Source: PIB 

Why in News?  

India notified the Digital Personal Data Protection (DPDP) Rules, 2025. This marks the full operationalisation of the Digital Personal Data Protection (DPDP) Act, 2023. 

• Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data. 

What are the Digital Personal Data Protection (DPDP) Rules, 2025? 

• About: The DPDP Rules, 2025 operationalise the DPDP Act by creating a clear, practical system for personal data protection.  
  • They strengthen citizen rights, ensure responsible data use by organisations and curb unauthorized use of data.  
  • The Rules reduce digital harms, support innovation and help build a secure, trusted digital economy for India. 
  • The DPDP framework puts citizens at the centre of data protection, giving them clear control over how their personal data is used. 

Core Provisions 

• Phased and Practical Implementation: The Rules allow an 18-month compliance window, giving organisations time to update systems and adopt responsible practices.  
  • Data Fiduciaries must issue simple, purpose-specific consent notices, and all Consent Managers must be India-based companies. 
• Personal Data Breach Notification: Data breaches must be reported to affected individuals without delay, using plain language that explains the incident, potential impact and steps taken, along with clear contact details for assistance. 
• Transparency and Accountability: Data Fiduciaries must display clear contact information for data-related queries.  
  • Significant Data Fiduciaries must undergo independent audits, conduct impact assessments and follow stricter rules, including government directions on restricted or locally stored data. 
• Digital-First Data Protection Board: The Rules set up a fully digital Data Protection Board with four members, allowing citizens to file and track complaints online through a portal and app. 
  • Appeals against the Board’s decisions will be heard by the Appellate Tribunal, TDSAT. 
• Strengthening Rights of Data Principals: Individuals can access, correct, update or request deletion of their personal data, and may nominate someone to act on their behalf. All such requests must be resolved within 90 days.

What is the Digital Personal Data Protection (DPDP) Act, 2023? 

• About:  The DPDP Act, passed in August 2023, sets out India’s framework for protecting digital personal data.  
  • It explains the duties of organisations handling such data and follows the SARAL (Simple, Accessible, Rational and Actionable) approach so that the rules remain simple, clear and easy to follow. 
  • The DPDP framework also aligns with the Right to Information (RTI) Act, 2005 by balancing privacy rights with the public’s right to information. 
• Core Principles: The law rests on seven core principles. These include consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability.  
  • These principles guide every stage of data processing. They also ensure that personal data is used only for lawful and specific purposes. 
• Data Protection Board of India: The Act sets up the Data Protection Board as an independent body to oversee compliance, investigate breaches and ensure corrective steps.  
  • It helps protect individual rights and strengthens trust in India’s digital environment. 
• Key Terms Under the DPDP Act, 2023: 
  • Data Fiduciary: An entity that decides why and how personal data is processed, either alone or with others. 
  • Data Principal: The individual to whom the personal data relates.  
    • In the case of a child, this includes a parent or lawful guardian.  
    • For a person with a disability who cannot act independently, this includes the lawful guardian acting on their behalf. 
  • Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary. 
  • Consent Manager: An entity that provides a single, transparent and interoperable platform through which a Data Principal may give, manage, review or withdraw consent. 
  • Appellate Tribunal: The Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board. 
• Penalties Under the DPDP Act, 2023:  The Act imposes strict penalties on Data Fiduciaries, including fines up to Rs 250 crore for failing to maintain security safeguards.  
  • Not reporting data breaches or violating child-related provisions can lead to penalties up to Rs 200 crore, while other violations may attract fines up to Rs 50 crore. 
• Significance: DPDP increases privacy rights but still keeps the RTI Act working as before. It ensures both privacy and access to information can work together. 
  • The amendment to Section 8(1)(j) of the RTI Act through the DPDP Act balances the fundamental right to privacy, as affirmed by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017), with the right to information.  
    • This amendment aligns with established judicial reasoning on reasonable restrictions, codifies existing jurisprudence, and helps avoid potential conflicts between the laws. 
    • However, Section 8(2) of the RTI Act still permits disclosure of Information when public interest is more important than privacy harm. This keeps the core purpose of RTI intact promoting openness and accountability in public life. 
  • The amendment removes legal uncertainty and prevents clashes between privacy protection and information access. It maintains the essence of the RTI Act while strengthening privacy under DPDP.

What are the Rights and Protections for Citizens under India’s DPDP Framework?

Conclusion

The DPDP Act, 2023 and Rules, 2025 create a clear, citizen-focused system for handling personal data, strengthening privacy rights and enforcing organisational accountability. The framework supports a secure, transparent and innovation-friendly digital ecosystem, helping India advance its digital economy while protecting user trust.