DPDP rules 2025 notified: Global tech platforms to face stricter obligations, higher penalties

The rules impose stringent obligations on businesses—ranging from Big Tech platforms such as Facebook, WhatsApp, Instagram, and Amazon to domestic start-ups—along with penalties of up to Rs 25 crore for violations.

Business Today Desk
  • Updated Nov 19, 2025 6:06 PM IST

The Ministry of Electronics and Information Technology (MeitY) has recently released the final Digital Personal Data Protection (DPDP) Rules 2025, setting in motion a comprehensive overhaul of India’s data protection ecosystem. The rules impose stringent obligations on businesses—ranging from Big Tech platforms such as Facebook, WhatsApp, Instagram, and Amazon to domestic start-ups—along with penalties of up to Rs 25 crore for violations. Companies have been granted an 18-month transition window to align their systems with the new standards.

The government is holding discussions with industry representatives and other stakeholders to shorten the compliance timeline under the Digital Personal Data Protection (DPDP) Act and its accompanying rules, currently set at 18 months, Union Electronics and Information Technology Minister Ashwini Vaishnaw said on Monday. 

He noted that the initial set of rules had been framed with what he described as a “balanced and reasonable” transition period, taking into account both the industry’s requests and the government's objectives. “We are actively engaging with the industry to explore ways to further tighten these timelines,” Vaishnaw added.

The Ministry of Electronics and Information Technology (MeitY) has also conveyed to companies that, given their existing experience in meeting data protection requirements in other global jurisdictions, they should be able to adapt and implement similar compliance frameworks in India as well.

New rules

Under the framework, a Data Fiduciary must adopt stronger internal controls, especially when outsourcing data processing. This includes enforceable contracts with Data Processors that bind them to equivalent security practices. A central feature of the rules is the creation of a fully digital Data Protection Board, which will handle complaints and issue orders. Appeals against its decisions will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), giving aggrieved users and companies a clear appellate mechanism.

Robust security and child safety

The DPDP Rules 2025 place heavy emphasis on technical safeguards. Companies must deploy tools such as encryption, masking, obfuscation, and tokenisation to reduce the risk of unauthorised access. In addition, they must maintain detailed activity logs for every instance of access, storage, or sharing of personal data, retaining these logs for at least a year unless another law dictates otherwise.
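As an added illustration of the kinds of safeguards this paragraph names (this is example code written for this page, not code from the rules, MeitY, or any company mentioned above), the following Python shows keyed tokenisation of personal-data fields, masking for display, and an append-only access log that records every access, store or share event and only treats entries older than a one-year retention period as eligible for purge. The key, field names and sample records are constructed for the demo; whether a given design satisfies the rules is a legal question the code does not answer.

```python
"""Tokenisation, masking and access logging for personal data (illustrative only)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a real deployment the key lives in a KMS or HSM
# and is never hard-coded; rotating it changes every token.
TOKEN_KEY = b"demo-only-tokenisation-key"


def tokenise(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic pseudonym for a PII field (HMAC-SHA256).

    Equal inputs map to equal tokens, so joins still work, but the raw value
    cannot be recovered from the token without the key (unlike a plain hash,
    which invites dictionary attacks on low-entropy fields such as phones).
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


def mask_phone(phone: str) -> str:
    """Keep only the last four digits; every other digit becomes 'X'."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) <= 4:
        return "X" * len(digits)
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    if not domain:
        return "X" * len(email)
    return local[:1] + "***@" + domain


def pseudonymise_record(record: dict, pii_fields=("email", "phone")) -> dict:
    """Return a copy of the record with PII fields replaced by tokens."""
    out = dict(record)
    for name in pii_fields:
        if name in out:
            out[name] = tokenise(out[name])
    return out


@dataclass
class AccessLogEntry:
    ts: datetime        # timezone-aware timestamp of the event
    actor: str          # who or what touched the data
    action: str         # one of ALLOWED_ACTIONS
    subject_token: str  # token, never the raw identifier, so the log is not itself PII
    purpose: str        # stated purpose for the processing


ALLOWED_ACTIONS = ("access", "store", "share")


@dataclass
class AccessLog:
    """Append-only in-memory log; a real one would be written to WORM storage."""
    retention_days: int = 365
    _entries: list = field(default_factory=list)

    def record(self, now: datetime, actor: str, action: str,
               subject_token: str, purpose: str) -> AccessLogEntry:
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = AccessLogEntry(now, actor, action, subject_token, purpose)
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)

    def purgeable(self, now: datetime) -> list:
        """Entries older than the retention period. Younger ones must stay."""
        cutoff = now - timedelta(days=self.retention_days)
        return [e for e in self._entries if e.ts < cutoff]


if __name__ == "__main__":
    # Constructed sample record and clock for the demo.
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    user = {"id": 42, "email": "Alice@Example.com", "phone": "+91 98765 43210"}
    stored = pseudonymise_record(user)
    log = AccessLog()
    log.record(now, "support-agent-7", "access", stored["email"], "account query")
    print(stored)
    print(mask_email(user["email"]), mask_phone(user["phone"]))
    print(len(log.entries()), "log entries;", len(log.purgeable(now)), "purgeable")
```

The log stores the token rather than the raw e-mail or phone, so the retained year of history does not become a second copy of the personal data it is meant to account for. `purgeable` only reports what has aged out; it never deletes, so a longer retention period imposed by another law can be honoured by simply not acting on its output.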

Platforms catering to minors face tighter controls. Before providing services to users under 18, companies must obtain verifiable parental consent, and in cases mandated by law, confirm that the consenting adult is authentic. This affects social media platforms, gaming services, and digital learning providers most directly.

Entities designated as Significant Data Fiduciaries must undergo independent audits, prepare data protection impact assessments, and conduct additional due diligence checks when introducing new technologies. They must also comply with government-notified restrictions, including potential data localisation requirements.

Expanded user rights

The rules enhance the rights of Data Principals, who may now request access, correction, updating, or deletion of their personal data, with companies required to respond within 90 days. If a user remains inactive for three years, their data must be deleted unless required for legal compliance. Before deletion, the Data Fiduciary must provide a 48-hour advance notification, giving users an opportunity to reactivate their accounts.

In the event of a breach, organisations must promptly inform affected users in clear and simple language via their registered communication channels.

Industry response

Experts say the rules balance clarity with compliance challenges. Mishi Choudhary, Founder of SFLC.in, said the rules “are simple in words but will require investment in implementation,” noting that while large companies already have established compliance structures, “smaller players will need significant restructuring and additional tools” to meet tight reporting timelines. She warned that Rule 23, which gives the government expanded access to private databases, “creates substantial privacy, surveillance, and business risks.”

On the other hand, industry leaders view the framework as a step forward. Sujit Patel, CEO & MD of SCS Tech India, called the rollout “an important milestone in India’s digital journey,” adding that it provides long-awaited clarity on consent, transparency, and breach-response expectations. The rules, he said, bring India closer to global data governance standards and “strengthen the trust that customers and partners expect,” offering a structured path to improved privacy, accountability, and sustainable digital growth.

Published on: Nov 19, 2025 6:06 PM IST