India’s Digital Personal Data Protection Rules Notified, Law Now Operational

India has officially operationalised its first comprehensive digital privacy law with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025, under the DPDP Act, 2023. On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) issued the rules, which is a big step for India to protect people's personal data in the digital world. 

The rules provide the implementation framework for the DPDP Act, detailing how personal data must be collected, processed, stored, and erased by entities known as Data Fiduciaries. The law applies to both Indian and foreign entities that process data within India.  

Key provisions include: 

• Consent-based data processing (Rule 3): Data fiduciaries must obtain clear, informed consent from individuals (termed “data principals”) before collecting or using their personal data. 

  
  

• Data retention and erasure (Rule 8): Entities listed in the Third Schedule, such as large e-commerce and social media, must delete personal data of inactive users after three years, unless retention is required for legal or regulatory reasons. 

  
  

• Children’s data protection (Rule 10): A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child.  

  
  

• Significant Data Fiduciary Obligations (Rule 13): Data Fiduciaries are required to conduct a Data Protection Impact Assessment and audit annually, submit key findings to the Data Protection Board, and ensure that their technical and algorithmic systems do not infringe upon the rights of Data Principals.  

  
  

• Rights of Data Principals (Rule 14): Data Fiduciaries and Consent Managers must clearly publish how Data Principals can exercise their rights, including identifiers needed for verification. They must resolve grievances within 90 days and allow individuals to nominate others to act on their behalf.  

  
  

• Appeals to Appellate Tribunal (Rule 22): Aggrieved parties may file digital appeals, with fees aligned to the Telecom Regulatory Authority of India Act. The Tribunal operates as a digital office and may conduct techno-legal hearings without physical presence. 

  
  

The rules also outline how government departments may process personal data. While they are exempt from certain consent requirements under Section 7 of the Act, they must still adhere to purpose limitation, data minimisation, and security safeguards. The government is required to publish data processing notices explaining how and why personal data is collected, especially in welfare schemes and public services. 

Implementation will be phased over 18 months, allowing organisations time to build compliance infrastructure. Immediate obligations include consent management and grievance handling, while more complex requirements like data audits and cross-border transfer protocols will be enforced later. The rules also clarify penalties for non-compliance, ranging from ₹50 crore to ₹250 crore depending on the nature and severity of the violation. Privacy experts have welcomed the rules as a step toward accountable data governance. 

📰 Mini Headlines 

• Illuminate Education to Pay $5.1M Under Student Privacy Law for 2021 Data Breach 

Illuminate Education will pay $5.1 million to settle claims under the Student Online Personal Information Protection Act (SOPIPA) following a 2021 data breach that exposed sensitive student records across multiple U.S. school districts. The breach compromised the names, grades, attendance, and other personal data of millions of students. Regulators found that Illuminate failed to implement adequate security safeguards and violated SOPIPA’s restrictions on unauthorised data use. As part of the settlement, the company must enhance cybersecurity protocols, undergo independent audits, and ensure compliance with California’s education privacy standards. 

Data Breach  

Read More →   https://www.mlex.com/mlex/articles/2408666/illuminate-to-pay-5-1m-for-2021-us-data-breach-under-new-education-privacy-laws 

• EU Plans to Ease Data Rules to Accelerate AI Innovation 

The European Union is preparing to relax certain data protection requirements under the General Data Protection Regulation (GDPR) to foster AI development. Proposed changes aim to simplify data access for AI training, reduce compliance burdens for startups, and clarify lawful bases for processing large datasets. Officials stress that core privacy rights will remain intact, but flexibility is needed to compete globally in AI innovation. The move aligns with the EU’s broader digital strategy and complements the forthcoming AI Act.  

AI Development 

Read More →   https://siliconangle.com/2025/11/10/eu-set-relax-data-protection-rules-boost-ai-growth/ 

• Microsoft 365 Copilot to Localise Indian Data for Safer AI by 2025 

  
  

  Microsoft has announced that its AI-powered productivity assistant, Microsoft 365 Copilot, will store and process all Indian user data locally by 2025. The step aligns with India’s Digital Personal Data Protection Act and aims to enhance data security, reduce latency, and ensure regulatory compliance. By localising data, Microsoft promises faster AI responses and greater control for enterprise customers. The initiative reflects growing demand for sovereign cloud solutions and responsible AI deployment in India’s digital ecosystem.  

Data Localisation  

Read More →      https://www.analyticsinsight.net/news/microsoft-365-copilot-to-keep-all-indian-data-local-promising-faster-and-safer-ai-by-2025  

• California Proposes Expanded Protections for Data Privacy Whistleblowers 

The California Privacy Protection Agency (CPPA) has advanced a legislative proposal to strengthen protections for whistleblowers who report violations of the California Consumer Privacy Act (CCPA). The proposal includes anti-retaliation safeguards for employees, contractors, and job applicants who disclose non-compliance, and introduces financial incentives for whistleblowers whose reports lead to enforcement actions. The aim of CPPA is to encourage internal disclosures and improve regulatory oversight of data misuse. The proposal will be considered in the 2026 legislative session. 

California Consumer Privacy Act  

Read More →      https://therecord.media/california-data-privacy-agency-whistleblower-protections-proposal