The Ministry of Electronics and Information Technology on Thursday notified the Digital Personal Data Protection Rules, 2025, bringing into effect the Digital Personal Data Protection Act passed in 2023.
The Rules outline how personal data is to be collected, processed and protected by both the state and private entities.
With the notification, the provision that amends the Right to Information Act – to bar the disclosure of personal information about public officials even when such disclosure may serve a larger public interest – also came into effect.
Critics have described this change as a serious threat to the principles of transparency and accountability that the Right to Information Act was designed to uphold.
Section 44(3) of the 2023 Digital Personal Data Protection Act imposed a blanket ban on the disclosure of personal information. It does not define what constitutes “personal information”.
Section 8(1)(j) states: “Information which relates to personal information and the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information”.
What the Rules say
The Rules clarify how organisations processing personal data should handle it, notify individuals of breaches of their data and ensure consent for data collection.
These organisations, which the act calls data fiduciaries, must provide clear notices to users that are easy to understand, explaining why they are collecting data and how it will be used. These notices must explain the types of data being collected. Moreover, for users, withdrawing consent for their data to be used should be as simple as granting it.
When handling children’s data, most organisations must get permission from a parent or guardian. The identity of the parents can be confirmed using official identity documents.
If personal data is leaked or accessed without permission, organisations must quickly inform both the users affected and the Data Protection Board about the incident. A detailed report must follow within 72 hours.
The rules require organisations to follow basic security practices such as encryption, data masking (hiding sensitive information) and regular checks or audits for misuse. They must also keep records of who accesses the data for at least one year.
Large organisations, classified as “significant data fiduciaries”, have additional obligations. They must conduct annual audits, data protection impact assessments and ensure that their algorithms do not pose risks to users.
E-commerce platforms, online gaming companies and social media firms with large Indian user bases must store user data for three years.
The Data Protection Board will oversee rule enforcement and grievance redressal under the act. While the rules for appointing and operating the board will take effect immediately, other compliance requirements will be implemented gradually.