New Delhi. Indian citizens will now get security from unwanted calls, spam messages and unauthorized data access. If a person’s phone number is leaked without his permission, then investigation and then action can be taken against those who do so. Actually, the Government of India has officially notified the Digital Personal Data Protection Rules 2025 (DPDP Rules 2025) on 14 November. The purpose of these new rules is to give Indian citizens control over their online privacy and personal data. The government clarified that these rules have been made under Sections 40(1) and 40(2) of the Digital Personal Data Protection Act, 2023.
The notification said, “Now the Central Government makes the following rules, which will be called the Digital Personal Data Protection Rules, 2025.” These rules will be fully implemented within 12 to 18 months. Some provisions will come into effect immediately, while others will be implemented in a phased manner.
Many important points have been included in the new rules. Now, before taking any person’s data, any organization will have to explain why and for what purpose the data is being taken. This information should be given in simple and clear language, so that any person can easily understand. Also, appointment of a Consent Manager has been made mandatory, who will ensure that the rules are followed properly.
Data will have to be kept safe at all costs
To keep data secure, organizations must adopt encryption, firewalls and other security measures. If for any reason data is leaked, the affected person will be informed immediately and in clear words. The message will explain when and how the data was leaked, what is its impact and what further steps are being taken.
According to the rules, no organization can keep the data for more than one year, unless it is required for some legal reason. If the data deletion process is initiated, the user must be informed 48 hours in advance. In addition, each entity handling data must make public the contact details of the person who is responsible for responding to questions related to the data.
Special provisions have been made for data of children (under 18 years of age) and persons with disabilities. Children’s data can be processed only when the consent of the parent or guardian is obtained. Similarly, processing data of a person with a disability would require the permission of the legal guardian.
Data Protection Board will be formed, will get power to punish
The government has announced the formation of a Data Protection Board under these rules. This board will decide the penalty according to the nature of data breach. A maximum fine of up to Rs 250 per violation can be imposed on any data fiduciary (data handling institution). Keeping small businesses in mind, the penalty system has been made tiered, so that there is no unnecessary burden on them.
The Supreme Court had said an important thing in 2017
The roots of this law are linked to a historic decision of the Supreme Court in 2017, in which the court had said that the right to privacy is a fundamental right under the Constitution of India. After this, in 2023, the government issued the Digital Personal Data Protection Act, in which citizens were given the right to keep their data safe. However, the government also ensured that this does not affect the information on government documents or identity cards.
Some relaxations have also been given in the new rules. If a matter involves a legal investigation, court order, investigation or prevention of crime, the government or the concerned entity can access some data. Apart from this, some startups may be allowed to process data for government-run schemes, research or innovation.
