Overview
- The Ministry of Electronics and Information Technology has notified the DPDP Rules 2025 and brought large parts of the 2023 data protection law into effect through official orders.
- Certain obligations for data fiduciaries, including publishing a designated Data Protection Officer’s details, are deferred until November 2026, when the Consent Manager framework also starts.
- Large technology firms come under the law’s full force by May 2027, and a separate notification fixes the Data Protection Board of India at four members, with appointments yet to be made.
- The rules require verifiable parental consent before processing children’s personal data and mandate annual impact assessments and audits for Significant Data Fiduciaries.
- Personal data transfers outside India are permitted subject to conditions the Centre may specify, while transparency advocates say the law’s RTI change in force from November 14 weakens access to personal information.