Draft Digital Personal Data Protection Rules, 2025
A long-anticipated draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) was released by the Central Government (“Government”) on January 3, 2025 for public consultation and comments, along with an explanatory note on the contents of the Draft Rules. Once brought into effect, these rules will enable implementation of the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or the “Act”), which was published in the Official Gazette on August 11, 2023 but is not yet in force. The consultation process on the Draft Rules will continue until February 18, 2025. The rules under the DPDP Act are proposed to be brought into effect in a staggered manner.
To recap, the DPDP Act lays down the law for processing of digital personal data (any data in digital form about an individual who is identifiable by or in relation to such data) in a manner that recognizes both the right of individuals to protect their personal data and the need to process such data for lawful purposes and for connected or incidental matters. For an overview of the provisions of the DPDP Act, please see our earlier notes on the Act.
Certain key aspects introduced or further clarified under the Draft Rules are discussed below:
CONSENT NOTICE
The Act requires a consent notice to be given by a data fiduciary (i.e., a person who determines the purpose and means of processing personal data, including in conjunction with other persons) to a data principal (i.e., the individual to whom the personal data relates or the parent/ guardian of such individual, if applicable) along with, or prior to, a request for consent for the purpose of processing the latter’s personal data.
Additional requirements relating to the contents/ nature of such notice have been specified in the Draft Rules, including a mandate that such notice should:
1. be understandable, independent of any other information which has been, is, or may be, made available by a data fiduciary;
2. provide a fair account of the details necessary to enable the data principal to give specific and informed consent for the processing of their personal data, in clear and plain language, including at the very least:
a. an itemized description of such personal data; and
b. a description of the specific purposes of processing, along with an itemized description of the goods/services to be provided, or uses to be enabled, by such processing.
3. contain the particular communication link for accessing the website or app, or both, of such data fiduciary, and a description of other means, if any, using which a data principal may:
a. exercise their rights under the Act (including the right to withdraw consent); and
b. make a complaint to the Data Protection Board of India (“DPBI”).
The requirement to provide an itemized description of personal data and a description of specific purposes, along with an itemized description of the goods/services to be provided or uses to be enabled by the data fiduciary, may be a cumbersome task and would likely require organizations processing personal data to revisit their consent/privacy notices. Similarly, the requirement for a consent notice that is “independent” of any other information may require organizations to ensure that all details necessary to facilitate “informed consent” are set out in the consent notice itself (rather than through links to another document or a privacy policy). The Draft Rules do not clarify whether the prescribed notice-related requirements would also apply to the notices required to be issued under the Act in respect of personal data for which a data principal gave consent before the Act comes into effect.
REASONABLE SECURITY SAFEGUARDS
Under the Act, a data fiduciary is required to protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent personal data breach. Importantly, a breach of this obligation may involve a penalty which may extend to INR 2.5 billion.
The Draft Rules specify certain minimum reasonable security safeguards which should be implemented by a data fiduciary (and, in turn, by its data processors). The specifications in the Draft Rules are for the most part generic rather than specific (unlike the current rules on sensitive personal data, which prescribe/recommend specific security and certification standards), and this introduces some subjectivity into determining the adequacy of the security safeguards implemented by a data fiduciary. Further, it is proposed that the prescribed security safeguards (including access controls, maintenance of logs, and incident detection, investigation and remediation) would apply to all categories of data fiduciaries, irrespective of the nature of their business and/or the volume and sensitivity of the personal data being processed by them. Implementation of these requirements may therefore be onerous for smaller businesses.
TIME PERIOD RESTRICTIONS FOR STORAGE OF DATA
The Draft Rules prescribe retention periods for different classes of data fiduciaries which include e-commerce entities, social media intermediaries and online gaming intermediaries with specified number of registered users in India.
As per the Draft Rules, the personal data processed by these specified data fiduciaries must be erased, unless retention is required for legal compliance, if (a) the processing is being undertaken for a purpose other than enabling the data principal to access their account or to access a virtual token issued by or on behalf of the data fiduciary which can be redeemed for money, goods or services, and (b) the data principal does not engage with the data fiduciary within the prescribed timelines.
Such prescribed timelines will be calculated from the date on which the data principal “last approached the data fiduciary for performance of the specified purpose” or commencement of the DPDP Act, whichever is later. The determination of when each user “last approached the data fiduciary” may be ambiguous and also require certain processes and tools, such as timestamping.
Further, the data fiduciary must inform the data principal at least 48 hours before completion of the time period for erasure of personal data. Organizations may find this to be a cumbersome process and would need to build adequate technical tooling to comply with this requirement.
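The retention mechanics described above (a window that runs from the later of the “last approached” date and the Act’s commencement, a carve-out for account-access and virtual-token processing, a legal-compliance exception, and a notice at least 48 hours before erasure) translate into a scheduler that any such data fiduciary will need. The following is an added illustration written for this note; it is not code from the Draft Rules or from any vendor. The commencement date and the length of the retention window are placeholders (the Draft Rules prescribe the actual period for each class of data fiduciary), and the sample records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable

# ASSUMPTIONS (placeholders, not values taken from the Draft Rules):
# substitute the notified commencement date and the prescribed period.
ACT_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)
RETENTION_WINDOW = timedelta(days=365)
# From the Draft Rules: the data principal must be informed at least 48 hours
# before the erasure deadline.
NOTICE_LEAD = timedelta(hours=48)


class Purpose(Enum):
    ACCOUNT_ACCESS = "account_access"  # carved out of the erasure timeline
    VIRTUAL_TOKEN = "virtual_token"    # carved out of the erasure timeline
    OTHER = "other"                    # subject to the erasure timeline


@dataclass(frozen=True)
class Record:
    principal_id: str
    purpose: Purpose
    last_approach: datetime   # timestamp of the principal's last engagement for this purpose
    legal_hold: bool = False  # retention required for legal compliance


def retention_start(rec: Record) -> datetime:
    """The window runs from 'last approached' or Act commencement, whichever is later."""
    return max(rec.last_approach, ACT_COMMENCEMENT)


def erasure_deadline(rec: Record, window: timedelta = RETENTION_WINDOW) -> datetime:
    return retention_start(rec) + window


def notice_deadline(rec: Record, window: timedelta = RETENTION_WINDOW) -> datetime:
    """Latest moment at which the pre-erasure notice must have gone out."""
    return erasure_deadline(rec, window) - NOTICE_LEAD


def record_engagement(rec: Record, at: datetime) -> Record:
    """Timestamp a fresh engagement; this restarts the retention window.

    Timestamps must be monotonic per record, so a clock that went backwards
    (or a replayed event) is rejected rather than silently shortening the window.
    """
    if at < rec.last_approach:
        raise ValueError("engagement timestamp precedes the recorded last approach")
    return replace(rec, last_approach=at)


def evaluate(rec: Record, now: datetime, window: timedelta = RETENTION_WINDOW) -> str:
    """Return the action due for one record: exempt, retain, notify or erase."""
    if rec.purpose in (Purpose.ACCOUNT_ACCESS, Purpose.VIRTUAL_TOKEN):
        return "exempt"        # outside the erasure timeline altogether
    if rec.legal_hold:
        return "retain"        # legal-compliance exception to erasure
    if now >= erasure_deadline(rec, window):
        return "erase"
    if now >= notice_deadline(rec, window):
        return "notify"        # inside the 48-hour notice window
    return "retain"


def run_sweep(records: Iterable[Record], now: datetime,
              window: timedelta = RETENTION_WINDOW) -> dict[str, str]:
    """Batch evaluation, e.g. from a daily scheduled job."""
    return {r.principal_id: evaluate(r, now, window) for r in records}


# Constructed sample records (not real data).
UTC = timezone.utc
SAMPLE_RECORDS = [
    # Pre-Act engagement: the window starts at commencement, not at last_approach.
    Record("p1", Purpose.OTHER, datetime(2024, 6, 1, tzinfo=UTC)),
    Record("p2", Purpose.OTHER, datetime(2025, 3, 1, tzinfo=UTC)),
    Record("p3", Purpose.ACCOUNT_ACCESS, datetime(2024, 1, 1, tzinfo=UTC)),
    Record("p4", Purpose.OTHER, datetime(2024, 1, 1, tzinfo=UTC), legal_hold=True),
]

if __name__ == "__main__":
    for check_time in (datetime(2025, 12, 31, 12, tzinfo=UTC),
                       datetime(2026, 1, 1, tzinfo=UTC)):
        print(check_time.isoformat(), run_sweep(SAMPLE_RECORDS, check_time))
```

The sweep is idempotent, so it can be re-run safely, and the “notify” state is reached strictly before “erase”, which is what gives the data principal the 48-hour opportunity to re-engage; a fresh engagement recorded through `record_engagement` moves the deadline forward. Whether a particular interaction counts as “approaching the data fiduciary for performance of the specified purpose” remains a legal question that the code cannot settle.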
REPORTING OF PERSONAL DATA BREACHES
The Act requires that, upon occurrence of any personal data breach, a data fiduciary notify the DPBI and each affected data principal in the manner prescribed under the rules. The Draft Rules do not prescribe any specific timeline for the initial breach notification and state only that it should be made without delay. This leaves room for some ambiguity, although a strict reading of the provision would mean that data principals need to be notified of a data breach almost immediately, which may be a practical challenge. An additional update is required to be provided to the DPBI within 72 hours of the breach. A breach of these obligations may attract a penalty of up to INR 2 billion.
Additional requirements relating to the details to be provided in the breach notice to the data principal and the DPBI have been prescribed in the Draft Rules, including with respect to: description of the breach (nature, extent and timing); consequences of the breach; and the risk mitigation measures implemented. The additional update to the DPBI is required to include findings regarding the person who may have caused the breach, remedial measures taken to prevent recurrence, and a report regarding notices provided to the affected data principals.
As drafted, the above notification obligations apply to all personal data breaches, irrespective of the nature, gravity or materiality of the breach; they arguably extend even to an isolated instance of unauthorized processing or accidental disclosure of personal data. Further, the mode of reporting to the DPBI is not specified; presumably, the DPBI would enable an online reporting mechanism for this purpose.
SIGNIFICANT DATA FIDUCIARIES
The Act introduces the concept of “significant data fiduciaries” to whom additional obligations are applicable (including conducting periodic Data Protection Impact Assessments (“DPIA”)). Such entities are expected to be notified by the Government based on the factors outlined in the Act.
The Draft Rules specify the obligations applicable to significant data fiduciaries, which include: (a) ensuring submission of the results of the DPIA to the DPBI once in every period of 12 months; (b) verifying by way of due diligence, that any algorithmic software deployed by it inter alia for storage, hosting, uploading, transfer or modification of the personal data being processed “is not likely to” pose a risk to the rights of data principals; and (c) ensuring certain types of personal data remains in India and implementing measures to adhere to any specific cross border transfer restrictions prescribed by the Government.
The Draft Rules impose significantly higher compliance requirements on significant data fiduciaries. Compliance with the restriction on cross-border transfer of certain categories of personal data may create operational and administrative burdens, with significant cost implications for large organizations that currently process data outside India.
Recent statements made by the Union Minister for Electronics & Information Technology (“MeitY Minister”) suggest that the Government is likely to engage external experts to draw up a list of “prohibited sectors” and hold consultations with the IT industry prior to imposing such restrictions on cross border transfers.
CROSS-BORDER DATA TRANSFERS
The Act already made clear that the Government may restrict the transfer of personal data to certain jurisdictions. The Draft Rules provide additional clarity in this regard, including by specifying that the Government may introduce restrictions (by way of a general or special order) on transferring/disclosing personal data to a foreign state or to any entity controlled by such a foreign state.
VERIFIABLE CONSENT
The Act requires a data fiduciary to obtain verifiable consent of the parent or lawful guardian of a child and/or a person with disability who has a lawful guardian, prior to processing any personal data relating to such data principals, in a manner prescribed under the rules. The Draft Rules prescribe the following requirements in this regard:
Children
A data fiduciary is required to adopt appropriate technical and organizational measures to ensure that a verifiable parental consent is obtained before processing a child’s personal data. They are also required to undertake due diligence to check that an individual identifying themselves as the parent of a child is an adult who is identifiable with reference to “reliable” details of identity and age available with the data fiduciary; or voluntarily provided details of identity and age, or a virtual token issued by an appropriate authority such as those made available by an authorized digital locker service provider.
The Draft Rules provide exceptions to the above requirement to obtain verifiable parental consent, as well as on the prohibition on tracking, behavioral monitoring and targeted advertising with respect to children. Currently, there is insufficient clarity on the implications/ responsibilities of the data fiduciary in a situation where an individual under 18 years does not identify herself as a child.
In addition, statements made to the media by the MeitY Minister indicate that the existing digital architecture created by the Government (including use of virtual tokens) should assist with the implementation of this requirement and that the Government may further update the Draft Rules to employ technological measures to safeguard children’s data.
Persons with disability
While obtaining verifiable consent from a lawful guardian prior to processing personal data relating to a person with disability (where applicable), the data fiduciary is required to observe due diligence to confirm that the individual(s) identifying themselves as the lawful guardian have been appointed by a court of law or the designated authority in accordance with the applicable guardianship law.
CONSENT MANAGERS
The Act defines ‘Consent Managers’ as persons registered with the DPBI who act as single points of contact to enable data principals to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform, and further provides that Consent Managers will be subject to such obligations and technical, operational, financial and other conditions, as prescribed under the rules. The Draft Rules accordingly deal with such conditions for the registration and obligations of Consent Managers.
Eligibility conditions for registration as a Consent Manager inter alia include a minimum net worth of INR 20 million and fulfillment of specified independent certification requirements relating to its interoperable platform and technical and organizational measures. Further, the charter documents of the Consent Manager must contain provisions to avoid conflicts of interest with data fiduciaries, including in respect of their promoters and key managerial personnel. Certain eligibility conditions prescribed in the Draft Rules appear to be subjective and may need additional clarity.
CONCLUSION
While further clarity is required on various aspects of the DPDP Act (such as thresholds for notification as a significant data fiduciary, cross border transfer restrictions), the Draft Rules are indicative of the approach organizations can take to ensure compliance with the Act on various other aspects. Overall, the Draft Rules are a step in the right direction and with a transparent consultation process, the Draft Rules will hopefully be refined further so that India can finally have a robust data protection framework in place.
In the meantime, businesses in India should use the Draft Rules as a starting point to evaluate and improve upon their IT and cybersecurity systems so that they are ready to comply with the requirements of the DPDP Act and its rules as and when they come into effect.