Publication 21 Nov 2025 · India

DPDP Rules: An Attempt to Bring Order to the Chaos

1. INTRODUCTION

After a long wait, the overhaul of India’s dated data protection framework has finally been set in motion. On November 13, 2025, the Ministry of Electronics and Information Technology (“MeitY”) issued the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), which are intended to operationalise the Digital Personal Data Protection Act, 2023 (“DPDP Act”)1 (hereafter collectively referred to as the “DPDP Framework”). The MeitY also issued notifications setting out the enforcement and implementation timelines for the DPDP Act (“Implementation Timelines Notification”) and the establishment of the Data Protection Board (“DPB”), which will be headquartered in the National Capital Region of India (“DPB Notification”).2

With the issuance of the DPDP Rules (which remain largely similar to the draft version of the rules published for stakeholder feedback earlier this year),3 both entities and individuals now have a clear road map for the implementation of the DPDP Framework.

2. EVOLUTION OF THE DATA PROTECTION FRAMEWORK

Before 2023, India lacked a comprehensive data protection law which could meaningfully respect privacy and protect all personal data. Instead, for years, reliance was placed on Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which were focused on ‘sensitive personal data or information’ (“IT Framework”), with the IT Act providing very limited protection to personal data in general.4

It was only in 2017, in Justice K.S. Puttaswamy v. Union of India (“Puttaswamy Judgement”), that a nine-judge Supreme Court bench recognised the right to privacy as an intrinsic part of the fundamental right to life and personal liberty,5 which could be available to citizens and non-citizens alike. The Supreme Court did recommend a robust data privacy framework to be set up by the Central Government,6 which ultimately culminated in the finalisation and passing of the DPDP Act. The DPDP Act received Presidential assent and was notified on August 11, 2023, in the Indian Gazette. It is intended to supersede the long-standing IT Framework, once in full force and effect.7  

The enforcement / operationalisation of several provisions remained contingent on the finalisation of the delegated legislation in the form of the DPDP Rules which the MeitY has now published along with the Implementation Timelines Notification and the DPB Notification.8  

3. KEY HIGHLIGHTS 

Applicability Timelines

The provisions of the DPDP Rules shall also come into force in the same phased manner and in line with the coming into force of the relevant sections in the DPDP Act. We have set out the phased implementation roadmap below: 

Phase | Effective Date | Key Provisions Taking Effect
Phase 1 | November 13, 2025 | Definitions; establishment and composition of the DPB; and rule-making powers of the Central Government
Phase 2 | November 13, 2026 | Registration of consent managers; and DPB’s powers of investigating non-compliance with registration requirements by consent managers
Phase 3 | May 13, 2027 | Remainder of the provisions: notice; request for consent; rights and duties of data principals; and powers of the DPB to impose penalties

  1. Phase 1: Effective immediately from November 13, 2025: As part of the first phase, the provisions pertaining to the definitions and those related to the establishment of the DPB, along with certain procedural aspects, come into effect immediately from November 13, 2025.9 It is critical to note that for the time being, the existing IT Framework will continue to serve as India’s primary data protection legislation.

  2. Phase 2: Effective from November 13, 2026: As part of the second phase, the provisions related to registration of consent managers and the powers of the DPB to inquire and impose penalties for breach of such registration conditions by the consent managers shall come into effect from November 13, 2026.10 During this phase as well, the IT Framework will continue to be India’s primary data protection legislation, instead of the DPDP Framework. The DPB, during this phase, will be able to inquire into breach of registration requirements of consent managers. However, the DPB can impose penalties under the DPDP Framework only once the next phase is in effect, as Section 33, which grants the DPB this power, will take effect only in Phase 3.

  3. Phase 3: Effective from May 13, 2027: As part of the third and final phase, all other provisions, which include the substantive parts of the DPDP Framework (such as the requirement for notice, consent, obligations of the data fiduciary, rights and duties of data principals, additional obligations of significant data fiduciaries, etc.), shall come into effect from May 13, 2027.11 Only upon the third phase coming into effect will the DPDP Framework as a whole come into force as the primary data protection legislation in India, finally superseding the IT Framework. The DPB will then be equipped to decide on any complaints relating to non-compliance with the DPDP Framework.

Key Implications

While MeitY has given a timeframe of one and a half years for entities to align their internal practices, policies and processes to the DPDP Framework, it is recommended that businesses commence such processes sooner rather than later, to ensure smooth, easy, cost-efficient and timely implementation.  

Additionally, given the stringent penalties prescribed under the DPDP Act for non-compliance,12 it is all the more incumbent on entities to have such processes in place.13

Data localisation requirements for significant data fiduciaries 

Complete data localisation obligations for India remain restricted to significant data fiduciaries (“SDFs”). In this regard, the DPDP Rules prescribe that the Central Government will constitute a committee that would be empowered to determine data localisation restrictions applicable to SDFs. Such committee will include members of the MeitY and other officials from different ministries and departments of the Central Government.14

However, there are no prescribed metrics based on which these committee members will be selected (or even the different ministries and departments from which ‘other officials’ will be selected) or the basis on which they will issue recommendations.  

Key Implications

Having visibility into the constitution of this committee is important because the recommendations made by such committee may have serious ramifications for SDFs, specifically if the SDFs include major global conglomerates which may end up being bound by strict data localisation norms, which could in turn significantly impact their business and growth both globally and in India.

Until this clarity comes through well in advance, businesses that may qualify as SDFs may not be able to effectively plan their operations, which could have an associated impact on meeting compliance timelines as well. 

Specific data retention requirements applicable to all data fiduciaries 

The DPDP Rules have prescribed a minimum 1 (one) year retention timeline which is applicable to all data fiduciaries - requiring them to mandatorily retain personal data, associated traffic data and other logs of processing of such personal data for a period of 1 (one) year from such processing, for specific purposes that have been prescribed in the DPDP Rules.15  

These purposes are: (i) usage by the State and its instrumentalities in the interest of the sovereignty and integrity of India or security of the State; (ii) usage by the State and its instrumentalities for performance of functions under applicable laws, or for disclosure of information for fulfilling obligations under applicable law; and (iii) assessing whether a data fiduciary or class of data fiduciaries needs to be notified as an SDF.16 Upon expiry of this period, data fiduciaries are required to delete the data, unless further retention is required for compliance with other applicable laws.

Key Implications

The minimum retention period of 1 (one) year is notwithstanding the completion / fulfilment of specified purpose(s) for which personal data was originally collected or even withdrawal of the consent by the data principal.17  

Given that the intent behind such retention is for the State to be able to use such data sets for the aforementioned specific purposes, the data fiduciaries will have to ensure that they adopt adequate internal safeguards to ensure that the data sets so retained for compliance with the mandatory retention period are not processed by such data fiduciaries and processors, except in connection with the purposes set out above.  

Data retention requirements applicable to specific classes of data fiduciaries 

The DPDP Act empowers the Central Government to prescribe retention timelines for certain classes of data fiduciaries. While the DPDP Rules have prescribed such requirements, there is no clear rationale for the imposition of additional obligations on only certain categories of digital service providers to begin with. If the degree of risk or chances of unchecked usage of personal data were to be a consideration, then it still remains unanswered as to why data fiduciaries such as gaming publishers (who could also engage in similar nature / degree of processing) have been excluded from the foregoing list. This could potentially create a non-level playing field in the industry.  

For the digital service providers to whom such requirements apply, i.e., e-commerce entities, social media intermediaries, or online gaming intermediaries that satisfy the prescribed thresholds, the 1 (one) year retention timeline can be said to be applicable notwithstanding the withdrawal of consent for processing by the data principal as well as over and above the 3 (three) year timeline prescribed for such data fiduciaries (if applicable). 

Key Implications

For the aforementioned digital service providers, after the expiry of the 3 (three) year retention period (which is only relevant in evaluating when specified purpose can be deemed to be completed, and not when consent is actually withdrawn by the data principal), an additional 1 (one) year retention period would have to be adhered to by such data fiduciaries. 

Data breach reporting requirements 

As regards data breach reporting requirements, the requirements under the DPDP Rules are predominantly in line with what was proposed under the draft version of the DPDP Rules. The only minor modification prescribed in the DPDP Rules is that, at the stage of reporting the breach to the data principal, data fiduciaries are no longer required to disclose the location of the occurrence of such breach.18 However, the initial reporting made to the DPB about such breach is required to contain details in relation to the location of the occurrence of the breach.19 

It is also interesting to note that the DPDP Rules have stuck to the blanket requirement of reporting all personal data breaches in accordance with the same standards and requirements, irrespective of the nature of the breach or the anticipated harm or risk. The way personal data is defined in the DPDP Act, it is intended to be quite broad and all-encompassing.20 Unlike the DPDP Rules, other global data protection laws provide gradations for reporting personal data breaches to lessen the procedural and administrative burden on the data fiduciaries as well as the authorities and to avoid information and review fatigue, which means that data fiduciaries are not required to report all breaches without any exceptions. One such example is the European Union’s General Data Protection Regulation (“GDPR”), which offers flexibility in reporting based on the risk levels.21

Separately, while the breach reporting requirements have not been altered much, certain aspects, such as the timeline for reporting to data principals and the initial reporting to the DPB, still remain unclear given the vague requirement of making such reporting ‘without delay’. That said, given that detailed reporting in relation to such breach has to be made to the DPB within 72 (seventy-two) hours (or later if permitted by the DPB), and must contain details about the intimation made to the data principal, it can be assumed that the initial reporting to the data principal would mandatorily have to be made prior to such 72 (seventy-two) hours’ deadline and, likely, considerably earlier to meet the intent of the legislation. Despite the seemingly short timelines, the clock only starts ticking once the data fiduciary has knowledge of the breach incident. This is in line with existing incident reporting requirements laid out by CERT-In,22 as well as sectoral reporting requirements such as those laid out by the Reserve Bank of India (“RBI”),23 the Securities and Exchange Board of India (“SEBI”),24 and the Insurance Regulatory and Development Authority of India (“IRDAI”).25

Key Implications 

Data fiduciaries would in any case be required to keep the location where such breach has occurred on record, with the only difference being that such location need not be disclosed to the affected data principal.

Data fiduciaries can assume that intimations ‘without delay’ (to the data principal and the initial reporting to the DPB) would necessarily have to be made as early as possible and before the timeline of 72 (seventy-two) hours (or within such later timeline, if permitted by the DPB) from having knowledge of the breach incident, which the DPDP Framework provides for the follow-up detailed reporting.

For data fiduciaries governed by the aforementioned sectoral regulators, given that the requirement under all frameworks is to make reporting upon becoming aware or being made aware of a breach incident, such data fiduciaries can initiate all reporting (as applicable to them) in parallel.

Additional obligations applicable to SDFs 

While the DPDP Rules have largely retained all the additional obligations applicable to SDFs as prescribed in the draft version of the DPDP Rules, there are some minor changes that are relevant to note. In the context of the due diligence measures SDFs are required to undertake, they are required to verify that the means used for processing data are not likely to pose a risk to the rights of data principals.

Instead of assuming all data fiduciaries would deploy ‘algorithmic software’ for ‘hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it’,26 the language in the DPDP Rules now reflects that technical measures ‘including’ algorithmic software can be adopted. 

Key Implications 

The clarificatory language introduced in the DPDP Rules now gives SDFs the flexibility to deploy different technical measures as they may deem appropriate, which can include algorithmic software.   

No requirement for maintaining an itemised description of goods or services for which data is being collected in the privacy notice

Under the DPDP Framework, every request for consent from the data principal must be accompanied by or preceded with a notice, which should inform the data principal about:

(i) the personal data and the purpose for which the data is to be processed;

(ii) the manner in which data principals may exercise their rights; and

(iii) the manner in which data principals may make a complaint to the DPB.27

The DPDP Rules clarify that the notice must be presented and be understandable in an independent manner, regardless of any other information as may be available to the data principal.28 They also prescribe that the notice must, at the minimum, be in clear and plain language and include an itemised description of the personal data to be processed, the specified purpose or purposes of such processing, and a specific description of the goods or services to be offered or enabled by the processing.29

Key Implications

This is a deviation from the earlier proposed language which required an itemised description of the goods or services to be provided or uses to be enabled, using personal data. This change appears intentional, allowing the data fiduciaries room to articulate the purposes for which personal data will be processed without necessarily having to furnish exhaustive lists of goods and services. 

In effect, this approach seeks to preserve transparency while avoiding undue burden and excessive specificity.  

Lack of clarity on notice obligations re personal data sets collected with consent before the DPDP Framework 

While the DPDP Rules detail the manner of serving notice for prospective consents, they do not clarify the manner of display of notice in relation to the processing of personal data pursuant to the consent of data principals given before the commencement of the DPDP Act. This is especially critical given that the DPDP Act specifically mentions that the manner in which this intimation is to be given would be prescribed by the Central Government.30 Given the proposed provision on notice, this was expected to be addressed in the final version of the rules.

Key Implications

Given the absence of a detailed process for intimation to data principals in re consent provided pre-commencement of the DPDP Framework, this can be interpreted to mean that, till the Central Government issues any separate rules in relation to this, entities can develop their own mechanisms in accordance with the intent of the DPDP Framework. For this purpose, entities can also rely on the illustration given in the DPDP Act, from which guidance can be taken that such intimation may be given in the form of an email, an in-app notification or ‘other effective’ methods for intimating data principals of, inter alia, the data being processed along with the purposes of such processing.

The absence of specific directions by the Central Government on the manner should, however, not impact the applicability of this requirement once this requirement is in effect as part of the third phase of implementation. 

Need for maintaining robust user-facing platforms for ensuring full compliance with notice requirements  

The DPDP Rules have also asserted the mandatory requirement of maintaining digital / online presence by all data fiduciaries by necessarily requiring specification of ‘communication link’ in their notice allowing the data principals to exercise their rights, withdraw consent or make a complaint to the DPB.31 While the data fiduciary can choose to make other methods available as well, the requirement of a communication link (which can be a website, a microsite or any online customer support system) is mandatory.  

Key Implications

Entities should begin the development of their user-facing platforms to reduce any disruptions for data principals in re exercise of their rights.  

Entities that previously collected personal data sets through offline means (such as through offline events, brick and mortar stores), later digitised them and did not maintain such robust technology measures, will have to now revisit their strategies.   

It must also be ensured that the ease with which a data principal can exercise their right of withdrawal of consent is similar to the ease with which consent was given in the first place.32 Entities should accordingly revisit their UI / UX to ensure compliance with this requirement.  

Relevance of consent managers in question 

Consent managers were introduced as a concept under the DPDP Framework to serve as intermediaries between data principals and data fiduciaries, and to stand in as effective partners to ensure that the rights of data principals are protected. These entities, once registered with the DPB, are intended to be accountable to data principals and act as a single point of contact for data principals to manage their consent through an interoperable platform of the consent managers,33 on which different data fiduciaries will be onboarded along with data principals.34 The DPDP Rules establish clear eligibility criteria for entities seeking registration as consent managers.35 However, the DPDP Rules do not mandate data fiduciaries to be onboarded with the consent managers, or state that data fiduciaries are to be onboarded with multiple consent managers. Further, there is no clarity on the degree of integration that may be required between the data fiduciaries and the consent manager for it to perform its role effectively.

Key Implications

The position of the consent manager may accordingly be rendered potentially redundant, and given the lack of clarity on whether data fiduciaries are mandated to register with them, entities need not necessarily seek registrations with the consent managers as of now.

The conditions for registration as a consent manager are quite stringent, and it will have to be seen as to how many entities come forward, take such measures and thereafter successfully onboard data fiduciaries to make this model a successful one. 

Principles-based data security requirements 

The DPDP Act requires data fiduciaries to adopt ‘reasonable security safeguards’ to prevent personal data breaches and to ensure adequate protection of personal data.36 To operationalise this, the DPDP Rules prescribe principles-based minimum standards, such as: (i) adoption of appropriate data security measures such as securing of personal data through encryption, obfuscation, masking or use of virtual tokens mapped to that personal data; and (ii) appropriate measures to control access to computer resources used by the data fiduciary or a data processor, where applicable, etc. While these standards are mandated, their adoption alone may not necessarily be sufficient to meet the requirements of implementing ‘reasonable security safeguards’ under the DPDP Framework.

Key Implications

The adequacy of security measures implemented by the data fiduciary will ultimately depend on the specific data fiduciary and the nature, volume, and sensitivity of the personal data it processes. The deliberate inclusive language in the drafting appears to allow fiduciaries the flexibility to assess their risk profiles, operational capabilities, and contextual requirements, and to implement additional safeguards where necessary. Accordingly, this will be a subjective determination to be made by data fiduciaries, and if ever scrutinised, will be left to the fiduciary to appropriately justify adequacy.  

This has been a welcome shift, from a more prescriptive approach under the IT Framework (that is, suggesting ‘ISO 27001’ as one such reasonable security standard, which may also become outdated over time), to a principles-based approach. In these circumstances, entities will be free to determine their technological processes that help them achieve such reasonable security safeguards. 

Having said that, with the imposition of requirements pertaining to access control measures for computer resources being used by data processors as well (using which personal data may be processed), entities may now have to revisit their contractual arrangements, giving more granular control to data fiduciaries over such resources of the data processors. In fact, one of the reasonable security safeguards under the DPDP Rules requires data fiduciaries, as a mandatory pre-requisite, to have appropriate provisions in the contract with the data processors for ensuring that the data processors are taking reasonable safeguards.37 This may be implemented by way of imposition of audit rights or self-certification where relevant, coupled with vendor diligence. However, this can certainly be onerous both on entities acting as data fiduciaries and on those acting as data processors, given that data fiduciaries are now obligated to move away from a ‘light-touch approach’, with data processors now having to potentially agree to more contractually onerous audit and diligence terms.

Ambiguities on verifiable consent prior to processing of personal data of children 

The DPDP Act mandates a data fiduciary to obtain verifiable consent of a parent / lawful guardian prior to processing the personal data of a child.38 The DPDP Rules require the data fiduciary to adopt ‘appropriate technical and organisational measures’ to ensure verifiable consent is obtained - and also impose the requirement of adopting due diligence measures for checking that the individual stating themselves to be a parent is an adult39 who is identifiable.  

Such due diligence measures would essentially entail: (i) reliable details of identity and age of said individual that may already be available with the data fiduciary; or (ii) details of identity and age voluntarily provided: (a) by the individual; or (b) through a virtual token mapped to such details, issued by an authorised entity.40   

Interestingly and importantly, the responsibility of determining whether the user (data principal) is an adult or a child has not been placed on the data fiduciary, who will have to rely on an indication or declaration to this effect from the user. However, the data fiduciary will mandatorily be required to provide tools and mechanisms for the user to identify themselves as an adult or child (such as through a checkbox) and thereafter carry on the verification process.

The DPDP Rules, while mandating the parent / lawful guardian of the child to give consent, do not clarify how the fiduciary can conclusively determine such a relationship. On the contrary, the DPDP Rules appear to indicate that as long as an identifiable adult provides consent, this requirement would be satisfied, without the adult needing to prove their parental / guardianship status.

While there is no direct liability under the DPDP Framework that the adult may face on account of providing consent for a child without having parental / guardianship authority over the child, this could potentially expose the data fiduciary to claims of unlawful processing.  

Key Implications

The data fiduciary can mitigate this risk by ensuring adequate contractual obligations on the adult providing the information (which could be undertaken by modifying user facing terms and privacy notices). The adult could agree to adequate representations stating that they indeed possess necessary authority over the child on whose behalf they are providing the required consent, and would also be liable to indemnify the data fiduciary in the event of any irregularity. 

Additionally, the manner of compliance with this provision remains to be seen, especially in regard to the extent to which data fiduciaries will attempt to safeguard themselves from any liability under this provision. The approach may have to be determined by industry practice, which will reveal the risk mitigation measures being adopted by the data fiduciaries and the extent to which they rely on information provided versus attempt to actively verify the information provided.  

Cross-border data transfers 

The DPDP Rules clarify that the transfer of personal data outside India may be subject to restrictions and requirements that will be issued from time to time by the Central Government, given through general or special orders,41 in relation to cross-border data transfers to a foreign state government or any entity or person under control of any agency of the foreign state government.42  

Key Implications

Data fiduciaries have to: (i) regularly update their internal data handling policies to ensure that a general check is being undertaken by them to determine if cross-border data transfers are being made to entities which may be controlled by a foreign state government; and (ii) ensure that their internal data handling policies are regularly updated to capture any updates in Central Government orders in re such requirements and restrictions, to ensure compliance.  

It remains to be seen how interpretation of this provision will evolve over time since all data fiduciaries abroad are under jurisdictional control of authorities in that jurisdiction - and accordingly personal data transfers may be subject to enhanced checks. 

Clarity in re rights available to data principals 

As regards the rights available to data principals under the DPDP Act, the DPDP Rules seem to have clarified the manner in which such rights may be exercised. The language in the draft version of the DPDP Rules indicated that the means made available by the data fiduciary could only be used for exercising rights in relation to accessing information about personal data and its erasure. However, the DPDP Rules have now done away with this restrictive language, indicating that the means deployed by the data fiduciaries can be utilised by data principals for exercise of all rights available to them under the DPDP Act.43 

Similarly, the language in the draft version of the DPDP Rules indicated that for a data principal ‘to exercise the right to nominate’, the data principal could nominate one or more persons through the means made available by the data fiduciary. This provision rendered the concept and right of nomination redundant, since the exercise of the nomination right itself would require a nominee. However, this appears to have been an inadvertent oversight, since this provision has now been modified under the DPDP Rules to state that ‘to exercise rights available under the Act’ (and not just the right to nominate), the data principal can utilise the means made available by the data fiduciary and nominate one or more persons.44 This language modification was crucial because the earlier language seemed to only lay out ‘how the right to nominate available with a data principal could be exercised’, as opposed to laying out ‘the means through which the data principal can exercise all their rights through a nominee in the event of death or incapacity of the data principal’.

Key Implications

Data fiduciaries would be required to ensure that they deploy means that can be used by data principals to exercise all rights available under the DPDP Act.  

Data fiduciaries will also have to make relevant arrangements to enable data principals to nominate one or more persons to exercise their rights in case of their death or incapacity. 

Timelines in re grievance redressal 

It is also important to note that the DPDP Rules have now prescribed an outer timeline of 90 (ninety) days within which the data fiduciary is required to respond to grievances of the data principal.45 This, however, does not necessarily mean that grievances are expected to be resolved in 90 (ninety) days; the DPDP Rules have not explicitly prescribed any time period within which grievance resolution has to be completed. In this regard, it will be interesting for data fiduciaries who are subject to other regulations, such as the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”)46 and the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”),47 to have a consolidated grievance redressal framework that takes into consideration the varying requirements under different regulations.

Key Implications 

Data fiduciaries will need to deploy adequate means and measures to ensure that the grievance response timeline of 90 (ninety) days is adhered to. 

Data fiduciaries governed by the IT Rules 2021 and / or E-Commerce Rules could either opt to have a standard timeline (based on the shortest applicable timeline across the varying regulations applicable to them) for all grievances, or have different internal timelines, determined based on the nature of the grievance and the timelines prescribed under the legislation it falls under, that they ensure adherence to with consequent compliance tracking mechanisms.

Call for information by the Central Government 

The DPDP Rules empower the Central Government (through authorised persons as prescribed in the Seventh Schedule of the DPDP Rules) to call for information from data fiduciaries and intermediaries for the specific purposes set out in the Seventh Schedule.48 Such information is to be furnished by the data fiduciary or intermediary within the time period prescribed by the authorised persons at the time of the information request. In this regard, it is relevant to note that the DPDP Rules explicitly state that where disclosure of the fact that such information has been furnished to the Central Government is likely to prejudicially affect the sovereignty and integrity of India or the security of the State, the fact that such information has been furnished ‘cannot be disclosed to affected data principals or any other person, without prior written consent of the authorised persons’49 who sought such information. This requirement is considerably distinct from what was prescribed in the draft version of the DPDP Rules, which vaguely stated that in the aforementioned circumstances of risk to India, disclosure could be made only after obtaining prior written permission. The draft language did not clarify to whom such disclosure could not be made without prior permission, which left the provision quite open-ended. The revised language in the DPDP Rules addresses this gap.

It is also relevant to note that the draft version of the DPDP Rules explicitly called out that provision of information pursuant to such request from the Central Government would be by way of fulfilment of obligation under Section 36 of the DPDP Act, which empowers the Central Government to ask the DPB or any data fiduciary or any intermediary to furnish information for the purposes of the DPDP Act. This reference to Section 36 of the DPDP Act has now been done away with in the DPDP Rules. The intent behind such removal is unclear and could be interpreted to mean that Section 36 provides for broad disclosure-related powers available with the Central Government, with Rule 23 being one of the instances in which powers under Section 36 can be exercised. Another reason for such removal could be to clarify that the scope of the Central Government’s powers to call for information under Section 36 is a general overarching power provided to meet the objective of the DPDP Act and is not limited to the specific purposes set out in Rule 23 read with the Seventh Schedule of the DPDP Rules.  

Key Implications 

Data fiduciaries or intermediaries could be asked to disclose information, and in cases where the fact that such information has been disclosed could pose risks to India, a prior written consent from the relevant authorised persons would have to be obtained before making such disclosures about the furnishing of information to the affected data principals or any other person. 

4. CONCLUSION

The issuance of the DPDP Rules marks a significant development in the evolution of the Indian data protection framework, bringing considerable clarity to the implementation of the DPDP Act. The phased implementation timeline also gives data fiduciaries some time to align their processes with the more substantive provisions of the framework.

While the DPDP Rules have introduced welcome clarifications, particularly around key requirements such as the specifics of notice, verifiable consent mechanisms for processing children’s data, and the exercise of data principal rights, certain aspects remain unaddressed. The framework lacks clarity on notice obligations in re personal data sets collected prior to the commencement of the DPDP Act; the practical utility of consent managers remains uncertain given the absence of mandatory onboarding requirements for data fiduciaries; and the conditions for cross-border data transfer still await orders from the Central Government. Moreover, while the principles for reasonable security safeguards have been laid out, their true efficacy will be put to the test only when data fiduciaries begin implementation. Additionally, concerns persist around the blanket data breach reporting requirements, which do not account for any risk gradation.

A notable feature of the DPDP Framework is its treatment of ‘legitimate use’, particularly where data principals voluntarily provide personal data for a specified purpose.50 This is a beneficial development for businesses, as it recognises that not all processing requires formal consent and can reduce unnecessary compliance burdens for routine, expected interactions. 

That said, the legal impact of this provision will depend heavily on how data fiduciaries interpret its scope. Given that consent is not required when data is voluntarily furnished, fiduciaries may be incentivised to draft broad purpose statements to bring a wide range of processing within the umbrella of ‘specified purpose’. If applied expansively, this could erode the specificity and transparency that the consent requirement is intended to guarantee. 

Separately, by exempting disclosures involving personal data, the DPDP Framework narrows the transparency obligations previously enabled under the Right to Information Act, 2005.51 While legitimate use can streamline data processing and reduce unnecessary administrative burdens, its practical impact will ultimately depend on how responsibly and narrowly data fiduciaries apply it and how effectively the safeguards against overreach are enforced. 

As the data fiduciaries prepare themselves for the May 13, 2027 deadline, the real test of the DPDP Framework would lie in its implementation and enforcement by the DPB. The success of the Indian data protection regime will ultimately depend on the DPB’s approach to enforcement, the Central Government’s upcoming orders / notifications and the extent to which these strike a balance between protecting the right to privacy of the data principals and legitimate data processing activities. With the much-awaited clarity on the timelines for the implementation of the DPDP Framework, the focus must now be on building institutional capacity, developing industry best practices as well as ensuring that the principles which are enshrined in the data protection framework actually translate into meaningful adoption of data protection practices.
This alert is for information purposes only. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Although we have endeavored to accurately reflect the subject matter of this alert, we make no representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this alert. No recipient of this alert should construe this alert as an attempt to solicit business in any manner whatsoever.