Data Privacy in Digital India Deconstructing the Draft Dpdp Rules, 2025

The Digital Personal Data Protection Act, 2023 marked a transformative moment for India’s data protection landscape, establishing a robust framework for privacy governance, clear compliance obligations, and well-defined rights for individuals. Taking a pivotal step forward, the Ministry of Electronics and Information Technology (MeitY) grabbed the attention of 1.43 billion people in India and the global regulators on January 3, 2025, by unveiling the draft DPDP rules for public consultation, marking a significant moment in India’s data protection journey.

The Act focused primarily on digital personal data of Indian residents and aimed to provide them with greater transparency and control on how their personal data is being used. The act in line with other global data protection regulation talks notice requirements, consent, and rights of data principals. In addition, it also outlined the obligations of data fiduciaries, data principal and data processors, and penalties in case of non-compliance for both the fiduciary and the principal. Now, in 2025, the draft DPDP rules has provided us the next step of the evolving privacy framework, which further list down the operational elements and compliance requirements for the data protection regulation in India. The Act broadly outlined the ‘what’ and ‘why’ of data privacy, the draft rules now serve as an enabler, addressing the ‘how’—providing much- needed clarity on compliance measures for Data Fiduciaries and the privacy expectations of Data Principals.

Additionally, organisations expressed concerns regarding crossborder data transfers, data breaches, and the lack of sector-specific clarity in the Act.

This paper will focus on how the recently released rules have addressed several concerns of the organisations which were also highlighted in the CII-Protiviti State of Data Privacy In India Survey Report, 2024. Let’s delve into the details of the Rules, examining what has been made clear and what still requires further clarity, helping organisations navigate this evolving regulatory landscape with confidence.