Published On: March 12th 2026
Authored By: Avilipsa Paltasingh
Indore Institute of Law
Introduction
India, with a population of around 1.4 billion, faces numerous cyberattacks daily. People’s personal data was being misused, and their fundamental right to privacy was under continuous threat. Sometimes, personal data was being misused by the government itself. The situation grew more acute when the new LPG (Liberalisation, Privatisation, and Globalisation) reforms[1] were introduced, bringing significant transformation to India’s IT, service, and banking sectors. Although these reforms had a strong positive impact on India’s economic growth, they also posed risks to the fundamental rights of Indian citizens, as increasing digitalisation made their personal data easier to misuse. The Digital Personal Data Protection Act, 2023 (DPDPA) was introduced by the Parliament of India to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes. This Act was passed after extensive deliberation by the Srikrishna Committee,[2] constituted by the Ministry of Electronics and Information Technology.[3] Subsequently, the DPDPA raised several technical and procedural requirements that necessitated the creation of subordinate rules. Accordingly, the DPDP Rules 2025 were notified by the Government of India under the DPDPA. The Rules provide a more operational and detailed framework for implementation of the Act, specifying the obligations of data fiduciaries and the procedures for data principals, breach reporting, cross-border transfers, and the functioning of the Data Protection Board of India.[4] It is therefore not sufficient to have the law alone; effective implementation matters equally.
Keywords: Digital Personal Data Protection Act, 2023 (DPDPA); DPDPA Rules 2025; Right to Privacy; Data Fiduciaries; Data Principals; Data Protection Board of India.
Act vs. Rules: Understanding the Shift from Principle to Practice
An Act can be made stronger and more effective only when it is properly implemented through rules. An Act without rules or procedures for its implementation serves little practical purpose. At the same time, poorly designed rules can weaken even the strongest legislation. Therefore, both must be carefully balanced to ensure that an Act achieves genuine impact through its implementing rules.
The Need for DPDPA 2023 in India’s Digital Era
Before the DPDPA 2023,[5] various rules, bills, and draft proposals aimed to protect the privacy of individuals’ personal data. However, these efforts encountered numerous technical and legislative challenges, rendering effective regulation of personal data impossible. The DPDPA 2023 was ultimately enacted following the landmark constitutional judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India,[6] wherein the Supreme Court declared that the right to privacy is a fundamental right under Article 21[7] of the Constitution of India.
The DPDPA 2023 represents the collective legislative effort to protect the privacy of individuals in a world where personal data circulates on the internet for numerous purposes, whether for acquiring services or applying for employment. The conceptual foundation of the DPDP Act can be traced to the data privacy regulation of the European Union, the General Data Protection Regulation (GDPR).[8] The Act ensures that the collection of personal digital data adheres to established legal boundaries. Further, rights are also granted to individuals whose data is collected, including the right to withdraw consent, access and edit their data, and seek corrections. Granting these rights strengthens public trust in the digital world and makes individuals feel secure and empowered.
Understanding the Digital Personal Data Protection Rules, 2025: Structure and Objectives
The DPDP Rules 2025[9] serve as the actionable blueprint for the DPDP Act 2023[10] by systematically outlining the procedures for collecting, storing, processing, protecting, transferring, and ultimately erasing personal data. These Rules introduce new responsibilities by imposing strict timelines and establishing a governance structure that is far more comprehensive than many businesses anticipated. Their primary aim is to empower individuals with greater control over their personal information. Consent Management is one of the core principles, making it necessary for data fiduciaries to obtain the user’s consent before accessing their personal data.
Significant provisions from the DPDP Rules 2025 include:
1. Clear Definitions for Compliance (Rule 2)
2. Mandatory Plain-Language Notices (Rule 3)
3. Stricter Governance for Consent Management (Rule 4 and First Schedule)
4. Minimum Security Standards for All Organisations (Rule 6)
5. Mandatory Breach Reporting Within 72 Hours (Rule 7)
6. Defined Data Retention and Erasure Obligations (Rule 8 and Third Schedule)
7. Enhanced Protections for Children, Rights Handling, and Cross-Border Data Transfers (Rules 10 to 16)
Extra-Territorial Reach and the SARAL Compliance Framework under the DPDP Rules, 2025
The Rules apply to all organisations and entities that process digital personal data within India, as well as to those outside India that offer goods or services to citizens in India. The DPDP Rules 2025 incorporate an extra-territorial reach that aligns with global data protection standards.[11] The Rules elevated the DPDP Act 2023 by adopting the SARAL[12] approach, which stands for Simple, Accessible, Rational, and Actionable. This framework creates clear illustrations so that both individuals and businesses can understand their obligations without undue difficulty.
Consent Managers: India’s Innovative Model for Centralised Consent Control
The Rules emphasise the role of Consent Managers, a concept that is novel to India’s regulatory framework. These managers serve as intermediaries, allowing individuals to control their data permissions across different platforms. The Rules set strict registration requirements, including financial minimums. For instance, a Consent Manager must maintain a net worth of at least two crore rupees and possess sufficient technological capacity to manage large-scale consent processes.
Consent Managers must operate with complete neutrality and avoid any bias when obtaining consent from data principals. Their primary purpose is to assist with giving, reviewing, managing, and withdrawing consent[13] without exploiting the underlying data. They are also required to maintain detailed records of all consents, notices, data-sharing logs, and withdrawals for a minimum of seven years.
This extended retention period reflects the government’s commitment to accountability and traceability in a digital ecosystem where data flows freely across systems and organisations.
How the DPDP Rules Empower Data Principals
The DPDP framework places data principals (individuals) at the centre of India’s digital protection system, making it genuinely people-centric. It aims to provide individuals with clear control over their personal data and to build public trust that their data is handled with due care. The framework also holds entities accountable for the manner in which they use personal data.
Rights and protections enshrined for data principals include:
1. Right to give or deny consent: All individuals have the right to consent to, or refuse, the use of their personal data. Consent must be clear and unambiguous. Individuals also have the right to withdraw their consent at any time.
2. Right to know how their data is being used: Individuals have the right to information regarding why their data has been collected and how it is being used.
3. Right to nominate another person: Every individual has the right to appoint someone on their behalf who will exercise their data rights.
4. Mandatory response within ninety days: Data fiduciaries are obligated to address all requests relating to access, correction, updating, or erasure within a timeframe of ninety days.
5. Protection during personal data breaches: If a breach occurs, individuals must be informed promptly. The notification must contain a clear and detailed explanation of what happened and what steps may be taken in response.
6. Clear contact for queries and complaints: Data fiduciaries must provide a pathway for individuals to raise questions or complaints relating to their personal data.
7. Special protection for children: Where a child’s personal data is involved, data fiduciaries are required to obtain the consent of the child’s parent or lawful guardian. However, where the data relates to essential services such as healthcare, education, or real-time safety, consent may not be strictly required, so that timely and effective action remains possible.
8. Special protection for persons with disabilities: Where a person with a disability is unable to make lawful decisions, even with support, their lawful guardian must provide consent on their behalf.
Core Obligations of Data Fiduciaries under the DPDP Rules, 2025
The Rules impose numerous obligations on data fiduciaries with the aim of curbing unauthorised commercial use of data, reducing digital harms, and creating a safe environment for innovation.
Key obligations include:
1. Separate consent notice: Every data fiduciary must issue a separate consent notice that can be easily understood by individuals. The notice must clearly explain the specific purpose for which data is being collected and used.
2. Timely breach notification: Data fiduciaries must inform affected individuals of any breach without delay.
3. Communication channels for queries: Data fiduciaries must clearly provide means of communication through which individuals may raise queries relating to their personal data.
4. Stricter safeguards for sensitive technologies: Data fiduciaries must apply stricter due diligence when deploying or engaging with sensitive technologies that process personal data.
How the DPDP Aligns with the RTI Act
The DPDP Act and Rules align closely with the Right to Information Act, 2005 (RTI Act). The changes introduced through the DPDPA revise Section 8(1)(j) of the RTI Act[14] in a manner that respects the rights of both data principals and the broader public interest, without undermining either.
The amendment reflects the Supreme Court’s recognition of the right to privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India.[15] It also prevents any conflict between the transparency regime of the RTI Act and the privacy safeguards introduced under the DPDP framework. In this way the core purpose of the RTI Act, which is to promote openness and accountability in public life, continues to guide decision-making in the digital age.
Conclusion
The DPDPA 2023 and the DPDP Rules 2025 together mark an important milestone in building a transparent and trustworthy digital environment in India. They provide clarity to individuals regarding how their data will be collected, used, and handled, thereby strengthening public trust in the digital ecosystem. Grounded in constitutional values, judicial precedent, and a commitment to individual rights, these instruments position India to move towards a transparent, innovation-friendly data governance framework whose ultimate purpose is to serve its citizens.
References
[1] LPG (Liberalisation, Privatisation, and Globalisation) Reforms, Government of India economic policy framework introduced in 1991.
[2] Srikrishna Committee, formally the Committee of Experts on a Data Protection Framework for India, constituted by the Ministry of Electronics and Information Technology in 2017.
[3] Ministry of Electronics and Information Technology (MeitY), Government of India. Available at: https://www.meity.gov.in
[4] Data Protection Board of India, constituted under the Digital Personal Data Protection Act, 2023, No. 22 of 2023, India Code (2023).
[5] Digital Personal Data Protection Act, 2023, No. 22 of 2023, India Code (2023).
[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[7] Constitution of India, art. 21 (Right to Life and Personal Liberty).
[8] General Data Protection Regulation, Regulation (EU) 2016/679, Official Journal of the European Union (2016).
[9] Digital Personal Data Protection Rules, 2025 (Draft), Ministry of Electronics and Information Technology, Government of India. Available at: https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[10] Digital Personal Data Protection Act, 2023, No. 22 of 2023, India Code (2023).
[11] Press Information Bureau, Government of India, DPDP Rules 2025 Notification. Available at: https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190014
[12] SARAL (Simple, Accessible, Rational, and Actionable) framework, Ministry of Electronics and Information Technology. Available at: https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/jan/doc202515481101.pdf
[13] Digital Personal Data Protection Rules, 2025 (Draft), Rule 4 and First Schedule (Consent Manager obligations).
[14] Right to Information Act, 2005, No. 22 of 2005, India Code, s. 8(1)(j), as amended by the Digital Personal Data Protection Act, 2023.
[15] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).