ET Graphics: Decoding India’s new data protection rules
ETtech November 17, 2025 03:00 PM
Synopsis

ET decodes what the regime will mean for diverse groups, explains the staggered implementation of provisions and traces the twists and turns in India’s 15-year-long quest for privacy and protection of personal data.

Two years after the Digital Personal Data Protection (DPDP) Act was passed in Parliament, the Centre on Friday notified the administrative rules required to put the law into effect. Subhayan Chakraborty decodes what the regime will mean for diverse groups, explains the staggered implementation of provisions and traces the twists and turns in India’s 15-year-long quest for privacy and protection of personal data.


What will the final rules of the DPDP Act mean?

For data privacy: Data fiduciaries can retain personal data for at least one year for national security, enabling the government to use or disclose any information under any law.


For cross-border flows: Personal data may flow across borders, but the Centre can restrict or demand access to certain data based on government committee recommendations or foreign state requests.

For children: Hospitals, clinics, schools and day-care centres can track or monitor children, and direct targeted advertising, without parental consent, under a web of conditions and limitations.

For geopolitics: No provision of the Act pertaining to personal data shall apply in the interest of national sovereignty or friendly relations with foreign states.

Long time coming

September 2011: Erstwhile Planning Commission constitutes a committee under former Chief Justice of the Delhi High Court AP Shah to study possible invasion of citizens’ fundamental right to privacy after the government began national programmes for the unique identification number, national intelligence grid, DNA profiling, privileged communications and brain mapping.

October 2012: The committee recommends a framework for privacy legislation, setting the first formal stage for India’s data protection efforts.

August 2017: The Supreme Court, in the landmark Puttaswamy judgement, declares privacy a fundamental right, catalysing the push for a dedicated data protection law.

December 2018: The Centre forms the BN Srikrishna Committee to draft a personal data protection framework.

December 2019: The Personal Data Protection Bill, 2019, is introduced in Parliament, but faces several rounds of scrutiny and criticism.

August 2022: The 2019 Bill is withdrawn after a joint parliamentary committee recommended 81 amendments and 12 major recommendations.

November 2022: The Ministry of Electronics and IT releases a fresh Digital Personal Data Protection Bill, 2022, for public consultation.

August 2023: The Digital Personal Data Protection (DPDP) Bill is introduced, passed in both Houses of Parliament, and receives Presidential assent.

January 2025: Draft DPDP rules released for public consultation by MeitY.

July 2025: Concerns about the DPDP Act’s impact on the Right to Information (RTI) Act and democratic accountability are raised, with prominent legal voices writing open letters to government officials about the law.

November 2025: Final DPDP rules notified after lengthy consultations and 6,915 written inputs from industry, academia and civil society.

Key numbers in DPDP provisions:

  • 48 hours before the time period for erasing personal data is completed, the data fiduciary should inform the data principal.
  • Within 72 hours of being aware of a personal data breach, the data fiduciary should intimate the Data Protection Board of its nature, extent, timing and location, and likely impact.
  • A 90-day deadline is given to the data fiduciary and consent manager to respond to data principals' grievances.
  • Every 12 months, a significant data fiduciary has to undertake a data protection impact assessment and an audit to ensure it can meet DPDP rule provisions.
  • Minimum one-year-long storage of personal data by data fiduciary mandated from the date of processing, for the purpose of national security.
  • At least seven years must pass before consent managers can delete records of consents given by data principals, and details of personal data being shared with a transferee data fiduciary.

Staggered implementation: What comes into effect when?

From November 13:

  • DPDP rules, key legal definitions for terms such as 'techno-legal measures', 'verifiable consent' and 'user accounts'.
  • Terms and procedures for the functioning of the Data Protection Board of India, process to appoint chairperson and other members, their service guidelines.

After 12 months:

  • Registration of consent manager with Data Protection Board, and their obligations under the Act.

After 18 months:

  • Rules for processing of personal data for government subsidy, benefits, service, certificate, licences or permits.
  • Government powers to call for personal information from data fiduciaries and intermediaries.

  • Rules on notice given by data fiduciary to data principal.

  • Security safeguards to be put in by data fiduciaries, responsibilities during personal data breaches and publishing of details of data protection officers.
  • Verifiable consent mechanisms for processing of personal data of children, and disabled citizens.
  • Rules allowing greater government control over cross-border flow of personal data.


Hefty penalties on data fiduciaries and individuals

  • Not observing reasonable security safeguards to prevent personal data breach: Up to Rs 250 crore.
  • Not notifying Data Protection Board of India, or the affected data principal of a personal data breach: Up to Rs 200 crore.
  • Not observing additional obligations in relation to children: Up to Rs 200 crore.
  • Significant data fiduciary not abiding by additional obligations placed on them: Up to Rs 150 crore.
  • Breach of any other provisions of the DPDP Act and its rules: Up to Rs 50 crore.
  • Individuals impersonating another person, or suppressing material information while providing their data: Up to Rs 10,000 crore.