Quick Overview
India has notified the Digital Personal Data Protection (DPDP) Rules, 2025, operationalising the DPDP Act, 2023. The Rules establish a citizen-centric framework to protect personal data, enhance transparency, and foster a secure and innovation-friendly digital economy.
Why in News?
The Indian government has notified the Digital Personal Data Protection (DPDP) Rules, 2025, completing the operationalisation of the DPDP Act, 2023. Together, they create a practical framework for responsible use of digital personal data, strengthening citizen rights and organisational accountability.
What are the DPDP Rules, 2025?
Objective: Operationalise the DPDP Act, providing a practical system for personal data protection.
Key Features:
Phased Implementation: 18-month compliance window for organisations.
Consent Management: Simple, purpose-specific notices; all Consent Managers must be India-based.
Breach Notification: Immediate communication to affected individuals with clear guidance.
Transparency & Accountability: Contact info for queries; audits and impact assessments for significant Data Fiduciaries.
Digital-First Data Protection Board: Fully digital board for filing and tracking complaints; appeals via TDSAT.
Strengthening Rights of Data Principals: Access, correction, update, deletion rights, and nomination for third-party representation.
About DPDP Act, 2023
Objective: Provides India’s legal framework for digital personal data protection using the SARAL approach (Simple, Accessible, Rational, Actionable).
Core Principles: Consent & transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, accountability.
Data Protection Board: Independent authority to oversee compliance and investigate breaches.
Key Terms:
Data Fiduciary: Decides how and why personal data is processed.
Data Principal: The individual to whom data relates, including children/disabled with guardians.
Data Processor & Consent Manager: Entities that process data or manage consent.
Appellate Tribunal: TDSAT hears appeals against Board decisions.
Penalties: Fines up to ₹250 crore for security breaches; ₹200 crore for child-related violations; ₹50 crore for other violations.
Balancing Privacy & RTI
Section 8(1)(j) of RTI Act amended to protect privacy.
Section 8(2) allows disclosure if public interest outweighs privacy, maintaining transparency while safeguarding rights.
Rights of Citizens under DPDP Framework
Right/Protection | Description |
|---|---|
Right to Give/Refuse Consent | Consent can be granted or withdrawn anytime. |
Right to Know | Citizens can inquire about collection, processing, and use of data. |
Right to Access | Request copies of personal data held by Data Fiduciaries. |
Right to Correct | Correct inaccurate or incomplete data. |
Right to Update | Update changed details like address/contact. |
Right to Erase | Request deletion within allowed timeframe. |
Right to Nominate | Authorise someone to exercise data rights on their behalf. |
Mandatory 90-Day Response | Fiduciaries must respond to requests within 90 days. |
Protection During Breaches | Citizens informed promptly about incidents. |
Clear Contact | Dedicated Data Protection Officer or contact for queries. |
Special Protection for Children & PwDs | Parental/guardian consent required, except essential services. |
Conclusion
The DPDP Act, 2023 and Rules, 2025 create a secure, transparent, and citizen-focused system, strengthening privacy rights while fostering a digital ecosystem conducive to innovation and trust.
CLAT/Exam Relevance Summary
Prelims: Key terms, rights of citizens, penalties, and DPDP-Rules compliance timelines.
Mains: Policy analysis of citizen-centric data protection, legal framework harmonising RTI and privacy, and evaluation of India’s digital economy governance.