The Central Government has formally notified the Digital Personal Data Protection (DPDP) Rules, 2025, which lay down the operational framework for implementing the Digital Personal Data Protection Act, 2023.
The notification, issued by the Ministry of Electronics and Information Technology and published in the Gazette of India, marks the culmination of a public consultation process on the draft rules released in January this year.
According to the notification, the rules have been framed after considering objections and suggestions received from stakeholders. The government has also prescribed a phased rollout schedule.
The rules begin with detailed definitions, including terms like “user account”, “verifiable consent”, and “techno-legal measures” that govern digital processes adopted by the Data Protection Board and the Appellate Tribunal.
They also specify the form and content of the notice that must be given to data principals, mandating clear and plain language, itemised details of personal data being processed, and communication links enabling the withdrawal of consent and the exercise of rights.
In one of the pivotal components, the notification elaborates on the verifiable consent required for processing the personal data of children. Data fiduciaries must adopt technical and organisational measures to ensure that consent is obtained from an identifiable adult parent or guardian, verified either through reliable identity details held with the fiduciary or through authorised tokens or Digital Locker systems.
Multiple illustrations outline processes for account creation involving minors, including checks to confirm age, identity and parental status.
The rules also prescribe additional obligations for Significant Data Fiduciaries, requiring them to undertake annual Data Protection Impact Assessments and audits, verify the safety of algorithmic tools, and comply with restrictions on the cross-border flow of certain personal data, as specified by the government.
To uphold the rights of data principals, every data fiduciary must publish mechanisms for filing requests, grievance redressal, and identifiers needed for authentication. They must respond within a reasonable period, not exceeding 90 days, and enable the nomination of individuals to exercise rights on behalf of a data principal.
The rules also detail the structure, powers, and functioning of the Data Protection Board, including quorum, decision-making processes, conflict-of-interest safeguards, authentication of orders, and the requirement to operate as a digital office, enabling remote proceedings.
Appeals against Board orders can be filed digitally before the Appellate Tribunal.
The act has listed authorised government officers who are empowered to seek information from data fiduciaries for specified purposes related to sovereignty, law enforcement or regulatory functions.
With the formal notification of the rules, India’s data protection ecosystem now enters a structured implementation phase.
