14 January 2025

Data Protection Demystified: Key Takeaways Of The Draft Digital Personal Data Protection Rules, 2025

Clasis Law

Contributor

Clasis Law, with offices in Delhi and Mumbai, is a full-service Indian law firm that is truly international in vision, scope, experience and capability. Being solutions-oriented, the firm offers efficient, cost-effective services of the highest quality and prides itself on providing practical and commercially relevant legal advice, combining specialist legal skills and industry experience specific to the needs of the client. The firm advises domestic as well as international clients, ranging from Fortune 500 companies to individuals, across industry sectors on all aspects of Indian law.

The advent of the Digital Personal Data Protection Act, 2023 ('DPDP Act'), marked a pivotal moment in India's data protection landscape, laying the foundation for a robust framework to govern the collection, use, and management of personal data.

To further refine and operationalize these provisions, the Ministry of Electronics and Information Technology ('MeitY') on January 3, 2025, released the draft of Digital Personal Data Protection Rules, 2025 ('Rules'), inviting public consultation to shape the future of data governance in India. Stakeholders have been invited to submit objections and suggestions on the draft Rules by February 18, 2025 through the MyGov portal.

This article delves into the evolving landscape of data protection in India, examining the DPDP Act and the recently proposed draft Rules. It highlights key provisions, including requirements for consent, reasonable security safeguards, notification of personal data breaches, and data retention policies. The article also explores specific mandates for Data Fiduciaries, such as the appointment of Data Protection Officers and the handling of children's personal data. By comparing these new frameworks with the existing data protection regime, namely the Information Technology Act, 2000 ('IT Act') and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ('SPDI Rules') framed thereunder, this article provides an overview of the measures designed to enhance transparency, accountability, and data security in India's digital ecosystem.

Key Highlights:

Phased Implementation: As per the draft Rules, the implementation of the Rules will be carried out in phases. Initially, only the administrative provisions concerning the establishment of the enforcement authority - the Data Protection Board ('DP Board'), will take effect. This includes the appointment of the chairperson and members, along with regulations governing their salaries, allowances, meeting protocols, and terms and conditions for the officers and employees of the DP Board. The substantive provisions, from Rules 3 to 15, 21, and 22 will be effective at a date which shall be specified in the Rules.

Consent Requirement: The SPDI Rules mandate that explicit written consent be obtained before collecting sensitive personal data or information ('SPDI') of an individual. Individuals must be informed about the collection, its purpose, the intended recipients of the SPDI, and the address of the entity collecting or retaining the data.

The DPDP Act had introduced additional obligations on Data Fiduciaries with respect to the manner of obtaining consent and providing a notice to the Data Principal prior to collecting and processing their personal data. The draft Rules have further clarified the specific requirements that such a notice shall entail. The notice must be presented in clear, plain language and include sufficient details to enable individuals to provide specific and informed consent. At a minimum, the notice should include an itemized description of the personal data to be processed, the specified purpose of the processing, and an itemized description of the goods or services to be provided, or the uses to be enabled, by that processing.

Reasonable Security Safeguards: The SPDI Rules provide that in order to comply with reasonable security practices, a body corporate or its representative must implement certain security measures supported by a comprehensive information security program and policies. These should include managerial, technical, operational, and physical controls tailored to the nature of the business and the sensitivity of the information assets being protected. The international standard IS/ISO/IEC 27001 on Information Security Management Systems is recognized as an example of such a framework.

The draft Rules lay down detailed security safeguards that a Data Fiduciary is required to comply with as part of its general obligations under the DPDP Act. As per the draft Rules, Data Fiduciaries are required to implement baseline security measures to safeguard personal data and prevent breaches, including during processing by Data Processors. These measures involve securing personal data through encryption, obfuscation, masking or the use of virtual tokens; controlling access to computer resources; maintaining logs for monitoring and detecting unauthorized access; investigating data breaches and remedying them to prevent recurrence; and ensuring continued data processing through backups in case of data compromise. Additionally, as per the draft Rules, contracts between Data Fiduciaries and Data Processors must include provisions for security safeguards, supported by technical and organizational measures to uphold these standards effectively.

Intimation of Personal Data Breach: The IT Act and the SPDI Rules are silent on notifying data owners or processors in the event of a data breach. However, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 require certain types of cyber security incidents to be mandatorily reported to CERT-In (the authority set up under Section 70B of the IT Act) by filling in the prescribed forms on CERT-In's website.

The DPDP Act had introduced provisions under which the Data Fiduciary is required to give the DP Board and each affected Data Principal intimation in the event of a personal data breach, in the manner prescribed, thereby increasing the compliance requirements on the Data Fiduciary. The draft Rules provide that such intimation to Data Principals must be made in a concise, clear and plain manner and without delay, through the user account or any mode of registered communication, detailing the nature, scope, timing, and potential impact of the breach. It must also outline mitigation measures and offer recommendations for safeguarding the Data Principal's data. Additionally, Data Fiduciaries must inform the DP Board without delay, providing a description of the breach, including its nature, scope, timing, location, and potential impact. Comprehensive details must be submitted within 72 hours of becoming aware of the breach, or within an extended timeframe if permitted by the DP Board.

Data Retention: The SPDI Rules provide that a body corporate, or any person acting on its behalf, must not retain SPDI longer than necessary for the lawful purpose for which it was collected. Retention beyond this period is permitted only if required by other applicable laws.

Similar to the current regime, the DPDP Act provides for erasure of personal data upon withdrawal of consent by the Data Principal or as soon as it is reasonable to assume that the specified purpose for which the personal data was collected is no longer being served. As per the DPDP Act, a specified purpose would be deemed to be no longer served if the Data Principal neither engages with the Data Fiduciary for the performance of that purpose nor exercises their rights within the time frame specified under the draft Rules for certain classes of Data Fiduciaries. Such Data Fiduciaries are listed under the Third Schedule of the draft Rules and include e-commerce entities (having not less than 2 crore registered users in India), online gaming intermediaries (having not less than 50 lakh registered users in India), and social media intermediaries (having not less than 2 crore registered users in India). The draft Rules set out a 3 year time period.

The Data Fiduciary must notify the Data Principal at least 48 hours in advance before erasing the data, giving them a chance to take action to preserve it. This ensures data is only kept when necessary for use or legal obligations while allowing the Data Principal to retain it if desired.

Data Protection Officers: Under the SPDI Rules, body corporates are required to appoint a Grievance Officer to address any discrepancies or grievances related to the processing of information in a time-bound manner and to publish the officer's name and contact details on their website. A similar role has been entrusted to the Data Protection Officer, who must be appointed by every Significant Data Fiduciary (a class that may be notified by the government). The DPDP Act lays down specific requirements for a person who can be a Data Protection Officer, including that such person shall be based in India. Other Data Fiduciaries are required to appoint either a Data Protection Officer or a designated individual to respond to queries raised by individuals regarding the processing of their personal data.

The draft Rules stipulate that all Data Fiduciaries must prominently display on their website or application the business contact information of the designated individual. If applicable, they must also provide details of the Data Protection Officer. This information must be included in every communication with a Data Principal exercising their rights under the DPDP Act, to ensure transparency and accessibility. The requirements under the new data protection law with respect to grievance redressal are more extensive and comprehensive.

Children's Personal Data: The IT Act and SPDI Rules are silent on specific guidelines for processing personal data relating to children. The DPDP Act had introduced obligations on Data Fiduciaries with respect to the personal data of children. Data Fiduciaries are required to implement stringent technical and organizational measures to obtain verifiable consent from parents or lawful guardians before processing the personal data of children or of individuals with disabilities. The DPDP Act also prohibits processing of personal data that is likely to have an adverse effect on the well-being of a child, as well as tracking or behavioural monitoring of children or targeted advertising directed at them (except as may be permitted for certain classes of Data Fiduciaries).

The draft Rules have now laid down specific requirements that Data Fiduciaries must follow to obtain verifiable consent from parents, which include exercising due diligence to verify that the individual claiming to be a parent or guardian is an adult and can be identified if required under Indian law. Verification can be achieved through reliable identity and age details already available with the Data Fiduciary or via voluntary submission of such information. Additionally, virtual tokens mapped to identity and age details, issued by authorized entities such as government agencies or digital service providers like Digital Locker systems, may be used for this purpose.

Further, the draft Rules, as outlined in the Fourth Schedule, specify certain classes of Data Fiduciaries that are exempt from obtaining the consent of parents/legal guardians and from the prohibition on tracking or behavioural monitoring of children or targeted advertising. The exemption is valid so long as the processing is limited to the extent necessary for the protection, interests or safety of the child. The Data Fiduciaries included in this class are healthcare professionals, educational institutions and childcare providers. The Fourth Schedule also outlines specific purposes for which the above exemption applies, including processing of data for legal duties, issuing subsidies/benefits to children, and creating a user account for communication.

Cross-Border Data Transfer: The SPDI Rules provide that a body corporate, or a person acting on its behalf, may transfer SPDI to another body corporate or individual within India or abroad, provided the receiving entity ensures the same level of data protection as mandated by the rules. Such transfers are permissible only under specific conditions, including necessity for the performance of a lawful contract between the body corporate and the information provider or when the individual has explicitly consented to the transfer.

The DPDP Act introduced certain restrictions on cross-border transfer of personal data. According to the DPDP Act, the Central Government may, by notification, restrict the transfer of personal data for processing by a Data Fiduciary to such countries outside India as may be notified. The draft Rules specify that a Data Fiduciary processing personal data within India, or outside India in connection with offering goods or services to Data Principals in India, may transfer personal data to a foreign state or to persons/entities under its control subject to compliance with restrictions imposed by the Central Government. These requirements may be outlined through general or specific orders and may apply to making personal data available to foreign states, or to entities or agencies under the control of such states.

Consent Managers: The DPDP Act had introduced the concept of Consent Managers, entities that act as intermediaries between Data Principals and Data Fiduciaries to streamline the process of obtaining, managing, and withdrawing consent for personal data processing. As per the DPDP Act, the Consent Managers must be registered with the DP Board. They are required to operate transparently, ensuring that consent is obtained in a user-friendly manner. Consent Managers are to play a crucial role in empowering Data Principals by providing them with easy access to provide, view, and withdraw consent as necessary.

The draft Rules have laid down provisions relating to registration and obligations of the Consent Managers. As per the draft Rules, the Consent Managers must be companies incorporated in India with sound financial and operational capacity, a minimum net worth of 2 crore rupees, and a reputation for fairness and integrity. The platform they provide must be interoperable and capable of managing consent efficiently. Once registered, Consent Managers are obligated to maintain records of consent and data sharing, ensuring transparency and access to such records. They must also implement strong security measures to protect personal data, avoid conflicts of interest, and ensure transparency by publishing key management details and ownership structures. The DP Board has the authority to audit the operations of Consent Managers, suspend or cancel their registration if necessary, and issue corrective directions to safeguard the interests of Data Principals.

Conclusion

The introduction of the DPDP Act had marked a significant step toward strengthening data privacy and security in India. With the publication of the draft Rules, clear obligations have been set out for Data Fiduciaries, ensuring more transparency and accountability in the collection and processing of personal data. With provisions addressing consent, data retention, security measures, breach notifications, and the protection of children's data, the draft Rules aim to empower individuals and create a robust framework for managing personal data in the digital age. While the draft Rules provide clarity on certain aspects, some provisions remain ambiguous. For instance, the cross-border restrictions may conflict with foreign laws that require access to personal data under their own domestic provisions (e.g. anti-corruption laws). How the novel concept of the Consent Manager will work in practice also remains to be seen. As these regulations evolve through public consultation and phased implementation, businesses must stay vigilant and adapt to ensure compliance with these emerging standards, while also safeguarding the rights of Data Principals. The continued development of India's data protection landscape is crucial for building trust and protecting the privacy of citizens in an increasingly digital world.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
