Published On: July 13, 2026
Authored By: Sairam Dommetti
Christ Academy Institute of Law (Karnataka State Law University)
I. Introduction
In an era defined by the mass digitisation of personal information, the governance of data has emerged as one of the most pressing legal challenges of our time. India’s legislative response to this challenge culminated in the enactment of the Digital Personal Data Protection Act, 2023 (hereinafter “DPDP Act”), which received presidential assent on 11 August 2023.[1] However, the statute lay dormant for over two years, its substantive provisions awaiting the notification of implementation rules. That critical step arrived on 13 November 2025, when the Ministry of Electronics and Information Technology (“MeitY”) formally notified the Digital Personal Data Protection Rules, 2025 (hereinafter “DPDP Rules”), triggering the phased operationalisation of India’s first comprehensive data protection regime.[2]
The notification of the DPDP Rules marks a watershed moment in Indian jurisprudence, as it translates constitutional guarantees into justiciable statutory obligations for millions of private and public entities. This article critically examines the DPDP Rules, 2025, their structural architecture, the obligations they impose upon Data Fiduciaries, the rights they confer upon Data Principals, and the systemic challenges that may impede their effective implementation. It further situates these developments within the broader global conversation on data governance, drawing comparative insights from the European Union’s General Data Protection Regulation (“GDPR”).[3]
II. Constitutional and Statutory Foundations
The constitutional bedrock upon which the DPDP framework rests was laid by the Supreme Court’s nine-judge constitution bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India,[4] which unanimously held that the right to privacy is a fundamental right inherent in Article 21 of the Constitution of India, the provision guaranteeing the right to life and personal liberty. The Court unequivocally recognised that informational privacy, an individual’s right to exercise control over the dissemination of their personal data, constitutes a protected dimension of this fundamental right. This constitutional affirmation created an imperative for a comprehensive statutory framework, culminating in the DPDP Act after nearly a decade of legislative deliberation.
Prior to the DPDP Act, the principal statutory instrument governing data protection was the Information Technology Act, 2000,[5] read alongside the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). However, these instruments were widely criticised for their narrow scope, inconsistent enforcement, and failure to address the contemporary data economy.[6] The DPDP Act supersedes this framework, establishing a rights-based, technology-neutral, and purpose-specific regime.
III. Legal Analysis of the DPDP Rules, 2025
A. Phased Implementation: A Measured Transition
A salient feature of the DPDP Rules is their phased rollout, structured across three distinct phases. Phase I, effective immediately upon the gazette notification of 13 November 2025, operationalised foundational provisions including the formal establishment of the Data Protection Board of India (“DPBI”), the central regulatory and adjudicatory authority under the Act.[7] Phase II, scheduled to take effect in November 2026, governs the registration and functions of Consent Managers. Phase III, covering all substantive obligations including consent, notice, security safeguards, Data Principal rights, and breach notification, is to take effect eighteen months from the enforcement notification, approximately in May 2027.[8]
This graduated approach reflects a deliberate policy choice to afford Data Fiduciaries adequate time to restructure their data governance systems. While pragmatically sound, the extended timeline has attracted criticism from civil society stakeholders, who contend that it delays meaningful protection for individuals whose data is being actively processed.
B. Obligations of Data Fiduciaries: Consent, Notice, and Accountability
Central to the DPDP framework is the institution of the Data Fiduciary, defined as any person who, alone or in conjunction with others, determines the purpose and means of processing personal data.[9] The DPDP Rules impose several layered obligations upon Data Fiduciaries.
First, every Fiduciary must issue a standalone consent notice, written in plain language and itemised format, specifying the exact purpose for which personal data is collected and processed.[10] The Rules depart from omnibus consent practices endemic to current digital platforms, mandating granular, purpose-specific consent that is freely given, specific, informed, unconditional, and revocable.
Second, in the event of a personal data breach, a Fiduciary must notify both the DPBI and affected Data Principals within 72 hours of becoming aware of the breach, providing details of its nature, probable consequences, and remedial measures undertaken.[11] This 72-hour notification window aligns with international best practices as mandated under Article 33 of the GDPR.[12]
Third, Data Fiduciaries are required to implement “reasonable security safeguards”, a flexible, technology-neutral standard encompassing encryption, access controls, and periodic audits to prevent unauthorised processing or breach.[13]
C. Significant Data Fiduciaries: Enhanced Obligations
The Rules create a tiered regulatory structure by introducing the category of Significant Data Fiduciaries (“SDFs”), entities designated by the Central Government based on volume of data processed, risk to Data Principals, national security implications, or potential impact on sovereignty.[14] SDFs are subject to a more rigorous compliance regime, including mandatory annual Data Protection Impact Assessments (“DPIAs”), independent audits, algorithmic fairness evaluations, the appointment of a Data Protection Officer (“DPO”), and stricter restrictions on cross-border data transfers.[15] This differentiated approach mirrors the GDPR’s concept of high-risk processing activities requiring DPIAs under Article 35, and represents a significant step toward proportionate, risk-based regulation in India.
D. Rights of Data Principals
The DPDP Rules reinforce a robust set of rights for Data Principals, the individuals to whom personal data relates. These include: the right to access information about the personal data processed; the right to correction and erasure; the right to withdraw consent at any time; the right to nominate another person to exercise these rights; and the right to grievance redressal.[16] Data Fiduciaries are mandated to respond to all such requests within a maximum period of ninety days. The Rules further require Fiduciaries to appoint a dedicated point of contact, a significant departure from the opaque grievance mechanisms currently prevalent in the Indian digital ecosystem.
E. Children’s Data: Verifiable Consent and Special Protections
One of the most significant innovations in the DPDP Rules is the comprehensive protection afforded to the personal data of children, defined as individuals below eighteen years of age.[17] Data Fiduciaries must obtain verifiable consent from a parent or legal guardian before processing a child’s data, with limited exceptions for healthcare, education, or real-time safety services. The prohibition on processing children’s data for the purposes of behavioural advertising or tracking is a landmark provision that directly addresses the harms inflicted by the attention economy upon younger users.
F. The Consent Manager Architecture
The DPDP Rules introduce the novel institution of Consent Managers, intermediary entities registered with the DPBI which act as a single, interoperable interface through which Data Principals may give, manage, review, and withdraw consent across multiple Fiduciaries.[18] To participate in this architecture, a Consent Manager must be an Indian-incorporated company with a minimum net worth of INR 2 crore (INR 20 million), ensuring financial accountability.[19] While the concept is innovative, its practical effectiveness will depend on achieving widespread interoperability and digital literacy among India’s diverse population.
IV. Critical Assessment: Strengths, Gaps, and Systemic Challenges
The DPDP Rules represent a commendable legislative milestone, yet several legal and operational concerns warrant careful scrutiny.
First, the absence of a clear definition for “reasonable security safeguards” may produce inconsistent compliance standards across sectors, particularly for smaller Data Fiduciaries operating without dedicated legal or compliance teams.
Second, the Rules grant the Central Government broad exemption powers under Section 17 of the Act, enabling the exclusion of state instrumentalities from compliance requirements on grounds of national security or public order, a provision that civil liberties organisations argue may be susceptible to misuse.[20]
Third, a notable divergence from the GDPR lies in the DPDP Act’s conflation of sensitive and non-sensitive personal data: a single regulatory tier applies irrespective of data sensitivity. In contrast, the GDPR establishes a distinct and heightened regime for “special categories of data”, including health, biometric, and genetic data, under Article 9. The absence of such categorical differentiation in the Indian framework may undermine proportionality in data protection.
Fourth, while the amendment to Section 8(1)(j) of the Right to Information Act, 2005 introduced by the DPDP Act has been touted as harmonising privacy and transparency, critics argue that it may impede the disclosure of information relating to public officials, thereby diluting democratic accountability.[21]
V. Conclusion
The notification of the Digital Personal Data Protection Rules, 2025 marks a decisive step in India’s transition toward a mature, enforceable data governance regime, one that aspires to position India’s digital economy as globally competitive, secure, and citizen-centric. By establishing the Data Protection Board of India, mandating granular consent, imposing breach notification obligations, and extending special protections to children, the Rules articulate a principled and rights-oriented vision of data protection.
Yet, the true measure of this framework will be tested in its implementation. The DPBI’s institutional capacity, the pace of SDF designations, the adoption of the Consent Manager architecture, and the effectiveness of grievance mechanisms will collectively determine whether the DPDP framework translates from legislative promise into lived reality for India’s 900 million internet users. As the eighteen-month compliance window draws to a close in 2027, Data Fiduciaries, from global technology corporations to domestic startups, must undertake a fundamental reimagination of their data practices. The era of obtaining consent through obfuscatory terms-of-service agreements and harvesting data for purposes beyond those disclosed is drawing to a close.
India’s data protection journey reflects the broader global reckoning with the power of information in the twenty-first century. The DPDP framework, if robustly enforced, has the potential to establish India not merely as a digital economy of scale, but as a jurisdiction of trust, one where innovation and individual dignity are not antagonistic values, but complementary imperatives.
References
[1] Digital Personal Data Protection Act 2023 (Act No 22 of 2023), received presidential assent 11 August 2023, INDIA CODE (2023).
[2] Ministry of Electronics and Information Technology, Gazette Notification, Digital Personal Data Protection Rules 2025, S.O. 4800(E) (13 November 2025).
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data [2016] OJ L119/1 (General Data Protection Regulation).
[4] Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1 (Supreme Court of India, nine-judge constitution bench).
[5] Information Technology Act 2000 (Act No 21 of 2000), INDIA CODE (2000).
[6] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, notified under s 43A, Information Technology Act 2000.
[7] DPDP Rules 2025 (n 2), Phase I enforcement provisions, effective 14 November 2025; see also MeitY Enforcement Notification S.O. 4801(E) (13 November 2025).
[8] Lexology, ‘India’s Digital Personal Data Protection Regime Takes Effect’ (24 November 2025) accessed 10 May 2026.
[9] DPDP Act 2023 (n 1), s 2(i) (Definition of Data Fiduciary).
[10] DPDP Rules 2025 (n 2), r 3 (Notice requirements of Data Fiduciaries).
[11] DPDP Rules 2025 (n 2), r 7 (Intimation of personal data breach); see also EY India, ‘Transforming Data Privacy: DPDP Act 2023 and DPDP Rules 2025’ (January 2026) accessed 10 May 2026.
[12] GDPR (n 3), art 33 (Notification of a personal data breach to the supervisory authority).
[13] DPDP Rules 2025 (n 2), r 6 (Reasonable security safeguards).
[14] DPDP Act 2023 (n 1), s 10 (Additional obligations of Significant Data Fiduciary).
[15] DPDP Rules 2025 (n 2), r 12 (Obligations of Significant Data Fiduciaries); GDPR (n 3), art 35 (Data protection impact assessment).
[16] DPDP Act 2023 (n 1), ss 11–14 (Rights of Data Principals); DPDP Rules 2025 (n 2), r 10 (Exercise of rights by Data Principal).
[17] DPDP Act 2023 (n 1), s 9 (Processing of personal data of children).
[18] DPDP Act 2023 (n 1), s 2(g) (Definition of Consent Manager); DPDP Rules 2025 (n 2), r 4 (Registration and obligations of Consent Managers).
[19] DPDP Rules 2025 (n 2), r 4(1)(a) (Eligibility criteria for Consent Managers).
[20] DPDP Act 2023 (n 1), s 17 (Exemptions).
[21] DPDP Act 2023 (n 1), s 44(3) (Amendment to s 8(1)(j), Right to Information Act 2005).