Digital data protection rules notified
The rules, which were circulated in January this year, lay down the framework of the Digital Personal Data Protection Act, 2023, passed in Parliament two years ago.
The Act spells out broad principles, consent, rights of individuals and obligations of data fiduciaries (those who will collect and use personal data). With the rules now in place, the privacy regime will finally begin to take shape.
The Act requires firms to safeguard digital data of Indians, and prescribes a set of penalties for firms breaching these obligations on data privacy. The rules will be invoked in two phases. The amendment has come into force from November 14. However, data fiduciaries will have until November 2026 to comply with actual obligations, such as putting out the details of their designated data protection officer (DPO).
Large technology firms will be subject to the full force of the Act by May 2027. A Data Protection Board of India (DPBI) has also been set up. It can hold inquiries in response to complaints and impose penalties in case of breach of data. The board’s members, who have not yet been chosen, will be appointed by the Ministry of Electronics and Information Technology.
The rules provide the operational framework to implement the Act’s provisions. Data fiduciaries need to adopt technical and organisational measures to ensure that verifiable consent of a parent is obtained before processing any personal data of a child. Due diligence will be observed to confirm that the person identifying as the parent is an adult, verified through reliable identity and age details available with the data fiduciary, voluntarily provided by the individual, or through a virtual token issued by an authorised entity. A data fiduciary is required to erase personal data once the specified purpose is served, unless retention is required by law.
The DPDP Act, 2023 has gone through three iterations since 2017, with the first one in 2018 imposing conditions like data localisation.