In a move that was long overdue, the Government of India has published proposed new rules (the “Digital Personal Data Protection Rules 2025” or “DPDP Rules”) which are intended to provide a framework for implementation of India’s much publicized new data privacy legislation, the Digital Personal Data Protection Act 2023 (DPDPA). Industry has been waiting with bated breath for the delegated legislation- in order to understand the full impact that the law will have on their businesses.
The DPDP Rules have been published only with the intention of inviting feedback till 18th February 2025. However, rarely does the Government accept substantial changes to its views on a law, and the DPDP Rules will likely be passed in substantially the same manner as have been currently published, with possibly only some minor changes.
The position vis-à-vis the enforceability of the DPDPA does not change despite this publication. It remains very much a law in ‘suspended animation’ and not immediately enforceable. In fact, it is notable that even the proposed new DPDP Rules contemplate coming into effect in multiple phases, with a future date to be notified by the Government for the coming into force of the substantive provisions within them. It appears that only the provisions relating to the formation of the Data Protection Board of India (DPB) will become immediately effective once the final DPDP Rules are published after 18 February, and once the Government has had the opportunity to take stock of the feedback and objections from all stakeholders.
So what are key questions and issues relevant for your business?
1. Implementation Timelines – What should one expect?
As mentioned above, the DPDPA has not come into effect. The DPDP Rules are presently a mere draft that have been published to invite comment.
