Introduction
India is enhancing its data protection framework with the introduction of the Draft Digital Personal Data Protection Rules, 2025[i] (‘Draft Rules’). Issued by the Ministry of Electronics and Information Technology, these rules, framed under the Digital Personal Data Protection Act, 2023 (‘DPDPA’), aim to create a secure and transparent framework for handling personal information in a digital-first world.
The government has invited public comments on these Draft Rules until 18.02.2025 through the MyGov platform. While some provisions become enforceable immediately, others await further notifications. These rules are set to impact businesses, individuals, and government agencies alike. This article breaks down the Draft Rules in a practical, easy-to-understand manner, highlighting their potential real-life impact.
Scope & Applicability: Who Must Follow These Rules?
The Draft Rules apply to all entities handling personal data, including businesses (referred to as Data Fiduciaries), government departments, and individuals acting as Consent Managers. Imagine you run an e-commerce business. Customers who sign up on your platform provide their names, addresses, and payment details. Under these rules, your business is now responsible for informing consumers (Data Principals) about how their data will be used, obtaining their consent, and securing their data.
Data Fiduciaries are entities responsible for determining how personal data is processed, while Consent Managers assist in managing user consent. Data Principals are the individuals whose personal data is subject to processing.
Key Rules & What They Say
Notice & Informed Consent (R. 3): A core principle of the Draft Rules is that Data Fiduciaries must provide clear and easily understandable notices to users before collecting their personal data. These notices must include a comprehensive list of the personal data being collected, the purpose of data processing, and clear instructions on withdrawing consent or filing complaints, ensuring transparency and simplicity. When signing up for a social media account, users often click on a long ‘Terms and Conditions’ link without reading it. The Draft Rules require companies to make this information more accessible and easier to understand so users know exactly what they agree to.
Overseeing & Regulating Consent Managers (R. 4): Consent Managers are responsible for helping users manage their data-related permissions. They act as intermediaries between users and businesses, ensuring users can give, withdraw, or modify their consent easily. Imagine a health app that tracks your fitness activities. If you consent to share your data with a dietician, a Consent Manager platform will allow you to revoke that consent if you change your mind. R. 4 of the Draft Rules requires such Consent Managers to be registered with and operate under the oversight of the Data Protection Board (‘Board’), ensuring user data remains confidential.
Data Processing by the State & its Instrumentalities (R. 5): The government can process personal data without express consent to provide subsidies, benefits, services, or certificates. However, such processing must meet certain legal and policy requirements. For example, a government department issuing a driving license can process personal data like your name, address, and biometric details to verify your identity. However, it must ensure that this data is used only for the intended purpose and remains secure.
Preventing & Handling Data Breaches (R. 6 & 7): Data Fiduciaries must implement reasonable security safeguards to protect personal data from breaches. This includes encryption, access control, enabling detection of unauthorized access, and retaining data backups for one year. Consider an online payment app that stores your credit card information. To prevent hackers from accessing this sensitive data, the app must use security measures like encrypting the data and restricting access to authorized personnel only. In the event of a data breach, the Data Fiduciary must notify both the affected users and the Board within 72 hours. Under r. 7, in the event of a data breach, the Data Fiduciary must provide the Data Principal with details such as the nature, extent, timing, and location of the breach, its likely consequences, risk mitigation measures being taken, and the business contact information of a person who can respond to any queries from the Data Principal.
Data No Longer Serving its Intended Purpose (R. 8): Data Fiduciaries are obligated to delete personal data that no longer serves its intended purpose, after giving the Data Principals the prescribed 48 hours' notice. For instance, an e-commerce platform might store your order history. If you have not logged in for three years, they must inform you before deleting your data, allowing you to log in and save it if needed.
Contact Person for Data Queries (R. 9): This rule mandates that every Data Fiduciary must prominently publish the contact details of a person or Data Protection Officer who can address queries from Data Principals about processing their personal data. If a user has questions about how a mobile app uses their data, they should easily find the contact information of someone who can provide answers, either on the app or the company’s website.
Verifiable Consent for Children's Data (R. 10): Data Fiduciaries must obtain verifiable consent from a parent or legal guardian to process children's data. This rule also applies to individuals with disabilities who have a lawful guardian. For example, when creating a social media account for a minor, the platform must verify the identity of the parent providing consent, to ensure the child's data is processed legally. It is noteworthy that this rule includes illustrations to clarify how the Data Fiduciary will verify the parent's or guardian's identity.
Exemptions from Certain Obligations for Children’s Data (R. 11): Certain Data Fiduciaries, such as healthcare providers and educational institutions, are exempt from specific obligations under the DPDPA when processing children’s data, provided the processing is necessary for the child’s well-being. For instance, a school tracking attendance or health records can process this data without adhering to all obligations under the DPDPA as long as it is in the child’s best interest.
Additional Obligations for Significant Data Fiduciaries (R. 12): Significant Data Fiduciaries, such as large tech companies, have additional responsibilities under this rule. They must conduct regular Data Protection Impact Assessments and audits, submitting reports to the Board to ensure compliance with the law. They must also take measures to ensure that personal data of the kinds specified by the Central Government, based on a committee's recommendations, is processed in a manner that prevents its transfer outside India.
Rights of Data Principals (R. 13): This rule provides various rights to Data Principals, allowing users to request access to their data, ask for corrections or erasure, and nominate someone to manage their data in case of death. It also requires Data Fiduciaries and Consent Managers to establish a grievance redressal system to address the grievances of Data Principals and to ensure that the system is effective.
Cross-Border Data Transfers (R. 14): The Draft Rules impose restrictions on cross-border data transfers, allowing such transfers only under conditions specified by the Central Government in accordance with r. 14. For example, an Indian bank storing customer information on servers located abroad must ensure compliance with government regulations before transferring the data.
Government’s Power to Call for Information (R. 22): This rule grants the government the authority to request information from Data Fiduciaries or intermediaries for specific purposes. For instance, if there is a security threat, the government may ask a social media platform to share user data to prevent potential harm. However, the request must be made through authorized officers, and the Data Fiduciary must comply with legal procedures. The specific purposes for which the government can call for information are enumerated in the Seventh Schedule of the Draft Rules, including conducting assessments, performing legal functions, or fulfilling disclosure obligations under the law.
Mixed Industry Views on the Draft Rules
The Draft Rules have been met with cautious optimism from experts in the tech industry[ii]. However, concerns have been raised regarding ambiguities in certain provisions, particularly the extensive powers granted to the State and its instrumentalities under r. 5. Additionally, while r. 6 mandates security measures, it also includes provisions for creating data backups that must be retained by Data Fiduciaries for up to one year. Experts have observed that the Draft Rules lack specific exemptions for AI training and fail to outline detailed standards for implementing the required safeguards[iii]. Provisions under r. 12 empower the Central Government to specify the types of data that Significant Data Fiduciaries must localize within India’s borders. While this could enhance security for citizens, it may result in increased compliance and operational costs for businesses. While some of these concerns may be addressed during the public consultation process, others may remain unresolved.
Notably, the Draft Rules have paved the way for regulatory-tech startups to emerge as key players in managing compliance for businesses. Companies providing services such as consent management, encryption, and data lifecycle tracking are positioned to thrive in this evolving regulatory environment[iv]. While large corporations are expected to adapt to this compliance framework faster than their emerging contemporaries, there are concerns about how these rules will perform globally once fully implemented, especially since a major chunk of these rules (i.e., rules 3 to 15, 21, and 22) await notifications to come into effect[v].
For businesses looking to become Consent Managers under the Draft Rules, certain criteria, such as a minimum net worth of Rs. 2 crores, a reputation for fairness and integrity, and the requirement for independence to avoid conflicts of interest among senior management, have only been loosely mentioned without clarifying their scope or extent. Further gaps remain, including the lack of a definition or specific requirements for the impact assessment and audit to be conducted under r. 12 by Significant Data Fiduciaries[vi]. There is also ambiguity around how exactly Data Fiduciaries will verify the age of the Data Principal, given the failure to verify age through DigiLocker and Aadhaar. Additionally, there are concerns that the rules may discourage innovation by imposing an undefined compliance burden[vii].
Conclusion
The Draft Rules introduce stricter obligations on Data Fiduciaries to ensure transparency, accountability, and security in data handling. However, they also appear to grant more power to the State than to Data Principals, which is a matter of perspective. Objectively, the Draft Rules establish more specific consent requirements, a stronger focus on security measures, and new provisions for children’s data. However, the broader implications of these rules extend beyond mere compliance obligations.
There is less to criticize and more to welcome in the Draft Rules, as they potentially lay a strong foundation for safeguarding personal data in India. From a practical perspective, businesses must adapt their data practices to comply with these rules. For users, the rules provide greater control over their personal data. While the rules address various concerns, their successful implementation will depend on how effectively businesses adapt and how stringently the government enforces them.
For instance, the designated contact person for queries from Data Principals should be easily accessible and responsive, rather than merely assigning a landline number without adequate follow-up. If the government can effectively put the nots and the knots to work, the Draft Rules would truly deserve applause.
End Notes
[i] Issued vide Notification No. GSR 02(E) dated 03.01.2025, Gazette of India: Extraordinary.
[ii] Experts cautiously welcome Digital Personal Data Protection Rules, 2025, The Hindu, January 4, 2025.
[iii] Ibid.
[iv] DPDP Rules may Open New Biz Doors for Regulatory-tech Firms, Economic Times, January 6, 2025.
[v] Explanatory note to Digital Personal Data Protection Rules, 2025, available at: https://www.meity.gov.in/writereaddata/files/Explanatory-Note-DPDP-Rules-2025.pdf
[vi] The Long Road to Data Protection, Business Standard, January 6, 2025.
[vii] Ibid.
Authored by Srishty Jaura, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.