Digital Personal Data Protection (DPDP) Rules, 2025
- 05 Dec 2025
In News:
The notification of the Digital Personal Data Protection (DPDP) Rules, 2025 marks the full operationalisation of India’s DPDP Act, 2023, establishing the country’s first comprehensive data protection regime. This development comes eight years after the Supreme Court’s landmark K.S. Puttaswamy (2017) judgment recognised privacy as a fundamental right under Article 21. The Rules aim to create a structured compliance ecosystem, define stakeholder responsibilities, and institutionalise enforcement through the Data Protection Board of India (DPBI).
Key Features of the Framework
The DPDP architecture follows a citizen-centric and simplified (SARAL) approach, using accessible language and structured compliance obligations.
Rights of Data Principals (citizens) include consent-based processing, correction and erasure of data, and grievance redressal.
Obligations of Data Fiduciaries (entities processing data) include lawful processing, purpose limitation, security safeguards, and breach reporting.
However, implementation is phased. Immediate provisions include operationalisation of the DPBI (four-member body headquartered in New Delhi) and an amendment to the RTI Act, 2005, restricting disclosure of personal information. Core user protections, such as informed consent, purpose limitation, breach notification, and appointment of Data Protection Officers (DPOs), will be enforced over the next 12–18 months, with large technology firms expected to achieve full compliance by 2027.
Significant Data Fiduciaries (SDFs)
Entities will be classified as SDFs based on the volume and sensitivity of data processed and potential risks to sovereignty, democracy, security, and public order. Major technology companies are likely to fall under this category. SDFs face higher obligations, including data protection impact assessments and verifiable parental consent for children’s data.
Data Localisation and Cross-Border Transfers
The Rules introduce conditional data localisation, empowering the government to specify categories of personal and traffic data that must remain within India. A designated committee will determine these categories. While aimed at national security and regulatory oversight, this move has raised industry concerns regarding compliance costs and digital trade implications.
Children’s Data and Safety
Companies must implement mechanisms for verifiable parental consent, though the government has allowed flexibility in designing these systems. Behavioural tracking and targeted advertising directed at children are largely restricted, with limited exceptions to prevent exposure to harmful content.
Breach Notification and Penalties
Data Fiduciaries must inform affected individuals without delay about the nature, scope, consequences, and mitigation steps of a data breach. Penalties for failure to implement adequate safeguards can reach ₹250 crore, with enforcement powers vested in the DPBI.
Concerns and Criticisms
Several issues remain contentious:
- RTI Amendment: Removal of the public interest override for personal data of public officials is seen as weakening transparency.
- Government Exemptions: Broad exemptions for state agencies on grounds such as national security may dilute privacy safeguards.
- Delayed Protections: Key user rights becoming operational only after 12–18 months creates a transitional vulnerability.
- Regulatory Capacity: A four-member DPBI may face capacity constraints given India’s digital scale.
- Compliance Burden: Startups and smaller firms may struggle with technical and procedural requirements.
Way Forward
Strengthening institutional capacity and independence of the DPBI is essential. Clearer guidelines on data localisation and parental consent, restoration of the privacy–transparency balance under RTI, and standardised compliance templates can ease implementation. Public awareness and baseline cybersecurity norms will also be crucial.
Conclusion
The DPDP Rules, 2025 represent a landmark step in aligning India’s digital growth with constitutional privacy guarantees. The long-term success of this regime will depend on balanced implementation, regulatory accountability, and continued stakeholder consultation to ensure that innovation, national security, and individual rights evolve together.