Summary of this article
Digital Personal Data Protection Rules, 2025 (DPDP) has been revealed.
These regulations will roll out in phases over the next 12 to 18 months.
The primary objective to enable individuals to exercise greater authority over how personal data is used.
The government has revealed the much-awaited Digital Personal Data Protection Rules, 2025 (DPDP). This marks a major step in strengthening citizens' rights over their personal information in the digital space. These regulations will roll out in phases over the next 12 to 18 months. This duration is fixed to make sure there is adequate time for smooth implementation and execution across all sectors. Some of the provisions will come into effect immediately, and the rest of the complex ones will be enforced during the implementation window.
This new framework comes with the primary objective to enable individuals to exercise greater authority over how personal data is used. This would also ensure the detection of misuse of any data, and safeguard their privacy across all platforms. These sets of rules and regulations are expected to significantly reduce spam calls, unnecessary communication, and unauthorised access to personal details. This includes implementing a stricter set of obligations for entities responsible for handling such information. These changes are being introduced under the powers granted by Section 40(1) and 40(2) of the Digital Personal Data Protection Act, 2023 (DPDP Act 2023), which will be called the Digital Personal Data Protection Rules, 2025.
As an important part of the implementation, a Data Protection Board will be established. This would ensure responsibility for investigating breaches of DPDP and imposing penalties based on the intensity and nature of the violation. The Act issues a penalty of Rs 250 per breach, though it offers relaxation for smaller businesses and startups so they are not burdened beyond their repayment capacities.
These regulations come nearly eight years after the Supreme Court's judgment, which affirmed the Right to Privacy as a Fundamental Right under the Constitution. The Right to Privacy comes with certain reasonable restrictions, while the DPDP empowers citizens to protect their digital identities. These rules are not just for the organisations, they also apply to the users; people are expected not to withhold critical details when applying for government documents and identifications, to avoid lodging false complaints, and to submit only the information that can be verified.
More importantly, these rules provide citizens and users with a mechanism to seek action and assistance if and when their personal data is leaked without consent. Authorities will now be able to trace the sources of such activities.
