Digital Personal Data Protection Rules, 2025: A Critical Overview

Published On: July 13, 2026

Authored By: Manjiri Vaidya
Government New Law College Indore

Abstract

Data is all around us now, and the risks around it have been piling up for years. Personal information gets misused, leaked, and passed around without people even realising it is happening. India took a long time to put a proper legal framework in place, but eventually it did, first through the Digital Personal Data Protection Act in 2023, and then through the Rules that followed in 2025. This article tries to break down what those Rules actually mean: the rights they hand to ordinary people, the duties they impose on companies, and the protections they offer to groups like children and persons with disabilities. The constitutional dimension is also taken up here, particularly Article 21, and how the Puttaswamy case laid the ground for this kind of legislation.[1] Some critical questions are also raised, especially about how broadly the state has been exempted and whether compliance is realistic for smaller businesses. On the whole, the DPDP Rules 2025 are a real step forward for data governance in India, not a flawless one, but a meaningful one.

Keywords: Data protection, Data Fiduciary, Data Principal, Personal Data, Article 21, Consent, Privacy

Introduction

Think about a normal day. Emails, apps, banking portals, job websites, social media: personal data moves through a surprising number of systems before noon. Most people do not notice, which is exactly the problem. This is the ground reality that pushed India towards legislative action. The Ministry of Electronics and Information Technology introduced the Digital Personal Data Protection Act, 2023, building it around the SARAL framework, the idea that the law should be simple, accessible, rational, and actionable.[2] The Act makes companies directly accountable for how they deal with people’s data. But an Act on its own is only half the story. It needs implementing rules to actually work. The Digital Personal Data Protection Rules, 2025 are the second half.[3] They take the broad principles and turn them into operational procedures. Together, the Act and the Rules represent India’s most considered attempt so far at getting data protection right.

Key Concepts

Data Protection – Keeping personal data from being misused or leaked without the owner’s permission.

Personal Data – Any piece of information that can identify a specific person: name, phone number, email address, location, photo.

Consent – A voluntary and specific permission given by a data principal allowing a company to use their data for a defined purpose.

Data Fiduciary – The entity that collects and processes personal data. E-commerce websites and social media platforms all fall into this category.

Data Principal – The individual whose data is being collected and used.

Background

India’s data protection story does not start in 2023. As far back as 2012, the A.P. Shah Committee was already recommending that the country needed a proper privacy law.[4] That recommendation sat on paper for years without much movement. What changed things decisively was a Supreme Court judgment. In 2017, a nine-judge bench in Justice K.S. Puttaswamy v. Union of India unanimously declared privacy to be a fundamental right under the Constitution. That ruling made legislation not just desirable but necessary. The DPDPA 2023 came out of that pressure, and it was anchored in seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. None of these concepts was invented in India, but formalising them in statute was a genuine commitment. The 2025 Rules were then designed to translate those principles into day-to-day practice. Between the two instruments, India finally has what it has been missing for decades: a real, enforceable framework for personal data protection.

Digital Personal Data Protection Rules, 2025

Developments
If the 2023 Act gave the framework its shape, the 2025 Rules gave it substance. They spell out exactly how data should be collected, stored, processed, and eventually destroyed. The most significant institutional development under the Rules is probably the creation of the Data Protection Board of India. The Board will be headed by a Chairperson and will include four other members with relevant backgrounds. What sets it apart from a purely advisory body is that it carries the powers of a civil court: it can take up complaints, investigate breaches, and hand out penalties. Dissatisfied parties can then appeal to the Telecom Dispute Settlement and Appellate Tribunal. That is a proper adjudicatory chain, which is not something India’s earlier data governance landscape had.

Features
Everything starts with consent. A company cannot collect personal data unless the person has clearly said yes. There is a consent manager, appointed by the company itself, who is responsible for handling these requests. Companies are given 90 days to respond once a user raises any kind of request. A fixed deadline might not sound like a big deal, but in practice, it is a meaningful accountability mechanism where none existed before.

On data breaches, the Rules are reasonably strict. If a breach happens, the affected users have to be notified promptly, and the relevant authority must be formally informed within 72 hours. Cross-border data transfers are permitted in specified categories of cases, a practical concession to Indian businesses with global operations. Companies have been given a transition window of 12 to 18 months to bring their compliance systems in line. Personal data cannot be retained beyond three years; after that, deletion is mandatory. And the Data Protection Officer’s contact details must be displayed publicly on the company’s website, no burying it in fine print.

Rights of Citizens
People now have a legal right to know what data a company holds about them, why it was collected, and how it is being used. Consent given once can also be withdrawn; it is not a one-way door. The Rules list several other rights: to access personal data that a company has collected, to have it corrected or updated if it is wrong or outdated, to have it erased once the original purpose for collecting it no longer holds, and to nominate another person to exercise these rights on one’s behalf.

Obligations of Data Fiduciaries
They are substantial. Consent must be genuine: no pre-ticked boxes, no language buried in terms and conditions, no vague catch-all phrases. Data collected for one purpose cannot quietly be repurposed for something else the company finds useful. Keeping that data secure is also a non-negotiable duty; whether a breach happens through a hack, a leak, or negligence, liability sits with the company. Users must receive a clear notice explaining what data was collected and why. If something goes wrong, both the user and the regulatory authority must be informed without delay. The three-year retention cap applies here too. Companies that fall under the category of significant data fiduciaries, which would include major platforms like Instagram, Amazon, or YouTube, are required to appoint a dedicated Data Protection Officer. This is not just a formality; it creates an identifiable point of accountability within the organisation.

Special Protection
Children are treated as a distinct category under the Rules, and rightly so. Parental or guardian consent is required before any data from a minor can be collected. Targeted advertising aimed at children is prohibited outright, as is tracking of any kind. For persons with disabilities, the consent process runs through a lawful guardian. There are some exceptions, such as healthcare, education, and child safety situations.

Key Policy Changes
Perhaps the most tangible shift brought about by these Rules is that ordinary users now actually have control over their information. That was not really true before: rights existed in principle but not in practice. The Data Protection Board changes that by giving people a real forum to take complaints to. The decision to allow cross-border data transfers was a pragmatic one, taking seriously the reality that Indian businesses operate internationally. And the accountability requirements mean companies can no longer afford to treat data protection as a compliance checkbox they file away and forget.

Framework

Constitutional
The DPDP Rules stand on firm constitutional ground. The right to privacy as part of Article 21 was definitively settled in Justice K.S. Puttaswamy v. Union of India (2017). A later judgment in the same matter, delivered in 2019, addressed the specific issue of Aadhaar-linked data and put limits on what the state could collect.[5] State surveillance was not a new constitutional concern even then; it had been raised as early as 1997 in People’s Union for Civil Liberties v. Union of India.[6] Article 14’s guarantee of equal treatment under law is also relevant, since data handling practices cannot be discriminatory.[7] One thing worth noting is that the DPDP framework is designed to coexist with the RTI Act; access to information in the public interest has been preserved.[8]

Legal
The DPDP Act, 2023 is the parent legislation. The 2025 Rules implement it. The Data Protection Board handles enforcement, hearing complaints, investigating breaches, and imposing penalties where warranted. An important jurisdictional point: the Rules are not confined to companies headquartered in India. Any entity anywhere in the world that processes the personal data of Indian residents falls within their scope.

Impact

The most immediate beneficiaries are children and persons with disabilities, who now have specific legal protections around their data rather than just general ones. But the impact is wider than that. Anyone whose biometric data, financial records, health information, or basic contact details are being processed now has enforceable rights, not just aspirational ones written in a policy document somewhere.

That said, criticism of the Rules has not been absent. The Internet Freedom Foundation has raised pointed concerns about the breadth of exemptions granted to state agencies. Those exemptions, if read generously, could leave open the possibility of large-scale surveillance.[9] Concerns about potential effects on the RTI Act and press freedom have also been raised. On the compliance side, smaller organisations may find these requirements genuinely difficult to meet.[10] Clarity on breach notification timelines is still lacking in parts, and the data portability provisions are underdeveloped at this stage.

Conclusion

The DPDP Rules mark a real shift in how personal data is governed in India. Citizens have more say over their own information than they did before. Companies face obligations that carry legal weight. And the Data Protection Board, if it functions as designed, gives people an actual avenue for redress rather than a theoretical one. The gaps are real: the state exemptions deserve scrutiny, and compliance is going to be hard for smaller players. But taken as a starting point, these Rules represent a rights-based approach to data governance that India has been working towards for a long time.

References

[1] Constitution of India, art 21; Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
[2] Digital Personal Data Protection Act 2023.
[3] Ministry of Electronics and Information Technology, Draft Digital Personal Data Protection Rules 2025 (Government of India 2025).
[4] Report of the Group of Experts on Privacy under the Chairmanship of Justice A.P. Shah (Planning Commission of India 2012).
[5] Justice K.S. Puttaswamy (Aadhaar-5J) v. Union of India (2019) 1 SCC 1.
[6] People’s Union for Civil Liberties v. Union of India (1997) 1 SCC 301.
[7] Constitution of India, art 14.
[8] Right to Information Act 2005.
[9] Internet Freedom Foundation, ‘Concerns Relating to the DPDP Framework and Surveillance Issues’ (2025).
[10] Policy Analysis Report on Data Protection and Privacy Governance in India (2025).
