New Delhi: India officially operationalised its first data protection regime Friday with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. The Rules give shape to the Digital Personal Data Protection Act, 2023, defining how personal data can be collected, processed, stored and deleted.
For the first time, platforms will have to follow verifiable consent norms, report data breaches, restrict sharing of data with third parties and comply with the decisions of a dedicated government-nominated Data Protection Board.
Together, the Act and Rules mark India’s first major attempt to structure a formal privacy framework eight years after the Supreme Court, in the Justice K.S. Puttaswamy (2017) judgment, recognised privacy as a fundamental right.
The government has opted for a phased rollout. The first tranche of provisions, mainly definitions and the institutional setup for the Data Protection Board, comes into effect immediately. The board will comprise four members and will be tasked with overseeing the “efficient discharge” of the privacy law.
The second layer, which includes the registration system and duties of Consent Managers, will become operational only in November 2026. These intermediaries are expected to provide standardised consent dashboards and act as interfaces between platforms and users.
The rest of the compliance architecture is scheduled to take effect 18 months after notification, in May 2027. This includes obligations relating to privacy notices, data processing standards, security measures, deletion protocols, grievance redress, and appeals.
While some experts have lauded the rollout of rules and structured privacy protection, civil society groups insist that many concerns raised during the consultation process have not been incorporated.
How final Rules differ from draft
The Rules issued now are in many respects similar to the January draft, but several structural changes stand out.
One major shift is the separation of obligations relating to children’s data and the data of adults with certain disabilities. The draft had clubbed these categories in a single provision. Rule 10 of the final version now deals exclusively with children, carrying forward the draft’s verification methods and illustrations.
A new Rule 11, meanwhile, separately regulates processing for adults who are legally incapable of making decisions even with assistance.
Another change concerns the clause on national security-related confidentiality. In the draft, this appeared within a broader provision under which the government could seek information from data fiduciaries, the entities that collect and use personal data.
The final Rules move this into a standalone sub-rule, Rule 23(2), and add a clause that gives the state a greater say where information sought by a private party from an intermediary could prejudice national security or the sovereignty and integrity of India. In such a scenario, the platform cannot disclose the information without the government’s prior permission.
Mandatory 1-year retention
The breach notification norms remain largely unchanged from the draft. Fiduciaries must inform affected users “without undue delay” and report to the Data Protection Board within 72 hours. However, one major departure is the introduction of a mandatory one-year data retention requirement.
In the draft, only logs or personal data needed to detect unauthorised access had to be preserved.
The final Rules expand this significantly. Rule 8(3) now requires platforms to retain all personal data, all traffic data, and all logs generated during any processing cycle for a minimum of one year. This obligation applies even if the original purpose of data collection has been met, the user withdraws consent, or the user deletes their account.
The stated reason behind the new provision is to ensure effective breach investigations and compliance checks. The new rule also restricts the intermediary to collecting and retaining only data that is directly relevant to the purpose for which it is gathered.
Consent & deletion requirements
The new framework mandates verifiable consent, meaning platforms must clearly inform users about what data is being collected and for what purpose. Individuals also have the right to withdraw consent, after which the data must be deleted, subject, however, to the compulsory one-year retention period introduced in the Rules.
Before erasing any personal data, fiduciaries must give the user 48 hours’ prior notice, allowing them time to decide whether to continue using the service or to exercise their rights. Every website, app, or service covered under the Act must also publish the contact details of its Data Protection Officer or a designated official, and ensure these details are included in all communication relating to user rights.
For children, Rule 10 obligates platforms to verify parental consent using technical and organisational measures. The Rules identify “authorised entities”, such as DigiLocker or other government-empowered bodies, as the ones permitted to issue age or identity tokens for this purpose.
How Board will work
The government has now formally established the Data Protection Board, headquartered in the National Capital Region, with one chairperson and three members. Appointments will be made through a search-cum-selection committee, which will follow separate procedures for the chairperson and members.
All Board functions will be conducted digitally. Meetings can be convened only by the chairperson, who also sets the agenda and has the authority to issue immediate orders in urgent situations, subject to later ratification. Decisions require a majority vote, with the chairperson exercising a casting vote in case of a split.
Members must recuse themselves in situations involving conflict of interest. The Board is also empowered to issue decisions by circulation where physical meetings are not necessary.
Inquiries are expected to be completed within six months, although the Board may extend this period in increments of three months by recording reasons. While the Board is designed to function online, it may summon individuals if required. All orders must be authenticated by the chairperson, a member, or an authorised officer.
‘Strengthens digital autonomy’
Prashant Phillips, executive partner at Lakshmikumaran & Sridharan Attorneys, termed the rollout a “carefully calibrated, staggered implementation designed to balance industry preparedness and user rights with regulatory readiness”.
He emphasised that users will now see “specific and transparent disclosures, more meaningful consent options, and enhanced control over their personal information”.
“While the DPDP Act does not replicate the full breadth of rights available under the GDPR (General Data Protection Regulation of the European Union), it materially strengthens digital autonomy for Indian users and brings a level of structured privacy protection not previously available under Indian law, while preserving business interests and providing flexibility as well,” he told ThePrint.
“Overall, the staggered rollout provides both regulators and industry with a measured path toward full compliance while signalling a decisive evolution in India’s data-protection landscape.”
Phillips said individuals should prepare by reviewing existing consent settings, reading privacy notices carefully, and noting where identity documents or sensitive details have been shared.
Speaking to ThePrint, advocate Khushbu Jain explained the need for the law.
As India’s digital footprint expanded rapidly, the personal information of citizens began to be collected, stored and shared by countless organisations, sometimes without people even realising it. This, she said, led to real problems: data was misused, passed around without permission or used to target people unfairly, resulting in cases of discrimination, fraud, cybercrime and violation of rights.
The situation necessitated that the government establish a robust privacy framework, she said, adding: “Users will have the right to access their personal data, the right to seek correction and erasure of their data, the right to revoke consent at any time, the right to obtain information about how their data is being processed, the right to nominate another person to exercise these rights in the event of death or incapacity and the right to effective grievance redressal if their rights are violated.”
“By shifting from vague obligations to clear statutory requirements, the DPDP Act compels entities handling personal data to overhaul internal governance, security, and user interface processes,” she said.
“Each non-compliance with these rights can result in penalties of up to Rs 50 crore and in cases of a security breach, the penalty can reach Rs 250 crore. By making digital interactions safer and more user-centric, these reforms help users trust and actively participate in the digital economy with confidence.”
Jain explained that from a compliance perspective, data fiduciaries today face challenges including aligning legacy systems and workflows with new statutory requirements, redesigning consent and notice protocols, enabling user data access and erasure on demand, maintaining accurate and auditable logs and ensuring timely breach notifications.
Regarding the implementation timelines for the provisions, she said: “The structured, yet relatively brief, transition window is intended to facilitate systematic alignment of organisational governance, contracts, systems and compliance frameworks, despite being shorter than the implementation periods often granted in comparative international regimes.”
‘Concerns unaddressed’
Civil society groups argue that many of their concerns raised during the consultation process have not been incorporated.
Apar Gupta, co-founder of digital rights advocacy organisation Internet Freedom Foundation (IFF), notes that while the Act and Rules create India’s first institutional privacy framework, they remain far from the rights-oriented system envisioned by the Supreme Court in the Puttaswamy judgment.
“The DPDP Act, 2023, and its implementing DPDP Rules, instead of buttressing citizens’ data rights, have created new barriers to transparency and individual freedom. The Act itself instituted onerous duties on individuals and carved out broad exceptions that weaken the fundamental right to privacy,” he said.
Rule 23 gives the state sweeping power to demand personal data from any data fiduciary without user consent, relying on broad grounds such as national security, sovereignty, or any “lawful function” of the government, he pointed out.
With no clear safeguards, necessity test, judicial authorisation, or post-facto oversight, it opens the door to surveillance, over-collection, and privacy violations. In effect, the government can compel platforms or telecom providers to hand over user data in bulk by invoking vague justifications, according to Gupta.
The concern, raised during consultations, is that the categories of access of data by the government are so wide that they invite misuse. The problem is compounded by the secrecy clause in the DPDP Rules, 2025, which bars fiduciaries from disclosing national-security-related information on the government’s mandate, removing transparency and preventing the public from knowing the extent of state surveillance.
While the Rules widen the state’s power to seek relevant data, at the same time they restrict citizens’ right to seek data under the secrecy clause, which is subjective and ambiguous, Gupta said.
He also noted that provisions like the new one-year retention rule weaken user protections, while the lack of detailed transparency requirements means platforms may not be obliged to publish granular data on how requests for personal information are handled.
According to the IFF, the overall regime vests considerable discretion in large data-processing entities without creating equally strong safeguards for users.
(Edited by Nida Fatima Siddiqui)