India Activates Digital Privacy Law



The government on Friday notified the administrative rules under the Digital Personal Data Protection (DPDP) Act, marking India’s entry into a select group of countries with a federal digital personal data privacy regime.

Industry and legal experts welcomed the detailed rules, as India’s digital ecosystem finally has a clear framework for handling data.

The new rules allow for a staggered implementation road map, giving companies, data fiduciaries, data principals, and other stakeholders up to 18 months to comply with the administrative guidelines under the DPDP Act.

By comparison, consent managers will have up to 12 months to register to act on behalf of users.

The notification of the DPDP Rules also marks the operationalisation of India’s privacy law, nearly 14 years after it was first envisioned.

Under the new rules, the ministry of electronics and information technology (MeitY) has mandated that all data fiduciaries must seek specific and informed consent of data principals in ‘clear and plain language’.

The consent sought will include a detailed and itemised description of the personal data to be processed, along with the specific purpose for which the data fiduciary is collecting it.

Though the government has allowed cross-border transfer of personal data processed by data fiduciaries operating in India, it has specified that such platforms and companies must comply with requirements set by the central government from time to time, particularly if such data is being made available to any foreign state or an entity under that state’s control.

This was a contentious issue for several big tech firms that were not in favour of data localisation.

“This is reflective of the geopolitical environment and concerns around India’s tech sovereignty. Global companies are likely to push back against any localisation mandates that create operational difficulties,” said Aparajita Bharti, founding partner at public policy advocacy body The Quantum Hub.

All companies, social media platforms, and Internet intermediaries that handle users’ digital personal data will fall under the category of data fiduciaries.

Users whose personal data is processed by these entities will be referred to as data principals.

Such data fiduciaries must also allow users to easily withdraw their consent at any time, exercise other rights mentioned in the Act, and file complaints with the Data Protection Board (DPB).

“Organisations may need to reassess their consent frameworks to ensure that consent is specific, informed, and clearly distinguishable from standard terms of use that users typically auto-accept,” said Harsh Walia, partner at law firm Khaitan & Co.

The new rules give Internet and social media intermediaries, as well as all other companies dealing with users’ digital data, up to 18 months to put in place systems that comply with the Act and its administrative rules.

Companies seeking to act as consent managers must register with the DPB within 12 months, according to the rules.

“This deliberate temporal staging enables organisations to undertake impact assessments, restructure data flows, recalibrate vendor governance, and align audit frameworks in a coherent and legally robust manner,” said Goldie Dhama, partner at Deloitte.

Companies handling personal data must make reasonable efforts to protect it, whether through encryption, obfuscation, masking, or the use of virtual tokens mapped to the personal data.

To prevent unauthorised access, data fiduciaries must implement systems capable of detecting such access.

In the event of unauthorised access, companies must investigate its cause and document the measures taken to prevent recurrence.

Companies must retain such logs and personal data for at least one year, unless required by law to keep them for an extended period.

In the event of a breach, data fiduciaries will be required to notify all users affected, as well as the DPB, within 72 hours of becoming aware of the violation.

The data fiduciary must inform users of the nature and extent of the breach, when it occurred, its consequences, the mitigation measures being implemented, and any safety steps that users should take.

The DPB must also be notified of the circumstances leading to the breach, the individuals responsible, and the remedial measures undertaken to prevent recurrence.

Ecommerce companies and social media intermediaries with more than 20 million registered users in India, as well as online gaming companies with more than 5 million registered users, must delete users’ personal data if they remain inactive for three consecutive years, according to the new rules.

Before deleting such personal data, these intermediaries must give users a 48-hour notice, informing them that the data will be deleted unless they log in to the platform within this period.

Significant data fiduciaries, or platforms with more than 5 million registered users in India, will be required to undertake an annual audit and a Data Protection Impact Assessment to ensure continued compliance with the DPDP Act.

These platforms will also be required to verify annually that their technical measures, including algorithms and software, are not “likely to pose a risk” to users’ rights.

A new era begins

  • 2011: Group of experts on digital privacy law formed; report submitted in 2012
  • 2017: IT ministry forms panel; report submitted in 2018
  • 2019: Personal Data Protection Bill tabled, referred to joint committee
  • 2021: Joint panel submits report, suggests 98 changes
  • 2022: Bill withdrawn, fresh consultations proposed
  • 2023: Digital Personal Data Protection Bill tabled, gets Parliament nod
  • 2025: Govt introduces draft rules in Jan, releases final rules in November

Feature Presentation: Ashish Narsale/Rediff


