
India has formally adopted the Digital Personal Data Protection (DPDP) Rules, 2025, a comprehensive set of regulations implementing the Digital Personal Data Protection Act, 2023. The rules mark a significant transformation of India’s digital governance framework, establishing detailed procedures for consent, data retention, breach notification, children’s data protections, and the responsibilities of companies and government bodies.
The regulation reflects India’s ambition to balance individual privacy, digital innovation, national security, and state functionality. Compared to the EU’s GDPR, the Indian regime is more centralized, consent-driven, and prescriptive in several operational areas.
Clarity and Transparency Requirements
Every Data Fiduciary must give the Data Principal a standalone notice explaining which personal data will be processed, for what specified purpose, and through which channels the individual may withdraw consent, exercise their rights, and complain to the Data Protection Board. The notice must be written in clear and plain language and must be understandable on its own, independent of any contractual or promotional content it is served alongside [India-Privacy-Rules-2025].
Consent and Special Protections for Children
A central feature of the DPDP 2025 framework is verifiable parental consent. Before processing the personal data of a child (anyone under 18), a Data Fiduciary must obtain the consent of a parent or lawful guardian and must verify that the consenting person is an identifiable adult, either through reliable identity and age details already held or voluntarily provided, or through a virtual token mapped to such details and issued by an entity entrusted by law or the Government (for example a Digital Locker service). The same consent-of-guardian requirement applies to persons with disabilities who have a lawful guardian [India-Privacy-Rules-2025].
These requirements place India’s rules among the strictest in the world for children’s data.
Data Retention and Erasure
The rules set explicit timelines. Large platforms listed in the Third Schedule (e-commerce, online gaming, and social media intermediaries above specified registered-user thresholds, in the tens of millions for most categories) must erase a user’s personal data three years after the user last interacted with the service or exercised their rights, unless a law requires longer retention, and must notify the user at least 48 hours before the erasure takes effect [India-Privacy-Rules-2025]. In addition, every Data Fiduciary must retain the personal data, associated traffic data, and processing logs needed to demonstrate compliance for at least one year before they may be erased [India-Privacy-Rules-2025].
Breach Notification Obligations
On becoming aware of a personal data breach, a Data Fiduciary must inform every affected Data Principal without delay, describing the nature, extent, and timing of the breach, the likely consequences for the individual, the mitigation measures being taken, and the safety measures the individual can take. It must also notify the Data Protection Board without delay, followed by a detailed report within 72 hours (or a longer period if the Board allows it) covering the facts, the circumstances and cause of the breach, the remedial measures, and confirmation that affected individuals were notified [India-Privacy-Rules-2025].
Significant Data Fiduciaries (SDFs)
Entities that process large volumes or sensitive categories of personal data, or whose processing poses a higher risk to individuals or the State, may be designated by the Central Government as Significant Data Fiduciaries. An SDF must carry out a Data Protection Impact Assessment and an audit at least once every twelve months and report the findings to the Data Protection Board, and must verify that the algorithmic software it deploys to process personal data is not likely to put Data Principals’ rights at risk.
International Data Transfers
The DPDP framework allows data transfers outside India but only under government-defined conditions. The Central Government may impose restrictions or specify the requirements for making personal data available to foreign states or entities.
Research and State Exemptions
Processing carried out for research, archiving, or statistical purposes is exempt from most obligations, provided it is not used to take decisions specific to a Data Principal and meets the standards laid down in the Second Schedule. The State also retains broad authority to process personal data for sovereignty, national security, public order, and legal-compliance purposes [India-Privacy-Rules-2025].
Key Differences Between EU GDPR and India DPDP 2025
| Category | EU GDPR | India DPDP 2025 |
|---|---|---|
| Legal Basis for Processing | Six legal grounds: consent, contract, legal obligation, vital interests, public task, legitimate interest | Consent, or one of the enumerated “certain legitimate uses” (e.g., voluntary provision, State functions, legal obligations, medical emergencies, employment). No open-ended “legitimate interest” balancing test. |
| Individual Rights | Extensive: access, rectification, erasure, restriction, objection, portability, rights regarding automated decision-making | Narrower: access, correction/completion/updating, erasure, grievance redressal, nomination. No right to object and no data portability. |
| Children’s Data | General protections; digital consent age between 13 and 16 depending on Member State | Child means under 18; verifiable parental or guardian consent with identity and age validation; additional restrictions on tracking, behavioural monitoring, and targeted advertising. |
| Risk-Based Approach | DPIAs and DPOs required wherever risk criteria are met | DPIA, annual audit, and algorithm review required only for Significant Data Fiduciaries (designated large or high-risk entities). |
| International Transfers | Adequacy decisions, SCCs, BCRs, and other safeguards | Permitted unless restricted by the Central Government, which may impose conditions on making data available to foreign states or entities; centralized state control. |
| Data Retention | No fixed timelines; keep data “no longer than necessary” | Mandatory timelines for listed large platforms (erasure after three years of inactivity, with 48-hour prior notice); minimum one-year retention of processing logs for all Data Fiduciaries. |
| Enforcement Structure | Independent supervisory authority in each EU Member State | Single Data Protection Board of India, with members appointed by the Central Government. |
| Fines | Up to 20M EUR or 4% of global annual turnover, whichever is higher | Capped per violation category by the Act’s Schedule, up to ₹250 crore (e.g., for failing to implement reasonable security safeguards). |
Summary by DigitalTrade4.EU
