The Ministry of Electronics and Information Technology (MeitY) formally notified the DPDP Rules 2025 yesterday. As the regulatory landscape evolves, these much-awaited Rules were expected to bring long-overdue clarity and structure to India’s privacy framework. While some ambiguities have been resolved, critical issues continue to hinder the realisation of robust data protection in the country.
What has improved?
Some aspects that drew criticism in earlier drafts have been clarified in the final Rules. Most notably, the processes around consent notices (Rule 3), data breach intimation (Rule 7), and requirements for “reasonable” security safeguards (Rule 6) are now mapped out in greater detail. This should offer both data fiduciaries and individuals more certainty in handling personal data and responding to breaches.
Another welcome change is the reduction in the data retention period. Under Rule 8, personal data can now be held only for one year, reduced from the earlier three years. This is a significant positive for individuals worried about the indefinite storage and potential misuse of their personal data.
Where the Rules fall short
Despite these moves, the Rules remain problematic on multiple fronts:
* Children’s data and verifiable consent: Rule 10 continues to mandate verifiable parental consent for processing children’s data, now specifying that the parent must be an “identifiable adult” using a virtual token or voluntary identity details. However, the mechanics of verifying both the relationship and identity remain unclear. It is still ambiguous whether children will face mandatory self-declaration or if fiduciaries may start enforcing identity verification to avoid penalties — a process that risks over-collection of personal data and creates privacy risks.
* Cross-border data transfers: The Rules retain restrictions on the transfer of personal data outside India but do not specify the essential criteria for imposing such restrictions. This ongoing uncertainty can hinder cross-border digital trade and complicate compliance for global businesses.
* Research and archiving exemptions: Rule 16 continues to exempt data usage for “research, archiving, or statistical purposes” without clear definitions for these categories. This loophole may allow data processing outside the ambit of the Act without adequate oversight.
Implementation
The Rules will be rolled out in phases. The Data Protection Board is being established immediately, with Consent Manager registration to follow within a year. Full enforcement of the remaining provisions is expected within the next 18 months.
While the DPDP Rules 2025 mark progress in India’s long data privacy journey, gaps in clarity and scope — particularly concerning children’s data, rights of research exemption, and cross-border transfers — remain.