
Digital Personal Data Protection Rules, 2025: Incremental tweaks and the way ahead

17 November 2025

by Sameer Avasarala

On 13 November, the Ministry of Electronics and Information Technology (‘MEITY’) notified the Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’) and set out clear timelines for enforcement of the Digital Personal Data Protection Act, 2023 (‘DPDPA’) and the DPDP Rules. While the DPDP Rules do not, in large part, deviate from the MEITY’s draft rules released in January (‘Draft Rules’), we have outlined the key changes under these Rules, as well as the way ahead for the law.

Enforcement timelines

It is noteworthy that many of the administrative provisions of the DPDPA and DPDP Rules, including those relating to the establishment of the Data Protection Board of India (‘DPBI’), have come into immediate effect. With the DPBI anticipated to be established and functional in less than a year from now, the substantive provisions of the law are slated to come into force in two tranches, viz.:

* Consent Managers, including their registration and obligations and the powers of the DPBI to inquire into their non-compliance and take necessary action, are set to come into effect one year from the date of publication, i.e., by November 2026; and

* All other substantive provisions of the DPDPA & DPDP Rules are set to come into effect at the end of 18 (eighteen) months i.e., by May 2027.

With the above enforcement timelines and the DPDP Rules in place, it may be prudent for organizations to prioritize initial discovery and scoping exercises. This may help in preparing for the integration of consent mechanisms to align with the roll-out timelines for consent management platforms, and thereafter with the effective date for all other provisions of the DPDPA.

Sifting through the incremental changes

As outlined above, although the DPDP Rules make few changes on comparison with the Draft Rules, those changes merit examination:

* Changes in Privacy Notice: The erstwhile Draft Rules proposed an ‘itemized’ description of the goods and services or uses to be enabled by the processing of personal data, to be disclosed and provided to the Data Principal. On the other hand, the finalized DPDP Rules require a ‘specific’ description of such goods and services. Ostensibly, this may imply a departure from exhaustively listing descriptions of goods and services, towards specific descriptions of the goods, services or uses that are tied to the purpose and datasets.

For example, an organization that provides a host of products and services would now be required to identify and enlist, as part of their notice, the specific uses or services (within the service catalogue) that would be enabled by such collection of personal data.

* Time Period and Specific Purpose: A new introduction in the DPDP Rules is an obligation cast upon all Data Fiduciaries to retain personal data processed, associated traffic data and other logs of personal data processed by them (or their Processor) for a minimum period of 1 (one) year, after which such data would be erased. The present provision is applicable only for use by the State or its instrumentalities for any of the following purposes:

* To fulfill the interests of sovereignty, integrity or security of the State;

* Performance of any function under law;

* Disclosure for fulfilling legal obligations; and

* Carrying out assessments for notification of Significant Data Fiduciaries (‘SDF’).

Consequently, any Data Fiduciary that retains such personal data would be required to process only for the said use, and any further processing, including for secondary purposes, would not be covered by this provision.

* Flexibility in Security Safeguards: Although the nature of the security safeguards, such as data security measures, access control, logging, unauthorized access detection, continuity of processing, documentation and technical and organizational measures, remains similar, the DPDP Rules introduce certain flexible language in the data security and processing continuity measures, using indicative phrases rather than inclusive ones.

* Verifiable Parental Consent: The requirement of ‘verifiable parental consent’ was provided earlier; however, the DPDP Rules flesh out further clarity on the manner in which it may be undertaken. Data Fiduciaries may do so using reliable details of the identity and age of the individual available with them, voluntarily provided by the individual, or may seek to verify such details using virtual tokens.

While the erstwhile Draft Rules included virtual tokens, the DPDP Rules tie in the requirement that such virtual tokens must be issued by an authorized entity viz.:

* Entities entrusted by law or Government with issuance of details of identity and age or virtual tokens mapped to such details;

* Persons appointed or permitted by the aforesaid entities for such issuance; and

* Digital locker service providers that are notified by the Government under the Information Technology Act, 2000.

* Exemption for Children’s Data: An important inclusion in the context of children's data processing is a purpose-based exemption that has been extended under the DPDP Rules. The requirements relating to parental consent and the restrictions on tracking, behavioral monitoring and targeted advertising would not apply in the context of, and for the purposes of, determining the real-time location of a child, provided that such processing is restricted to the real-time location for the safety, protection and security of, and in the interest of, the child.

These exemptions may be relevant in the context of child safety and tracking apps or platforms, school transport systems handling telematics data, child-specific ride sharing and tracking applications and other similar platforms.

* Solicitation of Information: The DPDP Rules enable the Government to call for information from Data Fiduciaries and intermediaries (as defined under the IT Act), with the time period within which such information must be furnished specified in such order. In addition to the same, there also exist restrictions around disclosure of such information, especially if such disclosures may affect sovereignty, integrity or security of the State. In such cases, Data Fiduciaries or intermediaries are restricted from disclosing the same. This restriction on disclosure has been extended to any information that is provided to Data Principals, for example, in response to the right of access, information or other rights under the DPDPA.

* Grievance Redressal: While the Draft Rules proposed a requirement to have a grievance redressal mechanism and to specify the time period for such grievance redressal on the website, the DPDP Rules further clarify that such time period shall not exceed 90 (ninety) days, and also do not specify any requirement around costs incurred or any exceptions for particularly burdensome requests received from Data Principals.

* State Processing: As part of the State’s standards for processing personal data (which are utilized when processing data for the provision of subsidies, benefits, services, certificates, licenses or permits, or for research, archiving or statistical purposes), the requirements have been expanded to require that processing be undertaken while making reasonable efforts to ensure the completeness and consistency of personal data.

Looking ahead

With the DPDP Rules and implementation timeline in place, organizations must consider moving swiftly to compliance endeavours in a phased manner: undertaking data discovery, developing an inventory, mapping ingresses and egresses of data, gathering the necessary visibility over data resources and assets, and conducting the necessary gap exercises. Thereafter, organizations may implement the necessary measures to address the gaps identified and adopt the necessary remediation, training and sensitization exercises.

[The author is a Principal Associate in Data Privacy and TMT practice at Lakshmikumaran & Sridharan Attorneys, Hyderabad]
