Evolution Of Data Privacy Law In India: Understanding Digital Personal Data Protection Rules, 2025
Evolution of the Data Privacy Law in India
While delivering the verdict in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. [2017 10 SCR 569], commonly referred to as the 'Right to Privacy' judgment, the Supreme Court of India recognised that the Right to Privacy is intrinsic to the Right to Life and Personal Liberty guaranteed under Article 21 of the Constitution of India. The Right to Privacy was also held to be part of the freedoms guaranteed by Part III of the Constitution, thereby establishing it as a Fundamental Right.
A batch of petitions challenging different aspects of the Aadhaar Scheme, led by the one filed by Late Justice K. S. Puttaswamy in the year 2012, came up for consideration before the Supreme Court. The petition(s) questioned the norms for the collection of demographic and biometric data by the Government of India on the ground that they violated the Right to Privacy. It was argued that the Aadhaar Scheme was unconstitutional because the Right to Privacy was intrinsic to Life and Personal Liberty under Article 21.
Appearing for the State, the then Attorney General contended that the status of the Right to Privacy as a fundamental right remained uncertain, particularly in light of two landmark judgments: M.P. Sharma v. Satish Chandra, District Magistrate, Delhi [1954 SCR 1077] and Kharak Singh v. State of Uttar Pradesh [1964 1 SCR 332], decided by an Eight-Judge Bench and a Six-Judge Bench respectively. In both cases, the Court had observed that the Constitution did not explicitly recognise the Right to Privacy as a fundamental right. The State, however, acknowledged that over time several subsequent rulings had affirmed the Right to Privacy as a fundamental right. It emphasised that since those later judgments were delivered by benches of smaller strength than the ones which decided M.P. Sharma and Kharak Singh, they carried less authoritative weight.
Because of these divergent views, the petition(s) were referred to a nine-judge Bench of the Supreme Court, which unanimously held that "the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution". The Court also overruled its earlier verdicts in M.P. Sharma and Kharak Singh to the extent they held otherwise.
Digital Personal Data Protection Act, 2023
In the aftermath, the Government appointed a Committee of Experts on Data Protection under the chairmanship of Justice B. N. Srikrishna, which submitted its report in July 2018 along with a draft Data Protection Bill. The Report carried a wide range of recommendations to strengthen privacy law in India. Its proposals included restrictions on the collection and processing of data, a Data Protection Authority, a right to be forgotten, data localisation, explicit consent requirements for sensitive personal data, and the like. A revised draft, titled the Digital Personal Data Protection Bill, 2022, was released by the Ministry of Electronics and Information Technology on November 18, 2022. The Bill matured into the Digital Personal Data Protection Act, 2023 ["the Act"] after being passed by both Houses of Parliament and receiving the assent of the President of India on August 11, 2023.
Although the Act laid out a roadmap for addressing data privacy challenges, its provisions, as is usual for a new law, were relatively generic. Stakeholders both inside and outside the Government felt the need for a more detailed framework in order to enforce the Act effectively. To bridge that gap, the Ministry of Electronics and Information Technology, Government of India ["MEITY"] has notified the Digital Personal Data Protection Rules, 2025, the key highlights of which follow.
Digital Personal Data Protection Rules, 2025
Rule 1 Short Title & Commencement
- This rule gives the formal name: Digital Personal Data Protection Rules, 2025.
- It also lays out when different sets of rules will come into force.
Implication
The rules do not all take effect at once. They are rolled out in phases to give businesses time to prepare: the rules establishing the Data Protection Board took effect on notification, the Consent Manager provisions (Rule 4 and the First Schedule) follow after twelve months, and the remaining obligations after eighteen months.
Rule 2 Definitions
- Provides definitions for key terms used in the rules (e.g., Data Fiduciary, Data Principal) by referencing the Act.
Implication
Ties the terms used in the rules to their meaning in the Act, removing ambiguity about how they apply, which is critical for compliance.
Rule 3 Notice given by Data Fiduciary to Data Principal
- Data Fiduciaries must give a clear and unambiguous privacy notice to Data Principals, in plain language that can be understood on its own.
- The notice should include:
- an itemised list of the personal data being collected.
- the specific purpose(s) for processing the data.
- information on how the Data Principal can withdraw consent, exercise their rights, and file a complaint with the Data Protection Board.
Implication
Transparency is enhanced: individuals must be told exactly what data is being collected and for what purpose.
Rule 4 Registration and Obligations of Consent Manager
- Defines how an entity can become a 'Consent Manager' by registering with the Data Protection Board.
- Consent Managers must maintain records (such as each consent given, modified or withdrawn, with the date and the notice on which it was based) and meet the conditions and obligations set out in the First Schedule.
Implication
This introduces a formal mechanism for managing user consent through a neutral, registered third party.
Rule 5 Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities
- Covers how personal data can be processed by the State (or its instrumentalities) when issuing subsidies, benefits, services, certificates, licences, or permits.
- Specifies that processing under this rule should follow the standards set out in the Second Schedule.
Implication
While the State can process personal data for such public functions, the Second Schedule standards act as guardrails so that this is done within defined data-protection limits.
Rule 6 Reasonable Security Safeguards
- Data Fiduciaries must implement reasonable security safeguards, such as encryption, masking or tokenization, access control, monitoring of access to computer resources, and backups, to protect personal data and preserve its availability.
- Logs and related data about the processing must be retained for at least one (1) year (longer where another law requires it) so that unauthorised access can be detected, investigated and remediated.
Implication
Data Fiduciaries must maintain a high standard of data security in order to mitigate the risk of data breaches.
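As an added illustration (not part of the article or of the Rules' text) of what Rule 6-style safeguards look like in code, the following Python sketch pairs keyed tokenization and display masking with role-checked detokenization and an access log that is purged on a one-year retention clock. The vault design, the role table, the 365-day retention figure, the key and the sample phone number are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy value: Rule 6 asks for logs to be kept at least one year;
# this example treats that as exactly 365 days.
LOG_RETENTION = timedelta(days=365)


@dataclass
class LogEntry:
    when: datetime
    actor: str
    action: str
    token: str


class TokenVault:
    """Keyed tokenization with role checks and an access log (hypothetical design).

    Raw values live only inside the vault (encrypt them at rest in a real
    system); everything outside sees tokens or masked forms.
    """

    def __init__(self, key, roles, clock=None):
        self._key = key                 # HMAC key; keep it out of the data store
        self._roles = roles             # actor -> set of permitted actions
        self._store = {}                # token -> raw value
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.log = []

    def _log(self, actor, action, token):
        self.log.append(LogEntry(self._clock(), actor, action, token))

    def _authorise(self, actor, action, token):
        allowed = action in self._roles.get(actor, set())
        # Denied attempts are logged too: the rule expects monitoring for unauthorised access.
        self._log(actor, action if allowed else "DENIED:" + action, token)
        if not allowed:
            raise PermissionError(f"{actor} may not {action}")

    def tokenize(self, actor, raw):
        # Deterministic keyed token: equal inputs give equal tokens (joins still work),
        # while a token alone reveals nothing about the value without the key.
        token = hmac.new(self._key, raw.encode(), hashlib.sha256).hexdigest()[:16]
        self._authorise(actor, "tokenize", token)
        self._store[token] = raw
        return token

    def detokenize(self, actor, token):
        self._authorise(actor, "detokenize", token)
        return self._store[token]

    def purge_logs(self, now):
        """Drop log entries older than the retention period; return the count removed."""
        cutoff = now - LOG_RETENTION
        kept = [e for e in self.log if e.when >= cutoff]
        removed = len(self.log) - len(kept)
        self.log = kept
        return removed


def mask_phone(raw):
    """Display form of a phone number: only the last four digits stay visible."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def run_demo():
    """Exercise the vault on constructed sample data; returns the observations."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    vault = TokenVault(b"\x01" * 32,  # constructed key for the demo only
                       {"app": {"tokenize"}, "support": {"tokenize", "detokenize"}},
                       clock=lambda: t0)
    raw = "+91 98765 43210"            # constructed sample number
    tok = vault.tokenize("app", raw)
    denied = False
    try:
        vault.detokenize("app", tok)   # the app role may tokenize but never read back
    except PermissionError:
        denied = True
    return {
        "token": tok,
        "masked": mask_phone(raw),
        "round_trip": vault.detokenize("support", tok),
        "app_denied": denied,
        "entries": len(vault.log),
        "purged_early": vault.purge_logs(t0 + timedelta(days=364)),
        "purged_late": vault.purge_logs(t0 + timedelta(days=366)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The log keeps denied attempts alongside successful ones because the rule's purpose for retaining logs is detecting and investigating unauthorised access; a purge run at day 364 removes nothing, one at day 366 removes everything written on day 0.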
Rule 7 Intimation of Personal Data Breach
- When a personal data breach occurs, the Data Fiduciary must notify:
- the affected Data Principals (users) without delay, through their user account or registered mode of communication.
- the Data Protection Board, without delay, with a preliminary intimation, followed within seventy-two (72) hours of becoming aware of the breach (or such longer period as the Board allows on written request) by a detailed report.
- The notice to users should describe the nature, extent and timing of the breach, its likely consequences, the mitigation measures taken, and contact information for queries.
Implication
Accountability of Data Fiduciaries is strengthened through the regulatory oversight of the Board.
Rule 8 Time Period after which Specified Purpose is Deemed No Longer Served
- This rule deals with retention and deletion. Once the "specified purpose" of processing is no longer being served, the Data Fiduciary is obliged to erase the personal data, unless retention is required by law.
- For the classes of Data Fiduciaries listed in the Third Schedule (large e-commerce, online gaming and social media platforms, by registered-user thresholds), the purpose is deemed no longer served after three (3) years of inactivity by the Data Principal, and the data must be erased, except data needed to let the Data Principal access her user account or any virtual token issued by the fiduciary that can be used to obtain money, goods or services.
- Data Principals must be informed at least forty-eight (48) hours before their data is erased, so that they can resume use of the service if they wish.
Implication
There are limits on how long data may be held. This protects user privacy by preventing indefinite data retention.
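As an added illustration (not part of the original article), the following Python sketch walks through the Rule 8 erasure timeline: three years from the last time the user approached the fiduciary, a 48-hour notice before erasure, a reset when the user returns, and a legal-hold exception. The Account structure, the sweep function, the state names and the sample dates are assumptions made for the example; the Third Schedule thresholds that decide whether a fiduciary is covered at all are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_YEARS = 3          # Rule 8 / Third Schedule period
NOTICE = timedelta(hours=48)  # notice that must precede erasure


def add_years(when, years):
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


@dataclass
class Account:
    user_id: str
    last_activity: datetime           # last time the user approached the fiduciary
    legal_hold: bool = False          # another law requires retention
    notified_at: Optional[datetime] = None


def erasure_due(acc):
    return add_years(acc.last_activity, INACTIVITY_YEARS)


def decide(acc, now):
    """One of keep / notify / wait / erase for this account at time `now`."""
    due = erasure_due(acc)
    if acc.legal_hold or now < due - NOTICE:
        return "keep"
    if acc.notified_at is None:
        return "notify"                 # the 48-hour notice has not gone out yet
    if now < due or now - acc.notified_at < NOTICE:
        return "wait"                   # notice sent, window still open
    return "erase"


def record_activity(acc, when):
    """The user came back: the three-year clock restarts and any pending notice lapses."""
    acc.last_activity = when
    acc.notified_at = None


def sweep(accounts, now):
    """Apply decide() to each account, recording when notices are sent."""
    decisions = {}
    for acc in accounts:
        action = decide(acc, now)
        if action == "notify":
            acc.notified_at = now
        decisions[acc.user_id] = action
    return decisions


def run_demo():
    """Walk constructed sample accounts through the timeline; returns the decisions."""
    utc = timezone.utc
    dormant = Account("u1", datetime(2022, 1, 10, tzinfo=utc))
    held = Account("u2", datetime(2022, 1, 10, tzinfo=utc), legal_hold=True)
    returning = Account("u3", datetime(2022, 1, 10, tzinfo=utc))
    accounts = [dormant, held, returning]
    timeline = {}
    timeline["day-3"] = sweep(accounts, datetime(2025, 1, 7, tzinfo=utc))
    timeline["day-2"] = sweep(accounts, datetime(2025, 1, 8, tzinfo=utc))
    record_activity(returning, datetime(2025, 1, 8, 12, tzinfo=utc))  # u3 logs in after notice
    timeline["day-1"] = sweep(accounts, datetime(2025, 1, 9, tzinfo=utc))
    timeline["day0"] = sweep(accounts, datetime(2025, 1, 10, tzinfo=utc))
    leap = Account("u4", datetime(2024, 2, 29, tzinfo=utc))
    timeline["leap"] = erasure_due(leap).isoformat()
    return timeline


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(step, result)
```

The sweep never erases on the same run that sends the notice, and a user who returns after the notice drops back to "keep" with a fresh three-year clock, which is the behaviour the 48-hour intimation exists to allow.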
Rule 9 Contact Information for Queries about Processing
- Every Data Fiduciary must publish, on its website or app, the contact details of the Data Protection Officer or, where none is required, of another person able to answer queries about the processing.
- The same point of contact must be included in every notice and other communication issued to Data Principals.
Implication
Users always know whom to approach with data-related queries or concerns, which improves transparency and responsiveness.
Rule 10 Verifiable Consent for Processing of Children's / Disabled Persons' Data
- When processing data of a child under 18 years of age, or a person with a disability who has a legal guardian, the data fiduciary must obtain verifiable consent from the parent or guardian.
- The term 'verifiable' implies that there must be a reliable mechanism to check that the person giving consent is really the guardian.
Implication
This adds a layer of protection for vulnerable groups, including children and persons with disabilities. Platforms will need robust mechanisms, such as age verification and parental-consent flows, to comply.
Rule 11 Verifiable consent for processing of personal data of person with disability who has lawful guardian.
- Before acting on consent from an individual identifying herself as the lawful guardian of a person with a disability, the Data Fiduciary shall observe due diligence to verify that such guardian has been appointed by a court of law, a designated authority or a local-level committee under the law applicable to guardianship.
Implication
The Data Fiduciary must exercise due caution when obtaining consent from a guardian and confirm that the guardian was appointed by a court of law or a designated authority, which here means the authority under section 15 of the Rights of Persons with Disabilities Act, 2016.
Rule 12 Exemptions from certain obligations applicable to processing of personal data of child
- Certain processing is exempt from the stricter rules on children's data. For instance, processing by healthcare and educational institutions, or for the child's safety and monitoring, or to confirm that a user is not a child, may be allowed subject to the conditions in the Fourth Schedule.
Implication
Data Fiduciaries retain flexibility for essential or non-commercial uses, but unregulated processing of children's data remains outside the exemption.
Rule 13 Additional obligations of Significant Data Fiduciary (SDF)
- Entities notified as SDFs (because of the volume and sensitivity of data they process, and the risks involved) have extra duties.
- They must:
- Conduct a Data Protection Impact Assessment (DPIA) once every twelve months.
- Conduct an audit of their data protection practices once every twelve months and report the findings to the Board.
- Verify that the technical measures they deploy, including algorithmic software, are not likely to pose a risk to the rights of Data Principals.
Implication
Larger organisations come under stronger oversight. This also provides a handle for regulating algorithmic and Artificial Intelligence (AI) based processing.
Rule 14 Rights of Data Principals
- This rule requires Data Fiduciaries and Consent Managers to publish the means by which Data Principals can exercise their rights, and to state the period within which such requests will be acted upon.
- Rights include access, correction, deletion, and nomination of someone (digital nominee) to act on their behalf.
Implication
Individuals gain practical control over their data and are made aware of the rights they hold in respect of it.
Rule 15 Transfer of personal data outside the territory of India.
- Data can be transferred outside India, but subject to conditions laid down by the Central Government.
- For Significant Data Fiduciaries, specified personal data and the related traffic data may be barred from transfer abroad, based on a list notified by the Central Government.
Implication
Cross-border data flows are allowed, but the Government retains control over them and can restrict the flow of specified personal data and traffic data out of India. Entities must conform to the notified conditions.
Rule 16 Exemption from Act for research, archiving or statistical purposes.
- The provisions of the Act do not apply to the processing of personal data necessary for research, archiving or statistical purposes, provided it is carried out in accordance with the standards specified in the Second Schedule.
Rule 17–21 Data Protection Board
- The Central Government shall constitute a Search-cum-Selection Committee to recommend individuals for appointment as Chairperson of the Data Protection Board. It is chaired by the Cabinet Secretary and includes the Secretaries of the Department of Legal Affairs and of the Ministry of Electronics and Information Technology, Government of India, along with two experts of repute having special knowledge or practical experience in a field the Central Government considers useful to the Board.
- The Board shall function as a digital office. Without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, it may adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual.
- The terms and conditions of service of officers and employees of the Board shall be such as are specified in Sixth Schedule.
Implication
The regulatory mechanism is designed to be modern and digital, making it easier for individuals to approach the Board without physical hurdles.
Rule 22 Appeal to the Appellate Tribunal
- Appeals against order(s) and/or direction(s) of the Data Protection Board lie to the Appellate Tribunal. The fee is the same as for appeals under the Telecom Regulatory Authority of India Act, 1997, and is payable digitally through the Unified Payments Interface (UPI) or another payment system authorised by the Reserve Bank of India.
- The Appellate Tribunal shall:
- not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure.
- function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual.
Implication
Aggrieved persons have a remedy of appeal against the orders of the Data Protection Board.
Rule 23 Calling for information from Data Fiduciary or intermediary
- The Central Government may require a Data Fiduciary or intermediary to furnish the information specified in the Seventh Schedule, within a given time frame.
- Where disclosure is likely to affect the sovereignty and integrity of India or the security of the State, the Central Government may require the Data Fiduciary or intermediary not to reveal that such information was furnished to the affected Data Principal or any other person, except with the prior written permission of the authorised person.
- The term “intermediary” shall carry the same meaning as assigned to it in the Information Technology Act, 2000.
Implication
The Government can call for information from Data Fiduciaries and intermediaries and, on security grounds, bar them from disclosing the request to the affected Data Principal.
Key Takeaways of the DPDP Rules, 2025
- Consent Framework: Personal data collection requires clear and transparent consent, specifying the purpose and allowing individuals to withdraw consent at any time.
- Consent Managers: The rules introduce registered entities tasked with managing, recording, and facilitating the revocation of user consent across digital services.
- Data Security and Breach Notification: Organisations must implement robust technical and organisational safeguards, with any personal data breach reported to the Data Protection Board without delay and in detail within 72 hours of becoming aware of it.
- Rights of Data Principals: Individuals are granted rights to access, correct, and delete their personal data, and may nominate a representative to exercise these rights on their behalf.
- Enhanced Oversight: Organisations classified as Significant Data Fiduciaries are subject to periodic audits and Data Protection Impact Assessments (DPIAs), while certain exemptions apply to the State and to research and essential-service processing.
- Regulatory and Appellate Mechanism: The Data Protection Board oversees compliance, investigates complaints, and enforces the rules, while appeals against its decisions lie before the Appellate Tribunal.
Author is an Advocate, practising at Supreme Court of India and High Court of Jammu & Kashmir and Ladakh.
Views Are Personal.