Ministry of Electronics and Information Technology (MeitY) has drafted Digital Personal Data Protection (DPDP) Rules, 2025 to facilitate the implementation of DPDP Act, 2023. It aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework.
The rules are designed to empower citizens in a rapidly growing digital economy. They seek to protect citizens’ rights in accordance with the DPDP Act, while achieving the right balance between regulation and innovation, so that benefits of India’s growing innovation ecosystem are available to all citizens and India’s digital economy. They also address specific challenges like unauthorised commercial use of data, digital harms and personal data breaches.
The rules place citizens at the heart of the data protection framework. Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.
Further, the rules empower citizens by giving them greater control over their data. Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms. Parents and guardians are empowered to ensure online safety for their children.
India’s model strikes a unique balance between fostering innovation and regulation to protect personal data. Unlike restrictive global frameworks, these rules encourage economic growth while prioritising citizen welfare. Stakeholders view this as a new global template for data governance.
Meanwhile, the framework envisages lesser compliance burden for smaller businesses and start-ups. An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law.
Furthermore, the rules embrace a “digital by design” philosophy. Consent mechanisms, grievance redressal and the functioning of Data Protection Board are all envisaged as “born digital”, to ensure ease of living and ease of doing business. The Board will function as a digital office, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.
From processing complaints to interacting with data fiduciaries, workflows are optimised to ensure speed and transparency. This reflects India’s forward-looking approach to governance and builds trust between citizens and data fiduciaries.
Moreover, businesses benefit from a pragmatic framework. Graded responsibilities cater to start-ups and micro, small and medium-sized enterprises (MSMEs) with lower compliance burden, while significant data fiduciaries have higher obligations. Sector-specific data protection measures can complement the core personal data protection framework created by the Act and the rules.
The Data Protection Board’s digital office approach would ensure quick and transparent resolution of complaints. The Board is required to take into consideration factors such as the nature and gravity of default, efforts made to mitigate impact, etc., while imposing penalties for defaults. Further, data fiduciaries may voluntarily give undertakings at any stage of proceedings, which if accepted by the Board would result in dropping of the same. This balances the need to protect the rights of citizens, while providing a fair adjudicatory framework for those processing personal data.
Provisions for annual data protection impact assessments and audits for significant data fiduciaries ensure effective arrangements to secure compliance. The draft rules are based on wide ranging inputs gathered from various stakeholders and study of global best practices. They are grounded in the principles enshrined in the DPDP Act.
Recognising the importance of citizen engagement, the government plans a comprehensive awareness campaign. These initiatives will educate citizens about their rights and responsibilities under the new framework, fostering a culture of data responsibility.
Through these rules, India demonstrates leadership in shaping an equitable digital future. The draft rules are a testament to India’s commitment to ensuring protection of digital personal data of citizens while securing innovation-driven and inclusive growth.
In addition, MeitY has invited feedback/comments from the public and stakeholders till February 18, 2025, through MyGov platform, in line with the Government’s commitment to adopt an inclusive approach to law-making.
