The rules, which will govern the DigitalPersonal Data Protection Act, 2023, protect personal information under data fiduciary by setting standard procedures for collecting, accessing and safeguarding the data. The rules highlight the obligations of data-handling entities and the entitlements of individuals.

The ministry had released the draft DPDP rules in January 2025, seeking comments and suggestions. After considering the feedback, MeitY notified the final rules today.

As per the new rules, the data fiduciary (any entity collecting personal data) will have the following responsibilities:

• Use simple language and provide enough detail so that the data principal (the user) can give informed and specific consent regarding share their personal data
• Clearly mention about how any user can withdraw their consent so that the process is easy
• Use appropriate security measures to safeguard users' personal data
• Provide visibility on the accessing of such personal data
• Inform the data principal in case of any data breach and also disclose remedial measures taken to prevent recurrence
• Delete such personal data unless its retention is required to comply with any applicable law
• Implement appropriate technical and organisational measures to ensure that a parent's verifiable consent is obtained before processing any child's personal data
• Obtain verifiable consent from someone claiming to be the lawful guardian of a person with disability
• Complete a Data Protection Impact Assessment (DPIA) and an audit once every year to ensure it is following the Act and its rules

Along with the rules, the Centre said that the Data Protection Board of India will be headquartered in New Delhi. The Board will function as a fully digital institution, enabling citizens to file and track complaints online through a dedicated platform and mobile app.

The Execution Burden

Notably, the draft shared by the Centre in January is almost similar to the one shared now. During the feedback period, the government received several comments.

For instance, earlier in August, the Internet and Mobile Association of India (IAMAI) said that the ambiguities in the DPDP Act, concerning the processing of publicly available personal data may pose challenges for tech startups and small businesses.

The association said that requiring AI companies to determine if all publicly accessible personal data had been voluntarily made available by data principals themselves was practically unfeasible.

It suggested that the government should consider exempting data fiduciaries from the Act's requirements in cases where personal data is being used solely for the development of AI models. However, no such exemption has been made in the rules.

Similarly, the National Payments Corporation of India (NPCI) and some leading digital payment platforms such as Google Pay, PhonePe and Amazon Pay, also sought exemption from the DPDP Act.