The Government of India passed the Digital Personal Data Protection Act, 2023 (“DPDP Act, 2023”) on 11th August 2023. This followed six years of policy making, starting when the Central Government constituted the BN Srikrishna Committee in 2017, which drafted the first Draft Personal Data Protection Bill, 2018. In January 2025, the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) were released for public consultation. After considering objections and suggestions, the Central Government notified the final version of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”). Eight years after the Supreme Court’s judgment in (Retd) Justice K.S. Puttaswamy and Anr. vs Union Of India and Ors., the Ministry of Electronics and Information Technology has notified the DPDP Rules to initiate the implementation of India’s first comprehensive data protection regime.
In this piece, we compare the notified version of the DPDP Rules, 2025 with their draft predecessor, to provide key observations on the modifications or revisions made after the public consultation process.
Rule 1 – Short title and commencement
The DPDP Rules specify a timeline for implementation of various sections of the DPDP Act –
- Provisions relating to definitions of various terminologies within the Act, the Data Protection Board of India (“DPBI”) and Miscellaneous section (including the amendment to exemptions under the Right to Information Act, 2005) shall come into force from November 14th, 2025.
- Provisions relating to registration of Consent Managers and the Powers and Functions of the DPBI will come into force in a year from today.
- The rest of the provisions will come into force eighteen months from today.
As of 14th November, 2025, the Rules pertaining to the functioning of the Data Protection Board have entered into force. Rules pertaining to Consent Managers will enter into force a year later, in November 2026. After 18 months, in May 2027, the remainder of the Rules, pertaining to the operational elements of the DPDP Act, will enter into force.
Rule 2 – Definitions
The definitional clause, Rule 2, was limited to defining the “Act” referred to in the Draft Rules. The notified Rules now clarify the use of the terms “techno-legal measures”, “user account”, and “verifiable consent,” and add a new sub-rule (2).
Sub-rule (1) states that “techno-legal measures” are those measures referred to in Rules 20 and 22, “verifiable consent” means consent specified in Rule 10 or 11, and “user account” is the online account registered by the Data Principal with the Data Fiduciary by means of which the services of the Data Fiduciary are accessed by the Data Principal. Profiles, pages, handles, email addresses, mobile numbers, and other similar presences are included within the purview of “user account.”
Sub-rule (2), also newly introduced, further states that where any words or expressions are used in the DPDP Rules but are defined only in the DPDP Act, 2023 and not in the Rules, they shall carry the meanings assigned to them in the Act.
Rule 3 – Notice to be given by a Data Fiduciary to a Data Principal
Data Fiduciaries are now required to provide a specific (instead of an itemised) description of the goods or services that will be provided or the uses that will be enabled by the processing of personal data.
Rule 4 – Registration and obligations of Consent Manager
No substantive changes.
Rule 5 – Processing of personal data for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities
No substantive changes.
Rule 6 – Reasonable Security Safeguards
The DPDP Rules make a small change in sub-rules (1)(a) and (1)(d), which illustrate the appropriate data security measures and the measures for continued processing in the event of data being compromised, respectively. Where the Draft Rules used the term “includes” to illustrate these measures, this has been changed to the term “such as” in the DPDP Rules.
Further, the term “wherever applicable” has been added to sub-rules (1)(b) and (1)(f), which describe the requirements for appropriate measures to control access to computer resources used, and appropriate provision in the contract for taking reasonable security safeguards. The rest of the provision remains unchanged.
Rule 7 – Intimation of personal data breach
No substantive changes.
Rule 8 – Time period for specified purpose to be deemed as no longer being served
Rule 8(3) introduces a legal mandate for Data Fiduciaries to retain personal data, associated traffic data and other logs of the processing for a minimum period of one year, for the purposes established under the Seventh Schedule of the Rules.
Rule 9 – Contact information of person to answer questions about processing
No substantive changes.
Rule 10 – Verifiable consent for processing of personal data of child
Compared to the Draft Rules, Rule 10 introduces a clearer requirement that the consenting parent must be an “identifiable adult” and specifies that such identification may occur through self-declaration by the parent and child, or through virtual tokens issued by an authorised entity. However, there is still no clarity on how Data Fiduciaries will confirm the parent-child relationship between the said adult and child. It remains unclear to Data Fiduciaries when a self-declaration is considered sufficient and when they have to rely on virtual tokens to map identity and age.
Rule 11 – Verifiable consent for processing of personal data of a person with disability who has a lawful guardian.
A separate rule, distinct from the one for children, has been included for processing personal data of persons with disabilities. There are no substantive changes to the obligations themselves, except that the definition of “persons with disability” has been updated so that a person will be considered a person with disability only if they are unable to take legally binding decisions despite adequate support. The provision that restricts access to harmful content is also broadened to cover information, services, and advertisements, from just information.
Rule 12 – Exemptions from certain obligations applicable to processing of personal data of child
Rule 12 remains unchanged, but the corresponding Fourth Schedule has some substantive changes. A new permitted purpose, “determination of real time location of a child” in the interest of her safety, has been added, expanding the scope of location tracking beyond the earlier, more limited context of school-related transport. This change potentially expands the circumstances under which children’s geolocation data may be collected and processed. In the notes section, the definition of “advertisement” has been added and aligned to the Consumer Protection Act, and the scope of “clinical establishments” has been narrowed.
Rule 13 – Additional obligations of Significant Data Fiduciaries
An additional obligation has been imposed on Significant Data Fiduciaries to ensure that certain specified personal data is not transferred outside the territory of India. A committee will be constituted by the Central Government to recommend the kinds of personal data that cannot be transferred.
The DPDP Rules add a definition for this “committee”. This committee will include officials from the Ministry of Electronics and Technology and may include officials from other Ministries or Departments of the Central Government.
Rule 14 – Rights of Data Principals
In relation to Rights of Data Principals, Data Fiduciaries will have to prominently publish (on their website, application or both) the details of the means through which Data Principals can exercise their rights, such as access to personal data, grievance redressal, erasure etc. This is similar to the language used in Rule 3(2) of the IT Rules 2021, which obligates intermediaries to provide a grievance redressal mechanism. Additionally, Rule 14(3) has been revised to include a timeline for Data Fiduciaries to respond to any grievances within a time period that does not exceed 90 days.
Rule 15 – Transfer of personal data outside the territory of India
Rule 15 has been reworded to provide an affirmation of transfer, rather than a restriction on transfer.
The Draft Rules specified that the transfer of personal data processed within India or outside India in connection with activities related to offering goods and services to Data Principals in India, to any country outside India would be subject to certain prescribed restrictions.
The DPDP Rules do away with the distinction between personal data processed within and outside India, and state that any personal data processed under the Act can be transferred outside India subject to certain restrictions which will be notified.
Rule 16 – Exemption from Act for research, archiving or statistical purposes.
No substantive changes.
Rule 17 – Appointment of Chairperson and other Members
There is no change to the appointment procedure, except in sub-rule (4), which states that no act or proceeding of the Search-cum-Selection Committee shall be called into question merely on the ground of existence of any vacancy or absences in the committee or defect in its constitution. The Draft Rules had extended this immunity only towards the Committee appointing the Chairperson. Under the DPDP Rules, this now includes the Search-cum-Selection Committees appointing the Chairperson, as well as the other Members.
The related Fifth Schedule, which details the terms and conditions of service of the Chairperson and other Members, remains unchanged from the Draft Rules.
Rule 18 – Salary, allowances and other terms and conditions of service of Chairperson and other Members.
No substantive changes.
Rule 19 – Procedure for meetings of Board and authentication of its orders, directions and instruments.
No substantive changes.
Rule 20 – Functioning of Board as digital office.
No substantive changes.
Rule 21 – Terms and conditions of appointment and service of officers and employees of Board.
The DPDP Rules remove the requirement of the Draft Rules that the appointment of officers and employees of the Board should be done “in such manner as the Central Government may by general or special order specify.” Under the DPDP Rules sub-rule (1), the only requirement is that the Central Government must previously approve of the appointment.
The related Sixth Schedule, which details the terms and conditions of service of these officers and employees, remains unchanged from the Draft Rules.
Rule 22 – Appeal to Appellate Tribunal
Within sub-clause 1 of Rule 22, the words “on its website” are replaced with “may decide”, creating procedural ambiguity in relation to filing appeals with the Appellate Tribunal under the DPDP Act, 2023.
Rule 23 – Calling for information from Data Fiduciary or intermediary
The DPDP Rules add a clarification and state that an intermediary is defined as under the IT Act, 2000. Further, the Draft Rules mentioned that the provision of information would be to fulfill obligations under Section 26 of the DPDP Act. This clause has been removed from the notified version of Rule 23. The Seventh Schedule has no changes either.
