In a significant move towards regulating the digital landscape, the Indian government has recently unveiled the draft Digital Personal Data Protection Rules, 2025 for stakeholder consultations. These long-awaited draft rules (which have been released after a significant gap of 16 months post finalisation of the parent legislation) seek to address the burgeoning concerns around data security, consent, transparency and user rights in an era dominated by technological advancement. As the country grapples with the challenges posed by rapid digitalization, will these draft rules – framed with simplicity – establish a framework that balances innovation with the protection of personal information? This article explores the key features of the draft rules, their implications and the broader impact that the new data regime, once it comes into force, may have on the compliance framework.
India overhauled its data regime in the form of the Digital Personal Data Protection Act, 2023 (the Act). However, even though the Act received presidential assent in August 2023, it has not yet come into force as several provisions of the Act need to be supplemented by way of rules.
The government has recently released a draft of 22 rules (the Draft Rules) for stakeholder comments. The Draft Rules will remain open for public consultation until 18 February 2025.
We set out below some of the key provisions of these Draft Rules.
A. Consent notices: Consent forms the bedrock of the new data regime in India, with only certain 'legitimate uses' bypassing this necessity. The Draft Rules outline the minimum requirements that must be present in every notice seeking consent. These include that the notice must be clear, standalone and easily understandable, and separate from any other information being provided by the data fiduciary. The notice should employ plain language and must include, at a minimum: (i) the specific purpose of processing; (ii) an itemised description of the personal data being processed; and (iii) a list of goods and services that will be provided or facilitated by the processing. Further, the notice must set out a communication link for the data principal to access the data fiduciary's website and / or application, along with any other means that a data principal could use for the purposes of, inter alia, withdrawing their consent and requesting the erasure of their personal data.
It is helpful that the Draft Rules provide further clarity and specificity on consent-related matters. Although the Draft Rules give data fiduciaries the flexibility to create their own bespoke form of consent notice, it would have been helpful if they had also provided a template consent notice that data fiduciaries could use.
B. Consent managers: The Act introduced the concept of 'consent managers' for data principals to manage their consent. It provided that such entities will act as a single point of contact for data principals to provide, manage, and withdraw their consent to data fiduciaries via an interoperable platform, but did not provide any further detail about how the consent manager construct will work.
The Draft Rules now provide the framework for the operations of a consent manager, including the conditions of registration. A consent manager must be incorporated in India, have a minimum net worth of INR 2 crores (~USD 230,000), and maintain an independently certified interoperable platform enabling data principals to manage their consent. Consent managers will need to maintain adequate safety standards and detailed logs of how data principals have managed their consent.
Consent managers will act as fiduciaries for data principals and will need to avoid any conflicts of interest with data fiduciaries. This is a welcome requirement given that several data fiduciaries such as Big Tech companies and financial institutions have expressed interest in establishing their own consent managers.
The Draft Rules also make it clear that a consent manager must not itself be able to 'read' the personal data of data principals, and cannot sub-contract or assign any of its obligations. A change of control of a consent manager will require the prior approval of the Data Protection Board.
We believe that the consent manager framework will form an important part of the personal data ecosystem going forward, given the likely volume of consent requests that data principals will encounter daily, and the ongoing requirement for personal data to be smoothly and securely shared (with consent) between data fiduciaries on a safe interoperable platform.
C. Treatment of personal data breaches: The Draft Rules provide that on becoming aware of a personal data breach, a data fiduciary must notify affected data principals "without delay". Such notification shall provide (to the best of the data fiduciary's knowledge and information) a description of the breach, the likely consequences, mitigation and safety measures and details of a contact person within the data fiduciary. The Draft Rules do not contain any materiality threshold after which this notification requirement is triggered (which is consistent with the Act). The lack of a materiality threshold could lead to a significant compliance burden on fiduciaries and may well also desensitise data principals, thereby reducing their responsiveness to critical breaches which actually put their data at risk.
The data fiduciary is required to make a similar notification to the Data Protection Board, with a further update to be provided within 72 hours of becoming aware of such breach (or within such longer period permitted by the Data Protection Board). Such further update should include a report on the notifications made to affected data principals.
This 72-hour timeline for data breach reporting can be contrasted with the April 2022 directions of the Indian Computer Emergency Response Team (CERT-In) – which require "incidents" (which include data breaches and data leaks) to be reported to the CERT-In within 6 hours of the relevant entity noticing, or being notified about, the incidents. If the statutory provision pursuant to which the CERT-In directions were issued remains in force even after the Act comes into effect, the two (contradictory) notification regimes will run in parallel to each other. We think it would be better to take personal data-related issues (including data breach reporting) out of CERT-In's mandate to avoid multiple reporting timelines and further given that there will be a dedicated Data Protection Board established to deal with such breaches.
D. Cross-border personal data transfers: The Act provides the Central Government with the ability to restrict any cross-border transfer of personal data by a data fiduciary for processing in a particular country or any territory outside India. Given the wording, the expectation of various stakeholders has been that the Central Government would simply notify a list of 'blacklisted' jurisdictions to which the transfer of data would be prohibited.
The Draft Rules, however, have taken a different approach. They provide that a committee of the Central Government may specify that significant data fiduciaries may be required to retain certain types of personal data, along with any traffic data which essentially provides details about the movement and flow of such data (for instance, information about the geographical location of a device, IP addresses, websites visited, and timestamps of online activities) only in India. This appears to impose a localization requirement that is not present in the Act, and we think this provision in the Draft Rules is likely to meet with resistance (and potential legal challenge) if retained in its current form. The so-called Big Tech companies have lobbied hard in the past for the removal of such localization requirements, so it remains to be seen if this provision will be retained after the consultation period.
The Draft Rules also provide that cross-border transfers of personal data may be subject to the relevant data fiduciary meeting such requirements that the Central Government may specify in respect of making such data available to any foreign state or its instrumentality. This may result in a conflict with foreign laws (which could well require such data to be disclosed to the foreign state), which will create considerable compliance uncertainty for data fiduciaries.
E. Verifiable consent requirement: Under the Act, data fiduciaries must obtain verifiable consent from the parent or lawful guardian of a child (or, in the case of persons with disabilities, their lawful guardian) before processing their personal data. As a result, the Draft Rules impose obligations on data fiduciaries to confirm the parent's identity when obtaining such consent. Data fiduciaries must ensure that the person giving the consent is identifiable as a parent (or, in the case of lawful guardians of persons with disabilities, as an authorised guardian). Although the Draft Rules give examples of how such verification can be done (through reliable identity and age details already available with the fiduciary, or through identity and age details, or a token mapped to such details, issued by the Government), this is likely to be a point on which many data fiduciaries will have comments. This is primarily because the only "error proof" method of conducting such verification appears to be to verify each and every user and their age (a related concern being that users under 18 may not accurately disclose their age when they apply to register on platforms).
Dealing with the data of minors is not an issue specific to India (newspaper reports suggest that this has been a major reason for the delay in the issue of the Draft Rules), and many jurisdictions have struggled to address such issues. We believe that the trend (at least to start with) will be to use tokens to conduct verification, but this is an area where even the final form of the Draft Rules could continue to undergo changes in the near to medium term, as verification technologies and methodologies evolve.
F. Security safeguards to be implemented: Under the Draft Rules, a data fiduciary is required to implement reasonable security safeguards to protect personal data and prevent any breaches. The minimum requirements in this regard include, inter alia, encryption, obfuscation, masking of virtual tokens mapped to any personal data, access control, monitoring for unauthorised access, data back-ups, maintaining confidentiality, technical and organizational measures for effective observance of security standards and specific inclusion of appropriate reasonable security measures in the contracts entered by a data fiduciary with a data processor.
Concerns are being expressed about these requirements being applied to all data fiduciaries, including smaller tech (especially fin-tech) companies, which are already stating that the compliance costs in this regard will divert significant funds and decelerate their growth. It remains to be seen whether the final form of the Draft Rules will contain any demarcation between the requirements for "significant data fiduciaries" and those for other, smaller fiduciaries – on balance, we think this is unlikely.
G. Timelines for erasure of personal data by certain data fiduciaries: The Draft Rules specifically designate timelines for erasure of personal data by e-commerce entities and social media intermediaries (having not less than 20 million registered users in India) and online gaming intermediaries (having not less than 5 million registered users in India). Such entities are required to erase personal data of users within three years from the date on which the data principal last approached the data fiduciary for the performance of the specified purpose or for exercise of their rights, or the commencement of the Draft Rules, whichever is later.
The personal data must be erased after the data principal has been provided with at least 48 hours' prior notice. It appears that other data fiduciaries will have some flexibility to determine their retention periods.
H. Assessments and audits by significant data fiduciaries: The Act introduced the concept of 'significant data fiduciaries' that would need to comply with additional obligations, on account of factors such as the volume and sensitivity of personal data processed by them. These include carrying out periodic audits and data protection impact assessments. The Draft Rules clarify that such audits and assessments will need to be carried out at least annually.
I. Next Steps: After the period for public consultation and comments ends in February 2025, the Minister has stated in recent interviews that he expects the final form of the Draft Rules to be placed before the Indian Parliament in the third quarter of 2025. He has also stated that the operative provisions of the new regime will be rolled out in a period of up to 24 months (the period may be shorter for more sophisticated data fiduciaries which already deal with regimes such as the GDPR). It remains to be seen whether such timelines are adhered to, given the historic pace of progress of implementation of the new regime so far. Concerns are already being expressed about the readiness of government and government-adjacent entities – which will be among the largest repositories of personal data in India – to implement the new law in 24 months.
What has of course been clear for some time is that – whether or not the timelines slip – compliance with personal data requirements will be the most significant new compliance requirement to emerge in India in recent times. Entities dealing with Indian personal data would be well advised to start preparing for the new regime sooner rather than later. We believe that although the rules are in draft form, they are not likely to undergo wholesale changes so commencing preparatory work on the basis of the Draft Rules is probably sensible.