India's First Data Protection Rules: A New Era of Privacy

18 Nov, 2025

India has recently taken a monumental step towards safeguarding personal data through the notification of the Data Protection Rules by the Ministry of Electronics and IT (MeitY). This development marks the country’s first functional privacy law, arriving eight years after the Supreme Court recognized the right to privacy as a fundamental right. The long-awaited rules come two years after the Digital Personal Data Protection Act (DPDP Act) received presidential assent in August 2023.

While the law is now operational, only certain aspects are currently enforceable. Key protections for citizens, such as the requirement for entities to obtain informed consent before processing personal data, will take between 12 to 18 months to be implemented. This phased approach raises questions about timely protections for individuals in a digital age where data breaches are increasingly common.

The Data Protection Board of India (DPB) has been established as the primary adjudicatory body to ensure compliance with the law. However, it includes a controversial amendment to the Right to Information (RTI) Act, preventing the disclosure of personal information about public officials, even when public interest is at stake. This has been a point of contention among civil society and watchdog organizations.

Under the DPDP Rules, the government will categorize significant data fiduciaries based on the volume and sensitivity of the data they handle. This classification will also consider the potential risks to India's sovereignty, security, and public order. Major tech firms such as Meta, Google, and Microsoft are expected to fall under this classification, which comes with stringent data localization requirements.

Furthermore, tech companies are tasked with collecting parental consent before processing children's personal data. The government has opted not to propose a specific mechanism for this, leaving companies to determine their own systems, a decision that might complicate compliance. The rules do stipulate that limited processing of data for children is permitted to prevent harmful content and advertisements.

In case of a data breach, data fiduciaries must notify affected individuals promptly, detailing the nature, extent, and timing of the breach, along with the consequences for users. Failure to implement adequate safeguards could result in hefty fines reaching up to Rs 250 crore.

Despite the positive aspects of the new rules, there are significant concerns regarding the government’s extensive exemptions for processing citizens’ data under the guise of national security and public order. Critics argue that these provisions could undermine the very fabric of data privacy rights, raising alarms about potential misuse.

Overall, while the Data Protection Rules signal a step forward in personal data protection in India, the journey ahead will require careful monitoring and advocacy to ensure that citizens' rights are upheld in the face of evolving digital challenges.