Decoding India's draft DPDPA rules for the world

India's Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection (Act) Rules, 2025 for public consultation until 18 Feb. This marks a significant milestone in the evolving data protection landscape of the world's largest democracy. The rules complement the Digital Personal Data Protection Act, 2023 and explain how its provisions should be operationalized. The draft rules were published along with an explanatory note clarifying some of its aspects.

The clock is ticking

The draft rules outline the implementation timeline for India's new data protection regime, beginning with the establishment of the Data Protection Board of India as the enforcement authority established under the DPDPA. The board's constitution will take effect immediately upon the official notification of the rules in the Official Gazette, following the conclusion of the public consultation period. However, the dates on when the rules would be final remains unclear. The remaining provisions of the rules will be implemented on such dates that are specified in the final version. News reports suggest the government seeks to allow businesses about two-year timeframe to implement this law.

Admittedly, precise timeframes for notifying substantive provisions under the rules may have enhanced regulatory certainty. However, a two-year transition period provides businesses, particularly small and medium enterprises, in India's culturally diverse digital economy a valuable opportunity to prepare and come up to speed with this quantum leap in India's data protection landscape.

Notice as a granular and independent document