More than two years after the Digital Personal Data Protection (DPDP) Act was passed in August 2023, the DPDP Rules, 2025 were notified on November 14, 2025. The rules give the Act both the operational clarity and the teeth it requires, by actually defining how consent for data collection and processing is to be taken, how breaches are to be reported, how minors’ data is to be protected, and how cross-border data flows are to be managed. Entities responsible for breaches could face penalties of up to Rs 2.5 billion per incident, along with various penalties for other compliance failures.
There is an 18-month runway to full compliance in May 2027. This long timeline is necessary, since the DPDP Act imposes a structure that significantly changes the current system of consent, data collection, processing and retention. Entities such as corporates and government agencies that collect and process data will have to set up new systems that comply with a proposed framework that offers privacy-by-design and attempts to minimise data retention by private entities.
Digital personal data may be required for collection and processing for a variety of reasons. Data may be used by the government to grant various benefits, services, certificates, licences or permissions. Data may be needed to comply with laws, manage medical emergencies and public health challenges, or for employment-related purposes.
Privacy is a constitutional right, and that right extends to digital personal data. The DPDP Act and the rules made under it proceed from the idea that a constitutional right needs concrete legal protections, and they set out the provisions required to enforce it.
Other legislative changes were necessary to ensure that the DPDP Act did not clash with existing legislation. Most importantly, the Right to Information Act, 2005 required amendment to align with the DPDP Act. However, the amendments have attracted criticism because they remove the public-interest test under which government bodies had to disclose personal information about public officials when the public interest outweighed the privacy claim. It is felt that this could reduce the transparency of governance.
The DPDP Act and rules set up an elaborate structure. The digital privacy ecosystem will be under the oversight of a newly constituted Data Protection Board of India. The board’s secretariat will be appointed and controlled entirely by the centre. The board will oversee the space, offering virtual hearings, allowing digital filings, issuing electronic orders and managing digital evidence. It will be the first port of call for complaints, and cases it takes up are to be resolved within six months.
Another innovative idea is the creation of an interface between individuals and corporates, called consent managers. These entities act as intermediaries, helping users manage permissions while easing the friction of consent and compliance at scale for corporates.
There is an underlying logic to creating this layer of intermediation. It is unrealistic to expect every individual, or indeed, most individuals, to understand what digital personal data entails and what its ramifications are. It is also difficult for corporates, especially for small businesses and start-ups operating on tight budgets, to set up robust, fail-safe systems that comply with the DPDP Act.
Consent managers can ease the processes, ensure compliance and protect the rights of individuals while taking into account the interests of all stakeholders. Data flows will go as follows:
- A data user (say an app) requests data from an individual (the “data principal”).
- The consent manager forwards this request for data to the principal.
- The principal consents to sharing data.
- The consent manager communicates the consent to an entity that stores the data (say, the Unique Identification Authority of India).
- The data travels via the consent manager from the entity that stores the data to the data user.
A governance framework is laid out for consent managers. They must meet strict qualification conditions, such as barring individuals convicted of offences involving moral turpitude, capital adequacy, digital interoperability between platforms, security and transparency. Consent managers will be registered with the Data Protection Board, subject to audits of technical, operational, financial and other conditions, and accountable to the data principals.
The data flows are to be encrypted so that the consent manager cannot read them. Data principals will be able to give consent, withdraw it, raise complaints and so on through the consent manager. This intermediation could speed up data transfers and enhance privacy and security. It will, however, also have costs, and working out what those costs are and who pays them is among the details still to be settled. It remains to be seen how well this invention of a digital middleman for consent management works in practice.
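The five steps above, run end to end, as an added example that is not from the column and is not the Rules’ own protocol: the consent manager forwards every message and keeps an audit log, but holds no key, so its log shows the request, the consent and a sealed blob, never the data. Diffie-Hellman over RFC 3526 group 14, a single-block HKDF and an HMAC counter-mode stream cipher are stand-ins chosen so the script needs only the Python standard library; the party names (“fitness-app”, “data-holder”, principal “DP-001”), the message fields and the sample record are constructed for the example. A real deployment would use X25519 and AES-GCM from a vetted library.

```python
import hashlib
import hmac
import json
import os
import secrets

# 2048-bit MODP prime and generator from RFC 3526 (group 14).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def hkdf(ikm: bytes, info: bytes) -> bytes:
    """One-block HKDF-SHA256 (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real stream cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(enc: bytes, mac: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC; `aad` binds the ciphertext to the request it answers."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(enc: bytes, mac: bytes, box: dict, aad: bytes) -> bytes:
    """Check the tag first: any change to ciphertext or request binding fails here."""
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    tag = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(box["tag"])):
        raise ValueError("ciphertext altered in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc, nonce, len(ct))))

class Party:
    """Data user or data holder: one ephemeral DH key pair per session."""
    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2         # private exponent in [2, P-2]
        self.pub = pow(G, self._priv, P)

    def session_keys(self, peer_pub: int, request_id: str) -> tuple:
        if not 2 <= peer_pub <= P - 2:                     # reject 0, 1 and P-1
            raise ValueError("degenerate DH public value")
        shared = pow(peer_pub, self._priv, P).to_bytes(256, "big")
        ctx = request_id.encode()                          # keys are per request
        return hkdf(shared, b"enc|" + ctx), hkdf(shared, b"mac|" + ctx)

def relay(log: list, sender: str, receiver: str, msg: dict) -> dict:
    """The consent manager: forwards the message and records what an auditor sees.
    It holds no key, so the record is exactly what it can read."""
    log.append({"from": sender, "to": receiver, "msg": json.loads(json.dumps(msg))})
    return msg

def run_flow(consent_granted: bool = True, tamper: bool = False):
    """Steps 1 to 5 of the flow. Returns (data received by the user, CM log)."""
    log, user, holder = [], Party("fitness-app"), Party("data-holder")
    records = {"DP-001": {"name": "A. Sharma", "dob": "1990-04-12"}}  # constructed sample
    # 1-2: the data user asks for specific items; the CM forwards it to the principal.
    request = {"request_id": secrets.token_hex(8), "principal": "DP-001",
               "purpose": "age check", "items": ["dob"], "user_pub": hex(user.pub)}
    relay(log, user.name, "DP-001", request)
    # 3-4: the principal answers that request id; the CM passes request and consent to
    # the holder, which releases data only for a granted consent bound to the same id.
    consent = {"request_id": request["request_id"], "granted": consent_granted}
    bundle = relay(log, "DP-001", holder.name, {"request": request, "consent": consent})
    req, cons = bundle["request"], bundle["consent"]
    if not (cons["granted"] and cons["request_id"] == req["request_id"]):
        return None, log
    # 5: only the consented items leave the holder, sealed to the user's key; the CM
    # relays the sealed box and the holder's public value to the user.
    subset = {k: records[req["principal"]][k] for k in req["items"]}
    enc, mac = holder.session_keys(int(req["user_pub"], 16), req["request_id"])
    box = seal(enc, mac, json.dumps(subset).encode(), req["request_id"].encode())
    box["holder_pub"] = hex(holder.pub)
    delivered = relay(log, holder.name, user.name, box)
    if tamper:                                             # a misbehaving CM flips a byte
        ct = bytearray(bytes.fromhex(delivered["ct"]))
        ct[0] ^= 1
        delivered["ct"] = ct.hex()
    enc, mac = user.session_keys(int(delivered["holder_pub"], 16), req["request_id"])
    return json.loads(unseal(enc, mac, delivered, req["request_id"].encode())), log

def log_mentions(log: list, needle: str) -> bool:
    """True if `needle` appears anywhere in the CM's log (personal data should not)."""
    return any(needle in json.dumps(entry) for entry in log)
```

`run_flow()` returns the dictionary the data user decrypts (only the consented `dob`, not the whole record) together with the consent manager’s log, which contains the request, the consent decision and hex ciphertext but no personal data; `run_flow(consent_granted=False)` stops at the holder, and `run_flow(tamper=True)` fails at the data user because the tag no longer verifies. The one thing this simulation leaves out is authentication of the public values: as written, a dishonest consent manager could substitute its own and sit in the middle, which is why real deployments sign them with keys registered at onboarding.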
The obligations of data users are being structured according to a model of tiered oversight similar to the European Union’s General Data Protection Regulation. While any entity that decides why and how personal data is processed is defined as a “data fiduciary”, the DPDP Rules designate companies that process large volumes of data (that of 10 million or more individuals), operate in sensitive sectors or function as high-impact platforms (such as social networks or digital banks) as “significant data fiduciaries”. Such entities face higher compliance requirements.
A data fiduciary must give the data principal collection notices when asking for consent. The notices must be “clear, standalone and free of unrelated or bundled content”. The notices must outline personal data to be processed, the reason for processing, information regarding the rights of the principal and the process for submitting complaints to the Data Protection Board (if required).
Individuals must expressly and voluntarily consent to the processing of their personal data, and must fully understand how it will be used. They must be free to revoke their consent at any time, and withdrawing consent must be as easy as giving it.
A significant data fiduciary must adopt more robust data protection policies, conduct regular data audits, keep records of processing activities and appoint in-house data protection officers. Significant data fiduciaries are also subject to additional regulatory oversight, including risk assessments and compliance reporting.
The DPDP Rules place significant emphasis on safeguarding minors’ data. Platforms must verify age and seek consent from guardians. In practice, these requirements will impact many apps. Global platforms with Indian users may need to review local consent processes to comply.
The emphasis on protecting minors clearly affects edtech platforms, gaming companies, social media applications and over-the-top platforms with many under-18 users. Similar protections are also extended to persons with disabilities, for whom permissions and verification may be carried out through court-appointed guardians or through certified institutions.
Breach notifications are mandatory and must be prompt. If a data breach occurs, the company must notify affected users without delay and also provide the Data Protection Board with a detailed incident report (the rules give 72 hours for this), including the chronology, the types of data involved, the risks and the mitigation steps taken.
Data fiduciaries and processors must build in risk assessments, encryption, access logs, security reviews and disposal protocols. Processing logs must be retained for a minimum of one year, even if the user withdraws consent.
Most digital personal data may be transferred to any country except those that are specifically restricted. However, data related to national security, critical infrastructure or high-risk sectors may require mandatory local storage. This represents a more flexible cross-border protocol compared to earlier attempts to force total localisation of digital personal data.
The DPDP Rules as a whole offer individuals more protection and greater knowledge about who is collecting and holding data, and also grant some control through the ability to withdraw consent. However, organisations such as the National Association of Software and Service Companies (NASSCOM) and the digital rights advocacy group Internet Freedom Foundation have highlighted certain gaps in the DPDP Rules.
The Internet Freedom Foundation has pointed out gaps that cannot be addressed through subordinate legislation and argued that the rules do not address some of the key concerns raised by civil society. The balancing act between privacy, governance and national security is an area of contention. Critics argue that government agencies have the power under broad, vaguely defined clauses to collect, hold and request digital personal data without sufficient oversight.
NASSCOM has highlighted reservations on the methodology of cross-border transfer of personal data outside India by a significant data fiduciary. The industry body notes: “This does not appear to be compatible with the perimeter of restrictions on international data transfers codified in Section 16 of the DPDP Act. The ability of such a restriction to afford meaningful additional safeguards for the processing of personal data remains at best questionable and could run the risk of being seen akin to a non-tariff barrier.”
In sum, the DPDP Rules offer individuals a greater degree of protection, and there are commendable protections for minors and persons with disabilities. However, there are also some reservations and concerns about the rules, which have been highlighted by stakeholders.
The rules may require some more tweaks to settle possible incompatibilities, ambiguities and conflicts with other laws. The additional costs imposed by compliance measures and by intermediation via consent managers are also not clear at this stage. Given the very significant changes that the rules will impose, it is pragmatic that a period of 18 months has been allotted for full compliance.
Devangshu Datta
