Explainer: India's New Digital Personal Data Protection Rules and What it Means for Your Personal Information

India's Digital Personal Data Protection Rules 2025 promise users control over their data but grant the government broad powers to demand information without consent. Critics warn of surveillance risks and weak enforcement mechanisms.

Sahil Pradhan

After years of delays, India notified the Digital Personal Data Protection Rules 2025 on 13 November 2025. The rules provide the operational framework for how companies and government bodies must handle personal information under the Digital Personal Data Protection Act, which Parliament passed in 2023 but which could not be enforced without these rules. The rules run to over 40 pages and come into force in phases over the next eighteen months, reshaping how organisations collect, store, and use data. Civil society groups, however, warn that the framework may enable state surveillance rather than protect citizens' digital rights.

What the Rules Mean for Users


At the heart of these rules is consent—your explicit permission for someone to use your personal data. The most innovative feature is the introduction of "Consent Managers," intermediaries who help you control permissions for your data. Imagine you want to share your bank statement with a loan company. Instead of giving it directly, you could use a consent manager's platform to control exactly what information is shared, for how long, and revoke permission whenever you want. These consent managers must be Indian companies with at least Rs. 2 crore in net worth and must maintain detailed records of all consent decisions for at least seven years.

The rules require "reasonable security safeguards" to prevent data breaches, listing measures such as encryption, access controls, monitoring of access, and retention of logs, but they do not name specific technical standards a company must meet. If a breach occurs, the company must inform each affected user without delay, in plain language, explaining what happened, what data was compromised, and what the user can do to protect themselves. It must also report the breach to the new Data Protection Board, which oversees enforcement: an initial intimation without delay, and full details within 72 hours (or a longer period if the Board allows it on request).

For anyone under 18, companies must obtain "verifiable consent" from a parent or lawful guardian before processing data, which means the company must take steps to check that the person giving consent is an adult, for example by relying on identity details it already holds or on a token issued by an authorised entity. However, there are significant exemptions: schools can track students for educational activities or safety without parental consent, healthcare providers can process children's data for treatment, and transport services can track location for safety purposes.

The rules specify that large e-commerce platforms, online gaming sites, and social media companies (those above user-count thresholds set in the rules) must delete your personal data three years after you last interacted with them, unless you log back in. However, companies must retain the associated processing logs for at least one year even after the data itself is deleted.

Government Access and Surveillance Concerns


The most troubling aspect is Rule 23, which allows the government to demand data from any company with minimal oversight. The government can "require any Data Fiduciary or intermediary to furnish such information as may be called for" for purposes including "sovereignty and integrity of India or security of the State." Crucially, the government can also instruct companies not to tell you about these data requests, essentially enabling secret surveillance.

The Internet Freedom Foundation (IFF), which has worked on data protection issues since 2022, is particularly concerned about this provision. In their statement, IFF warns that Rule 23 "grants unchecked power to the State to demand personal data from Data Fiduciaries without consent, citing vague justifications like national security." The categories of data access are so broadly defined that they invite abuse, with no strict necessity test or judicial authorisation required.

IFF emphasises that "Such gag rules prevent the public from ever knowing the extent of state surveillance." This secrecy eliminates an important check on government power and prevents transparency about how widely these surveillance powers are used.

When government bodies process your data for issuing licences or providing subsidies, they must follow certain standards. However, broad exemptions allow state agencies to process personal data for virtually any function "under any law for the time being in force"—an extraordinarily wide carve-out.

Major Gaps and Weaknesses


Despite the comprehensive framework, significant concerns remain. The consent manager concept sounds promising, but the high barriers to entry may limit the number that actually emerge, potentially creating monopolies rather than competitive services. The rules don't specify how consent managers will be held accountable if they mishandle your records.

The repeated use of vague terms like "reasonable" and "appropriate" creates ambiguity. What constitutes reasonable security for a small startup versus a tech giant? Without concrete standards, enforcement becomes subjective and inconsistent. Ruhail Choudhury, a corporate lawyer, highlights the gap: "The IT Act and BNSS provide legal provisions to deal with cyber crimes too, but considering the fact that our criminal laws are vintage and are very old, therefore several important forward-looking amendments in such laws are immediately required."

The Data Protection Board's effectiveness depends on its resources and independence—neither guaranteed. IFF criticised the Board's composition in their detailed submission, warning that the concentration of appointment powers in the executive "deepens executive control" and departs from global best practice where data protection authorities are independent regulators.

The rules also ignore the principle of data minimisation. Syed Kazi from Digital Empowerment Foundation advocates: "We collect only the absolutely required data from our members. If you don't collect unnecessary data, there will be lesser data privacy violations you need to worry about." However, companies aren't required to justify why they collect each piece of information, meaning organisations may continue collecting maximum data "just in case."

Valentina Raman and Zineb Mouhyi, Directors at YouthxYouth, observe: "It is very unrealistic to think that in this day and age your data will not be found online, no matter how much you protect it. Because that is, in fact, the job of some people: to find data."

The Path Forward


As these rules are implemented over the next eighteen months, their real-world impact depends on several factors: the Data Protection Board's independence and resources, the emergence of viable consent managers, corporate compliance culture, and civil society vigilance.

IFF has called for urgent reforms, including restoring balance between privacy and transparency, ensuring independent oversight by reconstituting the Data Protection Board, and narrowing state exemptions and surveillance powers. They urge that "Blanket, secret data demands have no place in a rights respecting democracy."

The rules provide meaningful advances: consent requirements, breach notifications, data deletion timelines, and special protections for children. These are important steps for a country where digital rights have historically received limited attention. However, the framework's success depends on implementation rigour and willingness to address its gaps.

The next eighteen months will reveal whether India has created a robust data protection regime or merely a paper tiger that looks impressive but lacks real teeth. For millions of Indians whose digital footprints grow daily, the stakes couldn't be higher.
