

India took a major step in digital privacy Friday by formally implementing its first data protection framework with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. These rules provide detailed guidance under the Digital Personal Data Protection Act, 2023, outlining the collection, processing, storage, and deletion of personal data.
For the first time, platforms are required to adhere to verifiable consent standards, report data breaches, limit data sharing with third parties, and comply with the rulings of a government-appointed Data Protection Board. Collectively, the Act and Rules represent India's initial effort to establish a formal privacy framework, eight years after the Supreme Court's Justice K.S. Puttaswamy (2017) ruling acknowledged privacy as a fundamental right.
Phased Rollout of India’s Data Protection Rules
The government is implementing the DPDP Rules in phases. The first phase, effective immediately, covers key definitions and sets up the Data Protection Board, comprising four members who will oversee enforcement of the law. The second phase, launching in November 2026, will introduce the registration system and roles for Consent Managers, who will provide standardized consent dashboards and serve as intermediaries between platforms and users.
The remaining components of the compliance framework are set to be implemented 18 months following notification, in May 2027. This encompasses requirements concerning privacy notices, data processing standards, security protocols, deletion procedures, grievance redress mechanisms, and appeals.
Separate Rules for Vulnerable Groups
The final Digital Personal Data Protection (DPDP) Rules, 2025, largely follow the January draft but introduce notable changes. Children’s data (Rule 10) and the data of adults with certain disabilities (Rule 11) are now treated separately. Parental consent for children must be verified through authorised entities, ensuring more structured protection for minors.
National Security Provisions
National security clauses have been moved to a standalone provision (Rule 23(2)), granting the government greater control over information disclosure while limiting platform transparency. This change has raised concerns about potential surveillance and reduced user privacy.
Data Retention and Consent
Platforms must retain all personal data, traffic logs, and processing records for one year, even after consent withdrawal or account deletion, to aid breach investigations. Consent must be verifiable, and users are entitled to a 48-hour notice before deletion.
Data Protection Board
The Data Protection Board is formally established and will operate digitally, with structured procedures for meetings, decision-making, conflict-of-interest safeguards, and inquiry timelines.
User Rights and Penalties
The rollout strengthens user autonomy, granting citizens rights to access, correct, and erase data, revoke consent, and seek grievance redressal. Penalties for violations range from ₹50 crore to ₹250 crore.
Although some experts have praised the introduction of these rules and the structured approach to privacy protection, civil society organizations argue that numerous issues highlighted during the consultation phase have not been addressed.