DIGITAL PERSONAL DATA PROTECTION RULES, 2025

We are surrounded by data, and it is generated in virtually everything we do. Data is of two types: data that we share by our consent, and data that is created every time we do something online, whether ordering food, using transportation or booking tickets. Undoubtedly, this data is of great value, and some companies even try paying for it. Indeed, in this era of unlimited and free internet access, data is the new currency. With the advancement of technology, almost every document, even personal ones, can be accessed online through Government-based apps such as Digilocker and MyAadhar.

Data, being a beneficial tool, can sometimes result in huge problems when leaked. Data privacy is a major cause of concern in today’s world. According to a survey conducted by the Data Security Council of India (DSCI), almost 87% of Indian consumers are concerned about their data privacy. Mobile phones are the most common source of data privacy concerns, as a survey conducted in the year 2021 showed that there are over 642 million mobile users in India, making them a potential source of data-stealing apps.

Earlier, there was no dedicated law regarding data privacy in India. Then, in 2025, the Ministry of Electronics and Information Technology (MeitY), Government of India, came up with the Digital Personal Data Protection Rules, 2025, to operationalize the Digital Personal Data Protection Act, 2023 (the Act), which received the assent of the Hon’ble President of India on 11th August, 2023, and to ensure proper protection and personal privacy in the digital reality. The notification was released to the public on 3rd January, 2025 and states as follows:

“Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after 18th February, 2025”

The Digital Personal Data Protection (DPDP) Rules simply provide the procedures and obligations needed for implementing the Act.

The primary role of this act is to enact the Digital Personal Data Protection Act, 2023 and to ensure vigorous protection and privacy of personal data in the digital world. The most significant provisions of the Draft Rules are shown below.

  • Notice for Consent: The Digital Personal Data Protection Act (DPDP Act) now requires a data guardian to provide a privacy notice in order to request assent from the Data Principal. The notice must be clear and to the point and must include the details of the data being collected, the purpose of collection and how the consent can be withdrawn.
  • Consent Managers and Rights of Data Principals: A consent manager, as defined under the DPDP Act, is a person registered with the Data Protection Board of India who is required to serve as a single point of contact for Data Holders to provide, manage, review and withdraw consent through a secure platform. Data Fiduciaries and Consent Managers are required to publish clearly on their website or app the procedure for Data Principals to avail their rights under the Act, including the right to request access to or deletion of their data.
  • Security Safeguards: Data Fiduciaries are required to implement requisite security measures for the protection of personal data, like encryption, monitoring of unauthorized access, access control, and data backups.
  • Data Breach Notification: The DPDP Act directs Data Fiduciaries to notify the Data Protection Board and affected individuals of any data breach that has taken place within 72 hours. The breach notification should be prompt and include details about the breach, its impact, actions taken to alleviate it and the identity of the responsible individual, if found out.
  • Data Retention: All e-commerce industries, online gaming entities, and social media platforms that have a significant number of registered users in India are required to retain the personal data of individuals only for the time necessary and to delete it within a prescribed period of time if the user does not actively use their account.
  • Processing of Personal Data of Children: The Data Businesses are required to implement necessary measures to ensure that the consent from parents or guardians of a child is verifiable and that the parent or legal guardian is identifiable. The entities, under this act, are not allowed to track or monitor the behaviour without the permission of the Central Government. The law also puts an obligation upon the data fiduciaries to not process the data of children if it is likely to cause any harmful effects. Some Data Fiduciaries, like healthcare units or educational institutions, may get exemption from some specific obligations when processing children’s data.
  • Data Protection Impact Assessments (DPIAs): An entity that is identified as a Significant Data Fiduciary (SDF) by the Central Government, based on certain specified factors including the size and sensitivity of the data processing, is required to conduct a DPIA annually to help the organization identify and reduce the risks related to processing personal data.
  • Cross-Border Data Transfer: The DPDP Act allows cross-border transfer of data to most countries, but not to specific countries that are on the government’s blacklist, in line with the restrictions imposed by the government. Data can be transferred cross-border if all the requirements are met: a DPIA, consent of the individual, security controls like access control and encryption, data audits, documentation of the transfer, and compliance with other obligations.

This was a much-needed law for the country to protect citizens’ right to privacy, rather than allowing companies and the government to collect and use the personal data of citizens in any way they like. However, the draft rules, just like the Act, have attracted criticism for their lack of transparency and clarity on user rights, breach of data and parental consent. One of the most highlighted issues with the DPDP Rules is the failure to clarify critical aspects of the DPDP Act. Some advocates and industry research experts also argue that the government’s opaque consultation process doesn’t contain public participation. This act thus raises several concerns, which are discussed below.

  • Neglects the RTI Act: The Bill thins out the provisions of the Right to Information (RTI) Act, which empowers citizens to obtain the information they require and to hold governments accountable, and is being criticized for this. The RTI Act provides for the protection of privacy under Section 8(1)(j). The information can be sought if the same has no relation to any public activity or interest or is such that it may cause unallowed invasion of privacy and the Public Information Officer is satisfied with the disclosure. But the proposed Bill is seen to be amending this Section and exempting all personal information from the bounds of the RTI Act.
  • Incompatible with the Right to Privacy: The DPDP Act has been criticized for its incompatibility with the right to privacy. The Act allows the state to use data without any barriers for national security reasons, which could lead to the misuse of data, and thus fails to protect people’s privacy. Under Section 18 of the Act, the Central Government is empowered to exempt any government, or even private entities, from the provisions of the Act by simply issuing a notification.
  • Dependency of the Data Protection Board: The Bill does not give independent authority to the Data Protection Board, which is the institution responsible for enforcing the law. Since the government is the biggest data depository, it was vitally important that the body being set up be autonomous so as to act on violations by government entities.
  • Digitally accessible: According to the Bill, the Data Protection Board shall be digitally accessible or “digital by design”, so that it may accept complaints and dispose of them once resolved. But, as per the National Family Health Survey, just 33% of women in India are familiar with the Internet, making the Bill ineffective for the millions of people who are deprived of regular access to the Internet.

As shown in the points noted above, the Digital Personal Data Protection Rules, 2025 have received a lot of criticism. But there is no doubt that the DPDP Act has marked a significant advancement in data protection in India. It creates a detailed framework, marks the importance of individual rights and helps individuals claim those rights if they are violated. The Act enhances the legal aspect of data protection and helps bring India in line with global standards. This alignment can help attract international business, as it may help end their concerns over data privacy.

Moving forward, it is also correct to say that the effectiveness of the DPDP Act will depend upon the way it is implemented and how organizations and individuals adhere to the rules prescribed to uphold its principles.

Frequently Asked Questions (FAQs)

Q. Does this act give the Data Principal the right to access their personal data?

A. Yes, a Data Principal has the right to receive a summary of their personal data being used, with whom it is being shared, and other information from the Data Fiduciary with whom they have shared their data.

Q. What are the rights provided to a Data Principal regarding the correction and deletion of personal data?

A. Data Principals are given the right to get inaccurate or misleading data corrected, complete incomplete data, update their data, and request deletion, subject to legal compliance.

Q. What is the minimum timeframe within which a Data Fiduciary must respond to grievances?

A. The Data Fiduciary must respond to the grievance within the time period prescribed by the Central Government which depends upon the complexity of the grievance.

Q. What are the necessary duties of a Data Principal under the DPDP Rules, 2025?

A. A Data Principal is expected to comply with the related laws of this Act, avoid impersonation, not hide required information, refrain from registering fake grievances, and provide authentic information for data correction or erasure.

Author: Syed Ahmed Husain, 5th Semester, 3rd Year Law Student of IME Law College, Ghaziabad
