Rules Expand India's Data Privacy Law, but Slowly

<p>India’s Digital Personal Data Protection Act, 2023 is a step closer to being in force with the Ministry of Electronics and Information Technology (MEITY) making the Digital Personal Data Protection Rules, 2025 in November 2025. There are still more rules and other forms of delegated legislation to be made, and appointments made to the Data Protection Board of India, but the making these Rules in 2025 completes most of the missing details, enabling the Act to come into force in mid-2027.</p>
<p>This article analyses how the Rules complete the Act in respect of the following: </p>
<p>- The Data Protection Board of India, its structure, procedures, and operation as a ‘digital office’.</p>
<p>- Appeals against the Board’s decisions.</p>
<p>- Obligations of data fiduciaries (controllers and processors), including reduced obligations for government processing of benefits; data breaches (safeguards and notifications); categories for deletion of data; and additional obligations of significant data fiduciaries (SDFs).</p>
<p>- Data transfers.</p>
<p>- Consent managers.</p>
<p>- Exercise of rights of data principals (data subjects) and their representatives.</p>
<p>The conclusion is that the rules are reasonably even-handed between principals and fiduciaries, even though the Act favours business and government.</p>