant data fiduciary”, designated by the Central Government, for entities handling large volumes or sensitive kinds of data, or whose processing poses risks to national security, electoral democracy or public order. Such entities face additional obligations.
  3. Large technology firms (Meta, Google, Apple, Microsoft, Amazon) are expected to be designated as significant data fiduciaries.

What is data localisation under these rules?

The rules empower the Centre to specify kinds of personal data and related traffic data that significant data fiduciaries may process only in India and may not transfer outside the country. A government committee will recommend which categories of data fall under this restriction. In effect, this is a data localisation requirement, though one that applies only to designated entities and designated data, not to all personal data.

How are children’s data and parental consent handled?

  1. Companies must obtain verifiable consent from a parent or lawful guardian before processing a child’s personal data.
  2. The government deliberately did not prescribe a single verification method; companies may adopt the mechanism that suits their service, so long as it can actually establish that the consenting person is an adult and the child’s parent or guardian.
  3. Targeted advertising directed at children and behavioural tracking of children are generally prohibited, though limited processing needed to keep children safe is permitted.

What happens in a data breach?

  1. On becoming aware of a breach, a fiduciary must inform each affected individual “without delay” about the nature, extent, timing and location of the breach, its likely consequences, and the mitigation steps taken. The fiduciary must also inform the Data Protection Board, with a detailed report to follow within 72 hours (or such longer period as the Board allows).
  2. Failure to maintain reasonable security safeguards may attract a penalty of up to ₹250 crore; failure to notify the Board or affected individuals carries a separate penalty of up to ₹200 crore.

Security and transparency duties

  1. Data fiduciaries must implement reasonable security safeguards, such as encryption, access control, monitoring and review of access logs to detect unauthorised access, backups that allow processing to continue after a compromise, and vulnerability assessments. The rules also require logs to be retained for at least one year so that breaches can be detected and investigated, and require equivalent safeguards to be imposed on data processors by contract.
  2. They must also give users a clear, standalone notice listing the personal data collected, the specific purpose of processing, and the goods or services enabled by that processing, along with the means to withdraw consent and to complain to the Board.

Government exemptions & RTI change — why controversial?

  1. The DPDP Act contains broad exemptions allowing government agencies to process personal data on grounds such as national security, foreign relations and public order, without the consent and notice obligations that bind private fiduciaries.
  2. The Act also amends section 8(1)(j) of the RTI Act, and the notification brings that change into force: “personal information” is now exempt from disclosure without the earlier test of whether disclosure serves a larger public interest, which restricts access to information about public officials.
  3. Critics worry that these measures weaken transparency and increase the risk of unchecked state access to personal data.

Why Do the Rules Matter?

  1. Supreme Court ruling (Puttaswamy, 2017): Privacy was declared a fundamental right, creating a constitutional need for a statutory framework to protect it.
  2. Digital expansion: Citizens now share far more personal information online (finance, health, location), increasing risks of misuse.
  3. Global standards & trade: A domestic law helps India align with international norms (e.g., GDPR) and supports cross-border digital trade — though localisation complicates this.
  4. Security and democratic concerns: The state cites electoral integrity, sovereignty and public order as reasons to control certain data flows.
  5. Rising cyber threats: Frequent breaches and misuse of data underline the need for breach notification, security standards, and enforcement.

How the Rules Work?

  1. Institutional setup: The Data Protection Board (DPB) adjudicates complaints, imposes penalties and supervises compliance.
  2. Phased implementation: A transition period (12–18 months) delays certain user rights so that firms can prepare systems and processes.
  3. Significant fiduciary rules: Entities handling sensitive or large volumes of data face stricter controls and possible localisation of specified data.
  4. Parental consent framework: Firms must design verifiable ways to obtain a parent’s or guardian’s permission before processing a child’s data.
  5. Breach handling: Notification to affected users and to the Board is mandatory, with penalties for failure.
  6. Security requirements: Encryption, access control, monitoring, log retention and backups become mandatory practices.
  7. Transparency rules: Clear notices to users about what data is collected and why.

What do DPDP Rules imply for citizens, industry and the State?

  1. For citizens: Stronger legal protection over personal data is on the way. Once the consent and breach-notice rules are active, individuals will have clearer control over, and information about, how their data is used. But the government exemptions and the RTI change may reduce transparency in some cases.
  2. For industry: Higher compliance costs, especially for multinational firms, because of localisation, security upgrades, breach-response systems and notice requirements. Smaller firms may struggle more.
  3. For the State: A stronger regulatory framework and an adjudicatory body (DPB) increase the state’s ability to enforce the rules, but broad exemptions may tilt the balance toward state power unless they are checked.
  4. International trade: Data localisation could complicate cross-border services and negotiations with trading partners, though the rules signal India’s intent to control critical data flows.
  5. Child safety online: Parental consent and limits on targeted advertising improve protection for minors, but practical verification challenges remain.

Challenges & Way Forward

Challenge | Practical way forward
Phased activation of rights | Issue detailed timelines, frequent public updates, and interim guidance for users
Data localisation friction | Keep localisation narrow, allow vetted cross-border mechanisms, and publish clear criteria
Broad government exemptions | Add judicial oversight, public-interest tests, and regular transparency reports
RTI amendment and transparency loss | Build carve-outs allowing disclosure when public interest is proven; independent review panels
Verification of parental consent | Develop national age-verification standards or interoperable consent frameworks
Compliance burden on MSMEs | Provide toolkits, fintech-style compliance-as-a-service, and subsidised technical support
Enforcement capacity | Invest in DPB staffing, build regional desks, adopt digital monitoring and grievance portals
Security preparedness | Mandate periodic audits, threat-testing and minimum security standards; provide help for upgrades

Conclusion

The DPDP Rules, 2025 are a major step toward protecting citizens’ digital privacy. But the law’s real impact will depend on how quickly the delayed rights are implemented, whether the government exemptions are tightly checked, and how effectively the DPB enforces the rules. Balanced, transparent implementation and targeted support for small firms will be crucial to making the law both rights-protecting and practical.

EnsureIAS Prelims Question

Q. Consider the following statements:

1.   The DPDP Rules, 2025 require the Centre to identify categories of personal and traffic data that significant data fiduciaries can process only within India (i.e., data localisation).

2.   The DPDP Rules made the requirement for informed consent and user breach notification effective immediately on notification.

Choose the correct answer:
 A. 1 only
 B. 2 only
 C. Both 1 and 2
 D. Neither 1 nor 2

Answer: A. 1 only

Explanation:

Statement 1 is correct: The DPDP Rules, 2025 empower the Centre to designate kinds of personal data and traffic data that must remain within India when processed by significant data fiduciaries. A government committee will recommend these categories; this is effectively a data-localisation measure meant to protect sovereignty and integrity.

Statement 2 is incorrect: The rules postpone the core user protections, including informed consent, purpose limitation and formal breach notification to users, for a transition period of 12–18 months. These protections become operational only after that period, not immediately upon notification.

EnsureIAS Mains Question

Q. Explain the key features of the DPDP Rules, 2025. Assess the trade-offs between data localisation, citizen privacy and India’s digital economy, and suggest institutional safeguards to ensure both privacy protection and transparency. (250 Words)
