The Union government noticed large parts of the Digital Personal Data Protection (DPDP) Act, 2023 on Friday, addressing the need for a law to protect the data privacy of Indian citizens. The DPDP Rules, 2025 are also a significant step forward in compliance with the Supreme Court’s 2017 K.S. Puttaswamy v.s Union of India judgment affirming the right to privacy. The law, passed in Au- gust 2023 in Parliament, requires firms to safe- guard the digital data of Indian citizens, with ex- emptions for the “State and its instrumentalities”.
About Digital data protection law
The Government of India has notified the Digital Personal Data Protection (DPDP) Rules, 2025, marking the full operationalisation of the DPDP Act, 2023. Together, the Act and Rules create a simple, citizen-focused and innovation-friendly framework for the responsible use of digital personal data.
Enacted by Parliament on 11 August 2023, the DPDP Act establishes a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals). It follows the SARAL design —Simple, Accessible, Rational and Actionable—using plain language and illustrations to support ease of understanding and compliance.
The Act is guided by seven core principles including consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
Inclusive and Consultative Rule-Making
Phased and Practical Implementation
Clear Protocols for Personal Data Breach Notification
Safeguards for Children and Persons with Disabilities
Transparency and Accountability Measures
Strengthening Rights of Data Principals
Digital-First Data Protection Board
It may take until May 2027 for large tech firms to be subject to the full force of the Act, which also provides for the constitution of the Data Protection Board of India (DPBI) by the Centre.
There were a total of four on Friday — sets the number of members in the DPBI at four. The board can hold inquiries in response to complaints and impose penalties in case of data breaches. The board’s members, who have not yet been chosen, will be appointed by the Ministry of Electronics and Information Technology (MeitY).
“On international data transfers, Nasscom- DSCI recognises the importance of developing mechanisms that support interoperability and facilitate co-operation with India’s key trading partners,” Nasscom said.
The Rules “provides statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data,” the IFF said.
IAS-2026 - OPTIONAL / GEOGRAPHY / PUBLIC ADMINISTRATION / SOCIOLOGY / ANTHROPOLOGY / ORIENTATION ON 03 & 04-10-2025 
