The Government of India disclosed in Parliament that the proposed Digital Personal Data Protection (DPDP) Rules, 2025, designed to operationalize the DPDP Act of 2023, have received 6,915 stakeholder inputs from citizens, industry experts and civil society. The Act aims to strike a balance between individual data privacy and lawful data processing, and the draft rules have sparked considerable public engagement.

Introduced to Parliament in August 2023 and subsequently enacted, the DPDP Act marks India’s first legislative framework for digital personal data rights. It mandates data fiduciaries—entities that collect or process personal data—to implement reasonable safeguards and uphold individuals’ rights around consent, correction, and data breaches.

The government emphasized that public inputs are integral to shaping final legislation intended to foster transparent and accountable data handling. As Minister of State for Electronics & IT, Jitin Prasada, stated in the Rajya Sabha, the policies underpinning the DPDP framework “aim to ensure a safe, trusted, and accountable cyberspace for all users.”

Public awareness and capacity-building form key pillars alongside the legislative groundwork. To date, the Information Security Education and Awareness (ISEA) programme has conducted 3,637 workshops, reaching over 820,000 participants across government officials, law enforcement, students, and the public. Awareness campaigns such as Cyber Security Awareness Month and Safer Internet Day aim to instill cyber hygiene practices. India’s CyberShakti initiative, launched in October 2024, seeks to build a skilled women workforce in cybersecurity.

Supporting digital resilience structurally, the government continues to strengthen institutions such as CERT-In, NCIIPC, and the National Cyber Coordination Centre. CERT-In regularly issues cybersecurity advisories, while NCIIPC oversees security of critical information infrastructure. The Cyber Swachhta Kendra, a botnet cleaning and malware analysis center, provides tools and guidance to organisations and individuals.

The large volume of inputs—6,915 comments—reflects growing public consciousness and stakeholder interest in the data protection debate. Analysts observe, however, that broader outreach campaigns are needed, especially in regional languages, to ensure representation from rural and digitally excluded populations.

India’s data protection journey draws comparisons with global frameworks such as the EU’s GDPR. While GDPR governs both digital and offline personal data, the DPDP Act applies to digital data only. Nonetheless, both models share a focus on consent, rights to challenge data inaccuracies, and obligations on data processors. The Act also envisages the creation of a Data Protection Board of India—an adjudicatory body empowered to address complaints and breaches under Section 18 of the legislation.

As the government reviews the rules, key issues under discussion include data fiduciary responsibilities, cross-border data transfer protocols, grievance redressal mechanisms, and penalties for non-compliance. Experts suggest that industry will closely scrutinize provisions relating to data localization, anonymization mandates, and breach notification timelines.

The government’s inclusive approach—inviting thousands of public inputs and anchoring it alongside cyber awareness campaigns—demonstrates its ambition to create policy calibrated to India’s diverse digital demography. Final rules are expected to be notified once inputs are reviewed and incorporated into a refined framework.

In summary, the draft DPDP Rules, 2025 have attracted meaningful public participation with nearly 7,000 submissions, underlining citizen interest in digital privacy. Combined with capacity building, sector-specific training, and institutional strengthening, the government is edging closer to a robust, rights-based data protection architecture in India.