New Delhi: The government has notified a substantial part of the Digital Personal Data Protection (DPDP) Rules, 2025, bringing India a step closer to fully operationalising its first comprehensive data protection regime since the Digital Personal Data Protection Act was passed in Parliament in August 2023.
With the core framework now taking effect in phases, legal experts say the rules largely mirror earlier drafts but mark a decisive shift in how personal data will be governed in the country.
Akshat Agrawal, Founder & Counsel, AASA Chambers, said the notified provisions acknowledge “the practical reality of time taken to appoint personnel through the search-cum-selection process and lay enough transitory time for clarifications and commentary on the actual substantive provisions for stakeholders as well as potential Board constituents who may internalise the provisions better in the course of time.”
However, he noted that some aspects still need refinement, pointing to the reference to techno-legal measures in Rule 20, which he said “may need to be clarified to indicate the exact measures that may be desirable for the Rule to see any practical reality.” He added that emergency powers under Rule 19(6) also require clearer definitions “to avoid arbitrariness” and should include mechanisms to review unilateral decisions in “an emergency situation.”
DPDP Act and Rules are now live — The Privacy Notice from the Data Fiduciary shall:
1. Be presented and understood easily, independent of any other information shared by the Data Fiduciary.
2. Be clear, concise, and written in plain language.
3. Provide a fair and complete… pic.twitter.com/g5m5DVy44r— Digital India (@_DigitalIndia) November 14, 2025
According to Rahul Hingmire, Managing Partner, Vis Legis Law Practice, the rules fundamentally influence how organisations transact and manage personal data. “DPDP Rules now shape every transaction, pushing all stakeholders toward clearer processes and tighter risk control,” he said. Hingmire added that explicit consent norms reduce ambiguity, while stringent breach-notification duties “force faster responses that limit reputational and financial damage.”
However, he cautioned that retention and deletion rules create challenges for entities with legacy systems and that new security-control expectations “add pressure for businesses with underdeveloped technology practices.” Despite these hurdles, he said the strengthened rights for data principals “firmly establish DPDP compliance as a baseline in most commercial dealings.”
Calling the notification a major doctrinal milestone, Ankit Sahni, Partner at Ajay Sahni & Associates, said it marks “a jurisprudential inflexion point in India’s data governance architecture.” He highlighted that the government has adopted a calibrated rollout, with Rules 1, 2 and 17 to 21 effective immediately, Rule 4 kicking in after one year, and the core compliance provisions becoming operative after eighteen months. Sahni said these timelines provide a structured runway for companies to re-engineer consent, security, and grievance mechanisms while maintaining business continuity. “As practitioners, we now have a materially clearer compliance grid that balances lawful processing with principled limitations,” he said.
Rodney D Ryder, Partner, ANM-Scriboard, described the notification as “an epochal moment for the country’s data governance landscape,” noting that it finally moves India from anticipation to a clearly defined compliance regime. He emphasised that the phased model gives businesses adequate time to implement structural reforms. “With clearly defined phased-wise implementation timelines, mandatory audits for significant data fiduciaries, strict breach-notification duties and robust standards for consent, security and retention, the Rules firmly operationalise India’s data protection regime,” he said, adding that the framework will significantly shape the use of data in AI systems.
Mitakshara Goyal, Co-founder, Svarniti Law Offices, said the notification means India “finally has an operational, first-of-its-kind data protection law.” She noted that the rules outline duties on notice, consent, children’s data and retention limits, especially for large platforms. However, she cautioned that “the real test now is enforcement capacity and whether regulators can actually hold Bigtech and Indian companies to these standards.” Goyal added that by issuing strict erasure timelines and rules for sectors like e-commerce, gaming and social media, the government has signalled that misuse of personal data “is no longer a cost-free business model in India.”
Rohit Jain, Managing Partner, Singhania & Co., said the DPDP Rules 2025 bring “enhanced transparency, safety, and technical standards to protect digital personal data in India,” operating as a detailed procedural manual for implementing the Act. Highlighting key elements—from the new framework for Consent Managers and stringent breach notification norms to phased implementation and security safeguards, he said the rules “mark a significant strengthening and clarification of duties, rights, and procedural safeguards.” He also pointed to new obligations such as annual audits for significant fiduciaries, restrictions on cross-border data transfers, enhanced rights of data principals and full operational details for the Data Protection Board.
With the notification now issued, experts broadly agree that the DPDP Rules bring clarity and structure to India’s digital rights regime, while simultaneously setting the stage for rigorous compliance expectations across industries.
Discussion about this post