
Research Team (Tsaaro)

Digital Personal Data Protection Rules 2025

Mar 3, 2026

It’s been almost a year since the draft Rules were released, and the final text brings much-needed clarity to how India’s data protection law will work in practice.  

When will the Rules come into effect? 

  1. Provisions relating to the Data Protection Board (DPB) and certain procedural aspects take effect immediately on publication in the Official Gazette. 

  2. Obligations relating to consent managers and the powers of the DPB start 12 months after publication. 

  3. Operational requirements, including notice, security safeguards, breach reporting, retention, children’s data, significant data fiduciary (SDF) obligations, international transfers, the research exemption, and government information powers, take effect 18 months after publication, i.e., 13 May 2027. 

Notice for consent 

Businesses must provide clear, standalone notices to users about how their personal data will be handled (Rule 3). These notices must: 

  1. Include an itemised description of the personal data to be processed; 

  2. State the specified purpose or purposes of processing; 

  3. Offer a specific description of the goods, services, or uses that the processing enables; 

  4. Be presented independently of other information, in clear and plain language; and 

  5. Include links or other clear means to withdraw consent, exercise rights, and complain to the DPB. 

A small but important change from the draft is that the Rules now refer to “specified purpose(s)”, which suggests that some degree of purpose bundling for the consent may be permissible. While this may offer some limited practical relief, actual market practice will need to develop through implementation and Board guidance. 

Consent Managers? 

Consent Managers allow individuals to give, manage, review, and withdraw consent for processing personal data (Rule 4). To act as a consent manager, entities must: 

  1. Register with the DPB; 

  2. Be incorporated in India and meet minimum net-worth and governance requirements; and 

  3. Operate independently, avoiding conflicts of interest with data fiduciaries whose consents they manage. 

How can government organisations process personal data? 

Rule 5 and the Second Schedule set out how government bodies can process personal data when delivering subsidies, benefits, services, licences, or permits. Processing must be: 

  1. Lawful and necessary for the purpose; 

  2. Limited to what is needed; and 

  3. Supported by appropriate security safeguards and retention limits. 

Government entities must also ensure data accuracy and inform individuals about how their data is being used. 

Security safeguards 

Data fiduciaries must, at a minimum: 

  1. Secure personal data using measures such as encryption, obfuscation, masking, or virtual tokens; 

  2. Implement appropriate access controls and maintain visibility of who accesses the data; 

  3. Maintain access logs for at least one year; 

  4. Monitor and review logs regularly; 

  5. Put in place business continuity and recovery measures; 

  6. Flow down security obligations to data processors through contracts; and 

  7. Implement appropriate technical and organisational measures to ensure compliance with the Act (Rule 6). 

Data breach? 

When a data fiduciary becomes “aware” of a personal data breach, it must: 

  1. Inform affected data principals “without delay”, giving a description of the breach, its potential consequences, the steps being taken, and what individuals can do to protect themselves; and 

  2. Notify the Data Protection Board in two stages: 

     • a first intimation “without delay” describing the breach, its extent, timing, location, and likely impact; and 

     • a detailed report within 72 hours (extendable by the Board), covering causes, impact, mitigation steps, remedial measures, and the notifications made to data principals (Rule 7). 

There is no risk or harm threshold: all personal data breaches are treated alike, so every breach must be notified both to the affected individuals and to the Board. 

Data Retention Timeline 

The retention framework under Rule 8 has two layers: 

  • Specific rules for certain large platforms: Certain large fiduciaries (specifically e-commerce entities, online gaming intermediaries, and social media intermediaries above specified user thresholds) must erase personal data after three years of user inactivity, with a 48-hour pre-deletion notice, subject to exceptions for legal obligations or other grounds in the DPDP Act. 

  • New one-year minimum retention for all data fiduciaries: All data fiduciaries must retain personal data, associated traffic data, and certain logs for at least one year for specified purposes, such as responding to lawful requests or supporting investigations; after that period the data must be erased unless another law requires longer retention. 

Entities outside the three specified classes will still need to determine when the specified purpose is no longer served and implement retention and deletion policies accordingly, while also respecting this one-year minimum. 

Obtaining parental consent for children’s data? 

Under Rule 10, the core structure for processing children’s data is that data fiduciaries must adopt appropriate technical and organisational measures to ensure that parental consent is obtained before processing any personal data of a child. In addition, fiduciaries must conduct due diligence to confirm that the individual identifying themselves as the parent or lawful guardian is in fact an adult. The Rules outline three pathways for this verification: using reliable information the fiduciary already holds, relying on identity or age details voluntarily provided by the parent, or using a token or credential issued by the government or an entity authorised on its behalf. 

Children’s data, what has changed? 

The Rules exempt only specific classes of entities and tightly defined purposes from the requirement to obtain parental consent and the restriction on tracking, monitoring, and targeted advertising (Fourth Schedule). These apply mainly to clinical and healthcare establishments, allied health professionals, educational institutions, and certain childcare and caregiving settings, and only when processing is for the listed purposes.  

Notably, two new permitted purposes have been added: (i) determining a child’s real-time location for specified child-focused services, and (ii) tracking and monitoring where this is necessary to ensure that a service or advertisement is not likely to have a detrimental effect on the child’s well-being, which potentially recognises that some personalisation is allowed to keep children safe online. 

Significant Data Fiduciaries  

Per Rule 13, SDFs must: 

  1. Conduct a Data Protection Impact Assessment (DPIA) and an audit every 12 months; 

  2. Submit a report to the Board capturing significant observations from the DPIA and audit; 

  3. Verify that technical measures, including algorithmic software used to host, display, upload, modify, publish, transmit, store, update, or share personal data, do not pose likely risks to data principals’ rights; and 

  4. Comply with any Government directions that certain categories of personal data and associated traffic data must not be transferred outside India, based on the recommendations of a Committee. 

Data principals and their rights 

Rule 14 requires data fiduciaries and consent managers to publish clear and accessible information on how data principals can exercise their rights. This includes: 

  1. Procedures for submitting requests; 

  2. Identification or verification requirements (for example, use of customer IDs or account numbers); and 

  3. Details of grievance redressal mechanisms and timelines. 

Data Protection Board 

Rules 17–21 cover the structure and functioning of the DPB: 

  1. The Central Government will set up search and selection committees for the Chairperson and Members, made up of senior officials and domain experts. 

  2. Appointees are expected to have expertise in areas like law, data governance, technology, or regulation. 

  3. The Board will function as a “digital office”, using techno-legal measures for electronic filings, hearings, and communications. 

The main change from the draft is that these provisions now come into effect immediately, providing a clearer signal on when the Board can be operationalised. 

Rule 23 preserves the government’s broad powers to call for information from data fiduciaries and intermediaries, as outlined in the Seventh Schedule. Authorised officers can require entities to furnish information for specified purposes, including national security and other public-interest grounds. 

Stay informed on global innovation policy and technological governance. For expert insights on DPDP rules and compliance, visit www.tsaaro.com 

Source: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf 

News of the week 

1) India AI Governance Guidelines: Empowering Ethical and Responsible AI 


Published by IndiaAI, India’s draft AI Governance Guidelines set out a proportional, future-focused and adaptive framework. They grew out of the Government of India’s 2023 recognition of AI’s vast opportunities and risks in a country of scale, socio-economic diversity and strong digital ambitions. An Advisory Group chaired by the Principal Scientific Advisor tasked a Subcommittee with producing actionable recommendations, and after a public consultation that drew over 2,500 submissions from government bodies, academia, think tanks, industry associations, private organisations and individuals, a Drafting Committee led by Professor Balaraman Ravindran developed the guidelines, drawing on public feedback, legal precedents, existing literature and international practice. Released into the public domain to maximise AI’s developmental and economic gains by fostering innovation and large-scale adoption, while mitigating risks that could harm individuals, society and democratic values, the guidelines provide a framework for safe, trustworthy, responsible, inclusive and accountable AI. They are organised into four parts: 

  • Part 1: Key Principles: fairness, accountability, safety, inclusivity and human-centric trustworthiness; 

  • Part 2: Key Recommendations: enablement, regulation and oversight, including infrastructure, risk management, accountability and institutional mechanisms such as an AI Governance Group and an AI Safety Institute; 

  • Part 3: Action Plan: short-, medium- and long-term actions including capacity building, risk classification, voluntary commitments and iterative refinement of legal and regulatory measures; and 

  • Part 4: Practical Guidelines: sector-specific guidance to encourage responsible practice, self-regulation and proportionate oversight. 

The scope covers data management, algorithmic transparency, risk classification, responsible use of generative AI, safety and reliability testing, and grievance redressal. The guidelines emphasise human oversight, capacity building, standard-setting and continuous collaboration among government, academia, industry and civil society to build an inclusive AI ecosystem that advances innovation while protecting citizens’ rights and ethical standards for sustainable, equitable growth. 

Source: https://indiaai.gov.in/article/india-ai-governance-guidelines-empowering-ethical-and-responsible-ai 

2) Global Chips, Local Bets: NVIDIA and Qualcomm Boost India’s Deep-Tech Leap 

NVIDIA and Qualcomm Ventures have joined the India Deep Tech Alliance (IDTA), signalling a major shift toward India becoming a creator of core technologies rather than just a talent hub, with combined commitments contributing to a funding pool estimated at $850 million to $2 billion for AI, semiconductors, robotics and advanced manufacturing. Their backing strengthens not only research and product development but also the deep-tech infrastructure powering India’s digital economy, from payments and streaming to gaming and education, while India accelerates data-centre expansion and GPU-ready facilities to meet rising AI demand. The move is supported by policy tailwinds such as the ₹76,000 crore Semiconductor Mission, the Anusandhan NRF’s ₹1 lakh crore RDI scheme, and the draft AI and synthetic-media regulations. 

Source: https://m.economictimes.com/tech/technology/nvidia-supplier-sk-hynix-bets-on-chip-super-cycle-after-booking-record-profit/amp_articleshow/124887155.cms

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
