Part I: Introduction
The world is in the midst of a digital transformation in which data privacy is not an ancillary matter but a fundamental right, deeply rooted in personal agency and human dignity. On November 13, 2025, India entered a decisive stage in its data protection regime when the Ministry of Electronics and Information Technology (‘MeitY’) formally issued the Digital Personal Data Protection Act (‘Act’) alongside the Digital Personal Data Protection Rules (‘Rules’).[1] Together, these instruments bring India’s long-awaited privacy framework from theory to reality and represent the biggest change in the nation’s privacy laws to date. They indicate a move away from the IT Act’s regulations on data handling and towards a robust, rights-based system that prioritises corporate accountability and individual control over personal data.
India’s data protection landscape sits at the intersection of constitutional promise and legislative gaps.[2] From K.S. Puttaswamy v. Union of India[3], which affirmed privacy as a fundamental right, to the uneven rollout of statutory protections, privacy jurisprudence has evolved in a largely reactive manner, shaped by political will and pressures of the digital economy. With the new DPDP Rules, the call has now shifted from minimal compliance to substantive, rights-centered data governance, recognizing personal data as an extension of individual identity that warrants robust constitutional and regulatory protection.
The Rules detail how corporations must manage digital personal data, from transparent, purpose-bound collection and explicit consent mechanisms to rigorous security safeguards and timely breach reporting. They also operationalize citizens’ digital rights, including access, correction, erasure and withdrawal of consent, while establishing procedural obligations for data fiduciaries. Essentially, the Rules introduce phased compliance timelines that balance regulatory ambition with practicality, recognizing the diverse maturity levels of Indian businesses.[4] Against a backdrop where data has become an economic engine and digital interactions pervade everyday life, these Rules aim to recalibrate the relationship between individuals and the organisations that collect their data, fostering trust, transparency and accountability in India’s quickly expanding digital ecosystem.
Part II: From the DPDP Act to DPDP Rules: Why the Rules Matter
The Digital Personal Data Protection Act, 2023 sets out broad principles and fundamental rights, such as consent, purpose limitation and Data Principal rights, for protecting digital personal data in India. However, on its own the Act does not prescribe how organisations must implement these obligations. That practical clarity comes from the DPDP Rules, 2025, a subordinate legislation notified under the Act that fills in the procedural and technical details such as consent mechanics, timelines and safeguards for processing and breach reporting.
Subordinate legislation like the DPDP Rules is critical because primary statutes often establish frameworks but leave execution to rule-making authorities. This mirrors approaches in other regimes; for example, the EU’s GDPR expressly contemplates delegated and implementing rules to flesh out application details without changing core law.[5]
Part III: Consent as the Cornerstone of Data Processing
Under the DPDP Rules, 2025, consent is central to lawful processing of any form of personal data, and it must meet a higher standard than the simple banners or bundled agreements common in the past. Consent must be free, specific to each purpose, informed by clear notice, and unambiguous through a clear affirmative action before a fiduciary can process personal data. Notices must be in plain language, itemise the categories of data collected, explain the precise purpose of processing and provide clear mechanisms for exercising rights, including consent withdrawal.[6] Importantly, the Rules require that withdrawing consent be as easy as giving it, and data fiduciaries must provide accessible links or interfaces for this purpose. The introduction of Consent Managers – registered intermediaries that enable Data Principals to give, review, manage and withdraw consent across platforms – represents a structural evolution from earlier models where consent was often bundled within lengthy terms and conditions.[7] Consent Managers exist to give individuals a centralised, transparent platform for controlling consent.
Part IV: Obligations of Data Fiduciaries under the DPDP Rules, 2025
Under the DPDP Rules, 2025, Data Fiduciaries – the entities that decide why and how personal data is processed – face a set of core obligations designed to operationalize the principles of the Act and strengthen privacy protections. At the heart of these duties is purpose limitation and data minimization: fiduciaries must collect and process personal data only for specific, lawful purposes notified to the Data Principal and relevant to the service provided, avoiding unnecessary data collection or retention beyond what is required. They must also ensure accuracy, keeping data complete and up to date.
The Rules require fiduciaries to implement reasonable security safeguards proportionate to the risks posed by processing activities. These include technical and organizational measures such as encryption, access controls, activity logs, backups, and continuous monitoring to protect confidentiality, integrity and availability of data. Logs and processing records must be retained for at least one year to support oversight and investigations.[8] Data retention and deletion obligations are also more prescriptive: once the purpose is fulfilled or consent is withdrawn, data should be erased unless law requires retention, and individuals must be notified ahead of deletion.[9] Fiduciaries must establish grievance redressal mechanisms and address complaints within a defined timeframe, publish clear contact details for privacy queries and maintain documentation reflecting compliance efforts. For Significant Data Fiduciaries designated by the government, these duties are stricter, requiring dedicated Data Protection Officers, periodic audits and impact assessments to manage high-risk processing.[10]
Part V: Data Breach Reporting and Accountability Mechanisms
The DPDP Rules, 2025 emphasise the law’s enforcement intent by introducing a structured and serious regime for reporting data breaches. When a breach happens, a Data Fiduciary is required to notify the impacted parties as soon as possible in plain language, outlining what happened, the likely consequences, the mitigation measures implemented, and the contact details for assistance. In addition, unless the Board grants additional time, the fiduciary must promptly notify the Data Protection Board (DPB) of the incident and submit a thorough update within 72 hours of learning of the breach.[11] Compared to best practices, this dual notification to users and the regulator increases the operational compliance burden for organisations, but it also improves accountability and transparency in incident handling. The strategy adapts timelines and content to India’s regulatory environment while generally adhering to international standards, such as the GDPR’s 72-hour breach notification requirement.[12]
Part VI: Children’s Data and Enhanced Protection Standards
Under the DPDP framework, a child is defined as any individual below 18 years of age. Before processing the personal data of a child, a Data Fiduciary must obtain verifiable parental or lawful guardian consent, which involves checking that the consenting adult’s identity and age are authentic through reliable identity information or authorized virtual tokens. Tracking, behavioral monitoring, and targeted advertising directed at children are expressly prohibited unless narrowly permitted for safety, educational, or healthcare purposes.[13] These enhanced safeguards have substantial implications for sectors such as ed-tech, gaming and social media, which must redesign onboarding and analytics systems to avoid unlawful profiling of minors.
Part VII: Cross-Border Data Transfers and India’s Strategic Position
The DPDP Rules allow cross-border transfer of personal data, but only subject to conditions prescribed by the Central Government regarding adequate protection standards in destination jurisdictions. This framework lets multinational corporations continue international operations while giving the government discretion to restrict transfers to certain countries or entities if national interests or data protection adequacy concerns arise. Unlike some strict data localization approaches, India’s regime seeks a balanced strategy, permitting global data flows with safeguards rather than imposing outright localization, but requiring careful compliance monitoring and transfer safeguards.[14]
Part VIII: What the DPDP Rules Mean for Corporations in Practice
The DPDP Rules, 2025 transform data privacy from a legal concept into a practical business requirement for companies that operate in India’s digital economy. To understand how data moves through their systems, identify risks, and match current procedures with DPDP obligations, businesses may need to conduct internal audits and gap assessments. Organisations are prompted to unify consent records, retention schedules, and rights-handling mechanisms across Legal, IT, Security, HR, and Marketing functions when this structural introspection reveals fragmented data systems. Because the fiduciary is still accountable for processor failures, contractual relationships with vendors and processors must be reviewed to make sure that third parties adhere to DPDP security and accountability standards. Although there are fewer blind spots that could result in violations or improper handling of consent, such vendor oversight increases the workload associated with compliance. Privacy compliance has evolved from a legal or IT concern to a board-level risk issue that impacts strategic planning and customer trust because breaches, rights violations, or notification lapses can result in severe penalties up to Rs. 250 crores and reputational harm.[15]
Part IX: Conclusion
The DPDP Rules, 2025 signify a fundamental cultural change in India’s perspective on digital rights, organisational accountability, and data governance; they are much more than a new set of legal requirements. Fundamentally, the Rules aim to foster a privacy-first mindset throughout corporate ecosystems, converting compliance from a specific legal obligation into a more comprehensive culture of responsible stewardship. This change presents a strategic opportunity for businesses: those that integrate privacy by design, bolster internal governance, and communicate effectively with users will not only avoid fines but also establish long-lasting trust in a digital marketplace that is becoming more and more scrutinised.
The Rules also pave the way for an expanding corpus of administrative guidelines and jurisprudence that will shape consent, risk assessment, cross-border data practices, and fiduciary accountability in the years to come. India can anticipate changing standards influenced by rulings from the Data Protection Board, sectoral regulators, and the judiciary when challenged, much like the early years of GDPR interpretation in Europe. In the end, India’s data protection trajectory reflects a hybrid model that safeguards personal freedom while promoting international data flows and innovation. The DPDP framework is positioned to firmly anchor India within the developing global privacy ecosystem as enforcement develops and institutional capacity grows, indicating the country’s readiness to interact with international standards while developing solutions specific to its own digital reality.
[1] DPDP 2025 rules explained as they come into effect: What they mean for you, Times of India (Nov. 14, 2025), https://timesofindia.indiatimes.com/technology/tech-news/dpdp-rules-2025-rules-explained-as-they-come-into-effect-what-they-mean-for-you/articleshow/125325252.cms
[2] Abdullah Zubair Motiwala, A Jurisprudential Analysis of the DPDP Rules 2025 and the Evolution of Data Privacy Laws in India (Apr. 30, 2025), SSRN Scholarly Paper No. 5335388
[3] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 S.C.C. 1 (India)
[4] DPDP Rules 2025: India’s Push for Clearer, Simpler Data Privacy Policies, Entrepreneur (Jan. 7, 2025), https://www.entrepreneur.com/en-in/news-and-trends/dpdp-rules-2025-indias-push-for-clearer-simpler-data/485224
[5] GDPR, 2016 O.J. (L 119).
[6] Digital Personal Data Protection Rules, 2025, First Schedule, Part B (India).
[7] Digital Personal Data Protection Rules, 2025, Rule 4 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[8] Digital Personal Data Protection Rules, 2025, Rule 6 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[9] Digital Personal Data Protection Rules, 2025, Rule 8 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[10] Digital Personal Data Protection Rules, 2025, Rule 13 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[11] Digital Personal Data Protection Rules, 2025, Rule 7 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[12] Regulation (EU) 2016/679, Art. 33, GDPR 2016 O.J. (L 119)
[13] Digital Personal Data Protection Rules, 2025, Rule 10 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[14] Digital Personal Data Protection Rules, 2025, Rule 15 (India), notified by the Ministry of Electronics and Information Technology on Nov. 14, 2025.
[15] Digital Personal Data Protection Act, 2023, The Schedule, Gazette of India, Sec. 1, at 21.




