Intrinsic to India’s long-drawn transition towards chartering a privacy-safe environment, the Ministry of Electronics and Information Technology (MeitY), Government of India, enacted the Digital Personal Data Protection Act, 2023 (DPDPA 2023) during the monsoon session of the Parliament, on 11th August 2023. The Act sets obligations for Data Fiduciaries and Significant Data Fiduciaries, provides safeguards for children’s data, vest rights in individuals, allows cross-border data transfers, outlines exemptions from the Act as well and provides contour of the Data Protection Board (DPB), financial penalties, and grievance management system.
In continuation of the enactment, MeitY published the Digital Personal Data Protection Rules 2025 (DPDP Rules 2025) on 3rd January 2025, which fleshes out the sections of the Act and provides directions toward operationalising the provisions. While this is a step in the right direction, as we move forward, some rules require further deliberation to ensure that we have a data protection regulation that balances state interest, business development, and consumer protection.
Towards that objective, this preliminary analysis document explores the key legal and policy provisions enumerated in the rules while discussing the potential impact of such provisions on individuals and businesses. The document deliberates on some of the key provisions within DPDP Rules 2025, which would impact the ecosystem as we move towards operationalisation.
Disclaimer: This document presents a preliminary analysis of the draft rules under the Digital Personal Data Protection (DPDP) Act, 2023 does not necessarily constitute as the position of The Dialogue. It is intended solely to provide an initial overview of key provisions and potential areas of impact. A comprehensive analysis with stated recommendations will be prepared for submission to MeitY.
