Blog / 15 Nov 2025

Rules under the Digital Personal Data Protection Act, 2023

Context:

On 14 November 2025, the Ministry of Electronics and Information Technology (MeitY) formally notified the rules under the Digital Personal Data Protection Act, 2023 (DPDP Act), thereby operationalising India’s first dedicated legislation for digital personal data protection. This marks a significant milestone in the country’s journey towards strengthening data governance, digital rights and accountability of entities processing personal data.

Background:

·        The DPDP Act was passed by the Indian Parliament in August 2023.

·        However, the Act’s actual enforceability depended on notification of the rules and related administrative mechanisms.

·        In January 2025, MeitY released a draft of the rules for public consultation.

·        After reviewing feedback, conducting interministerial consultations and industry engagement, the final rules were notified on 14 November 2025.

Key Provisions of the Rules:

1.      Obligations on Data Fiduciaries & Consent:

o    Organisations (“data fiduciaries”) must provide clear, itemised notice to users (“data principals”) about what personal data is collected, for what purpose, and how long it will be retained.

o    Consent must be verifiable, especially in relation to children or persons with disabilities.

o    The right to withdraw consent is expressly covered.

2.      Data Retention & Deletion:

o    The rules impose time limits on retaining personal data: once the purpose is fulfilled or the data becomes inactive, deletion obligations apply.

o    For large platforms (e-commerce, gaming, social media intermediaries), there are stricter timelines for erasure.

3.     Breach Notification:

o    In the event of a data breach, fiduciaries must notify the data principal and the adjudicatory body, the Data Protection Board of India (DPB), within 72 hours of becoming aware.

o    The notification must include the nature of the breach, its extent, timing, consequences, and mitigation measures.

4.     Establishment of Data Protection Board:

o    The rules formally establish the Data Protection Board of India, headquartered in the National Capital Region (NCR).

o    The Board will consist of four members, including a Chairperson, and will function as the adjudicating body under the Act.

5.     Transition/Compliance Timeline:

o    Although the rules take effect on notification, entities get an 18-month transition window for full compliance with operational obligations.

Significance and Implications:

    • Operationalising the Act: With the rules notified, the DPDP Act moves from being a legislative instrument to being enforceable—this triggers accountability of firms handling digital personal data.
    • Strengthening user rights: The rules put the data principal (user) closer to the centre—consent, deletion, breach awareness and transparency become legally mandated.
    • Enforcement architecture: The establishment of the Data Protection Board is a key institutional move; it will investigate breaches, adjudicate, and impose penalties under the Act.
    • Global positioning: India now joins the growing club of jurisdictions with dedicated data protection laws. While different from models like the EU’s General Data Protection Regulation (GDPR), this framework signals India’s intent to regulate data accountability and flow.