Govt notifies Digital Personal Data Protection Rules

New Delhi: The government has released the long-awaited Digital Personal Data Protection Rules 2025 on Friday, which will be implemented in phases spread over 12-18 months.

The rules aim to give citizens control over their data, allow them to check for misuse, and protect their privacy in the online space.

However the rules will become completely operational only after 18 months.

“Now, therefore, in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), the Central Government hereby makes the following rules, ... These rules may be called the Digital Personal Data Protection Rules, 2025,” the notification said.

The rules are expected to help citizens avoid spam calls and unauthorised access to their personal data, video, and voice via any digital means.

Individuals under the rules get power to revoke their consent at any time they wish through consent managers.

Some parts of the rules will be implemented immediately, while provisions like registration and obligations of consent managers come into force one year after the date of the notification.

The process related to data processing and rules that will regulate data platforms will come into effect after 18 months.

The rules have notified the structure and functions of the Data Protection Board which will operate digitally and conduct proceedings in a manner that does not require physical presence of any individual.

The board will be authorised to levy penalties based on the nature of the breach as listed in the DPDP Act 2023. The DPDP Act 2023 has provisions to impose penalties of up to Rs 250 per breach on data fiduciaries. However, it has kept a graded penalty system to protect small businesses. The rules tighten noose on data breaches.

Any platform that learns about data breach will need to intimate each affected data principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the platform.

The rules came into force eight years after the Supreme Court, on August 24, 2017, held that the Right to Privacy is a Fundamental Right with restrictions specified and relatable to fundamental rights as embedded in the Constitution.

While the rules published under the Digital Personal Data Protection Act 2023 grant the right to citizens to protect their data, it also expects them not to suppress any information about themselves for any government-issued IDs or documents, refrain from filing false or frivolous complaints, and provide only verifiable information when requesting data correction or deletion.

With the DPDP Rules in place, citizens can take recourse if their phone numbers are leaked for unauthorised calls. The rules will help investigate and identify the entity that leaked the phone number of an individual without consent, and penal actions can be taken against those found guilty.

The provisions of DPDP Rules restrict rights of citizen in cases of enforcing court orders, prevention, detection, investigation or prosecution of any offence, also for an individual who is in overseas and has signed any contract or given consent to a foreign entity. It will not be applicable in cases related to ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan and in cases where the centre decides to exempt certain data fiduciaries including start-ups mainly for implementing government schemes, research and innovation purposes.