India enters the privacy era: Center notifies data protection rules

India enforces its first privacy law as MeitY notifies the Data Protection Rules, 2025, introducing consent-based data use and localisation norms.


For almost ten years, India’s search for a data protection framework has been a maze of committee reports, legislative stalls, and shouting matches between stakeholders. The country has now taken a decisive step in the digital world.

The Ministry of Electronics and Information Technology (MeitY) has formally issued the Data Protection Rules, 2025, thereby marking the operational commencement of the Digital Personal Data Protection Act (DPDP Act), though only partially.

This impressive turn of events can be traced back to 2017, when the Supreme Court of India defined privacy as a fundamental right. Since that time, the nation has had several drafts, expert committees, and public consultations. After the DPDP Act was given the President’s assent in August 2023, stakeholders were waiting for the operational rules. It is their arrival in late 2025 that constitutes India’s first real move towards a digital ecosystem regulated by privacy.

According to the details, complete implementation is postponed for at least another 12 to 18 months. Although the Data Protection Board of India (DPB), the main judicial authority, has been set up, some fundamental provisions like informed consent, purpose limitation, and mandatory breach notification are still to be implemented. These will be introduced step by step so that companies have time to get ready.

The notification by the government creates the Data Protection Board (DPB) right away. It is based in New Delhi and consists of four members. The Board will be responsible for compliance, dealing with complaints, and issuing fines. In the case of serious breaches, the fines may go up to Rs 250 crore.

Another provision that is being implemented straight away is the amendment to the Right to Information (RTI) Act, which limits the disclosure of personal information about public officials even if it is in the public interest. This move has renewed the debate on transparency versus privacy.

Data localisation is the main point around which the new rules revolve. The Centre will indicate the types of personal data for which “significant data fiduciaries” (Big Tech giants like Meta, Google, Apple, Microsoft, and Amazon) will be allowed to handle the data locally, thus ensuring that “the data is not transferred outside India”. Another panel will determine these criteria.

In effect, this is a local data requirement that worldwide businesses have been resisting for a long time. However, Nasscom and the Data Security Council of India (DSCI) issued a nuanced statement, in which they welcomed the rules but also urged the establishment of mechanisms that “facilitate interoperability and collaboration with India’s major trading partners”.

The DPDP Rules emphasize children’s safety online. They oblige companies to obtain verifiable parental consent before handling children’s data, but they do not specify a single government-approved method. This gives technology companies the liberty to choose the method while still being held responsible.

As Sreenidhi Srinivasan, Partner at Ikigai Law, says, “The regulations do not specify the methods, thereby giving companies the freedom to devise safer ways while at the same time they address the issues of, for example, harmful content and targeted advertising to children.”

Under the framework, data fiduciaries are required to inform the persons whose data has been compromised “without delay” about the occurrence of a data breach, giving details of the nature, extent, and likely consequences of the event. The data managers are also required to put in place the following security measures: encryption, access control, and data backup. If they fail to do so, they may be subjected to heavy financial penalties.

Additionally, the Act requires that, before collecting personal data, entities commit to providing easy-to-understand, separate notices that explain not only the data to be collected and the reason, but also the precise services made possible by such processing.

Opponents of the legislation point to the extensive exemptions granted to government agencies as one of its main features and warn of the risks of the government taking advantage of “national security” or “public order” to expand its power. Even the government-initiated NITI Aayog, back then, voiced its concerns about the weakening of the RTI Act. However, the government insists that the law is a well-balanced measure aimed at ensuring privacy without impeding governance and innovation.

India’s data protection framework is no longer just a dream; it is a late arrival, but better late than never. Over the next year and a half, the DPDP Act will be implemented, putting to the test whether the world’s biggest democracy is capable of balancing its citizens’ right to privacy with the requirements of a trillion-dollar digital economy. In fact, the rules have prepared the ground; the actual work is starting now at the complex intersection of freedom, security, and innovation.
