The Ministry of Electronics and Information Technology (MeitY) has released the Digital Personal Data Protection Rules, 2025, which comes two years after the release of the Digital Personal Data Protection Act, 2023, bringing clarity and certainty to privacy laws in India.
The provisions in newly released rules will be implemented on different dates.
Rules 1, 2 and 17 to 21 will be enforced immediately, while rule 4 will be implemented next year and rules 3, 5 to 16 and 22 to 23 will be implemented after 18 months.
Rules 17 to 21 deal with the functioning of the search-cum-selection committee. Rule 4 deals with a consent manager’s registration and obligations. Rule 3 is about a data fiduciary’s notice to a data principal, rules 5 to 16 are about data processing, consent of children and people with a disability, significant data fiduciary obligations, and other matters. Rule 22 covers appeals to the appellate tribunal and rule 23 is about the central government seeking information from data fiduciaries.
The MeitY has also notified the establishment of the data protection board with its main office in the capital with four members.
Discussion over delayed implementation of these rules raised uncertainty in the privacy landscape in India and the affect on businesses. India Business Law Journal had also covered this issue.
Implementation of various provisions in the act has also been notified.
