New Delhi, Nov 14: The government on Friday notified the Digital Personal Data Protection (DPDP) Rules 2025, setting out phased implementation over the next 12-18 months. The rules aim to empower citizens to control their personal data, protect privacy online, and curb misuse such as spam calls and unauthorized access to digital content.
Some provisions will come into effect immediately, while others—including registration and obligations of consent managers, notices from data fiduciaries, and major norms on personal data processing—will be implemented gradually.
The rules also establish a Data Protection Board, empowered to levy penalties based on breaches as outlined in the DPDP Act 2023, with fines of up to ₹250 per breach and a graded system to safeguard small businesses.
Citizens will be able to seek recourse if their personal information, such as phone numbers, is leaked without consent. The rules also require individuals to provide verifiable information for data correction or deletion and prohibit filing false or frivolous complaints.
Exemptions apply for enforcing legal rights, court orders, investigation of offences, overseas individuals, foreign entities, and certain data fiduciaries like start-ups implementing government schemes or research initiatives.
The notification follows eight years after the Supreme Court declared the Right to Privacy a Fundamental Right in August 2017, aligning with constitutional safeguards while providing a structured framework for digital data protection. (Agencies)
