Dawn of India's new privacy era


Contributors:
Anand Krishnan
CIPP/E, CIPM, FIP
Manager- Policy
Data Security Council of India
Shivangi Nadkarni
Senior Vice President and General Manager, Digital Governance
Persistent Systems
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Following close to eight years of intense deliberation, India's government has operationalized a Personal Data Protection Framework specifically designed to meet the needs of residents and businesses alike. With the Ministry of Electronics and Information Technology's 13 Nov. official notification of the Digital Personal Data Protection Rules, 2025, India's Digital Personal Data Protection Act has come into effect.
Though the DPDPA passed 11 Aug. 2023, it was not operational until the notification of the rules, because the timelines specifying its applicability were left to be set out in the rules. Thus, the notification of the rules was critical to the DPDPA taking effect.
Alongside the rules, the government issued notifications to bring key provisions of the act into force and set out phased implementation timelines over the next 18 months. Minister of Electronics and Information Technology Ashwini Vaishnaw has stated an intent to seek an amendment that would shorten the compliance transition period.
The final rules are more or less similar to the draft released for consultation earlier in the year, though a few changes have been made in certain provisions.
The final rules include an additional requirement to clearly mention the specified purpose(s) of personal data processing. With respect to data retention provisions, a new one-year minimum retention requirement is imposed on data fiduciaries. This inclusion primarily aims to facilitate responses to state agency requests related to national security, investigations and the determination of significant data fiduciary status.
The rules also include a purpose-based exemption regarding children's data processing. This exemption is narrowly defined to cover only health- and safety-specific purposes.