India Notifies Administrative Rules for Digital Personal Data Protection Act
Bengaluru: Two years after the passing of the Digital Personal Data Protection (DPDP) Act by Parliament, the government has officially notified the administrative rules needed to implement the law. These regulations, announced on Friday, will govern the processing, protection, and management of personal data within the country.
The DPDP law, crucial for the world’s largest data market with over 800 million internet users, has been in development for 15 years. While several provisions of the Act took effect immediately, others will be phased in over the next 12 to 18 months.
“On May 13, 2027, when the DPDP Act, 2023, is fully operational, India will finally join the ranks of countries with comprehensive data protection laws,” affirmed Rahul Matthan, founding partner of the law firm Trilegal, who was involved in drafting earlier versions of the bill.
Given India’s rapid digitization and the swift adoption of technologies like artificial intelligence, the law aims to establish a robust framework for data governance that addresses privacy concerns. Data fiduciaries, responsible for personal information, will face heavy penalties for any failures in reporting or addressing data breaches. Protections will extend to children’s information, and data principals will be able to access, correct, and delete their data records.
A notable feature of the legislation is the establishment of the Data Protection Board of India (DPBI), which has the authority to impose penalties ranging from ₹10,000 to ₹250 crore, payable to the Consolidated Fund of India.
Clear Roadmap for Industry
Once the law is fully implemented, users will gain the right to request data deletion, with organizations required to adhere to strict guidelines on data storage and processing. Organizations will need to delete user data after one year and notify users 48 hours before any data deletion process begins. In cases of data breaches, organizations must inform the DPBI within 72 hours and communicate with affected users as soon as possible. Additionally, the rules require verifiable parental consent for processing children’s data and ban advertising targeted at those under 18.
The draft rules published in January included a provision for a government-appointed committee to determine if certain data could not be exported. This provision, which faced criticism from industry groups, has been retained in the final rules.
The National Association of Software and Service Companies (Nasscom) and the Data Security Council of India (DSCI) described the notification of the DPDP Rules 2025 as a crucial step in improving India’s data protection framework. They noted that with these rules in effect, the industry now has a more precise and actionable roadmap.
Consent notices under the guidelines must be written in clear, plain language that users can easily understand. Harsh Walia, a partner at law firm Khaitan & Co, emphasized that organizations must reevaluate their consent frameworks to ensure clarity and specificity, separating consent from standard terms of use.
Key elements of the Act include the establishment of a verifiable consent framework, procedural requirements for communication from data fiduciaries, and obligations for consent managers who facilitate consent-based data sharing.
The DPDP Act differentiates between regular data fiduciaries and Significant Data Fiduciaries (SDFs), imposing stricter obligations on the latter due to the volume and sensitivity of their data processing. However, the classification of SDFs remains open-ended, pending further notifications from the government.
Nasscom and DSCI mentioned that certain industry concerns relating to the Act’s basic structure, such as parental consent requirements and the statutory age for children, may not be addressable through subordinate legislation.
Under the DPDP Act, data fiduciaries are prohibited from tracking or behaviorally monitoring children or directing targeted advertisements towards them.






