Operationalising Digital Privacy: Analyzing India’s DPDP Rules, 2025

Tushar Soni, Himachal Pradesh National Law University, Shimla

Introduction

On 14-15 November, The Ministry of Electronics and Information Technology (MeitY) has officially notified the Digital Protection Data Protection (DPDP) Rules, 2025, making the DPDP Act 2023, more authoritative. This move will offer the Indian users high-level privacy promises which will eventually be practical to them also.

What’s special in this move is that the Indian Government didn’t rush in implementing these rules instead many obligations has been placed before the companies in over 12-18 months, giving them sufficient time to adopt these rules. Experts appreciate this movement citing it a thoughtful and measured, not a harsh or restrained step.

Why The Delay Was Worth It?

Two years ago, Parliament passed the DPDP Act. But until now, much of the law remained aspirational:powerful on paper but lacking a robust mechanism for enforcement. The newly implemented rules hopes to fill the gaps and and give clarity on how the data of the users is collected, protected and deleted.

IT firms, startups, and civil society have welcomed the development, and this will eventually lead to smooth implementation of the act . As MeitY itself put it, the Rules are designed to be “citizen‐friendly and innovation‐friendly”, using simple language and a “SARAL” (Simple, Accessible, Rational, Actionable) design. This step will eventually mark shift from opaque to transparent and accessible regulations.