India Notifies Rules for Digital Privacy Law

Why in News?

The Centre has notified the Digital Personal Data Protection (DPDP) Rules, 2025, operationalising India’s first data privacy law, two years after the DPDP Act received Presidential assent. However, several major citizen safeguards will take 12–18 months to become fully enforceable, reflecting a flexible approach to implementation.

Key Provisions Notified Under DPDP Rules:

  • The government has operationalised the Data Protection Board of India (DPB), which will act as the adjudicatory body for violations and compliance under the DPDP Act.
  • Major protections—such as informed consent, purpose limitation, and mandatory data breach notifications—will become effective only after 18 months, allowing for a flexible transition period.
  • Companies are required to inform users without delay about any data breach, including details of its nature, extent, potential risks, and mitigation measures.
  • Penalties for failing to implement adequate safeguards may go up to ₹250 crore.
  • The rules avoid prescribing any uniform mechanism for taking consent; instead, they allow flexibility, following concerns raised by social media companies.
  • Behavioral tracking and targeted ads for children are restricted, with limited exceptions to ensure safety.
  • The controversial amendment limiting disclosure of personal information of public officials under the RTI Act has also been notified, balancing transparency with privacy concerns.

Implications for Industry and Government

  • The rules tighten oversight on Significant Data Fiduciaries (SDFs), which will include large tech firms such as Meta, Google, Apple, Microsoft, and Amazon.
  • Classification as SDFs will depend on the volume, sensitivity, and potential national security impact of the data they process.
  • A major provision restricts transfer of certain categories of personal data outside India, effectively creating a form of data localisation, expected to face pushback from global tech companies.
  • A government committee will determine what types of data SDFs may process within India and under what conditions.
  • Industry bodies like NASSCOM and DSCI have urged the government to adopt internationally interoperable mechanisms for cross-border data flows.
  • Critics argue that the Act provides wide exemptions to government agencies on grounds such as national security, public order, and foreign relations, reducing accountability.
  • Civil society and even NITI Aayog have raised concerns about dilution of the Right to Information (RTI) through expanded privacy exemptions.

Understanding the DPDP Act:

● The DPDP Act recognises privacy as a fundamental right (as affirmed in the Puttaswamy judgment, 2017).
● A Data Fiduciary is any entity that determines the purpose and means of processing personal data.
● Consent must be informed, specific, and revocable.
● Data Principal refers to the individual to whom the personal data relates.
● The Data Protection Board ensures grievance redressal, imposes penalties, and monitors compliance.
● The Act applies to both online and certain offline data once digitised.
● Key principles include purpose limitation, storage limitation, data minimisation, and security safeguards.