The government has notified the Digital Personal Data Protection (DPDP) Rules, and large parts of the DPDP Act, establishing the operational framework for India’s first comprehensive data privacy law more than two years after Parliament passed the legislation and eight years after the Supreme Court recognised privacy as a fundamental right.

The rules, published in the official gazette on November 13, lay down detailed timelines and obligations for companies handling personal data and create enforceable rights for users, a crucial part of the legal framework needed to operationalise the Supreme Court’s recognition of privacy as a fundamental right in the 2017 Puttaswamy judgment.

Companies have 18 months to comply with the main provisions — they have until May 2027 to comply with all data-handling, retention, consent, child-protection, audit and breach-related requirements, a timeline experts say is a reasonable compliance window.

The rules give a one-year window before the provisions on consent manager registration and related obligations take effect, while the basic framework, including establishment and functioning of the Data Protection Board (DPB), will take effect immediately.

In two separate notifications, the government also formally established the DPB, with its head office in the National Capital Region, and specified that it will comprise four members. Rule 17(1) and (2) lay out the composition of the Search-cum-Selection Committee that will decide who the members will be. Asked about the minimum eligibility and qualifications of DPB members, IT Secretary S Krishnan said that will depend on the “special knowledge” they possess.

The new rules formally lay down that companies must notify affected users immediately after any personal data breach and inform the DPB within 72 hours with detailed reports on the breach’s nature, extent and impact. The 72-hour deadline mirrors the European Union’s General Data Protection Regulation standard, though India’s framework differs significantly in some aspects — with the government retaining the prerogative to prevent breach notifications if it decides to.

Union IT secretary S Krishnan told HT that the provision “balances privacy with needs of law enforcement agencies regarding criminal investigations”, but privacy researchers and lawyers flagged the aspect — specified in rule 23(2) — as a cause for concern. “This allows the central government to access citizens’ personal data on vague grounds and without sufficient guardrails, violating the Puttaswamy judgment,” said Shweta Venkatesan, a fellow at Esya Centre, a New Delhi-based policy think tank.

Dhruv Garg, partner at the Indian Governance & Policy Project, added that the civil society concerns regarding Rule 5 remain: broad executive discretion, risks of profiling, and limited independent oversight.

The final rules say companies must implement security safeguards including encryption, access controls and logging mechanisms. Additionally, the rules introduce a requirement that companies retain processing logs and personal data for a minimum of one year even after the specified purpose is served, to enable investigation and remediation.

“This mandate could create significant operational and cost-related challenges for both data fiduciaries and data processors, particularly smaller entities with limited storage and compliance infrastructure,” said Kamesh Shekar, associate director at The Dialogue, a tech policy think-tank.

Garg added, “This improves auditability — but raises real privacy concerns over persistence of digital footprints as well as requiring all tech service providers to maintain large logs.”

Large platforms — e-commerce entities and social media intermediaries with at least 20 million users, and online gaming intermediaries with at least 5 million users — must delete personal data after three years of user inactivity. Users will receive 48 hours’ notice before deletion. The requirement exempts account access credentials and stored monetary tokens or credits.

Children’s data protection

Companies must obtain verifiable parental consent before processing any child’s personal data, with verification through reliable identity documents or virtual tokens issued by authorised entities. However, Shekar adds that “the requirement to establish a verifiable consent process that adequately accounts for varying levels of adult digital literacy” remains unresolved.

Under the DPDP Act, data fiduciaries are prohibited from tracking or behaviourally monitoring children, as well as from conducting targeted advertising directed at them. The earlier draft rules carved out five limited purposes for which this prohibition would not apply. The new Rules introduce an additional exemption: tracking to determine a child’s real-time location when necessary for her safety, security or protection.

For consent managers, most obligations remain largely unchanged from the draft rules, except for a new requirement to publish their grievance-redressal timelines within 90 days and update their systems accordingly. What remains the same is that to register, entities must be Indian companies with a minimum net worth of ₹2 crore. They must maintain consent records for seven years but cannot access or read the personal data being shared through their platforms.

Consent managers aim to create a centralised dashboard where users can control permissions across multiple services. For instance, a user could set preferences for marketing communications or data sharing through their consent manager account, which would then apply across all companies using that platform.

User rights and grievance redressal

Users can withdraw consent with the same ease as giving it, according to the rules. Companies must respond to grievances within 90 days and publish prominent contact information for data protection officers or designated personnel.

The DPB must complete inquiries within six months, extendable by three months. Appeals against Board orders will go to the Telecom Disputes Settlement and Appellate Tribunal.

Cross-border transfers allowed

Personal data may be transferred outside India, subject to restrictions the government may impose for transfers to foreign states or their agencies. The rules do not specify which data categories must remain within India, deferring that decision for future notification. This data localisation framework remains one of the key unresolved aspects.

Significant Data Fiduciary obligations

Entities the government notifies as Significant Data Fiduciaries (SDF) must conduct annual Data Protection Impact Assessments and independent audits, submitting reports to the Board. They must also ensure algorithmic processing does not pose risks to user rights. The government has not yet specified which companies or categories will be designated as significant.

The government can also identify certain kinds of personal data that cannot be sent outside India by SDFs, based on recommendations from a committee it sets up. An SDF must make sure this specified data, and the traffic data related to it, stays within India. Shekar noted, “The data localisation requirements for SDFs may have unintended implications for innovation and operational flexibility, especially for organisations dependent on global cloud infrastructure.”

Parliament passed the DPDP Act in August 2023, but the law could not be enforced without rules specifying operational details. Draft rules were published for public consultation on January 3, 2025, inviting objections and suggestions within 45 days. The final rules incorporate feedback from that consultation process.