DIGITAL PERSONAL DATA PROTECTION RULES

- The Government of India issued the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, completing the implementation of the Digital Personal Data Protection Act, 2023.
- With both the Act and Rules now in place, India has a comprehensive, citizen-oriented framework that balances personal data rights with legitimate data processing requirements.
- Before finalising the Rules, the Ministry of Electronics and Information Technology sought inputs from the public. Consultations were organised across several major cities—Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai—drawing participation from startups, MSMEs, industry associations, civil society organisations, and government bodies.
- Citizens also contributed actively. Altogether, 6,915 suggestions and comments were submitted, significantly influencing the final version of the Rules.
- The notification of these Rules establishes a practical, innovation-supportive data protection regime for the country. It promotes clarity, encourages adherence to the law, and enhances public confidence in India’s expanding digital landscape.
- The Digital Personal Data Protection Act was passed by Parliament on 11 August 2023, establishing a comprehensive legal structure for safeguarding digital personal information in India.
- It outlines the responsibilities of organisations when they gather or process such data. The Act is built on the SARAL philosophy—Simple, Accessible, Rational and Actionable—using straightforward language and clear examples so that individuals and businesses can easily understand the requirements.
- The Act is anchored in seven foundational principles: consent and transparency, limitation of purpose, minimal collection of data, accuracy, restricted data retention, strong security measures and accountability. These principles shape each step of data handling and ensure that personal information is processed only for legitimate and defined purposes.
- A key highlight of the law is the establishment of the Data Protection Board of India, an autonomous authority responsible for monitoring compliance, investigating violations and ensuring that necessary corrective actions are taken.
- The Board is central to protecting user rights and fostering confidence in the data protection framework.
Key Terms under the DPDP Act, 2023
The Digital Personal Data Protection Rules, 2025 operationalise the DPDP Act, 2023, creating a practical and transparent system for safeguarding personal data in India’s rapidly growing digital landscape. These Rules place strong emphasis on citizen rights and responsible data handling by organisations. Their objective is to prevent misuse of personal information, minimise digital risks, and foster an environment that supports safe innovation—thereby strengthening trust in India’s digital economy.
To achieve these goals, the Rules lay down several key provisions:
- A phased compliance period of 18 months has been introduced so organisations have adequate time to upgrade systems and adopt sound data-protection practices.
- All Data Fiduciaries must issue a separate, easy-to-read consent notice clearly stating the specific purpose for which personal data is collected and processed.
- Consent Managers—entities that help people manage their permissions—must operate as companies incorporated in India.
- The Rules also define a clear and prompt procedure for reporting data breaches. In the event of a breach, the Data Fiduciary must immediately notify every affected person in simple language, outlining what occurred, potential consequences and the corrective measures taken. The communication must also include relevant contact details for assistance.
- Each Data Fiduciary is required to provide accessible contact information for queries related to personal data—whether that is a designated officer or a Data Protection Officer. Significant Data Fiduciaries have additional responsibilities: they must conduct external audits, undertake impact assessments and implement stricter controls when using emerging or sensitive technologies.
- They may also be required to comply with government directions regarding restricted data categories, including localisation requirements when necessary.
- The Rules strengthen the rights granted under the Act. Individuals can request access to their personal information, corrections or updates, and deletion in permitted situations.
- They may also authorize another person to exercise these rights on their behalf. Data Fiduciaries must respond to such requests within 90 days.
- Additionally, the Rules provide for a fully digital Data Protection Board of India with four members. Citizens will be able to submit complaints online and track them through a dedicated website and mobile app, making grievance resolution faster and more efficient.
- Appeals against the Board’s orders will be handled by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The DPDP framework puts citizens at the heart of India’s data protection regime. Its core purpose is to ensure that individuals have clear authority over their personal information and can trust that it is handled responsibly. The rules are drafted in simple, user-friendly language so people can easily understand their rights, while also ensuring that organisations remain accountable for how they manage personal data.
Key Rights and Safeguards Provided to Citizens:
- Right to Give or Withhold Consent
Individuals have the freedom to agree or refuse the use of their personal data. Consent must be informed, specific, and easy to comprehend, and it can be withdrawn at any point.
- Right to Know How Data is Used
People are entitled to know what information has been collected about them, the purpose of its collection, and the ways it is being processed. Organisations must share this information in a clear and straightforward format.
- Right to Access Personal Data
Any individual may request a copy of the personal data that a Data Fiduciary holds about them.
- Right to Correct Personal Data
Citizens can ask for corrections if their personal information is wrong, inaccurate, or incomplete.
- Right to Update Personal Data
Individuals may request updates when their details change—such as a new phone number or address.
- Right to Delete Personal Data
People have the option to seek erasure of their personal data under specific circumstances. The Data Fiduciary must review and act on such requests within the stipulated timeframe.
- Right to Appoint a Representative
Every person may nominate someone else to exercise their data rights on their behalf—useful during illness or other situations where they cannot act themselves.
- Mandatory Response Within 90 Days
Data Fiduciaries must respond to requests for access, correction, updating, or deletion within a maximum of ninety days, promoting timely redressal and accountability.
- Protection in Case of Data Breaches
If a data breach occurs, affected individuals must be informed promptly. The notification must explain the incident and outline the steps they can take to reduce any potential harm.
- Clear Contact Point for Help
Organisations must provide easily accessible contact details—either of a designated official or a Data Protection Officer—for queries or complaints related to personal data.
- Extra Safeguards for Children
Processing children’s personal data requires verifiable consent from a parent or guardian, except when the data is used for essential services like medical care, education or immediate safety.
- As the DPDP Act and its Rules strengthen citizens’ privacy protections, they also clarify how these enhanced rights coexist with the Right to Information (RTI) Act, which ensures public access to information.
- The amendments made through the DPDP Act modify Section 8(1)(j) of the RTI Act in a manner that upholds both privacy and transparency without undermining either.
- This change is consistent with the Supreme Court’s recognition of privacy as a fundamental right in the Puttaswamy judgment.
- It aligns the RTI law with judicial reasoning that has, for years, applied reasonable limits to protect personal information.
- By formally incorporating this approach into the statute, the amendment removes ambiguity and avoids any clash between the RTI Act’s transparency mandate and the privacy protections embedded in the DPDP framework.
- Importantly, the updated provision does not prohibit the release of personal data. Instead, it requires authorities to make a careful, case-specific assessment before sharing such information, keeping the individual’s privacy interests in mind.
- Meanwhile, Section 8(2) of the RTI Act remains unchanged. It empowers public authorities to disclose information whenever the public interest is compelling enough to outweigh potential harm to protected interests.
- This ensures that the core purpose of the RTI Act—promoting openness, accountability and informed citizen participation—continues to shape how information requests are handled.
For Prelims: Personality rights, Delhi High Court, Madras High Court, Right to property, trademark, right to privacy, Article 21, Copyright Act, 1957
For Mains:
1. Explain how the legal framework for protecting personality rights in India can be strengthened to better address the challenges of the digital age. (250 Words)
Previous Year Questions
1. What is the position of the Right to Property in India? (UPSC 2021)
A. Legal right available to citizens only
B. Legal right available to any person
C. Fundamental Right available to citizens only
D. Neither Fundamental Right nor legal right
Answer: B
2. In order to comply with TRIPS Agreement, India enacted the Geographical Indications of Goods (Registration & Protection) Act, 1999. The difference/differences between a "Trade Mark" and a Geographical Indication is/are (UPSC 2010)
1. A Trade Mark is an individual or a company's right whereas a Geographical Indication is a community's right.
2. A Trade Mark can be licensed whereas a Geographical Indication cannot be licensed.
3. A Trade Mark is assigned to the manufactured goods whereas the Geographical Indication is assigned to the agricultural goods/products and handicrafts only.
Which of the statements given above is/are correct?
A. 1 only B. 1 and 2 only C. 2 and 3 only D. 1, 2 and 3
Answer: B
3. Which of the following statements regarding Article 21 of the Constitution of India is/are correct? (CDS GK 2017)
1. Article 21 is violated when under-trial prisoners are detained under judicial custody for an indefinite period.
2. Right to life is one of the basic human rights and not even the state has the authority to violate that right.
3. Under Article 21, the right of a woman to make reproductive choices is not a dimension of personal liberty.
Select the correct answer using the code given below.
A. 1, 2 and 3 B. 1 and 2 only C. 1 and 3 only D. 2 only
Answer: B
4. Article 21 of Indian Constitution secures: (OPSC OAS 2018)
A. Right to life only
B. Right to personal liberty only
C. Right to liberty and privacy
D. Right to life, personal liberty and right to privacy
Answer: D
5. ‘Right to Privacy’ is protected under which Article of the Constitution of India? (UPSC 2021)
(a) Article 15
Answer: C
6. Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement? (2018)
(a) Article 14 and the provisions under the 42nd Amendment to the Constitution.
(b) Article 17 and the Directive Principles of State Policy in Part IV.
(c) Article 21 and the freedoms guaranteed in Part III.
(d) Article 24 and the provisions under the 44th Amendment to the Constitution.
Answer: C

