On November 14, the central government notified its Digital Personal Data Protection Rules 2025 (DPDP Rules 2025), aimed at providing Indian citizens with control over their personal data and privacy in online spaces.

“Now, therefore, in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, ... These rules may be called the Digital Personal Data Protection Rules, 2025,” the notification said.

The long-awaited framework is set to be implemented over 12-18 months, with some provisions coming into effect immediately while others are introduced in phases.

What are some provisions under DPDP Rules 2025?

Provisions in the new rules include registration and obligations of consent managers, notice from data fiduciaries to individuals for processing their data and some other major norms related to processing of personal data.

The rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means.

For example, you can use the DPDP Rules to address leaked phone numbers and unauthorised calls by investigating and identifying which entity was responsible. Penal actions are available for leaking an individual's phone number without their consent.

Here are some of the protections extended to citizens:

Proper display and statement of data collected, its use, and reason for collection to be made in clear and plain language.

Consent manager to be registered to oversee implementation of the DPDP Rules 2025.

Reasonable safeguards to be implemented to protect personal data in possession or under control of a data fiduciary, including security measures such as encryption, firewalls, and more.

In case of a data breach, affected parties must be intimated in a concise, clear and plain manner and without delay, through the user account or any mode of communication registered by them. Nature and timing of the breach, impact and future safeguards to be outlined.

Data is not to be stored beyond a one-year period unless required for compliance under law. Users must be intimated 48 hours before erasure of personal data barring continued use of account / platform.

All data fiduciaries are required to prominently publish the contact information of a person who can answer questions about data processing.

Verifiable consent to be taken from a parent or guardian before processing personal data of children (citizens under 18 years of age).

Verifiable consent of the lawful guardian to be obtained to process personal data of a person with disability.

What are the penalties laid out?

As per the notification, a Data Protection Board will be established in order to impose penalties based on the nature of the breach as listed in the DPDP Act 2023. The mechanism levies penalties of up to ₹250 per breach on data fiduciaries.

To protect small businesses, the penalty system is graded.

DPDP Rules: Background and key highlights

The DPDP rules came into force on August 24, 2017, after the Supreme Court of India, eight years back, held that the Right to Privacy is a Fundamental Right, with restrictions specified and relatable to fundamental rights as embedded in the Constitution.

In 2023, the Digital Personal Data Protection Act was published, granting citizens the right to protect their data, while requiring them not to suppress information from government-issued IDs or documents, to refrain from filing false or frivolous complaints, and to provide only verifiable information when requesting data correction or deletion.

Further, provisions of the rules exempt citizens' rights in cases of: enforcing legal rights; court orders; prevention, detection, investigation or prosecution of any offence; an individual who is overseas and has signed a contract with, or given consent to, a foreign entity; ascertaining the financial information and the assets and liabilities of any person who has defaulted in payment due on account of a loan; and where the Centre decides to exempt certain data fiduciaries, including start-ups, mainly for implementing government schemes, research and innovation purposes.
