Privacy & Information Security Law Blog

Nishith Desai Associates reports that on November 13, 2025, India’s Ministry of Electronics and Information Technology enacted India’s Digital Personal Data Protection Rules, 2025 (the “Data Protection Rules”), which operationalize India’s Digital Personal Data Protection Act, 2023 (the “Data Protection Act”). The Data Protection Rules address key aspects of the Data Protection Act, including transparency, consent and registration requirements; data breach notification obligations; data subject rights; and details regarding the Data Protection Board of India.

Key provisions of the Data Protection Rules include:

• Applicability: The Data Protection Rules specify that the Data Protection Act applies to the processing of digital personal data in India, whether collected in digital form or in a non-digitized format and subsequently digitized.  
• Extraterritorial Application: The Data Protection Act has extraterritorial application, and applies to the processing of personal data outside of India (irrespective of the location of the processing entity) if such processing is in connection with the offering of goods or services to data subjects located in India.
• Consent Managers: The Data Protection Act has a single point of contact for the giving, management, and withdrawal of consent to the processing of personal data.   
• Phased Implementation: The Data Protection Rules will go into effect in phases, as follows:

• Immediate Effect: Definitions and constitution of the Data Protection Board.
• 1 Year: Registration and obligations of consent managers.
• 18 Months: Transparency and notice obligations, rights of individuals, data breach notification requirements, and repeal of former IT Act rules.

• Penalties: A breach of the Data Protection Rules can result in penalties of up to approximately $30 million. 

For a complete discussion, see A New Dawn: India’s New Data Protection Regime Finally Takes Flight.