Overview
- The Digital Personal Data Protection Rules, 2025 were notified on November 17 with a phased rollout: consent-manager provisions in roughly 12 months and core obligations like consent notices, safeguards, user rights and breach notifications in about 18 months.
- IT Minister Ashwini Vaishnaw said the government is consulting industry to compress the 18‑month compliance window and indicated amendments could follow after the Data Protection Board is constituted.
- With the notification, provisions establishing the Data Protection Board take effect now, enabling enforcement, complaint handling and inquiries under the DPDP framework.
- The Rules outline criteria to designate “significant data fiduciaries” and task a government committee with defining cross‑border restrictions, with major global tech firms widely expected to fall under this category.
- Breach rules require notifying affected individuals without delay, with experts interpreting rapid reports to CERT‑IN within six hours and to the Board within about 22 hours, and penalties can reach up to Rs 250 crore per contravention; companies are preparing for higher compliance costs and new parental‑consent mechanisms for children’s data.