Brief Analysis of Digital Personal Data Protection Rules, 2025 

The Digital Personal Data Protection Act, 2023 (“DPDPA”) is India’s first standalone personal data protection legislation, enacted in August 2023. The law aims to strike a balance between the protection of individuals’ right to privacy in their personal data and the lawful processing of such data by Data Fiduciaries. The Ministry of Electronics and Information Technology (“MeitY”), the nodal ministry for implementation of the DPDPA, released the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) for public consultation on January 3, 2025.

The key Draft Rules are summarised below. For each rule, a description of what the Draft Rules provide is followed by an analysis of the open questions and compliance implications.
Rule 3 – Notice by Data Fiduciary to Data Principal

Description: The DPDPA requires Data Fiduciaries to give Data Principals notice prior to, or at the time of, obtaining consent for processing their personal data. The Draft Rules specify that the notice must be clear, standalone and understandable, and distinct from any other information shared by the Data Fiduciary. The notice must be in clear and plain language and must include, at a minimum: (i) the specific purpose of processing; (ii) a description of the personal data being processed; and (iii) a description of the goods or services to be provided, or uses to be enabled, by such processing. The notice must also provide a communication link to the Data Fiduciary’s platform and describe how the Data Principal may (i) withdraw their consent, (ii) exercise their rights under the DPDPA, and (iii) make a complaint to the Board.

Analysis: No template or format for the notice has been provided in the Draft Rules, and the notice cannot be clubbed with the End User License Agreement or Terms of Service of the website or app. The timeline for providing the notice is still unclear. The Draft Rules do not explicitly prescribe the manner in which consent may be withdrawn or the Data Principal’s rights (including the right to grievance redressal) exercised, which leaves Data Fiduciaries free to implement their own practices according to their operational and business needs.
Rule 4 – Consent Manager

Description: The DPDPA contemplates the establishment of consent managers that offer Data Principals a platform to give, manage, review and withdraw the consent they have provided to Data Fiduciaries. Consent managers are accountable to Data Principals for the proper management of their consent. They are required to register with the Board, and the eligibility criteria are as follows:

  • It is a company incorporated under Indian law with a minimum net worth of INR 2 crore.
  • It has the financial, technical and operational capability to discharge its obligations, including an adequate volume of business, capital and earning prospects.
  • Its financial condition and the general character of its management are sound.
  • Its directors, senior management and other key personnel have a record of fairness and integrity.
  • Its memorandum of association and articles of association contain sufficient conflict-of-interest provisions.
  • It holds independent certification that (i) its platform conforms to the standards prescribed by the Board, (ii) appropriate technical and organisational measures are in place to comply with such standards, and (iii) it adheres to the obligations on disclosure of information regarding key personnel, including shareholding information.

Conflict of interest: Consent managers are required to act in a fiduciary capacity towards Data Principals and to avoid conflicts of interest with Data Fiduciaries. Such a conflict may arise from promoters, key managerial personnel, directors or senior management (i) holding a directorship, financial interest, employment or beneficial interest in a Data Fiduciary, and/or (ii) having a material pecuniary relationship with a Data Fiduciary. To this end, consent managers are also required to disclose transparently (i) details of their promoters, directors, key managerial personnel and senior management who hold more than 2% of the shares in any body corporate, and (ii) details of every person who holds more than 2% of the shares in the consent manager itself. Further, a transfer of control of the consent manager (by way of sale or merger) is not permitted unless authorised by the Board.

Obligations: A consent manager must enable a Data Principal using its platform to give consent to the processing of personal data by a Data Fiduciary onboarded onto the platform, either directly to that Data Fiduciary or through another onboarded Data Fiduciary that maintains such personal data with the consent of the Data Principal. Consent managers must maintain records of (i) consents, (ii) notices and (iii) data-sharing transactions on their platform. These records must be retained for seven years, or longer if so agreed or required by law, and must be made available to the Data Principal on request in machine-readable form. Consent managers must develop and maintain a website or app through which Data Principals can access their services. They may not sub-contract or assign the performance of any of their obligations, and must adopt reasonable security safeguards to prevent personal data breaches.

Analysis: The broad restrictions on conflicts of interest may prohibit Data Fiduciaries and their group entities from acting as consent managers for datasets processed within the same group. It should be clarified that the conflict of interest is relevant only in relation to the Data Fiduciaries onboarded by the consent manager. It is also unclear how far personal data may be passed from one Data Fiduciary to another, and whether the nature of the recipient’s business matters: for instance, may one bank (a Data Fiduciary) transfer personal data only to another bank, or to an insurance company as well? Is there any cap on such transfers between Data Fiduciaries?
Rule 6 – Reasonable Security Standards

Description: The Draft Rules prescribe minimum security safeguards that a Data Fiduciary must adopt to protect personal data in its possession or under its control, including: (i) data security measures such as encryption, obfuscation, masking or the use of virtual tokens; (ii) control of access to the computer resources used by the Data Fiduciary, and retention of logs and personal data for one year to enable detection of unauthorised access; and (iii) inclusion of appropriate contractual provisions in the contract between the Data Fiduciary and its data processor so that the processor adopts reasonable security safeguards.

Analysis: The Draft Rules do not clarify the types of logs that must be maintained. Data Fiduciaries will now have to build the prescribed minimum safeguards into existing data processor agreements as well as new arrangements. They retain flexibility in how the safeguards are implemented, as long as the minimum requirements are met. Data Fiduciaries will also need to reconcile the one-year retention of logs and personal data under this rule with the erasure obligation under Rule 8 once the specified purpose is no longer served.
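As an added illustration of how the Rule 6 measures fit together in code (this is not code from the Draft Rules, the page’s authors or any regulator): a phone number is masked irreversibly for display, replaced in application storage by a random virtual token that only an authorised role can reverse, and every tokenisation and detokenisation attempt, including denied ones, is written to an access log that is pruned to a one-year window. The roles, the 365-day reading of “one year”, the sample record and the timestamps are assumptions.

```python
"""Field-level protection and access logging for personal data.

Added illustration of the Rule 6 measures (masking, virtual tokens, access
control and one-year log retention). Not code from the Draft Rules or any
regulator; role names, sample values and timestamps are assumptions."""
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: "one year" of log retention is implemented as 365 days.
LOG_RETENTION = timedelta(days=365)


def mask_phone(phone: str) -> str:
    """Irreversible masking for display surfaces: keep only the last 4 digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("phone number too short to mask")
    return "X" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps personal data to random virtual tokens, so application databases
    store only the token and the plaintext lives in one access-controlled place."""

    def __init__(self, detokenize_roles: frozenset):
        self._by_token: dict = {}     # token -> plaintext
        self._by_value: dict = {}     # plaintext -> token (same value, same token)
        self._roles = detokenize_roles
        self.access_log: list = []    # Rule 6 (ii): kept to detect unauthorised access

    def _log(self, now, actor, role, action, token, outcome):
        self.access_log.append({"ts": now, "actor": actor, "role": role,
                                "action": action, "token": token, "outcome": outcome})

    def tokenize(self, value: str, actor: str, role: str, now: datetime) -> str:
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # unpredictable, unrelated to value
            self._by_token[token] = value
            self._by_value[value] = token
        self._log(now, actor, role, "tokenize", token, "ok")
        return token

    def detokenize(self, token: str, actor: str, role: str, now: datetime) -> str:
        # Access control: only an allow-listed role can reverse a token,
        # and refusals are logged so they can be detected later.
        if role not in self._roles:
            self._log(now, actor, role, "detokenize", token, "denied")
            raise PermissionError(f"role {role!r} may not detokenize")
        value = self._by_token.get(token)
        if value is None:
            self._log(now, actor, role, "detokenize", token, "unknown-token")
            raise KeyError(token)
        self._log(now, actor, role, "detokenize", token, "ok")
        return value

    def prune_logs(self, now: datetime) -> int:
        """Drop log entries older than the retention window; returns count removed."""
        cutoff = now - LOG_RETENTION
        before = len(self.access_log)
        self.access_log = [e for e in self.access_log if e["ts"] >= cutoff]
        return before - len(self.access_log)

    def denied_attempts(self) -> list:
        return [e for e in self.access_log if e["outcome"] == "denied"]


def demo() -> dict:
    """Walk through the measures on a constructed record; returns observations."""
    t0 = datetime(2025, 1, 3, tzinfo=timezone.utc)
    vault = TokenVault(detokenize_roles=frozenset({"kyc-officer"}))
    phone = "+91 98765 43210"                        # constructed sample value
    token = vault.tokenize(phone, "signup-service", "app", t0)
    shown = mask_phone(phone)                        # what a support screen displays
    try:
        vault.detokenize(token, "analyst-7", "analyst", t0 + timedelta(days=1))
        leaked = True
    except PermissionError:
        leaked = False
    recovered = vault.detokenize(token, "kyc-3", "kyc-officer", t0 + timedelta(days=2))
    pruned = vault.prune_logs(t0 + timedelta(days=366))   # only the day-0 entry ages out
    return {"token": token, "shown": shown, "leaked": leaked,
            "recovered": recovered, "denied": len(vault.denied_attempts()),
            "pruned": pruned, "remaining": len(vault.access_log)}


if __name__ == "__main__":
    print(demo())
```

The vault is deliberately the only place holding plaintext; the point of the log is that the denied `analyst` lookup survives pruning long enough to be investigated, which is what the one-year retention in the rule is for.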
Rule 7 – Intimation of Personal Data Breach

Description: Informing the Data Principal – On becoming aware of a personal data breach, the Data Fiduciary must, to the best of its knowledge, notify every affected Data Principal without delay. The notification, which may be sent to the Data Principal’s user account or through any other means by which the Data Principal accesses the Data Fiduciary’s services, must contain certain information, such as a description of the breach including its nature, extent, timing and location; the likely consequences for the Data Principal; the safety measures the Data Principal may take; and the business contact information of the Data Fiduciary. Informing the Data Protection Board – The Draft Rules prescribe a two-tiered notification process differentiated by timing and content. An initial notification containing basic information (e.g. the description, nature, timing and location of the breach) must be made to the Board without delay upon the Data Fiduciary becoming aware of the breach. A detailed notification (containing information such as the broad facts relating to the events, circumstances and reasons leading to the breach, and the mitigation measures proposed or implemented) must be made within 72 hours of the Data Fiduciary becoming aware of the breach. Data Fiduciaries can request the Board to extend the 72-hour timeline.

Analysis: The Draft Rules are silent on the exact mode that Data Fiduciaries must use to notify the Board. To ensure compliance, organizations may implement internal monitoring mechanisms and have dedicated IT personnel in place to detect, escalate and report incidents in line with the differing requirements of the various applicable laws.
Rule 8 – Data No Longer Required

Description: Once the specified purpose is no longer being served, the Data Fiduciary must erase the personal data unless retention is required by law. The Data Principal must be informed at least 48 hours before the erasure; the erasure does not proceed if, within that period, the Data Principal logs into their account for the performance of the specified purpose or to exercise their rights. Every Data Fiduciary must also prominently publish on its website or app, and mention in every response to a Data Principal, the business contact information of its Data Protection Officer (if applicable) or of a person able to answer, on behalf of the Data Fiduciary, the Data Principal’s questions about the processing of their personal data.

Analysis: Under the DPDPA, Significant Data Fiduciaries are required to appoint individuals as Data Protection Officers. Other Data Fiduciaries may appoint persons, which include artificial persons, to answer questions on the exercise of Data Principals’ rights. However, there appears to be a trend of Indian courts increasingly requiring platforms to publish the details of individual officers, to improve accessibility for users and responsiveness by platforms.
Rule 10 – Verifiable Consent for Processing Data of Children and Persons with Disabilities

Description: The Draft Rules require a Data Fiduciary to adopt appropriate technical and organizational measures to obtain the verifiable consent of a parent before processing the personal data of a child. This may be done by relying on: (i) reliable details of the identity and age of the parent already available with the Data Fiduciary; (ii) such details voluntarily provided by the parent; or (iii) a virtual token mapped to such details, issued by an entity entrusted by law (or a person appointed or permitted by such an entity), including a Digital Locker service provider. Data Fiduciaries are also required to exercise due diligence to verify that a person identifying themselves as the lawful guardian of a person with disability has been duly appointed under applicable law. The Draft Rules specify certain classes of Data Fiduciaries and purposes for which (1) no verifiable parental consent is required and (2) tracking, behavioural monitoring of, or targeted advertising at, children is permitted. For instance, clinical establishments and mental health establishments are exempted when processing a child’s personal data to provide healthcare services. Processing to confirm whether a Data Principal is a child, or to create a child’s user account for limited email communication, among other things, is similarly exempted.

Analysis: The Draft Rules do not prescribe a specific manner of obtaining verifiable parental consent and refer only to reliable details of age or identity, leaving Data Fiduciaries flexibility to adopt their own standards. There is also no clarity on the scope of the due diligence obligation under the rule.
Rule 12 – Additional Obligations of SDFs

Description: The Draft Rules reiterate the obligations of Significant Data Fiduciaries (“SDFs”) (i.e. Data Fiduciaries that will be notified under the DPDPA on the basis of factors such as the volume and sensitivity of the personal data they process) to undertake an annual data protection impact assessment and audit. The Draft Rules also introduce a new requirement for SDFs to undertake due diligence to verify that any algorithmic software they deploy is not likely to pose a risk to the rights of Data Principals.

Analysis: No further clarity is provided regarding the manner of conducting such assessments.
Rule 13 – Data Principal Rights

Description: The DPDPA prescribes Data Principals’ rights, including the right to access information about their personal data. The Draft Rules further require Data Fiduciaries and consent managers (where applicable) to publish on their app and/or website: (i) the procedure by which Data Principals may make a request to exercise their rights; and (ii) the details of the Data Principal required to identify them under the terms of service of the Data Fiduciary or consent manager. Accordingly, Data Fiduciaries and consent managers must implement technical and organizational measures to respond to Data Principal requests and grievances. They are allowed to set their own timelines for addressing grievances. A Data Principal may make a request to exercise their rights in accordance with the published procedure, and may nominate one or more individuals to exercise their rights on their behalf.

Analysis: From a compliance perspective, the absence of prescriptive, codified grievance redressal and Data Principal request procedures is beneficial for Data Fiduciaries, as it lets them adopt procedures suited to their business model. It is also advantageous that there is no defined procedure for appointing a nominee, so Data Fiduciaries can set their own terms and conditions for such nominations.
Rule 14 – Processing Personal Data Outside India

Description: Under the DPDPA, the Central Government has the power to blacklist territories to which personal data cannot be transferred. The Draft Rules now introduce additional restrictions: any entity processing personal data within India, or outside India in connection with offering goods or services to Data Principals in India, may transfer personal data to a foreign state, or to persons or entities under its control, only if it complies with the restrictions imposed by the Indian Government on such transfers.

Analysis: The Draft Rules thus appear to expand the powers of the Central Government, allowing it to issue orders imposing additional compliance measures on Data Fiduciaries undertaking cross-border transfers of personal data to foreign states and to persons or entities under their control. The intent behind this provision may be to permit cross-border transfers subject to compliance with prescribed conditions, rather than to blacklist particular foreign states.
Rule 16 – Data Protection Board

Description: The Draft Rules prescribe the constitution and functions of the Board, which the Central Government will form with a chairperson and other members. The functions of the Board include handling notifications of personal data breaches and complaints from Data Principals, and enforcing compliance with obligations under the DPDPA.

Analysis: The Draft Rules do not specify any qualification or candidature requirements for these appointments.
Rule 22 – Calling for Information from Data Fiduciaries

Description: The DPDPA empowers the Central Government to require Data Fiduciaries to furnish specified information. The Draft Rules notify the government authorities authorised to make such requests and set out the purposes for which they may be made, in the interests of the sovereignty, integrity and security of the State.
Schedule III – Personal Data Retention Periods for E-Commerce Entities, Online Gaming Intermediaries and Social Media Intermediaries

Description: The Draft Rules prescribe retention periods for certain classes of Data Fiduciaries: (1) e-commerce entities with at least 2 crore registered users in India; (2) online gaming intermediaries with at least 50 lakh registered users in India; and (3) social media intermediaries with at least 2 crore registered users in India. With certain exceptions, these Data Fiduciaries may retain personal data for three years from (1) the date on which the Data Principal last approached them for the performance of the specified purpose, or (2) the commencement of the Rules, whichever is later. They must erase the personal data in their possession once this period ends.

Analysis: The Draft Rules do not prescribe retention periods for any other class of Data Fiduciary. This suggests that other Data Fiduciaries may determine the retention period case by case, based on their own assessment of whether the specified purpose has elapsed.
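Added worked example for the Schedule III retention period and the Rule 8 erasure notice (illustrative code, not from the Draft Rules or the page’s authors): it computes the erasure date as three years from the later of the last interaction and the commencement of the Rules, schedules the 48-hour notice, holds erasure where retention is required by law, and resets the clock when the Data Principal logs in during the notice window. The commencement date used, the calendar-year arithmetic, the legal-hold flag and the sample records are assumptions.

```python
"""Retention and erasure scheduling under Rule 8 and Schedule III.

Added illustration, not code from the Draft Rules. The three-year period and
the 48-hour notice come from the rules as summarised; the commencement date,
the calendar-year arithmetic and the sample records are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 3                               # Schedule III period
NOTICE_BEFORE_ERASURE = timedelta(hours=48)       # Rule 8 notice window
# Assumption: placeholder commencement date; the real date is fixed by notification.
RULES_COMMENCEMENT = datetime(2025, 1, 3, tzinfo=timezone.utc)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RetentionRecord:
    data_principal: str
    last_approached: datetime        # last time the principal used the service
    retained_by_law: bool = False    # a legal retention requirement overrides erasure

    def retention_end(self) -> datetime:
        # "Whichever is later": an account dormant before commencement is not
        # erased earlier than three years after the Rules commence.
        start = max(self.last_approached, RULES_COMMENCEMENT)
        return add_years(start, RETENTION_YEARS)

    def notice_due(self) -> datetime:
        return self.retention_end() - NOTICE_BEFORE_ERASURE

    def touch(self, when: datetime) -> None:
        """A login for the specified purpose restarts the retention period."""
        self.last_approached = when

    def action(self, now: datetime) -> str:
        """What the scheduler should do for this record at `now`."""
        if self.retained_by_law:
            return "hold"
        if now >= self.retention_end():
            return "erase"
        if now >= self.notice_due():
            return "notify"
        return "keep"


def run_scheduler(records, now: datetime) -> dict:
    return {r.data_principal: r.action(now) for r in records}


def demo():
    """Constructed records: a dormant account, an active one, and a legal hold."""
    now = datetime(2028, 1, 2, 12, tzinfo=timezone.utc)
    dormant = RetentionRecord("dp-1", datetime(2024, 6, 1, tzinfo=timezone.utc))
    active = RetentionRecord("dp-2", datetime(2026, 3, 15, tzinfo=timezone.utc))
    held = RetentionRecord("dp-3", datetime(2024, 6, 1, tzinfo=timezone.utc),
                           retained_by_law=True)
    before = run_scheduler([dormant, active, held], now)
    dormant.touch(now)          # the principal logs in during the notice window
    after = run_scheduler([dormant, active, held], now)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The dormant account's clock starts at commencement, not at its 2024 activity, so the notice fires on 1 January 2028 and erasure on 3 January 2028 unless the Data Principal returns in between.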
