Introduction:
Digital data protection has become increasingly crucial in the age of artificial intelligence, especially as individuals’ likenesses are now considered “imitable” and major social media platforms face frequent accusations of using personal data for targeted advertising. In this context, the Digital Personal Data Protection Act represents a significant step forward.
Building on the Act, the Draft DPDP Rules are expected to provide further relief to citizens, designated as “Data Principals” (DPs) under the Act. These Draft Rules, released on January 3, 2025, for public consultation, usher in a new era of data privacy in India. Framed under the Digital Personal Data Protection Act (DPDPA) of 2023, the Rules aim to bolster personal data protection, enhance individual rights, and provide clear operational guidelines for Data Fiduciaries.
The rules clarify several provisions of the Act, such as obtaining consent, the responsibilities of Consent Managers, procedures in the event of a data breach, and the management of data storage and processing. They also cover the processing of children’s data, the functions of the Data Protection Board, and the appeal process, among other aspects. These rules aim to reshape data management practices across the country while reinforcing the protection of user data in line with the Data Principal’s rights.
The Draft Rules apply to a wide range of entities, including digital intermediaries, user-facing platforms, apps, websites, cloud service providers, and any organization involved in collecting or managing data. While the Draft Rules address many existing gaps, there remain areas of ambiguity, with some provisions left to the discretion of the Union government. Although MeitY has explained that this flexible approach is deliberate, aiming to avoid overly rigid regulations given the fast-paced evolution of digital technology, these omissions have raised concerns. Therefore, the Draft Rules warrant further review and discussion to fully assess their potential impact and to ensure comprehensive clarity. In this article, we will examine the provisions of the Draft Rules and explore the challenges that remain.
ANALYSIS OF THE PROVISIONS RELATING TO THE PROCESSING OF PERSONAL DATA
1. Seeking Consent from Data Principal:
Under Section 5 of the DPDP Act 2023, any request made to a Data Principal under Section 6 for consent must be preceded or accompanied by a notice from the Data Fiduciary. This notice aims to inform the Data Principal about the purpose and method of processing their personal data.
Consent should be freely given, specific, clear and unambiguous, as required by Section 6 and the other relevant provisions of the Act.
The DPDP Rules further clarify these requirements, emphasizing that the request for consent must be accompanied by a clear and comprehensible notice from the Data Fiduciary. The notice should meet the following conditions:
- It must be written in plain, easy-to-understand language and specify the type of information being collected. The notice must be presented separately from any other information provided to the Data Principal to avoid confusion.
- It must include an itemized description of the purpose and nature of the data processing, ensuring transparency in line with Section 6 of the DPDP Act 2023.
- Simplified Withdrawal: Withdrawing consent should be as easy as giving it. Section 6(4) of the DPDP Act 2023 allows Data Principals to withdraw their consent at any time with ease. Data Fiduciaries are required to implement user-friendly mechanisms for consent withdrawal. A unique, mandatory link must be provided to enable the Data Principal to withdraw consent, exercise their rights, or file complaints with the Data Protection Board of India, established under the DPDP Act 2023. This provision underscores the significance of personal data protection and the right to privacy, recognized in the landmark judgment of the Hon’ble Supreme Court in K.S. Puttaswamy (Retd.) v. Union of India.
2. Obligation of the Consent Manager:
The DPDP Act 2023 introduces the concept of a “Consent Manager,” a registered entity with the Board that serves as a central point of contact for Data Principals to manage, provide, and withdraw consent through an accessible, transparent, and interoperable platform. To operate as a Consent Manager, the entity must meet several conditions outlined in the new DPDP Rules.
Key characteristics of a Consent Manager include:
- The entity must be a domestically incorporated company with a minimum net worth of two crore rupees.
- It must demonstrate sufficient capacity in technical, operational, and financial aspects, with leadership known for integrity and fairness, and maintain records for at least seven years.
- The Consent Manager must act in the best interests of Data Fiduciaries and maintain adherence to specific data protection standards as set by the Board.
- The Consent Manager cannot subcontract or delegate its obligations under the Act and must seek prior approval from the Board for any changes in control, such as mergers or sales.
The Consent Manager’s responsibilities are significant, as they must provide a secure and transparent platform for Data Principals to manage consent and data-sharing interactions with Data Fiduciaries, without accessing personal data. They are also required to maintain digital records of consent requests and data-sharing activities for a minimum of seven years and provide Data Principals with access to these records. Furthermore, the Consent Manager must offer a website or app as the primary method for accessing their services, implement strong security protocols to prevent data breaches, and establish effective audit mechanisms. Failure to comply with these obligations may lead to the suspension or cancellation of the Consent Manager’s registration by the Board, after an opportunity for a hearing.
3. Security Measures:
Rule 6 of the Draft DPDP Rules places a responsibility on Data Fiduciaries to implement reasonable security safeguards to protect the personal data in their possession. These measures are designed to ensure the confidentiality, integrity, and availability of the data. Data Fiduciaries must adopt security practices such as encryption, access control, monitoring for unauthorized access, and regular data backups, among other protections.
Additionally, the safeguards must include provisions for detecting and addressing potential data breaches, as well as maintaining detailed logs of data activities. Contracts with Data Processors must also stipulate that appropriate security measures are in place to protect personal data. Overall, these security measures must align with both technical and organizational standards to prevent data breaches and ensure that personal data remains secure at all stages of processing.
4. Intimation of Personal Data Breach:
When a Data Fiduciary becomes aware of a personal data breach, they are required to take several actions to ensure transparency and accountability:
- Inform the Board Promptly: The Data Fiduciary must promptly notify the Board with a comprehensive description of the breach. This includes details such as the nature of the breach, the duration and time frame, the location, the type and extent of the data involved, and any potential impact.
- Detailed Report Within 72 Hours: Within 72 hours of becoming aware of the breach, the Data Fiduciary must provide additional details. This report should cover the events leading to the breach, the number of Data Principals affected, any updates on previous notifications, the actions taken or planned to mitigate risks, information about the person responsible, and any remedial measures to prevent future incidents.
- Inform Affected Data Principals: The Data Fiduciary is also required to inform affected Data Principals in a clear and concise manner. This notification should outline the breach, its timing and extent, potential consequences for the Data Principal, the actions taken to mitigate the breach, recommended measures for the Data Principal’s protection, and contact information for inquiries (a designated Data Protection Officer for Significant Data Fiduciaries). Notifications should be sent through the user account or a registered communication mode. If necessary, the Board may grant an extension for the notification deadline upon the Data Fiduciary’s written request, provided there are valid grounds for the delay.
- Time Period for specified purpose to be deemed as no longer being served: The DPDP Act, 2023 mandates that Data Fiduciaries erase personal data once the Data Principal withdraws consent or when it is reasonable to conclude that the specified purpose is no longer being served, unless retention is required by law.
The new Rules set a time period of three years, measured from the Data Principal’s last interaction with the Data Fiduciary or from the commencement of the DPDP Act, 2023, whichever is later, after which the personal data must be erased. However, this retention period does not apply when the data is necessary for the Data Principal to access their account, services, or virtual tokens. This time period applies specifically to intermediaries with large user bases, such as e-commerce platforms, online gaming intermediaries, and social media entities.
Before erasing the data, the Data Fiduciary is required to notify the Data Principal at least 48 hours in advance, informing them that their data will be erased due to inactivity. If the Data Principal initiates contact or logs into their account before the deadline, the erasure will not occur. This notification must be sent through a registered communication mode or the user account, ensuring that the Data Principal has a chance to preserve their data if desired. This process ensures that personal data is only retained when necessary for legal or ongoing purposes, offering the Data Principal the opportunity to maintain their data through active engagement.
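As an added illustration (not from the Draft Rules, the article, or any fiduciary’s actual system), the following Python models the erasure timeline just described as a retention check a Data Fiduciary could run over its user records: three years from the later of last interaction and commencement, a 48-hour notice window, the account-access exception, and the reset that a login before the deadline causes. The commencement date, record fields and function names are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Parameters as described in the Draft Rules: erase after three years measured from
# the later of the Data Principal's last interaction and the Act's commencement,
# with at least 48 hours' advance notice to the Data Principal.
RETENTION_YEARS = 3
NOTICE_LEAD = timedelta(hours=48)

# Constructed placeholder: the Act's real commencement date is not given on the page.
ACT_COMMENCEMENT = datetime(2024, 1, 1)


@dataclass(frozen=True)
class PrincipalRecord:
    """Hypothetical per-user record kept by a Data Fiduciary."""
    principal_id: str
    last_interaction: datetime
    needed_for_account_access: bool = False   # data needed to reach account/services/tokens
    retention_required_by_law: bool = False   # another law mandates retention


def add_years(moment: datetime, years: int) -> datetime:
    """Shift a datetime by whole years; a 29 February start lands on 28 February."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def erasure_deadline(record: PrincipalRecord,
                     commencement: datetime = ACT_COMMENCEMENT) -> datetime:
    """Three years from the later of last interaction and Act commencement."""
    return add_years(max(record.last_interaction, commencement), RETENTION_YEARS)


def notice_due(record: PrincipalRecord,
               commencement: datetime = ACT_COMMENCEMENT) -> datetime:
    """Latest point at which the 48-hour advance notice must be sent."""
    return erasure_deadline(record, commencement) - NOTICE_LEAD


def decide(record: PrincipalRecord, now: datetime,
           commencement: datetime = ACT_COMMENCEMENT) -> str:
    """Return 'exempt', 'retain', 'notify' or 'erase' for this record at time `now`."""
    if record.needed_for_account_access or record.retention_required_by_law:
        return "exempt"          # retention period does not apply
    deadline = erasure_deadline(record, commencement)
    if now >= deadline:
        return "erase"           # three years of inactivity have elapsed
    if now >= deadline - NOTICE_LEAD:
        return "notify"          # inside the 48-hour notice window
    return "retain"


def record_interaction(record: PrincipalRecord, when: datetime) -> PrincipalRecord:
    """A login or contact from the Data Principal resets the inactivity clock."""
    return replace(record, last_interaction=max(record.last_interaction, when))


if __name__ == "__main__":
    # Constructed sample: user inactive since mid-2023, checked at several instants.
    user = PrincipalRecord("dp-001", datetime(2023, 6, 1))
    for instant in (datetime(2025, 1, 1), datetime(2026, 12, 30, 12), datetime(2027, 1, 1)):
        print(instant.isoformat(), decide(user, instant))
    print("after login:", decide(record_interaction(user, datetime(2026, 12, 31)),
                                 datetime(2027, 1, 1)))
```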
5. Verifiable consent for processing personal data of Children and Persons with disabilities:
Under the UK’s GDPR, consent for processing a child’s personal data must be provided by an adult with parental responsibility if the child is under 13, a provision that is more relaxed compared to the EU’s GDPR, where the age threshold is 16. This is similar to the U.S. Children’s Online Privacy Protection Act (COPPA), which also sets the age of parental consent at 13. The stricter EU regulations highlight the differences in how data controllers are regulated globally. In India, concerns remain in sectors like edtech and online gaming, where processing children’s data is common.
- Children’s Personal Data: For individuals under 18, consent for processing their personal data must be obtained from their legal guardian.
- Persons with Disabilities: If an individual with disabilities has a legal guardian, consent from that guardian is required for processing their personal data.
- Verifiability: Consent must be verifiable, meaning that organizations processing data must ensure the authenticity of the consent provided.
As per Section 9 of the DPDP Act, when processing the personal data of children or persons with disabilities, the Data Fiduciary (DF) must obtain verifiable consent from the child’s parent or legal guardian. Additionally, the DF must ensure that the child’s data is not used for harmful purposes, such as targeted advertising.
To further strengthen these provisions, Rule 10 of the Draft DPDP Rules requires the DF to verify that the person providing consent is indeed the parent or guardian of the child. This verification process may involve confirming the identity, age, and other details of the parent or guardian.
- Verification can be achieved by referring to reliable identity and age information that is already available to the Data Fiduciary or has been collected with the individual’s consent.
- Alternatively, an electronic token linked to the individual’s identity and age details can be used, which should be generated by an authorized entity, such as a government-appointed body or a Digital Locker service provider, ensuring compliance and authenticity.
Exceptions: There are certain exemptions to these requirements for processing children’s data under Section 9 of the Act. These exemptions apply to specific types of Data Fiduciaries and certain purposes, as outlined in Schedule IV. Part A of the schedule specifies that Data Fiduciaries like healthcare professionals, educational institutions, and childcare providers are exempt from certain provisions, allowing them to process children’s personal data for specific activities such as health services, education, safety monitoring, and transportation tracking. These activities must be necessary for the child’s well-being, and data processing should remain within a clearly defined scope.
6. The Data Protection Board:
The Central Government will set up a Search-cum-Selection Committee to propose suitable candidates for the role of Chairperson of the Data Protection Board. This committee will be led by the Cabinet Secretary and include the Secretary of the Ministry of Electronics and Information Technology (MeitY), the Secretary of the Department of Legal Affairs (DLA), along with two subject matter experts. Besides the Chairperson, the committee will also suggest candidates for other Board Member positions, with the Secretary of MeitY overseeing the entire selection process. After reviewing the committee’s recommendations and evaluating the candidates’ qualifications, the Central Government will make the final appointments to the Board.
7. Cross-Border Data Transfers:
The Draft Rules address the ongoing debate surrounding data localization. According to Rule 12(4), a government committee will determine which data must be stored within India, while Rule 14 outlines specific guidelines for cross-border data sharing. This represents a departure from the DPDP Act’s more flexible stance on international data transfers.
As per Rule 14, the transfer of personal data processed by a Data Fiduciary to any country outside India is contingent on compliance with conditions set by the central government. These conditions may be outlined in general or specific orders. The current draft includes an annexure that will provide further details on data transfers beyond India’s borders.
If the government imposes restrictions on the processing of personal data outside India in the future, organizations using cloud services or processing personal data abroad will need to reassess their IT strategies and infrastructure to ensure compliance with the DPDP Act of 2023.
However, cross-border data transfer policies remain unclear, with no defined list of restricted countries or established frameworks for facilitating transfers. This leaves businesses reliant on future government decisions. Additionally, the rules do not clarify whether Data Protection Impact Assessments (DPIAs) must be conducted by an independent party, nor do they specify the format, content, or requirements for these assessments. Similarly, there is no guidance on the eligibility or empanelment process for data auditors.
8. Additional Obligations for Significant Data Fiduciaries:
This provision imposes specific responsibilities on Significant Data Fiduciaries (SDFs), requiring them to conduct an annual Data Protection Impact Assessment (DPIA) and a comprehensive audit. The results of these assessments and audits must be submitted to the Data Protection Board, including key findings on how the Fiduciary complies with data protection requirements. Additionally, these Fiduciaries are held accountable for ensuring that any algorithmic software used in the processing of personal data, including those for hosting, storage, and sharing, does not jeopardize the rights of Data Principals.
Moreover, entities must implement measures to guarantee that personal data, as identified by the Central Government, is processed in accordance with specific regulations. This includes ensuring that such data, along with related traffic data, is not transferred outside of India.
CHALLENGES:
1. Informed consent and data transparency
Though the DPDP Rules further clarify the requirements, emphasizing that the request for consent must be accompanied by a clear and comprehensible notice from the Data Fiduciary, the Draft Rules do not prescribe a rigid template or format for the notice so long as the other requirements are satisfied.
One of the key challenges with the DPDP Rules lies in the issue of informed consent and the overwhelming amount of data disclosures. Companies often overload users with vast amounts of information, disguising it as comprehensive transparency. This tactic makes it harder for individuals to truly understand what data is being collected and how it will be used, while also increasing the risk of exposing third-party information or violating privacy rights.
The consent framework itself is also problematic. It shifts the responsibility onto the user to fully comprehend lengthy and complex consent notices, creating an unrealistic expectation that users should read and understand every detail. In reality, most users lack the time or ability to do so, leading to the potential for misinformed consent. Moreover, proving that consent is genuinely informed can be legally complicated. Users may not fully grasp what they are consenting to, much like when they sign medical consent forms without fully understanding the risks.
Another concern is the handling of derived data by traditional fiduciaries like banks and telecom companies. While derived data may be considered anonymized, it still presents privacy risks, as it can reveal sensitive insights into a user’s behavior or preferences. The challenge arises when data principals have limited recourse if their derived data is used without proper transparency.
To address these concerns, there’s a need for clearer, more user-friendly consent mechanisms. Platforms should provide users with explicit information about the types of data they are collecting and how it will be shared, particularly with third parties like advertisers. Drawing on global privacy practices, like those in Japan, could help create more robust and comprehensible data protection frameworks.
2. Verifiable consent for processing data of child and persons with disabilities
If the data fiduciary already possesses the parent’s age and identity details, these must meet a reliable identification standard, potentially requiring documentation similar to government-issued IDs. A simple checkbox to confirm identity or age will likely not meet the necessary reliability standard. The DPDPA and Draft Rules do not mandate that data fiduciaries actively verify the age of users or the relationship between a child and their purported parent. Instead, the DPDPA/Draft Rules seem to rely on self-identification by either the child or the parent for compliance purposes. However, they do not address situations where proactive identification of a child is not provided. If a data fiduciary becomes aware of a child’s age through notifications from parents, other users, or technical means, they are expected to take appropriate steps to process the child’s data according to the DPDPA. The Draft Rules offer flexibility in terms of obtaining verifiable parental consent, as they only require “reliable” age or identity details, allowing data fiduciaries to establish their own standards.
Additionally, the scope of the due diligence requirement remains unclear. For instance, the Rights of Persons with Disabilities Act, 2016, authorizes district courts or designated authorities to appoint guardians for individuals with disabilities. It is uncertain whether data fiduciaries will need to collect or verify such court orders or other relevant legal documentation, such as those under the Guardians and Wards Act, 1890, the National Trust for the Welfare of Persons with Autism, and other similar statutes, to meet their due diligence obligations.
3. Cross-border transfer of data
The restrictions on cross-border data transfers introduced under the DPDPA grant the Indian Government the authority to limit or control the transfer of personal data to specific countries or territories. Under the Draft Rules, these powers are further expanded, allowing the government to impose additional compliance measures on data fiduciaries involved in transferring personal data abroad. The intention behind this provision seems to be that cross-border transfers may be allowed, provided that they meet specific conditions, rather than outright banning transfers to certain countries. However, this also means the government could impose restrictions on countries that were previously not subject to any limitations.
A key challenge here is the lack of clarity on the scope of these restrictions. It is uncertain whether the conditions will only apply when personal data is physically transferred out of India or if they will also extend to data shared with foreign-affiliated entities within India (such as foreign-funded companies, diplomats, or sovereign wealth funds). This ambiguity could complicate business operations and legal compliance.
Additionally, this provision may conflict with the legal requirements of other countries, particularly those that mandate access to personal data under their domestic laws (e.g., anti-corruption laws or national security regulations). Such conflicts could prevent Indian entities from complying with foreign government requests for data while adhering to Indian regulations, creating a complex legal and operational dilemma for businesses operating in both jurisdictions.
4. Lack of clarity and overlapping obligations for SDFs
The Draft Rules introduce unclear and overlapping obligations for Significant Data Fiduciaries (SDFs), particularly regarding annual Data Protection Impact Assessments (DPIAs) and audits. The lack of distinction between these two obligations and vague guidelines on conducting due diligence for algorithmic software create compliance uncertainty. To overcome these challenges, clear and detailed guidelines must be provided on the distinct roles of DPIAs and audits to avoid overlap and ensure compliance.
Furthermore, the requirement for SDFs to localize not just personal data but also related data, such as logs and traffic data, adds complexity, especially for foreign entities and global companies. The lack of clear criteria for the government committee deciding on data localization further complicates the situation, increasing operational challenges and costs for businesses. For the data localization requirements, a transparent and consistent framework from the government committee should be established, with clear guidelines on which data categories are subject to localization. This would help businesses, particularly foreign entities, understand their obligations and plan accordingly. Furthermore, simplifying the process for foreign companies by limiting localization to primary personal data (rather than related data like logs and traffic) could reduce operational burdens. These measures would ensure a more predictable and manageable compliance environment for SDFs.
CONCLUSION:
The Draft Digital Personal Data Protection Rules (DPDP Rules), 2025, represent a significant step in India’s efforts to safeguard personal data and enhance privacy rights. These rules aim to provide clarity on consent management, data processing, breach notifications, and the roles of data fiduciaries and consent managers, all of which are crucial for building a robust data protection framework. However, despite their comprehensive nature, the rules introduce several challenges, particularly around cross-border data transfers, the verifiability of consent, and the potential complexities faced by significant data fiduciaries.
The ambiguities in the provisions regarding data localization, the handling of children’s data, and the roles of consent managers also require further clarification to ensure effective implementation. Moreover, the government’s broad discretion in regulating cross-border data flows and the unclear requirements for verifiable consent present significant concerns for businesses, particularly those with global operations.
To effectively address these challenges, it is essential for policymakers to provide clearer guidelines, especially for sectors with complex data management practices, such as edtech, healthcare, and online gaming. Ongoing consultation and refinement of the DPDP Rules will be critical in balancing robust data protection with the need for flexibility in an ever-evolving digital landscape. Ultimately, the success of the DPDP Rules will depend on their ability to foster a transparent, accountable, and secure data ecosystem while also enabling innovation and global collaboration. With continued dialogue between stakeholders, India can set a strong precedent for data privacy protection globally, ensuring that both individuals’ rights and the interests of businesses are upheld in the digital age.