Digital Personal Data Protection Rules 2025: Cyberlaw expert Pavan Duggal breaks down India’s new data privacy framework
Digital Personal Data Protection Rules 2025: Advocate Duggal said that the personal data protection law is one of the unique legislations in Indian history, providing for unprecedented statutory fines of Rs. 250 crore per contravention.
Advocate Duggal said that tech giants like Google and Meta will now have to spend more on proactive compliance so that they can protect themselves from exposure to statutory fines.
Digital Personal Data Protection Rules 2025 Explained: The central government recently notified the Digital Personal Data Protection Rules, 2025. This marks a crucial step in India’s journey toward enforcing its data protection regime. These rules operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act).
To gain insights into the practical implementation of the newly notified rules, The Indian Express spoke to cyberlaw expert Advocate Pavan Duggal, who specialises in the field of Cyberlaw and Artificial Intelligence Law.
With the rules being notified, what are the key provisions of the new data protection law coming into force immediately and how much time will it take for complete implementation?
Duggal: Well, this is one of the legislations where the parliament has given power to the government to come up with different operational timelines for different sections. So, this legislation (the DPDP Act) does not come into force immediately for all the sections.
Some sections come into force immediately. These are sections pertaining to appointment of the data protection board, so that the government can actually start the process for appointing the data protection board and its chairperson and members. But most of the other provisions, whether it is for consent or whether it is for notice, will come in after one year of the date of notification.
So, that is going to come up by the middle of November 2026. For some provisions, 18 months has been given. So, basically, it is a tiered approach.
The ultimate idea is the government wants the ecosystem to be more secure, more robust. The stakeholders need to have appropriate mechanisms and time for going ahead and preparing for the same. Why? Because this is one of the unique legislations in Indian history where we have been providing with unprecedented statutory fines of Rs. 250 crore per one contravention, which effectively means that you contravene this law and you get to pay Rs. 250 crore rupees not to any individual complainant, but to the government.
The personal data protection legislation provides that a significant data fiduciary shall ensure that personal data is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India. So, how will the government ensure that the personal data is not transferred outside India?
Duggal: Well, it is very clear that the government has to set up the guidelines on how the restrictions have to work. They will be notified by the government from time to time in the next one year, because this comes into effect only from next year, November. So, the government will be coming up with notifications in that regard.
What are the biggest compliance related challenges organisations might face under these rules?
Duggal: I think the biggest compliance challenge will be in terms of mindset for proactive compliance. Most of the companies in India do not really focus on proactive compliance. They are more focused on reactive approaches, thinking that, look, we will cross the bridge. In India, we have this wonderful concept of the Indian jugaad school of management. I don’t think that we will be able to do any Jugaad.
Why? Because this is a proactive compliance mindset issue which is required to be put in. The reason for this is very simple. You don’t practically comply and you could potentially be paying Rs. 250 crore.
What is going to be the impact of the new laws on tech giants such as Meta, Google, etc.?
Duggal: Well, this new law will apply to every company, but for big companies, they will become a significant data fiduciary because they are dealing with a much bigger quantum of personal data. They are required to do additional compliance under the provisions of the DPDP Act.
So, they will now have to spend more on proactive compliance so that they can try to protect themselves from exposure to statutory fines. In any case, it’s going to be far cheaper to spend on compliance than to pay for a statutory fine of Rs. 250 crores.
If there is a personal data breach, what should a data fiduciary do and who must they inform?
Duggal: In case of a personal data breach, a data fiduciary will have to take two steps. Firstly, in the first six hours, it will have to report it to the nodal agency on cybersecurity in the computer emergency response team. In addition, it will also be required to report in detail to the Data Protection Board of India within 22 hours of the report.
In addition, it will also be nice if they can also notify the concerned data principals that their data has been compromised. The only problem is that the government is yet to specify the mechanism on how the data principals have to be notified about such data breach.
If a person’s data is leaked or misused due to a breach, how can they be compensated for the breach?
Duggal: A person who loses his data gets nothing under the DPDP Act. Actually, the DPDP Act is a very unfair act. It does not give any remedy to the data principals. They do not get anything. It’s the government who gets everything in the form of a statutory fine. The law is more unfair to the data principal.
Ashish Shaji is working as the Senior Sub-Editor at the Indian Express. He specializes in legal news, with a keen focus on developments from the courts. A law graduate, Ashish brings a strong legal background to his reporting, offering readers in-depth coverage and analysis of key legal issues and judicial decisions. In the past Ashish has contributed his valuable expertise with organisations like Lawsikho, Verdictum and Enterslice.