Published on 14 November 2025

Statutory Implementation

India Activates New Privacy Regime: Centre Notifies DPDP Rules with Phased Rollout

Subject : Technology, Media, and Telecommunications - Data Protection and Privacy

New Delhi – In a landmark development for India's digital economy, the Ministry of Electronics and Information Technology (MeitY) has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025. The notification, issued on November 14, 2025, sets in motion the operational framework for the Digital Personal Data Protection Act, 2023, ushering in a new era of data governance eight years after the Supreme Court's historic K.S. Puttaswamy judgment affirmed privacy as a fundamental right.

The long-awaited rules initiate a staggered implementation of the nation's first comprehensive data privacy law, providing a detailed roadmap for compliance while giving industry stakeholders a transition period of 12 to 18 months to align their systems and processes. This phased approach acknowledges the complex operational shifts required, particularly for technology companies, financial institutions, and other entities that process vast amounts of personal data.

At the heart of the new regime is the establishment of the Data Protection Board of India (DPBI), a four-member adjudicatory body tasked with enforcing the Act. The rules confirm that the DPBI will "function as a digital office," conducting hearings and proceedings electronically to ensure efficiency and accessibility. Its members will be appointed via a Search-cum-Selection Committee chaired by the Cabinet Secretary, positioning the Board as a central pillar of the regulatory architecture.

A Closer Look at the Obligations for Data Fiduciaries

The DPDP Rules, 2025, crystallize the responsibilities of "Data Fiduciaries"—any entity that determines the purpose and means of processing personal data. These obligations are designed to enhance transparency, accountability, and individual control over personal information.

Key Compliance Mandates:

  • Breach Notification: A stringent dual-notification timeline is now in effect. Upon discovering a personal data breach, a Data Fiduciary must inform the DPBI within 72 hours. Concurrently, they must notify each affected "Data Principal" (the individual user) "without delay," providing clear details about the nature, extent, and potential consequences of the breach.
  • Verifiable Parental Consent: The rules mandate that Fiduciaries obtain "verifiable consent" from a parent or legal guardian before processing the personal data of children (defined as individuals under 18). Notably, the government has refrained from prescribing a specific technical mechanism, leaving it to companies to "adopt appropriate technical and organisational measures" to ensure compliance. This flexibility is a response to industry feedback highlighting implementation challenges.
  • Enhanced Notice Requirements: Before processing any personal data, Fiduciaries must provide users with a clear and itemised notice. This must include a list of the specific data being collected and a detailed explanation of the purposes for which it will be used.
  • Data Retention and Erasure: The rules introduce a "right to be forgotten" by default. Fiduciaries are required to delete the personal data of inactive users after three years, unless a longer retention period is mandated by another law.

The sources state, "In the event of a data breach, data fiduciaries will have to intimate impacted individuals 'without delay' a description of the breach... and the measures implemented and being implemented to mitigate risk."

Additional Burdens for 'Significant Data Fiduciaries'

The framework establishes a higher tier of accountability for "Significant Data Fiduciaries" (SDFs). These entities, to be notified by the Central Government based on factors like the volume and sensitivity of data processed, will face heightened compliance duties. The rules confirm that SDFs, expected to include major global and Indian tech firms, must:

  • Conduct Annual Data Protection Impact Assessments (DPIAs): These assessments will proactively identify and mitigate risks associated with data processing activities.
  • Undergo Annual Audits: Independent audits are mandated to verify ongoing compliance with the Act and the Rules.
  • Appoint a Data Protection Officer (DPO): SDFs must appoint a DPO based in India who will serve as the point of contact for grievance redressal. The deadline for this is November 2026.

These provisions signal the government's intent to impose a robust, risk-based regulatory model, focusing the most stringent oversight on entities that pose the greatest potential risk to individual privacy.

Cross-Border Data Transfers and the RTI Controversy

The rules adopt a pragmatic "blacklisting" approach to cross-border data transfers, a significant departure from the stringent data localisation norms proposed in earlier drafts. Personal data can be transferred outside India by default, unless the Central Government specifically restricts transfers to a particular country via notification. However, a provision allows a special government committee to restrict the storage of certain categories of sensitive personal data outside India, retaining a degree of sovereign control.

Simultaneously, the notification brings into immediate force a controversial amendment to the Right to Information (RTI) Act, 2005. The amendment removes the obligation for public authorities to disclose "personal information" if it does not serve a larger public interest, a move transparency activists argue significantly weakens the RTI framework by shielding public officials from scrutiny. As one source notes, the provision disallows "disclosure of personal information about public officials ... even when it is justified in larger public interest."

Implementation Timeline: A Phased Approach

Legal practitioners and their clients must pay close attention to the phased rollout schedule to ensure timely compliance:

  • Effective Immediately (November 14, 2025): Establishment of the DPBI and the controversial amendments to the RTI Act.
  • By November 2026 (12 Months): Appointment of Consent Managers and Data Protection Officers (for SDFs).
  • By May 2027 (18 Months): Full compliance required for most provisions, including mechanisms for seeking express user permission for data processing for purposes like targeted advertising.

This graduated timeline provides a crucial window for organisations to conduct internal audits, revise privacy policies, train personnel, and implement the necessary techno-legal infrastructure. "Implementation timelines vary across different rules," one report highlights, "with several provisions effective upon notification from today, while others will come into force over the next 12 to 18 months."

Legal and Practical Implications

The notification of the DPDP Rules marks a pivotal moment, shifting the discourse from legislative debate to practical implementation. For legal professionals, this transition necessitates a deep dive into the nuances of the rules to advise clients effectively. Key areas of focus will include drafting compliant privacy notices, establishing robust breach response protocols, and designing verifiable consent mechanisms for minors.

The establishment of the DPBI as a digital-first adjudicatory body will also shape a new field of administrative law practice, with proceedings likely to be swift and technologically driven. The penalties for non-compliance, which can extend up to ₹250 crore for a single breach, create significant financial and reputational risks, making proactive compliance a board-level imperative.

As India's digital economy continues its exponential growth, the DPDP Act and its accompanying rules will form the bedrock of trust between individuals, businesses, and the state. The coming months will be critical in observing how the Data Protection Board interprets its mandate and how industry adapts to a legal landscape that finally gives substantive force to the fundamental right to privacy.

#DataPrivacy #DPDPAct #TechLaw
