Overview
- The government has notified the Digital Personal Data Protection Rules 2025, putting the first tranche into effect and operationalising the 2023 data law.
- A four-member Data Protection Board headquartered in the National Capital Region is established with defined appointment procedures and powers.
- The framework requires verifiable consent with withdrawal rights, mandates a minimum one-year retention of personal data, traffic data and logs, and obliges a 48-hour prior notice before erasure.
- Data fiduciaries must inform users of breaches without undue delay and report incidents to the Board within 72 hours, with penalties reported up to Rs 50 crore for rights violations and Rs 250 crore for security failures.
- Implementation is staged: registration and Consent Manager functions begin in November 2026 and remaining compliance obligations take effect in May 2027, as civil-society groups warn of broad state-access and secrecy provisions.