Digital Personal Data Protection Rules, 2025
π° Context
The Union government has notified the Digital Personal Data Protection (DPDP) Rules, 2025, operationalising parts of the Digital Personal Data Protection Act, 2023. It has also triggered formation of the Data Protection Board of India (DPBI) and notified an amendment to the Right to Information Act (RTI), 2005, sparking criticism from transparency activists.
1οΈβ£ What are the Digital Personal Data Protection (DPDP) Rules?
The DPDP Act, 2023, along with the newly notified Rules, is Indiaβs dedicated digital personal data protection framework, comparable to:
-
EUβs GDPR (General Data Protection Regulation)
-
Singaporeβs PDPA (Personal Data Protection Act, 2012)
The Act sets baseline obligations for how companies must handle citizensβ digital personal data.
2οΈβ£ Key Concepts
| Term | Meaning |
|---|---|
| Data Principal | The individual whose personal data is collected (i.e., the user or citizen) |
| Data Fiduciary | Entity (company/organisation) determining purpose and means of processing personal data |
| Significant Data Fiduciary (SDF) | Large entities with high-volume data processing obligations (extra compliance) |
| Data Protection Officer (DPO) | Officer appointed by SDFs to ensure compliance |
| Consent Manager | Service enabling users to manage consent across platforms |
3οΈβ£ Major Provisions of the DPDP Act & Rules
1οΈβ£ Informed consent required, with clear notice of:
-
data being collected
-
purpose and usage
2οΈβ£ User rights:
-
modify, erase, or delete personal data
-
withdraw consent
-
automatic deletion after long inactivity
3οΈβ£ Security mandates:
-
access control, encryption, security audits
4οΈβ£ Breach reporting:
Must be reported as soon as possible.
5οΈβ£ Penalties:
βΉ10,000 to βΉ250 crore for non-compliance.
4οΈβ£ How does the Act protect children?
-
Restrictions on targeted advertising and certain data processing for minors.
-
Parental consent required.
-
Rules allow parental location tracking exemptions.
5οΈβ£ Has the Data Protection Board of India (DPBI) been formed?
Yes, the notification initiates its formation.
-
The DPBI will:
-
enforce the Act
-
adjudicate penalties
-
function under MeitY
-
consist of four members
-
However, many compliance obligations come into force after 12β18 months.
6οΈβ£ Controversial Amendment to the Right to Information Act, 2005
The DPDP Act amended Section 8(1)(j) of the RTI Act.
π£ Earlier provision:
Personal information could be denied unless larger public interest justified disclosure.
π΄ New Change:
That public interest override has been removed, giving government bodies wider discretion to deny information as “personal”.
Why activists oppose it?
-
Could undermine transparency and social audits
-
May limit access to ration muster rolls, NREGA worksites, expenditure logs
-
Could shield misconduct of powerful officials
7οΈβ£ What has the Mazdoor Kisan Shakti Sangathan (MKSS) said?
-
Strongly opposed the amendment
-
Argues it threatens grassroots accountability and anti-corruption efforts
-
MKSS founding member Nikhil Dey said:
βWe the people will fight back.β -
Along with NCPRI, warns that broader definition of personal data may:
β hinder discovery of graft
β restrict transparency
β affect citizen-led audits
8οΈβ£ Comparison with GDPR (For Mains Answers)
| Aspect | GDPR (EU) | DPDP (India) |
|---|---|---|
| Scope | Personal + Sensitive data | Only digital personal data |
| Cross Border Transfer | Strong restrictions | Permissive, with notified restrictions |
| Independent Regulator | Strong autonomy | DPBI under MeitY (less independent) |
