Understanding India’s Draft DPDP Rules 2025 For Stronger Data Protection
India’s 1.429 billion residents will soon see their personal information protected by the Digital Personal Data Protection (DPDP) Act – a groundbreaking piece of legislation that establishes clear guidelines for how companies and organizations can collect, process, and store personal data.
The Ministry of Electronics and Information Technology (MeitY) recently published draft implementation rules for public consultation. This article unpacks what organizations should take away from that release and what it means for businesses operating in India.

What Is the Digital Personal Data Protection (DPDP) Act?
The Digital Personal Data Protection (DPDP) Act, 2023 is India’s comprehensive framework for protecting citizens’ personal information in the digital age. It received presidential assent on August 11, 2023, introducing new standards for data privacy and protection in one of the world’s largest digital markets.
The Indian government created the DPDP Act to foster trust between individuals and organizations in India’s digital economy while leaving room for that economy to grow. The framework is the nation’s most substantial piece of modern data privacy legislation to date. Its terminology is its own, but its scope and implications are broadly comparable to the European Union’s General Data Protection Regulation (GDPR) or the California Privacy Rights Act (CPRA).
DPDP Context and Timeline
India released the first draft of the DPDP Bill in 2022 and passed it into law a year later, in August 2023, after years of planning and mounting pressure to establish a national data protection policy. The Act’s specific terms, however, have yet to be fully spelled out or put into effect: India’s national election in 2024 put many government initiatives on pause while the incumbent Bharatiya Janata Party campaigned for another term.
On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) took the next procedural step and released draft DPDP rules for public comment. The document’s 22 rules and seven schedules spell out how the 44 sections of the DPDP Act are to be implemented.
Citizens and industry stakeholders have until February 18, 2025, to comment on the draft rules. The government will then review the feedback and make any necessary changes before notifying the final rules (the Act itself is already law; the rules give its obligations operational detail). That final step may take anywhere from a few weeks to a few months. Note that implementation is staggered: rules 16 to 20, which address the selection and functioning of the Data Protection Board (DP Board), take effect as soon as the rules are published, while the rest take effect on a date the government has yet to specify.
Who’s Who In the DPDP
The Digital Personal Data Protection Act aims to make things clear for everyone at the table with predefined roles outlining expectations, rights, and responsibilities between individuals and organizations. See an overview below.
Data Principals
These are the people the DPDP Act was created to protect. The keyword here is ‘people’: the individuals who share personal information with organizations and other entities in exchange for digital goods and services.
Under the DPDP Act, data principals have specific rights, including:
- The right to access, correct, and delete their information
- The right to withdraw previously given consent
- The right to be informed about how their data is being used
- The right to file complaints if they believe their rights have been violated
Data Fiduciaries
A data fiduciary is any organization, individual, company, or other entity that collects personal data and determines how, and for what purpose, that data will be processed. This includes businesses, government agencies, and other organizations that collect personal information from users or customers.
For example:
- Ecommerce companies that collect customer data for purchases and recommendations
- Social media platforms that gather user information and content
- Healthcare providers maintaining patient records
- Financial institutions handling customer account information
- Educational institutions storing student data
- Government agencies collecting citizen information
- Online service providers tracking user behavior and preferences
- Mobile app developers collecting usage and device data
Data fiduciaries have significant responsibilities under the DPDP, including:
- Implementing appropriate security measures to protect personal data
- Obtaining valid consent before collecting or processing data (for example cookie consent)
- Being transparent about data collection and usage practices
- Responding to user requests regarding their data rights
- Reporting data breaches to authorities and affected individuals
- Ensuring compliance with all DPDP requirements
Data Processors
Data processors are the organizations that handle data on behalf of data fiduciaries. Bound by contractual terms, they essentially act as intermediaries – performing tasks like data storage, analysis, or processing but not making independent decisions about how the data is used. Common examples include cloud storage providers, payment processors, and data analytics companies.
Consent Managers
A consent manager operates secure, user-friendly interfaces where people can view, grant, or withdraw consent for data processing activities. Think of them as privacy dashboards that give individuals greater control over their digital footprint.
What Do the Draft Digital Personal Data Protection Rules Propose?
The draft rules, formally the Digital Personal Data Protection Rules, 2025, are broadly similar to other data protection regimes worldwide, at least for now. MeitY is inviting comments, objections, and suggestions from both businesses and individuals as it finalizes the key terms. Here’s a summary of the 22 rules and seven schedules up for review:
Notice Requirements
The DPDP Act’s foundational purpose, cultivating transparency between Indian internet users and organizations, rests on comprehensive notice requirements. Clear, upfront, jargon-free communication is what lets everyday citizens exercise the rights the Act gives them.
Data Collection Notifications
Data principals have the right to be told what data fiduciaries and their processors do with their personal information. For data fiduciaries, that means issuing a notice with every request for consent, so each new collection or processing purpose requires a new notice.
Notifications must:
- List the type of personal data collected
- Justify why data is being collected
- Explain how the data will be used
- Outline steps and provide easy means for withdrawing consent, exercising rights, and filing complaints
Data Breach Notifications
In the event of a data breach, data fiduciaries must:
- Inform affected individuals without delay, describing the breach, its likely impact, and the measures taken to mitigate it.
- Notify the DP Board without delay, and follow up with full details of the incident within 72 hours of becoming aware of it (or within a longer period the Board allows on written request).
Criteria for Consent Managers
The draft clarifies the standards an organization must meet to hold the title of ‘consent manager’. First and foremost, it must operate as an interoperable consent management platform, as defined earlier. Only companies incorporated in India with a net worth of at least INR 20 million (about US$233,000) qualify, and those that do must obtain the DP Board’s prior approval before any transfer of control or ownership.
Specific Data Processing Rights for Government Organizations
Rules on the scope, use, and justification of data collection apply differently in certain contexts, specifically when the State processes data to deliver public services or perform administrative functions. Data processed for research, archiving, or statistical purposes may also be exempt from DPDP obligations if the processing follows the safeguards set out in Schedule II.
Security Safeguards
The draft rules require data fiduciaries to maintain reasonable security safeguards that protect personal data against unauthorized access, modification, disclosure, or destruction.
Data fiduciaries must implement measures such as:
- Encryption, obfuscation, masking, or tokenization of personal data, in transit and at rest
- Access controls that restrict which people and systems can reach personal data
- Logging and monitoring sufficient to detect unauthorized access, with logs kept long enough to investigate an incident (the draft specifies one year)
- Backups that allow processing to continue if data is compromised
- Regular security audits and vulnerability assessments
- Comprehensive incident response plans
- Employee training on data protection procedures
- Physical security for facilities where data is stored
Data fiduciaries are also responsible for ensuring, through contractual obligations and regular compliance monitoring, that their data processors maintain equivalent safeguards. These measures should be reviewed periodically and updated as threats and technology evolve.
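The safeguards above name techniques without showing them. The following is an added example, not code from the draft rules or from CookieFirst: it protects one constructed customer record at the field level with Python’s standard library, issuing keyed tokens for identifiers that analytics systems need to join on and masked values for display, and it demonstrates why an unkeyed hash of a low-entropy identifier such as a mobile number is not a pseudonym. The key handling (a random key generated at start-up) stands in for whatever secrets manager a real deployment would use, and all sample values are constructed.

```python
"""Field-level protection of stored personal data with Python's standard library.

Added example for this article, not code from the draft rules or from CookieFirst.
It assumes the tokenization key is held by a secrets manager or HSM; a random key
is generated here so the example runs offline. All sample values are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: in production this key comes from a KMS and never reaches the
# analytics tier. Rotating it changes every token, so rotation is a migration.
TOKEN_KEY = secrets.token_bytes(32)


def tokenize(field: str, value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic, keyed pseudonym ("virtual token") for an identifier.

    HMAC-SHA256 yields the same token for the same input, so records stay
    joinable across systems, but without the key nobody can enumerate inputs
    to recover them. The field name is mixed in so a mobile number and an
    account number that happen to share digits do not share a token.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def mask_mobile(number: str) -> str:
    """Display form that keeps only the last four digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "X" * (len(digits) - 4) + digits[-4:]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256, often mislabelled 'anonymization'. Kept to show the gap."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_naive_hash(target: str, prefix: str, suffix_len: int) -> Optional[str]:
    """Recover the preimage of an unkeyed hash by enumerating the input space.

    An Indian mobile number is ten digits starting with 6-9, so the whole space
    is about 4e9 values, a few hours on a laptop. The constructed prefix keeps
    this demonstration to 10**suffix_len candidates.
    """
    for n in range(10 ** suffix_len):
        candidate = f"{prefix}{n:0{suffix_len}d}"
        if naive_hash(candidate) == target:
            return candidate
    return None


def protect_record(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Split a customer record into what the analytics store may hold (tokens)
    and what a support UI may show (masked values)."""
    return {
        "customer_token": tokenize("customer_id", record["customer_id"], key),
        "mobile_token": tokenize("mobile", record["mobile"], key),
        "mobile_display": mask_mobile(record["mobile"]),
        "city": record["city"],  # non-identifying attribute kept as-is
    }


if __name__ == "__main__":
    sample = {"customer_id": "C-1001", "mobile": "9876543210", "city": "Pune"}  # constructed
    print(protect_record(sample))
    # The unkeyed hash falls to enumeration; the keyed token does not.
    print(reverse_naive_hash(naive_hash(sample["mobile"]), "987654", 4))
```

The design point is that the token key, not the hash function, carries the protection: a store holding only tokens is useless to an attacker who lacks the key, whereas a store of unkeyed hashes of phone numbers is personal data in a thin disguise.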
Data Retention
Data retention refers to how long a data fiduciary (or a processor acting for it) may hold the information it has collected from a data principal. Data privacy laws typically limit that period as tightly as the purpose allows, in line with the principle of data minimization.
Under the DPDP draft rules, specific retention periods are outlined for different categories of data fiduciaries:
For large platforms:
- Ecommerce platforms with 20+ million users
- Online gaming intermediaries with 5+ million users
- Social media platforms with 20+ million users
These entities must erase a user’s personal data once three years have passed since the user last interacted with them for the specified purpose (or since the rules take effect, whichever is later), unless the user keeps the account alive through continued engagement or renewed consent. The fiduciary must notify the user at least 48 hours before the erasure, giving them a chance to return.
For other data fiduciaries, the retention period should align with the original purpose of data collection. Once that purpose is fulfilled, the data must be deleted unless specific legal requirements mandate longer retention. Organizations must document and justify their retention schedules, regularly review stored data, and implement automated deletion processes when retention periods expire.
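Both retention regimes described above, the inactivity clock for large platforms and purpose-bound retention for everyone else, come down to the same nightly job: compute each record’s erasure deadline, honour legal holds and statutory floors, warn the user before an account disappears, and erase only once the deadline has passed. The following is an added example of that job, not code from the draft rules or from CookieFirst. The three-year inactivity limit comes from the draft; the record layout, the legal-hold flag, the statutory-retention field and the 48-hour pre-erasure notice window are this example’s assumptions about how a fiduciary would model the obligation, and all records are constructed.

```python
"""Retention enforcement under the draft DPDP rules: inactivity-based erasure for
large platforms and purpose-bound erasure for everyone else.

Added example for this article, not code from the draft rules or from CookieFirst.
The three-year inactivity limit comes from the draft; the record layout, the
legal-hold flag and the 48-hour pre-erasure notice window are this example's
assumptions about how a fiduciary would model the obligation. All records are
constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

INACTIVITY_YEARS = 3                   # Schedule III figure for large platforms
NOTICE_PERIOD = timedelta(hours=48)    # assumed pre-erasure notice window


@dataclass
class Record:
    record_id: str
    category: str                              # "account" or a purpose label such as "order"
    last_interaction: datetime                 # last time the data principal approached us
    consent_renewed: Optional[datetime] = None
    purpose_fulfilled_at: Optional[datetime] = None   # purpose-bound data only
    legal_retention: Optional[timedelta] = None       # statutory floor, documented elsewhere
    legal_hold: bool = False                   # live dispute or regulator request
    notified_at: Optional[datetime] = None     # when the pre-erasure notice went out


def add_years(ts: datetime, years: int) -> datetime:
    """Calendar-correct 'N years later'; Feb 29 rolls back to Feb 28."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def erasure_deadline(rec: Record) -> Optional[datetime]:
    """When the data must be gone, or None if the clock has not started."""
    if rec.category == "account":
        # Renewed consent or a fresh interaction restarts the inactivity clock.
        anchors = [d for d in (rec.last_interaction, rec.consent_renewed) if d]
        return add_years(max(anchors), INACTIVITY_YEARS)
    if rec.purpose_fulfilled_at is None:
        return None                            # purpose still live: keep the data
    return rec.purpose_fulfilled_at + (rec.legal_retention or timedelta(0))


def decide(rec: Record, now: datetime) -> str:
    """Idempotent decision for one record; safe to rerun every night."""
    if rec.legal_hold:
        return "retain"                        # a documented hold overrides the schedule
    deadline = erasure_deadline(rec)
    if deadline is None or now < deadline - NOTICE_PERIOD:
        return "retain"
    if rec.category == "account":
        if rec.notified_at is None:
            return "notify"                    # warn the user before the account goes
        if now < deadline:
            return "await"                     # notice sent; the user may still return
    return "erase" if now >= deadline else "retain"


def sweep(records: Iterable[Record], now: datetime) -> Dict[str, str]:
    """Decisions keyed by record id, for the deletion and notification workers."""
    return {rec.record_id: decide(rec, now) for rec in records}


if __name__ == "__main__":
    utc = timezone.utc
    now = datetime(2028, 3, 1, tzinfo=utc)
    constructed = [
        Record("A1", "account", datetime(2025, 1, 15, tzinfo=utc)),
        Record("A2", "account", datetime(2025, 1, 15, tzinfo=utc),
               notified_at=datetime(2028, 1, 13, tzinfo=utc)),
        Record("A3", "account", datetime(2025, 1, 15, tzinfo=utc),
               consent_renewed=datetime(2027, 6, 1, tzinfo=utc)),
        Record("O1", "order", datetime(2025, 6, 1, tzinfo=utc),
               purpose_fulfilled_at=datetime(2025, 6, 1, tzinfo=utc)),
        Record("O2", "order", datetime(2025, 6, 1, tzinfo=utc),
               purpose_fulfilled_at=datetime(2025, 6, 1, tzinfo=utc),
               legal_retention=timedelta(days=8 * 365)),
        Record("H1", "account", datetime(2020, 1, 1, tzinfo=utc), legal_hold=True),
    ]
    for rid, action in sweep(constructed, now).items():
        print(rid, action)
```

Two details matter in practice: the decision is a pure function of the record and the clock, so the job can be rerun after a crash without double-notifying or erasing early, and the statutory floor lives on the record rather than in code, which is what lets the organization document and justify each retention period as the rules expect.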
Data Protection Impact Assessments (DPIAs)
Significant Data Fiduciaries (SDFs), a class the central government designates based on factors such as the volume and sensitivity of the data processed and the risk to data principals, must conduct these assessments annually and keep detailed records for regulatory review. The findings should feed back into privacy policies, security measures, and data handling practices. Independent auditors may be required to validate DPIA results and compliance measures.
Enforcement Procedures
DPDP guidelines will only serve their purpose if enforced consistently. The Act establishes India’s first Data Protection Board (DP Board) to oversee implementation and handle grievances; the draft rules spell out how its members are appointed and how it operates.
The Board will have jurisdiction over all matters related to personal data protection and will be empowered to:
- Investigate complaints and violations
- Issue penalties and corrective orders
- Monitor compliance with DPDP provisions
- Guide implementation
- Coordinate with other regulatory bodies
The Board’s decisions can be challenged: under the Act, appeals lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which provides a check on the enforcement framework and a route for resolving disputes between data principals and fiduciaries.
The stakes of non-compliance are high. The Act sets penalty ceilings that depend on the obligation breached: up to ₹250 crore for failing to maintain reasonable security safeguards, up to ₹200 crore for failing to notify a breach, and up to ₹50 crore for most other violations. That is on top of reputational damage; no one wants to do business with a company that cannot be trusted with personal data. Cross-border transfers are covered as well: the draft rules allow personal data to be transferred outside India subject to any restrictions or requirements the central government specifies for particular countries or categories of transfer.
Looking Ahead
The DPDP is a crucial step toward establishing a robust data protection framework for India’s growing digital economy. Even though the final rules are being refined, organizations should begin preparing for compliance now. It’s also worth weighing in during the consultation period, as feedback from stakeholders will help shape the final regulations. Organizations that proactively align their practices with the proposed requirements will be better positioned when the rules take effect.
The post India Unveils DPDP Rules 2025 For Stronger Data Protection appeared first on CookieFirst - Cookie Consent Management.