Digital Personal Data Protection (DPDP) Rules 2025- Explained

Introduction

The Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, 2025 together create framework for personal data in the digital space. They set duties for data fiduciaries, give rights to users, create an enforcement board, and change the RTI regime, while raising concerns about transparency, executive control, long transition periods and the balance between privacy and accountability.The Act was passed in August 2023 after draft Rules were issued for consultation in January and later notified on 14 November 2025. Digital Personal Data Protection (DPDP) Rules 2025.

Key Features of Digital Personal Data Protection (DPDP) Rules, 2025

1. Fair processing, notice and consent: Data fiduciaries must use access control, encryption and security audits, and give notices on what data is taken and why. Processing starts only after clear, informed consent, and a Consent Manager lets people manage permissions across services.
2. User rights, deletion and DPO: Users can access, correct, erase or delete their data, and firms must delete stored data after a period of inactivity. Large firms must appoint a Data Protection Officer (DPO) to monitor compliance.
3. Children’s data and parental tracking: The framework restricts targeted advertising and certain data collection relating to children, but allows an exemption so parents can track their children’s location.
4. Breach reporting, penalties and transition: Data breaches must be reported as soon as possible. Penalties for non-compliance range from ₹10,000 to ₹250 crore.
5. Transition: Firms get up to 18 months to comply, with some duties, like appointing DPOs, taking effect after one year.
6. Data Protection Board of India: The law creates the Data Protection Board of India as a four-member subordinate office of MeitY. It oversees implementation of the framework and acts against erring data fiduciaries.
7. RTI and IT Act changes: The law deletes the public-interest safeguard in Section 8(1)(j) of the RTI Act, letting authorities refuse more “personal information” requests.

Concerns Related to DPDP Rules, 2025

1. RTI weakening: Section 8(1)(j) of the RTI Act, 2005 allowed public bodies to refuse “personal information” but required disclosure when public interest existed. The DPDP Act removes this safeguard, letting government organisations define information as personal and refuse disclosure even in the public interest.
2. Lack of independent regulator: Composition and appointment of the Data Protection Board are heavily controlled by the executive, which critics say “deepens executive control” instead of creating an independent data protection authority.
3. Vague definitions: Key terms like “significant data fiduciary” and thresholds for stricter obligations remain ambiguous.
4. localisation risk: Trade bodies also flagged that the draft rules introduce potential data-localisation style restrictions and broad government access, which could disrupt cross-border data flows and business models.
5. Phased implementation and delay in rights: Many important rights and obligations under the DPDP framework will become fully operational only after a long transition period (around 18 months). This delays actual protection for users and gives data fiduciaries more time without strict compliance.
6. Concerns over consultation process: Civil society groups have flagged that consultations around the Rules were limited and appeared skewed towards industry participation. They argue that broader, multi-stakeholder engagement (civil society, academia, technical experts, consumer groups) was needed for such a rights-impacting framework.

Way forward

1. Build steady awareness and training: Teach citizens, businesses and public officials about data rights, duties, consent, grievance options and breach reporting through continuous programmes and simple guidance.
2. Promote Data Protection Impact Assessments (DPIAs): Use DPIAs for high-risk processing at an early stage to spot privacy risks and change systems before they harm users.
3. Strengthen enforcement and compliance: Give the Data Protection Board enough staff, technical support and clear rules so that probes are quick and penalties really deter violations.
4. Ensure strong quality checks: Require regular security and compliance audits, inspections and reliable certification schemes for organisations that follow DPDP standards.
5. Make the system truly user-centric: Keep consent notices short and clear, make withdrawal and correction of data simple, and ensure Consent Managers and grievance systems are easy to use.
6. Keep the framework flexible: Review and update Rules from time to time so they keep pace with AI, IoT and cross-border data flows without weakening core safeguards.
7. Use technology to protect privacy: Support privacy-enhancing tools in encryption, anonymisation and secure processing so that innovation and data protection grow together.
8. Protect transparency and accountability: Re-examine the RTI amendment with civil society and social audit groups so data protection does not block public-interest disclosure or checks on public spending.

Conclusion

The DPDP Rules, 2025 operationalise the Act by detailing consent, user rights, security duties, penalties and oversight through the DPBI. At the same time, the RTI amendment and concerns over Board design, localisation risk and delays in enforcement show that India’s new data regime must still balance privacy with transparency and accountability.

For detailed information on Digital Personal Data Protection Rules 2025 read this article here

Question for practice

Discuss how the Digital Personal Data Protection Rules, 2025 seek to protect user data and what concerns have been raised regarding their implementation and impact on transparency.

Source: The Hindu