India Notifies DPDP Rules, 2025, Bringing Landmark Data Law Into Force
Officials described the notification as a “turning point” in India’s digital governance journey.
New Delhi: India on Thursday officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, setting in motion the country’s long-awaited data protection framework and establishing operational norms for how companies collect, store and process personal data.
Issued by the Ministry of Electronics and Information Technology (MeitY), the Rules activate crucial provisions of the DPDP Act, 2023, including consent standards, security safeguards, timelines for breach reporting and procedures for cross-border data transfers.
Officials described the notification as a “turning point” in India’s digital governance journey. The government had opened draft rules for consultation earlier this year, prompting intense discussions with startups, big tech, industry associations and civil society groups.
The Rules now give businesses concrete compliance obligations, while the Data Protection Board gains sharper enforcement powers. Companies will need to overhaul privacy policies, redesign consent prompts and strengthen breach response protocols before deadlines commence.
