The Ministry of Electronics and Information Technology announced the Digital Personal Data Protection Rules, 2025, on November 13, marking a major development in India’s data privacy regime. These new rules aim to strengthen digital governance and safeguard personal information more effectively.
The Ministry of Electronics and Information Technology officially announced the Digital Personal Data Protection Rules, 2025, on November 13, marking a significant step forward in India’s data privacy and governance landscape.
This notification follows a public consultation held in January 2025, during which stakeholders provided their feedback on the draft rules.
According to the Rules, Data Fiduciaries are obligated to implement appropriate technical and organizational measures to obtain verifiable parental consent before processing any child’s personal data.
A Data Fiduciary, as defined by the Act, refers to any individual or entity that determines the purposes and means of processing personal data, either independently or jointly.
Additionally, the Rules stipulate that Significant Data Fiduciaries must conduct an annual Data Protection Impact Assessment (DPIA) and undergo an independent audit each year to ensure compliance with the Act and its Rules.
The Central Government may designate a Data Fiduciary as ‘Significant’ based on factors like the volume and sensitivity of data handled and potential risks to the rights of the Data Principal, who is the individual to whom the data pertains.
In the case of a personal data breach, Data Fiduciaries are required to promptly notify both the affected individuals and the Data Protection Board of India, including detailed information about the breach’s scale, occurrence time, potential implications, and recommended protective measures.
The Rules also state that the Data Protection Board of India will be established under a Search-cum-Selection Committee chaired by the Cabinet Secretary. This Board will function as a digital-only office, and decisions at its meetings will be made by majority vote among the members present and voting.
Furthermore, the Rules make it clear that while personal data processed under the Act can be transferred outside of India, such transfers will still be subject to any restrictions or conditions set by the Central Government.
FOLLOW US ON YOUTUBE FOR MORE LEGAL UPDATES
