Introduction
On 14th November 2025, the Digital Personal Data Protection Rules, 2025 were notified, one of the milestones in Indian privacy law since the Puttaswamy case. Although the DPDP Act, 2023 established the overall structure of a rights-based system of data protection, it was designed to await further detail. Policy scholars and jurists have pointed out that the Act left numerous significant definitions, obligations, protections and enforcement frameworks to subsequent legislation. The 2025 Rules make that core a reality. The Rules do not simply patch administrative gaps by giving legal form to the DPDP Act as an idea; they bring alive the privacy assurances of the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017)[1].
India now has a clear, enforceable, and technology-focused data protection regime, the first of its kind. It has concise consent provisions, quantifiable security responsibilities, data retention limits, parental verification norms, breach reporting requirements, provisions on data transfers to other countries and an operational Data Protection Board which can conduct inquiries and punish violations. The Rules seek to strike a balance between privacy rights, digital innovation, administrative practicality and other legitimate state interests, demonstrating that data governance in India has now matured.
Constitutional Trajectory From Puttaswamy To DPDP
The 2017 Puttaswamy case created a constitutional duty on the part of the State to protect informational privacy. Its demand for legality, necessity, proportionality and procedural protection in data processing created a normative framework that has shaped every legislative initiative that followed.
The DPDP Act, 2023,[2] softened some of the requirements of its predecessors, including the prohibitive localisation requirements and the broad scope of data fiduciary requirements, but maintained the constitutional requirements of consent, a limited purpose, data minimisation and user rights. What it lacked was procedural depth. The 2025 Rules attempt to fill this gap by providing granular compliance mechanisms, defining the roles of fiduciaries, consent managers and the Data Protection Board (DPB) itself, and placing privacy governance in an environment that is technologically realistic.[3]
Phased Applicability: Regulatory Strategy, Not A Delay
One important design choice is the staggered rollout:
| Rule(s) | Implementation Timeline |
|---|---|
| Rules 1, 2 and 17–21 | Become effective immediately (establishment of the DPB)[4] |
| Consent Manager registration (Rule 4) | Effective November 2026 |
| All obligations directly faced by the user | Enforceable only after May 2027 |
This schedule reflects the value of regulatory pragmatism. Unlike the immediate applicability of the GDPR in the EU, the Indian data ecosystem is characterised by varied technological maturity, extensive involvement of MSMEs and diverse infrastructure. Gradual adoption is a legally stable procedure, as it allows fiduciaries to build compliance capabilities over time.[5]
Rule 3 And The Rejection Of “Constructive Consent”
Rule 3 forms the doctrinal centrepiece of the Rules. For decades, Indian users have been forced to live with opaque, boilerplate privacy policies based on a fiction of consent. By mandating:
- Clear, standalone notices,
- Personal disclosure of categories of personal data,
- Specific, unbundled purposes of processing, and
- Personal means of withdrawal and redress of grievance,
the Rules reject the constructive consent model which India's pre-DPDP data landscape assumed under the Information Technology (Reasonable Security Practices) Rules, 2011. This approach is jurisprudentially consistent with Puttaswamy, which theorised consent not as a formal procedure but as an act of informational autonomy.
Consent Managers: A Unique Indian Innovation
Rule 4 establishes the Consent Manager structure. It may prove to be the most significant new element of privacy law in India. The framework allows neutral entities to help individuals give or withhold consent, so that companies and users have the same information.
Minimum Rules (First Schedule)
- The minimum conditions that a Consent Manager must meet are listed in the First Schedule.
- The DPB can cancel or revoke a Consent Manager's licence if it breaks them.
- Consent Managers give legal form to the concept of intermediated consent.
- This is more effective in high-traffic online settings where individuals feel overwhelmed.[6]
Government Processing: Standards Without Constitutional Absolution
Rule 5 regulates how the government can use personal information, particularly in relation to welfare, certificates, licences and publicly funded projects. Although such rules are necessary, they coexist with numerous exceptions for the State and its instrumentalities. Some claim that the Rules place no limit on the amount of power that the executive can hold.
Standards in the Second Schedule
Nevertheless, the standards in the Second Schedule provide the basic processes that were previously absent.[7]
Security And Breach Response: Making Technological Due Care Legitimate
Rule 6 moves India towards a set of statutory cybersecurity requirements.
Key Security Requirements
| Requirement Type | Description |
|---|---|
| Encryption / Masking | Personal data must be encrypted, masked or tokenised. |
| Access Control | Access controls, logs and backups, all based on global standards. |
| Log Retention | Logs are maintained for one year, a trade-off between the need to investigate breaches and the minimisation preference of the Act. |
Breach Notification (Rule 7)
- Rule 7 requires the user to be notified of a breach immediately.
- The breach must be reported to the DPB within 72 hours.
- This is in line with GDPR standards and addresses the deficit of transparency that existed previously.[8]
Data Retention And The Return Of Purpose Limitation
Rule 8 reinforces purpose limitation by requiring that data be erased once its purpose has been accomplished. The rule also requires a 48-hour notice prior to erasure, which helps to avoid situations in which users lose their information without having had any control over it.
Minimum Log Retention
- Logs should be retained for a minimum of 1 year, which provides a reasonable balance between privacy and forensic investigation requirements.[9]
Vulnerable Data Subjects: Children and Persons with Disabilities
Rules 10 and 11 cover long-neglected areas of Indian privacy law:
- Authorised parental consent, authenticated by age/identity data or authorised tokens, is a great improvement over previous self-reporting procedures.
- Guardian verification for persons with disabilities is legally recognised, and it complies with the Rights of Persons with Disabilities Act, 2016 and the National Trust Act, 1999.
Rule 12 provides systematic exemptions for schools, healthcare institutions and childcare providers to avoid unjustified operational burdens.
Significant Data Fiduciaries: Reestablishing Proportionality
Rule 13 outlines enhanced responsibilities for Significant Data Fiduciaries (SDFs).
| Requirements for SDFs | Purpose |
|---|---|
| Yearly DPIAs, audits, and risky algorithm safeguards | Risk oversight and accountability |
| Compliance reports to DPB | Regulatory transparency |
These obligations make the regulatory burden proportional to risk rather than to company size.
Data Transfers: The Silent Exit Of Nationalist Localisation
Rule 15 enables the transfer of data across borders, but only where the government has given notice that the transfer will be allowed.
This is a conscious shift towards less localisation than was seen in the 2018 draft. It reflects a more balanced approach to data governance that is mindful of security and global interoperability.[10]
The Data Protection Board: A Digital Tribunal Over a Digital Right
The DPB, to be established under Rules 17–21, will be the first body in India to function as a court with data protection as its sole purpose.
Key Points
- It consists of four members; the Chairperson earns a salary of 4.5 lakh a month.
- It operates primarily online, and this reduces time-wasting processes.
- A meeting must have at least one-third of its members present; decisions must have a majority, and the Chairperson is allowed to overcome any deadlock.
- It has emergency powers, the exercise of which can be ratified subsequently where necessary.
- Its orders must be issued officially and with proper authentication.
- People are allowed to appeal to the Appellate Tribunal, and the appeal has to be made online.
The DPB may serve as a powerful enforcer of digital rights, provided it remains independent and has sufficient expertise.[11]
Sanctions, RTI Modifications, And Citizen Obligations: The Greater Legislative Environment
The DPDP Act provides for fines of up to 250 crores per breach, making India one of the most demanding jurisdictions in the world for data protection compliance.
Meanwhile, the amendment to the Right to Information Act restricts access to personal information even where there is a public interest. This change took effect immediately, which is unusual and raises questions.
Citizen Duties
- The Rules also provide that citizens should not provide false information, should not complain without reason, and should verify the validity of their requests.
This corresponds to the Act's balance of rights and duties.
Conclusion
The DPDP Rules 2025 are the final part in a series of rules that have accumulated since the Supreme Court declared privacy to be a constitutional right. They attempt to strike the right balance between technological requirements and over-regulation, and to defend rights while being realistic but not too conservative.
The Strength Of This System Depends On:
- The autonomy and the power of the Data Protection Board,
- The culture of compliance that the businesses and state bodies cultivate, and
- The courts' interpretation of the rules on exceptions and executive power.
India now finally has a complete, formulated, and enforced system for the protection of personal data, shaped by the Constitution, modern technology and social necessities.
References
- Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1, AIR 2017 SC 4161, Priv. Lib. (NLUD CCG), https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors (last visited Nov. 15, 2025).
- The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) (India), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf (last visited Nov. 15, 2025).
- MeitY, Digital Personal Data Protection Rules, 2025 (Nov. 14, 2025), SCC Times, https://www.scconline.com/blog/post/2025/11/14/meity-notified-digital-personal-data-protection-rules-2025/ (last visited Nov. 15, 2025).
- Ministry of Electronics & Information Technology (MeitY), Digital Personal Data Protection Rules, 2025, MeitY (India), https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa?pageTitle=Digital-Personal-Data-Protection-Rules-2025 (last visited Nov. 15, 2025).
- Aashish Aryan, DPDP rules notified, India’s first digital privacy law now operational, Business Standard (Nov. 14, 2025), https://www.business-standard.com/industry/news/dpdp-act-rules-notified-digital-personal-data-protection-operationalised-125111400811_1.html (last visited Nov. 15, 2025).
- Livelaw News Network, Parental Consent Necessary for Online Platforms to Use Child’s Data as Centre Notifies Digital Personal Data Protection Rules, 2025, LiveLaw (Nov. 14, 2025), https://www.livelaw.in/top-stories/digital-personal-data-protection-rules-2025-notified-309928 (last visited Nov. 15, 2025).
- Digital Personal Data Protection Bill, 2023 Explainer, PRS India, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (last visited Nov. 15, 2025).
- India notifies its first data protection law to strengthen privacy, security, Economic Times (Nov. 14, 2025), https://economictimes.indiatimes.com/tech/technology/centre-notifies-administrative-rules-for-digital-personal-data-protection-act/articleshow/125318362.cms (last visited Nov. 15, 2025).
- Akanksha Nagar, BREAKING: DPDP Act goes live with phased implementation over next 18 months, Storyboard18 (Nov. 14, 2025), https://www.storyboard18.com/digital/breaking-dpdp-act-goes-live-with-phased-implementation-over-next-18-months-84212.htm (last visited Nov. 15, 2025).
- Shouvik Das, After Two Years, India’s Data Privacy Law Comes to Force, LiveMint (Nov. 14, 2025), https://www.livemint.com/news/india/after-two-years-india-s-data-privacy-law-comes-to-force-11763102662199.html (last visited Nov. 15, 2025).
- DPDP Rules: MeitY Establishes Data Protection Board, Head Office to Be in NCR, Will Comprise 4 Members, Moneycontrol (Nov. 14, 2025), https://www.moneycontrol.com/technology/dpdp-rules-meity-establishes-data-protection-board-head-office-to-be-in-ncr-will-comprise-4-members-article-13675863.html (last visited Nov. 15, 2025).
Written By: Akash Beradar, Junior Legal Officer at CCL Products (India) Limited.

