Charmian Aw and Ciara O’Leary of Hogan Lovells write:
On 13 November 2025, India’s Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025 (the Rules), following a 10-month wait since the draft Rules were released on 3 January 2025. These Rules operationalize the Digital Personal Data Protection Act 2023 (DPDPA), India’s first comprehensive data protection law. The DPDPA was enacted by the Parliament of India in August 2023, but its application was clarified only after the publication of the draft Rules in January 2025, following an extensive drafting and consultation process.
The DPDPA replaces the previous Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000. However, the old regime will remain in force until the end of the phased implementation of the DPDPA, as outlined below.
Read more at Hogan Lovells.