ARTICLE
3 December 2025

Regulatory Update: Notification Of The Digital Personal Data Protection Rules, 2025

LexCounsel Law Offices


The Ministry of Electronics and Information Technology ("MeitY") formally notified the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") on 13th November 2025, a crucial step towards safeguarding personal data in the digital era and operationalising the Digital Personal Data Protection Act, 2023 ("DPDP Act"). MeitY had introduced and circulated the Draft Digital Personal Data Protection Rules in January 2025 ("Draft Rules") and an analysis of the Draft Rules and the DPDP Rules reveals several key modifications, additions and clarifications.

In this update we discuss the key modifications from the Draft Rules and the key provisions of the DPDP Rules including the obligations that would need to be complied with going forward. Our earlier updates and analysis on DPDP Act and Draft Rules can be accessed here: DPDP Act and Draft Rules.

A. Key Changes and Modifications:

1. Commencement and Implementation: The DPDP Rules introduce a phased commencement schedule which was not specifically laid out in the Draft Rules. The DPDP Rules will therefore be enforced as follows:

  1. Rules 1, 2 and 17-21 will be effective immediately, i.e. from 13.11.2025. These rules relate to the constitution, appointment mechanism, roles, authority and procedural operations of the Data Protection Board of India ("DPBI").
  2. Rule 4 will be effective 1 year later, i.e. from 13.11.2026. This rule relates to the registration and obligations of Consent Managers, i.e., persons registered with the DPBI who act as a single point of contact to enable a Data Principal (the individual to whom the personal data relates) to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
  3. Rules 3, 5-16, 22-23 will be effective 18 months later, i.e. from 13.05.2027. These rules are the operative part and deal with various requirements such as notice, consent, security safeguards, data breach notification, certain exemptions etc.

2. Definitions: The DPDP Rules introduce specific definitions for key terms that were not explicitly defined in the Draft Rules.

  1. "Techno-legal measures:" This term is introduced in relation to the digital functioning of the DPBI and refers to conducting proceedings that do not require physical presence of any individual.
  2. "User account:" This was earlier defined under a specific rule (Rule 7, relating to notification of personal data breach) under the Draft Rules but has now been shifted to the main definition section in the DPDP Rules for better clarity and consistent applicability.
  3. "Verifiable consent:" This is now explicitly defined in the DPDP Rules with reference to the consent mechanisms for dealing with processing data related to children and persons with disabilities.

3. Data Retention Obligations: A significant provision has been added in the DPDP Rules relating to data retention, requiring Data Fiduciaries[1] to retain personal data, associated traffic data and processing logs for a minimum period of 1 year from the date of processing for the purposes laid out under the Seventh Schedule, such as use, by the government or any of its instrumentalities, of personal data of a Data Principal[2] in the interest of the sovereignty and integrity of India or the security of the State. This obligation exists even if the original purpose of collecting such data has been served, unless a longer retention period is required by another law. Such a provision was not present in the Draft Rules.

Therefore, Data Fiduciaries would now have to maintain a robust database to retain data in a manner which is secure.

4. Consent for Children[3] and Persons with Disabilities: The rules for obtaining verifiable consent in the case of children and persons with disabilities have now been restructured under the DPDP Rules into two separate rules for a clearer consent mechanism:

  1. The Draft Rules combined the provisions for children and persons with disabilities into a single rule. However, the DPDP Rules separate these into two distinct rules: Rule 10 for children and Rule 11 for persons with disabilities. This separation now provides greater clarity on the specific due diligence required by Data Fiduciaries for each category.
  2. Processing children's data requires verifiable parental consent, obtained through age and identity verification through authorised entities. For persons with disabilities, consent must come from a legally verified guardian appointed by a court or designated authority.

5. Exemptions for Processing Children's Data: The DPDP Rules expand the scope of exemptions for processing children's data and include a new purpose for exemption: "For the determinations of real-time location of a child," provided that it is for the purpose of their safety and protection.

6. Grievance Redressal Timeline: The DPDP Rules introduce a specific timeline for grievance redressal. Rule 14(3) of the DPDP Rules mandates every Data Fiduciary and Consent Manager to establish a grievance redressal system that responds to grievances within a "reasonable period not exceeding ninety days." The Draft Rules required grievance redressal within a reasonable period but did not specify a maximum duration.

7. Cross-Border Data Transfer: The Draft Rules contained two different conditions, depending on whether the data was processed within India or outside India for services targeting India. The DPDP Rules merge both scenarios into one straightforward rule: any transfer of data outside India is permitted subject to government-specified conditions and orders relating to access and availability to foreign states or agencies. In other words, in the absence of any such restrictive government orders or directions, data can be transferred outside of India.

B. Key Provisions of the DPDP Rules and Obligation of Data Fiduciaries:

1. Notice Requirements: Data Fiduciaries must issue clear, easily understandable notices that are presented independently to inform Data Principals about what personal data is being collected, the specific purpose of such processing and the specific description of the goods and services that such processing will enable. Additionally, it will also include simple procedures to withdraw consent and direct, accessible links for exercising these rights and submitting complaints to the DPBI.

2. Security Safeguards: Data Fiduciaries are required to implement robust technical controls, including encryption, masking, virtual tokens, strict access controls and visibility logs for monitoring unauthorised activity. They must also maintain reliable backup systems and retain all relevant logs for at least 1 year to support security investigations and oversight.

3. Breach Notification Requirements: In the event of a breach, the Data Fiduciary must intimate the DPBI, without any delay, with a description of the breach, and further submit a detailed report to the DPBI within 72 hours outlining the specific circumstances, the impact, the remedial steps taken and the notifications that have been sent to the Data Principals. With regard to the intimation to the Data Principals, the DPDP Rules do not lay down a specific timeline and only state that the Data Fiduciary must do so "without delay." Further, they mandate that such notification must include the scale of the breach, the potential consequences, the steps being taken by the Data Fiduciary to mitigate the risk, the recommended safety measures that can be undertaken by the affected individuals, and the contact details of a person who will be able to respond to the Data Principal on behalf of the Data Fiduciary.

4. Children's and Disability-Related Consent: As mentioned above, processing children's data requires verifiable parental consent, obtained through age and identity verification through authorised entities. For persons with disabilities, consent must come from a legally verified guardian appointed by a court or designated authority or a local level committee, in accordance with the applicable guardianship laws.

5. Additional Obligations of Significant Data Fiduciaries[4]: Such fiduciaries must meet heightened compliance standards, which include conducting a Data Protection Impact Assessment ("DPIA") annually, undergoing periodic audits performed by external auditors, performing algorithmic risk assessments for software involved in processing personal data, restricting certain categories of personal data from being transferred outside India, and reporting key findings from such audits and DPIAs to the DPBI.

6. Data Principal Rights and Redressal: Data Principals must have access to clear information about data processing, simple mechanisms to withdraw consent, grievance redressal processes with responses within 90 days and the ability to nominate representatives to act on their behalf. Data Fiduciaries and Consent Managers must ensure these options are published on their websites/apps and that responses are provided through accessible communication channels.

7. Exemptions for Research, Archiving and Statistics: The DPDP Rules state that the provisions of the DPDP Act will not apply to processing of personal data done solely for research, archiving and statistical purposes provided such processing is done in accordance with the Second Schedule of the DPDP Rules i.e. it must be lawful, accurate, for a specific purpose and done with reasonable safeguards in place.

8. Consent Manager Registration and Obligations: The DPDP Rules establish a formal registration mechanism for Consent Managers (who act in a fiduciary capacity in relation to the Data Principal) and prescribe detailed eligibility conditions relating to financial, technical and operational capacity, governance standards, and platform interoperability. Consent Managers must meet these prescribed requirements, operate an interoperable system certified as per DPBI standards, and ensure their governing documents reflect compliance obligations. They are required to store and manage consent artefacts, maintain activity logs, publish grievance redressal mechanisms, and enable Data Principals to give, review or withdraw consent either directly to a Data Fiduciary or through another Data Fiduciary onboarded on the platform.

9. Automatic Erasure Timelines for Specified Classes of Data Fiduciaries: The DPDP Rules introduce mandatory erasure timelines for certain large digital platforms, as specified in the Third Schedule. E-commerce entities (having two crore registered users in India), online gaming intermediaries (having fifty lakhs registered users in India), and social media intermediaries (having two crore registered users in India) must erase personal data if a Data Principal has not accessed their account, utilised the service or exercised any rights for a continuous period of three years, unless retention is required under any other law. These entities must notify Data Principals at least forty-eight hours before erasure and must also retain associated logs for a minimum of one year for compliance and audit purposes.

10. Data Protection Board of India: The DPDP Rules constitute a four-member DPBI and grant it the power to register or suspend Consent Managers, investigate data breaches, carry out inquiries within 6 months (extendable by 3), issue directions, and operate as a fully digital office using techno-legal systems.

The notification of the DPDP Rules marks a significant step in shaping India's data protection ecosystem. Organisations will need to take a closer look at their data handling practices to ensure full compliance. In particular, social media and e-commerce companies such as Meta, Amazon, Flipkart etc. will need to assess their registered-user thresholds for additional compliance under the DPDP Rules. At the same time, news media houses have expressed concern regarding the absence of a clear exemption for journalistic activities under the DPDP Act and DPDP Rules. The Editors Guild of India has accordingly sought clarifications from MeitY, submitting 35 detailed questions relating to consent requirements, exemptions, data retention, research use-cases and the scope of public-interest reporting.[5] While the DPDP Rules are set to take effect in a phased manner, it is essential for organisations across sectors, including digital platforms, media houses etc., to start putting the necessary mechanisms in place well in advance in order to ensure seamless and timely compliance.

Footnotes

1. "Data Fiduciary" is defined under Section 2(i) of the DPDP Act as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.

2. "Data Principal" has been defined under Section 2(j) of the DPDP Act as the individual to whom the personal data relates.

3. A "Child" has been defined as an individual who has not completed the age of 18 years under the DPDP Act.

4. "Significant Data Fiduciary" has been defined under Section 2(z) of the DPDP Act as any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10, wherein such Data Fiduciaries are classified as SDFs based on an assessment of the volume and sensitivity of personal data being processed, risk to the rights of Data Principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order.

5. https://www.financialexpress.com/business/editors-guild-flags-gaps-in-dpdp-rules-seeks-clear-exemptions-for-media-4050480/

Disclaimer: LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.
