On November 13, 2025, the Indian government notified sweeping new Digital Personal Data Protection Rules, 2025, ushering in a new era for privacy and data governance in the world’s largest democracy. The move, which formalizes the much-debated Digital Personal Data Protection Act, 2023, sets the stage for a phased rollout of obligations and rights, and immediately establishes the Data Protection Board of India in the National Capital Region.
The new rules, which came into force on Friday, November 14, 2025, are being touted by some as a landmark step toward safeguarding the personal data of nearly a billion online users in India. According to Reuters, these regulations require global technology giants such as Meta, Google, and OpenAI to minimize the collection of personal data, limit it to only what is necessary for specified purposes, and provide clear explanations to users about why their data is being collected. Additionally, companies must now allow users to opt out of data collection and inform them promptly if their information is involved in a data breach.
“This marks the most significant operational step in India’s new privacy regime since the DPDP Act 2023 came into force,” said Dhruv Garg of the Indian Governance and Policy Project research group, as reported by Reuters. The rules are widely seen as aligning India’s privacy framework with global standards such as the European Union’s General Data Protection Regulation (GDPR), even as the rapid adoption of artificial intelligence (AI) and digital services continues to reshape the country’s digital landscape.
However, civil society organizations and digital rights advocates have raised serious concerns about the new rules’ effectiveness and the balance of power they create. The Internet Freedom Foundation (IFF), a leading digital rights group in India, issued a detailed critique pointing out that the rules, while significant, have left key structural issues unaddressed. According to the IFF’s analysis published by CounterCurrents, the rule-making process lacked transparency and meaningful public consultation, despite detailed feedback from stakeholders emphasizing constitutional principles and user rights.
One of the most contentious aspects of the new framework is its staggered implementation. While certain sections of the DPDP Act—specifically, those relating to the Data Protection Board (sections 18–26) and ancillary provisions—come into effect immediately, the core data protection obligations and rights (sections 3–17) will only become effective eighteen months from the notification date. Similarly, the DPDP Rules, 2025, bring into force definitions and board-related provisions right away, with rules on consent managers applying after one year and the majority of operative provisions, including those governing notices, state processing, security, rights, cross-border transfers, and exemptions, delayed for eighteen months.
Rule 3 of the new rules mandates that notices to users be provided in “clear and plain language,” with an itemized description of the personal data being collected and the specific purposes for processing. Rule 14 sets a maximum ninety-day period for data fiduciaries—entities responsible for handling personal data—to address grievances from data principals, a move intended to streamline redressal. But critics argue that these measures, while positive, do not go far enough.
The IFF noted that the rules fail to require disclosure of categories of data recipients, specific retention periods, or safeguards for cross-border data transfers, perpetuating what they describe as “information asymmetry between individuals and large platforms.” This, they argue, undermines the principle of meaningful consent and leaves ordinary users without a truly rights-centered data protection framework.
Perhaps the most controversial provision is Rule 23, which grants the state broad, unchecked powers to demand personal data from data fiduciaries without user consent. The state can invoke reasons such as national security, sovereignty, or the integrity of India—terms that critics say are so vaguely defined they invite abuse. There is no requirement for judicial authorization or post-facto oversight, and data fiduciaries are explicitly prohibited from informing users when their data has been requisitioned for national security reasons. This “gag rule” on transparency, the IFF warns, could enable mass surveillance and privacy violations without any public knowledge or recourse.
Rule 8(3) further requires data fiduciaries to retain personal data, associated traffic data, and processing logs for at least one year after the purpose of processing has been achieved. For significant data fiduciaries, the retention period is extended to three years. According to the IFF, this inverts the internationally recognized data minimization principle and risks normalizing long-term behavioral logging by both state and private actors.
Another area of concern is the structure and independence of the newly established Data Protection Board of India. The board, which consists of four members and is based in the National Capital Region, is appointed and controlled by the executive branch. The IFF warns that this concentration of appointment powers “deepens executive control” and departs from global best practices, where data protection authorities are typically designed as independent regulators. Without sufficient autonomy or transparency—such as the requirement to publish decisions and annual reports—critics fear the board may be unable to act as an effective watchdog.
Rule 5 of the DPDP Rules, 2025, allows state applications for subsidies, benefits, services, certificates, licenses, and permits to be treated as requests to open or use a “user account,” with the details specified in the Second Schedule. The IFF cautions that this could expand centralized identifiers and data capture within India’s Digital Public Infrastructure (DPI), without sufficient necessity, proportionality, or parliamentary scrutiny.
Despite these criticisms, the government maintains that the rules represent a strong step toward protecting users in a rapidly digitizing economy. With India’s status as a major market for AI services like ChatGPT, Perplexity, and Google Gemini, the new rules are expected to have significant implications for global technology companies operating in the country. According to Reuters, India is also drafting additional regulations to increase compliance requirements for AI companies and social media firms, signaling a broader effort to regulate the digital ecosystem.
The IFF, for its part, has called for several key reforms to restore balance between privacy and transparency. These include amending the law to protect the right to information, introducing a journalistic purpose exemption, ensuring independent oversight of the Data Protection Board, and narrowing state exemptions and surveillance powers. “Blanket, secret data demands have no place in a rights-respecting democracy,” the IFF stated, urging the government to initiate surveillance law reform and bring intelligence gathering under checks and balances.
As India embarks on this new regulatory path, the tension between safeguarding privacy and enabling state access to data remains unresolved. The coming months—and the staggered implementation of the law’s core provisions—will be a crucial test of whether India can strike the right balance between digital innovation, user rights, and national interests.