CarpeDiem IAS

Digital Personal Data Protection (DPDP) Rules, 2025

15 Nov 2025 | GS 2 | Governance

Introduction

  • Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operationalisation of the DPDP Act, 2023.

  • Together, the Act and Rules establish a citizen-centric, innovation-friendly data protection regime.

  • Notification of the Rules also marks compliance with the Supreme Court’s K.S. Puttaswamy (2017) ruling, which affirmed privacy as a fundamental right under Article 21.

Background

  • DPDP Act passed by Parliament on 11 August 2023.

  • Creates obligations for Data Fiduciaries (entities processing data) and rights for Data Principals (individuals).

  • Uses the SARAL design principle:
    Simple, Accessible, Rational and Actionable Language.

Core Principles of the DPDP Act

The Act is guided by seven fundamental data protection principles:

  1. Consent and Transparency

  2. Purpose Limitation

  3. Data Minimisation

  4. Accuracy of Personal Data

  5. Storage Limitation

  6. Security Safeguards

  7. Accountability of Data Fiduciaries

Phased and Practical Implementation

  • 18-month compliance window for transition.

  • Allows organisations (especially startups/MSMEs) to adapt gradually.

Key compliance requirements:

  • Standalone, simple, purpose-specific consent notices.

  • Consent Managers must be Indian companies.

Personal Data Breach Notification Protocols

In the event of a breach, Data Fiduciaries must:

  • Inform affected individuals promptly, in plain language.

  • Explain:

    • Nature of breach

    • Possible consequences

    • Corrective steps taken

    • Contact details for support

Safeguards for Children & Persons with Disabilities

For Children:

  • Verifiable parental consent is mandatory.

  • Limited exemptions allowed for:

    • Healthcare

    • Education

    • Real-time safety

For Persons with Disabilities:

  • If an individual cannot consent even with support, consent must be obtained from a lawful guardian verified under applicable laws.

Transparency & Accountability Requirements

Duties of Data Fiduciaries:

  • Clearly display the contact information of the designated officer or the Data Protection Officer (DPO).

  • Respond to Data Principal requests within 90 days.

Additional Duties for Significant Data Fiduciaries:

  • Independent audits

  • Data Protection Impact Assessments

  • Technology due diligence

  • Compliance with government restrictions (including data localisation, if mandated)

Strengthening Rights of Data Principals

Individuals have the right to:

  1. Access their personal data

  2. Correct and update it

  3. Erase it

  4. Nominate another person to exercise these rights in case of death/incapacity

Digital-First Data Protection Board

  • Fully digital functioning

  • Citizens can file and track complaints via:

    • Online platform

    • Mobile app

  • Appeals lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Significance of DPDP Rules, 2025

  1. Strengthen privacy & public trust

  2. Enable innovation with minimal disruption

  3. Provide a technology-neutral, scalable regulatory framework

  4. Support India’s goal of a secure, resilient, globally competitive digital economy

  5. Help build a predictable compliance regime for startups & MSMEs

Key Features of DPDP Act, 2023

1. Obligation to Protect Personal Data

  • Firms (“Data Fiduciaries”) must:

    • Protect digital personal data

    • Prevent unauthorised access, breaches

    • Process data lawfully and transparently

2. Exemptions

  • Significant exemptions offered to:

    • The State

    • State instrumentalities

  • This is one of the major points of criticism (state surveillance concerns).

3. Penalties

  • Heavy financial penalties for firms that fail to protect data or violate obligations.

4. Data Protection Board of India (DPBI)

  • The Act mandates the creation of the DPBI, a regulatory and adjudicatory body.

  • Latest notification: DPBI will have four members.

  • Functions:

    • Conduct inquiries on complaints

    • Impose penalties for data breaches

Impact on Right to Information (RTI)

  • The law weakens the RTI Act, 2005 by:

    • Removing the obligation for public authorities to disclose “personal information” even when public interest outweighs privacy.

  • Transparency activists argue this amendment undermines accountability and democratic oversight.

Criticisms by Civil Society

1. Expansive State Exemptions

  • Fear of enabling mass surveillance

  • Lack of independent oversight on State agencies

2. Diluted User Rights

  • Many obligations deferred

  • Limited mechanisms for user grievance redressal

3. Weak Regulatory Independence

  • DPBI is appointed and controlled by the Central Government.

4. Reduced Transparency

  • Conflict with the RTI Act

  • Removes public-interest override on personal information

Significance

  • Establishes India’s first dedicated digital privacy law.

  • Aligns India with global privacy regimes like:

    • GDPR (EU)

    • CCPA (California)

  • Creates a formal framework for:

    • Data protection

    • Accountability of firms

    • Penalties for breaches

    • Rights for data principals (users)

Comparison Table: DPDP Act vs GDPR

| Parameter | DPDP Act, 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope of Data Covered | Only digital personal data | All personal data (digital + non-digital) |
| Year Enacted | 2023 | 2016, enforced 2018 |
| Regulatory Objective | Protect digital privacy while enabling innovation | Strongest global privacy protection regime |
| Design Principle | SARAL (Simple, Accessible, Rational, Actionable Language) | No specific design principle |
| Rights Provided to Individuals | Access, correction, erasure, grievance redress, nomination | Access, rectification, erasure, portability, restrict processing, object, profiling rights |
| Right to Data Portability | No | Yes |
| Right to Object / Restrict Processing | No | Yes |
| Children’s Data | Parental consent mandatory for under-18s | Age 16; member states may lower to 13 |
| Legal Basis for Processing | Consent + limited “legitimate uses” | 6 legal bases (consent, contract, legal obligation, vital interest, public interest, legitimate interest) |
| Exemptions for Government | Very broad; State can be exempted by notification | Narrow; limited and supervised |
| Data Localisation | No blanket localisation; govt may restrict transfers to certain countries | No localisation; global transfers allowed with safeguards |
| Regulator | Data Protection Board of India (DPBI): govt-appointed, fully digital | Independent national Data Protection Authorities + EDPB |
| Independence of Regulator | Moderate (appointed by Centre) | High |
| Penalties | Up to ₹250 crore per instance | Up to €20 million or 4% of global turnover |
| Consent Requirements | Clear, specific, purpose-based; Consent Managers must be Indian | Must be freely given, specific, informed, unambiguous |
| Data Fiduciary / Controller Duties | Moderate; enhanced for Significant Data Fiduciaries | Extensive documentation, DPIA, accountability |
| Applicability Outside Jurisdiction | Applies extra-territorially to processing of Indian data | Applies extra-territorially to EU residents’ data |
| Automated Decision-Making / Profiling | No explicit restrictions | Strong rights against automated profiling |
| Breach Notification | Mandatory to affected individuals in simple language | Mandatory to supervisory authority within 72 hours |
| Consumer Opt-Out Rights | Not explicit; only for certain State-notified categories | Not opt-out based |
| Data Minimisation Principle | Yes | Yes |
| Storage Limitation Principle | Yes | Yes |
| Sensitive Personal Data | No detailed categorisation; govt may notify | Strictly defined (health, biometrics, religion, etc.) |

Prelims Practice MCQs

Q. With reference to the Digital Personal Data Protection (DPDP) Act, 2023, consider the following statements:

  1. The Act is guided by the SARAL principle, which emphasises simple and accessible language.

  2. The Act recognises the right to privacy as a fundamental right.

  3. The Act applies equally to digital and non-digital personal data.

Which of the above statements is/are correct?

A. 1 only
B. 1 and 2 only
C. 2 and 3 only
D. 1, 2 and 3

Answer: A

Explanation:

  • Statement 1 is correct: SARAL = Simple, Accessible, Rational, Actionable Language.

  • Statement 2 is incorrect: The right to privacy was recognised as fundamental in K.S. Puttaswamy (2017), not by the DPDP Act.

  • Statement 3 is incorrect: DPDP covers digital personal data only, not offline/non-digital data.

Q. Which of the following rights are available to a Data Principal under the DPDP Act, 2023?

  1. Right to access their personal data

  2. Right to correct and update personal data

  3. Right to erasure of personal data

  4. Right to nominate another person to exercise rights on their behalf

Select the correct answer:

A. 1 and 2 only
B. 1, 2 and 4 only
C. 1, 2, 3 and 4
D. 2, 3 and 4 only

Answer: C

Explanation:
The DPDP Act provides Data Principals with all four:

  • Access

  • Correction/Update

  • Erasure

  • Nomination

Q. With reference to DPDP Rules, 2025, consider the following statements:

  1. The Rules provide an 18-month phased compliance timeline.

  2. Consent Managers must be Indian companies.

  3. Data Fiduciaries must notify personal data breaches to affected individuals using simple, plain language.

Which of the above statements is/are correct?

A. 1 and 3 only
B. 2 and 3 only
C. 1 and 2 only
D. 1, 2 and 3

Answer: D

Explanation:
All three statements are correct.
