India has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, under the Digital Personal Data Protection Act, 2023, marking the operational start of its modern privacy regime. These rules establish a clear legal framework for how personal data must be collected, used and managed across India—covering consent, data-fiduciary responsibilities and the soon-to-be-set-up Data Protection Board of India. The significance isn’t just domestic; for global tech firms, it signals that India is aligning with evolving international norms around data governance.
One of the most notable features of the new rules is the tightening of consent requirements and purpose limitation: organisations must now clearly justify why personal data is collected and allow individuals to opt out when appropriate. There are also heightened safeguards around children’s data, mandates for verifiable parental consent, and provisions covering cross-border transfers. This suite of regulations has broad implications for companies with operations or user-bases in India, especially as AI and data-driven services expand.
Why is the discussion so intense now? Partly because India manages one of the largest digital populations in the world, and the scale of data generated here makes regulation more urgent. With the convergence of big data, AI, cloud and global tech flows, the new rules create both compliance imperatives and opportunities for innovation under a clearer legal framework. The timing — as AI systems increasingly use personal data — means that how India regulates data will influence not just local businesses but global AI supply chains.
At the same time, the rules are not without controversy. Industry stakeholders have flagged potential burdens—particularly for smaller firms or startups—as well as ambiguities around terms like “significant data fiduciary” or what constitutes “reasonable security practices.” In short: while the regulatory advance is widely welcomed, companies and policymakers alike must work through the details of implementation, enforcement and impact.
