The Government of India has notified the Digital Personal Data Protection Rules, 2025, an important step towards regulating the processing, protection and governance of personal data in the country. The rules pave the way for implementing the Digital Personal Data Protection Act, 2023. They lay down new guidelines for data fiduciaries, consent managers and users aimed at protecting privacy rights. Many provisions come into effect immediately, while others will be implemented within 12-18 months, so the rules will be rolled out in a phased manner.
Definition of data fiduciaries
According to the rules, companies and platforms that collect and process personal data are "data fiduciaries" (the Act's term; sometimes rendered as data trustees). The user whose data is being processed is the "data principal". A "consent manager" is an authorised, neutral intermediary through which users can manage the permissions they have granted.
A data protection board will be established
According to the notification, a four-member Data Protection Board will be set up to monitor data breaches and regulatory compliance in India. The rules also fix the time limit for reporting breaches: every data fiduciary must report a personal data breach to the Board within 72 hours, and must notify the affected users immediately.
Strictness regarding data of minors
The government is taking strict steps on the protection of children's data. All platforms must obtain verifiable parental consent and may not track minor users for advertising or behavioural profiling. Government agencies have been given relief in some cases, but they are not completely exempt. The government has also retained the right to demand information from any company handling the data of Indian users. In some cases, the government may bar a fiduciary from informing users about a data breach if it believes that doing so would increase the risk.
Data of inactive users will be deleted after three years
According to the new rules, fiduciaries must delete the personal data of users who have been inactive for three years, unless a longer retention period is required by law. They must also maintain logs for one year recording consent, disclosures, processing activity and withdrawals of consent.