News
›
India · DPDP Rules 2025 + Data Protection Board
·
India · Update
·
Editor-reviewed · 14 Nov 2025
India
Data Protection Board of India
·
Update
·
14 November 2025
India Notifies the DPDP Rules 2025, Operationalising the Data Protection Board
On 14 November 2025, India's Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025, giving full effect to the DPDP Act 2023 after 6,915 public-consultation inputs. The Rules establish a fully digital Data Protection Board of India (4 Members; online complaint portal + mobile app; appeals to TDSAT), set an 18-month phased compliance window, mandate plain-language consent notices, codify Data Principal rights (access, correct, update, erase, nominate) with a 90-day response window, breach-notification obligations, and special protections for children and persons with disabilities. RTI Act §8(1)(j) is amended consistent with the Puttaswamy privacy judgment. Budget head: MeitY Demand No. 27 §3.04 — FY2025-26 ₹5 cr budget (₹2 cr revised actual), FY2026-27 ₹10 cr budgeted.
On 14 November 2025, India's Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025, giving full effect to the DPDP Act 2023 after 6,915 public-consultation inputs across Delhi, Mumbai, Guwahati, Kolkata, Hyderabad, Bengaluru and Chennai.
The Rules establish a fully digital Data Protection Board of India, to consist of four Members. Citizens may file complaints online and track cases through a dedicated portal and mobile app; appeals go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). MeitY's Demand for Grants 2026-27 lists the Board as budget head 3.04: ₹10 cr budgeted, up from ₹5 cr in FY2025-26 (₹2 cr revised actual).
Substantive obligations: an 18-month phased compliance window for Data Fiduciaries; plain-language consent notices stating specific purposes; Data Principal rights to access, correct, update, erase and nominate, with a 90-day response window; breach-notification duties; stricter checks for new or sensitive technologies, including local-storage directions for restricted data categories.
Children's personal data requires verifiable parental or guardian consent, except for healthcare, education or real-time safety. Persons with disabilities receive equivalent protection through a verified lawful guardian. Section 8(1)(j) of the RTI Act is amended consistent with the Supreme Court's Puttaswamy privacy judgment.
Operational notes
- Compliance window: 18 months phased; Data Fiduciaries should begin re-papering consent flows and rights-request processes for the 90-day response window.
- Board structure per primary source: digital-first, 4 Members; appeals to TDSAT. Chairperson and Member names not yet publicly notified at PAI verify date 5 May 2026.
- Budget reality: MeitY Demand No. 27 §3.04 — FY2025-26 ₹5 cr budget vs ₹2 cr revised actual; FY2026-27 ₹10 cr budgeted. Board is in operational ramp-up.
- RTI implications: §8(1)(j) amended; transparency requests touching personal data must be assessed against the DPDP framework before disclosure.
- Children + persons with disabilities: verifiable parental/guardian consent required. Healthcare, education and real-time safety are explicit carve-outs.
Sources
All claims derived from the Gazette of India Extraordinary, Part II §3(i) No. 760 (notified 13 November 2025, published 14 November 2025), the PIB DPDP Rules 2025 explainer (17 Nov 2025), MeitY Demand for Grants 2026-27 (sbe27.pdf) and PIB Budget 2024-25 release (PRID 2036078). The PAI Research Team reviews each story against source before publication. Claim ID: pai-20251114-india-dpdp-rules-2025-board.