DPDP Rules: An Attempt To Bring Order To The Chaos

Introduction

After a long wait, the overhaul of India's dated data protection framework has finally been set in motion. On November 13, 2025, the Ministry of Electronics and Information Technology ("MeitY") issued the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") which is intended to operationalise the Digital Personal Data Protection Act, 2023 ("DPDP Act")¹ (hereafter collectively referred to as "DPDP Framework"). The MeitY also issued notifications setting out the enforcement and implementation timelines for the DPDP Act ("Implementation Timelines Notification"), and the establishment of the Data Protection Board ("DPB"), which will be headquartered in National Capital Region of India ("DPB Notification").²

With the issuance of the DPDP Rules (which remained largely similar to the draft version of the rules, published for stakeholder feedback earlier this year)³, there is now a clear road map that both, entities and individuals, have in relation to the implementation of the DPDP Framework.

Evolution of the Data Protection Framework

Before 2023, India lacked a comprehensive data protection law which could meaningfully respect privacy and protect all personal data. Instead, for years, reliance was placed on Section 43A of the Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011("SPDI Rules"), which was focused on 'sensitive personal data or information' ("IT Framework") with the IT Act providing very limited protection to personal data in general.⁴

It was only in 2017, in Justice K.S. Puttaswamy v. Union of India, that a nine-judge Supreme Court bench recognised the right to privacy as an intrinsic part of the fundamental right to life and personal liberty,⁵ which could be available to citizens and non-citizens alike. The Supreme Court did recommend a robust data privacy framework to be set up by the Central Government,⁶ which ultimately culminated in the finalisation and passing of the DPDP Act. The DPDP Act received Presidential assent and was notified on August 11, 2023, in the Indian Gazette. It is intended to supersede the long-standing IT Framework, once in full force and effect.⁷

The enforcement / operationalisation of several provisions remained contingent on the finalisation of the delegated legislation in the form of the DPDP Rules which the MeitY has now published along with the Implementation Timelines Notification and the DPB Notification.⁸

To read this article in full, please click here.

Footnotes

1. Our article on the DPDP Act is available here, and our FAQs on the DPDP Act are available here.
2. The DPDP Act is available here; the DPDP Rules are available here; the Implementation Timelines Notification is available here; notifications in relation to composition of DPB and location of its head office are available here and here.
3. Our article on the draft DPDP Rules is available here.
4. Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A of the Information Technology Act, 2000, dated April 11, 2011, available here.
5. Article 21 of the Constitution of India, 1950.
6. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, para, 328.
7. Section 44(2)(a) of the DPDP Act.
8. Earlier this year, on January 3, 2025, the MeitY released draft DPDP Rules for public consultation, and comments were accepted until March 05, 2025. After reviewing the inputs received, MeitY has now finalised the DPDP Rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.