Digital Personal Data Protection (DPDP) Rules, 2025

Syllabus: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.

Background

  • The Digital Personal Data Protection Rules, 2025 were notified to operationalise the DPDP Act, 2023.
  • They trigger the formation of the Data Protection Board of India (DPBI) and initiate India’s digital privacy framework.
  • Draft Rules were released in January 2025; final Rules notified on November 14, 2025.

Core Provisions of the DPDP Act & Rules

  • Data Governance Framework
    • The DPDP Act sets baseline obligations for data fiduciaries handling personal data.
    • Data principals (users) must be informed about data collection and its purpose.
    • Users can modify, erase, or request deletion of their data.
    • Firms must erase data after long-term user inactivity.
  • Compliance Requirements
    • Large firms classified as Significant Data Fiduciaries must implement:
      • Access controls, encryption, security audits.
      • Mandatory Data Protection Officer (DPO) within one year.
  • Children’s Data Protection
    • Restricts targeted advertising and sensitive data collection from children.
    • Rules allow a parental exemption for tracking a child’s location.
  • Consent Management
    • Establishes a Consent Manager system enabling users to manage permissions across platforms.
  • Breach Reporting
    • Data breaches must be reported promptly to the DPBI.
  • Penalties
    • Fines range from ₹10,000 to ₹250 crore based on violation category.

Implementation Timeline

  • Majority of compliance obligations delayed by 12–18 months.
  • Only DPBI formation and RTI Act amendment take effect immediately.
  • DPBI Formation
    • The DPBI is a subordinate office under MeitY with four members.
    • Responsible for enforcement, inquiries, and penalties.

Key Issues with DPDP Rules 2025

  • Delayed Implementation of Protections
    • Rules postpone implementation of almost all user-protective provisions to 2027.
    • This delay follows already prolonged consultations and slow framing of Rules.
    • The 12–18 month compliance window for major tech companies undermines urgency.
  • Immediate Dilution of RTI Act
    • Nature of Change
      • Section 8(1)(j) — previously allowed disclosure of “personal information” if public interest justified it.
      • DPDP Act removes the public interest override, enabling authorities to deny more RTI requests.
    • This sharply reduces transparency and reverses two decades of RTI-driven accountability.
  • Weak Institutional Framework
    • Data Protection Board of India (DPBI) remains institutionally weak and lacks independence.
    • DPBI will function under MeitY, creating a conflict of interest, as the same Ministry promotes global tech investment while overseeing investigations into data misuse by Big Tech.
  • Reduced Safeguards Against State Overreach
    • The Act already provides broad exemptions for government agencies.
    • Rules fail to limit these exemptions or establish robust oversight mechanisms.
  • Limited Change from Draft Rules
    • Final Rules show minimal changes from the January 2025 draft, despite lengthy consultation.
    • This reflects poor responsiveness to stakeholder feedback.

Conclusion

  • The DPDP Rules 2025 undermine privacy and weaken RTI, leaving citizens exposed to unchecked state surveillance and Big Tech data practices.
  • The promise of “privacy and accountability” remains largely unfulfilled.
