In a move that was long overdue, the Government of India has published proposed new rules (the "Digital Personal Data Protection Rules 2025" or "DPDP Rules") which are intended to provide a framework for the implementation of India's much publicized new data privacy legislation, the Digital Personal Data Protection Act 2023 (DPDPA). Industry has been waiting with bated breath for the delegated legislation in order to understand the full impact that the law will have on their businesses.
The DPDP Rules have been published only with the intention of inviting feedback until 18 February 2025. However, rarely does the Government accept substantial changes to its views on a law, and the DPDP Rules will likely be passed in substantially the same form as currently published, with possibly only some minor changes.
The position vis-à-vis the enforceability of the DPDPA does not change despite this publication. It remains very much a law in 'suspended animation' and not immediately enforceable. In fact, it is notable that even the proposed new DPDP Rules contemplate coming into effect in multiple phases, with a future date to be notified by the Government for the coming into force of the substantive provisions within them. It appears that only the provisions relating to the formation of the Data Protection Board of India (DPB) will become immediately effective once the final DPDP Rules are published after 18 February, and once the Government has had the opportunity to take stock of the feedback and objections from all stakeholders.
So what are the key questions and issues relevant for your business?
1. Implementation Timelines - What should one expect?
As mentioned above, the DPDPA has not come into effect. The DPDP Rules are presently a mere draft that has been published to invite comment. The soonest that the DPDPA can be made effective is technically at the end of February 2025, but we expect it to take at least a few months more. Furthermore, the substantive portions of the legislation which relate to compliance requirements are likely to be further delayed before coming into force, since they will need to be specifically notified by the Government.
2. What changes need to be made to privacy notices?
The DPDP Rules state that privacy notices need to provide an itemized list of the personal data being processed, with an itemized description of the goods or services or other such purpose of the processing, and repeat the provisions in the DPDPA relating to the notice being comprehensible and using plain language. They do not, however, clarify how many languages the privacy notice needs to be made available in, though it appears from the provisions of the DPDPA that these notices must be made available in English as well as all 22 other languages listed in the Eighth Schedule of the Indian Constitution, and this has been confirmed by the Ministry of Electronics and Information Technology as well.[1] The DPDP Rules also require a link to be provided that allows data subjects (called data principals in the DPDPA and the DPDP Rules) to enforce their rights under the law, including making complaints to the regulatory body, the DPB.
Businesses would be best served by beginning a data mapping process to determine the categories of personal data they are collecting/have collected from data principals, and the specific purposes of such collection in order to prepare for the updates to their privacy notices that will be required upon the enactment of the DPDPA and the DPDP Rules. As is perhaps obvious, much more granular detail will be required in privacy notices going forward under the DPDPA.
3. Who can qualify to be a consent manager?
Consent Managers under the DPDPA are entities registered with the DPB who are intended to act as a point of contact for data principals to manage the consent(s) granted by them under the DPDPA across various data fiduciaries (the term the Indian law uses to describe data controllers). The DPDP Rules prescribe preconditions for an entity being a registered Consent Manager, including being a company incorporated in India, having a net worth of at least INR 20,000,000 (approximately USD 233,000) and having an adequate potential volume of business, capital structure, and earning prospects, requirements which currently seem arbitrary and unclear, and which will likely be further clarified upon the DPB's determinations on applications for Consent Managers.
The DPDP Rules also impose certain specific obligations that Consent Managers are required to adhere to:
- Implementing measures (possibly those such as encryption or pseudonymization) to ensure that the personal data they process in their capacity as Consent Manager is not directly accessible by them, making them blind to such data
- Maintaining records of the consent actions taken by the data principal for at least 7 years and making such records available to the data principal
- Ensuring no conflict of interest with data fiduciaries, including with their promoters or key managerial personnel
- Publishing details of promoters, directors, key managerial personnel and senior management of the company, and shareholding details
- Having in place adequate audit mechanisms regarding its organizational and technical controls and safeguards, fulfilment of the conditions of registration as a Consent Manager, and adherence to its obligations under the DPDPA and DPDP Rules
It remains to be seen how this concept will play out practically and what business models such Consent Managers may implement to earn revenue. Additionally, given the restriction on conflict of interest with data fiduciaries, it remains to be seen how existing tech companies that have the technical expertise and infrastructure to provide this service (such as Meta and Alphabet) would be able to act as registered Consent Managers under the DPDPA.
4. Under what circumstances can the state process your data without your consent?
There remains a rather wide set of circumstances under which the Indian Government can obtain access to and process personal data, which include the performance of any of the functions of the state in the interest of the sovereignty and integrity of the state. These rather wide-ranging provisions, which had caused concern in some quarters, remain unrestricted even by the DPDP Rules. The rules have, however, made an attempt to further clarify the provisions of Section 7(b) of the DPDPA, under which the state may process personal data to provide a subsidy, benefit or service, or grant licenses and permits, to the data principal. Such processing may be done by the State for providing any subsidy, benefit, service, certificate, license or permit when it is provided or issued under "law or policy" or "using public funds". The DPDP Rules further clarify that "using public funds" refers to such provision being made by incurring expenditure from the Consolidated Fund of India or of a state, or the public account of India or of a state, or, in the case of a local authority, the funds of such authority.
5. What are the security safeguards that you need to put in place where operating in India?
The DPDPA and the DPDP Rules require that reasonable security safeguards be put in place by data fiduciaries, without specifying what 'reasonable' would mean. As a result, there will be some ambiguity over what will truly be held to be adequate, and this will likely only become clear over a period of time as precedent develops on the issue. The DPDP Rules make a reference to encryption, obfuscation and masking as examples of what may be deemed to be appropriate, and also state that access to data should be controlled, that logs of access to data be retained, that measures be taken to prevent loss or destruction by way of backing up data, and that the need to follow security safeguards be specifically written into any agreements between data fiduciaries and the data processors acting on their behalf. Interestingly, there is no restriction on the size or category of entity that needs to retain such logs (which must be kept for at least a year), and smaller digital businesses may find the retention requirement to be a drain on their resources.
6. What do the rules say about data breach reporting requirements?
The DPDPA and the DPDP Rules prescribe various reporting requirements for personal data breaches, which extend to all such breaches regardless of size or severity. Upon a breach, the data fiduciary is required to notify all affected data principals and the DPB "without delay" of the nature, extent, timing and location of the breach. Additionally, data principals must be notified of the consequences likely to arise from the breach, the risk mitigation and safety measures being taken by the data fiduciary, and the contact details of a person who can answer any questions the data principal may have for the data fiduciary. The lack of a specific timeline for these reports, and the fact that they are to be made for each and every data breach, may lead to significant compliance burdens for data fiduciaries.
In addition to the above, within 72 hours of becoming aware of the breach, data fiduciaries are required to provide a detailed report to the DPB including any further information relating to the initial report, the facts and circumstances leading to the breach, risk mitigation and safety measures being implemented, findings relating to the person who caused the breach, and details of the intimation which has been provided to the affected data principals.
These reporting requirements will operate in parallel with the pre-existing requirement imposed by the Indian Computer Emergency Response Team ("CERT-In") where any 'cyber incident' including a data breach must be notified to CERT-In within 6 hours of becoming aware of such an incident.
7. How long can data be kept under the new rules?
The DPDPA requires data fiduciaries to erase personal data upon the withdrawal of consent by the data principal, or when it is reasonable to assume that the specified purpose for the processing is no longer being served, whichever is earlier. In addition to this, the DPDP Rules place specific data retention timelines on certain categories of data fiduciaries. All e-commerce entities and social media intermediaries with more than twenty million registered users in India, and all online gaming intermediaries with more than five million registered users in India, must delete personal data if, for a period of three years, the data principal does not approach such data fiduciaries for the performance of the specified purpose or for exercising their rights under the DPDPA, or three years from the commencement of the DPDP Rules, whichever is later.
8. What requirements do the rules have relating to the data of minors?
As per the DPDPA, prior to processing the personal data of anyone under the age of 18 or a person with a disability, data fiduciaries must seek consent from the parent or legal guardian as applicable for such processing. The DPDP Rules elaborate upon this requirement and prescribe that data fiduciaries must adopt "appropriate technical and organisational measures" to ensure that verifiable consent of the parent/legal guardian is being taken, and must observe due diligence to verify the same, either by using reliable details of the parent/legal guardian's age and identity already available to the data fiduciary, or by voluntarily provided details of age and identity issued by a governmental authority (including using the DigiLocker service). Given the non-specific nature of the requirements here, the degree of scrutiny expected from data fiduciaries to seek such verifiable parental consent is somewhat unclear in the provisions of the DPDP Rules.
The DPDP Rules also provide for certain specific exemptions wherein the requirement for obtaining parental consent and the restriction on tracking and behavioural monitoring of children would not be applicable. These are limited to processing of personal data by healthcare/educational establishments, and for the purposes of exercising any powers under applicable law, providing subsidies/benefits/certificates etc., creation of email IDs, ensuring that information likely to be detrimental to a child is not accessible to them, and for exercising the data fiduciary's due diligence requirements as mentioned above.
9. What are "significant data fiduciaries"? What incremental compliance requirements do they have?
Significant data fiduciaries are a class of data fiduciaries which may be notified by the Government on the basis of factors such as the volume and sensitivity of personal data being processed, the risk to the data principal's rights, potential impact on electoral democracy or the sovereignty or integrity of India, security of the State and public order. No clarification has been provided in the DPDP Rules for what classes of data fiduciaries will be notified as significant data fiduciaries.
Significant data fiduciaries have several additional obligations under the DPDPA, such as the appointment of a Data Protection Officer located in India, and conducting periodic data protection impact assessments (DPIA) and audits. In addition to these requirements, the DPDP Rules specify that such DPIA and audit must be conducted once every twelve months, and that significant data fiduciaries must ensure that any algorithmic software employed by them to process personal data is not likely to pose a risk to data principals' rights. There is also an additional data localization requirement on significant data fiduciaries under the DPDP Rules, which is discussed below.
10. Do the rules specify restrictions on cross border transfers of data?
In what seems like a departure from the cross-border data transfer provisions in the DPDPA (which allows only for the Government to blacklist certain countries to which personal data of Indian data principals may not be transferred), the DPDP Rules place an additional data localization requirement on significant data fiduciaries. As per the DPDP Rules, the Government may, on recommendation of a committee constituted by it, notify categories of personal data which would be restricted from being transferred outside India.
This requirement on the face of it appears to extend beyond the bounds of the DPDPA, and is likely to be a significant issue highlighted during the public consultation exercise. It remains to be seen whether it will be addressed by the government in the final version of the DPDP Rules, or whether it will be passed into law as is and then challenged in courts at a later stage.
11. Do the rules provide any clarification on what would classify as the 'purposes of employment' as was provided as a basis of processing in the DPDPA?
One of the 'legitimate purposes' under the DPDPA under which personal data may be processed without consent is "for the purposes of employment". The vague nature of this phrase meant that some clarification on what these purposes are was expected in the DPDP Rules. However, the provisions shed no light on the scope of the "purposes of employment" for which personal data may be processed without consent. This leaves a significant lack of clarity as to what this legitimate purpose would cover, and this clarity will now likely be provided in the form of precedent.
12. Is there any exemption for foreign entities processing personal data of Indian data principals without a presence in India?
The DPDP Rules grant no exemption from the application of the law to foreign entities if they process personal data. If such personal data is in digital form and relates to offering goods and services to data principals located in India, the applicability of the law, and hence the need to comply with its provisions, is unavoidable.
To conclude, the DPDP Rules, while they provide some clarity, also raise a number of questions. Leaving the data fiduciary in a position where it has to act as an investigating/fact-finding agency will certainly cause some degree of anxiety in the industry, as will the provisions relating to restrictions on cross-border transfers of data, which seem to exceed the scope that the DPDPA, under which the rules are made, provides for them. Added to these, the fact that every data breach needs to be reported to the data principal may well place an unreasonable burden on businesses.
It remains to be seen whether the above inadequacies, amongst others, are addressed in the final form of the rules when published after 18 February 2025. That having been said, given that the new law now appears to be on the precipice of implementation, businesses would be well advised to take preparatory steps, such as identifying and categorizing the data they have in their possession and contemplating the systems that they will need to put in place.
Footnote
[1] "Further, digital platforms will have to inform and take consent of people in English or any of the 22 Indian languages listed in the Constitution, in the language of their choice."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.