The Ministry of Electronics and Information Technology (MeitY) has released the draft of the much-anticipated draft Digital Personal Data Protection Rules 2025 (DPDP Rules) for public consultation on January 3, 2025. The draft version of the DPDP Rules 2025 is now available for public consultation till 18th February, 2025

The DPDPA 2023 aims to protect individuals’ personal data while ensuring responsible use by organizations, balancing privacy with innovation.

All entities processing personal data, including businesses, government agencies, and digital platforms, must comply.

It grants individuals rights such as accessing, correcting, and erasing data, as well as withdrawing consent for processing data.

The principles include lawful data processing, purpose limitation, data minimization, accuracy, and security.

Significant Data Fiduciaries (SDFs) are Data Fiduciaries notified by the Central Government based on factors like volume and sensitivity of personal data processed. SDFs must appoint a Data Protection Officer, conduct periodic data audits, and perform Data Protection Impact Assessments.

Organizations must notify affected individuals and authorities of breaches and implement robust security measures.

The DPDPA mandates “verifiable consent” from a parent or guardian before processing minors’ data and prohibits tracking, behavioural monitoring, and targeted advertising. Certain exceptions are carved out in the draft DPDP Rules for this.

1. Yes, individuals can request data deletion and Data Fiduciaries have to comply with such a request, unless data retention is required by law for specific purposes.

They must obtain consent, maintain data accuracy, implement security safeguards, and provide transparency on data use.

The Central Government can restrict cross-border data transfers to certain countries.