ARTICLE
28 January 2025

Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules)

Archer & Angel

Contributor

Archer & Angel is a full-service law firm established in 1999. With a team of seasoned professionals headed by its Managing Partner, Sanjay Chhabra, and multiple offices giving it a pan-India presence, the firm offers tailored and practical advice to clients across diverse industries worldwide. The firm advises on all aspects of law, including Corporate Commercial, M&A, Intellectual Property, Labour & Employment, Infrastructure, Construction & Real Estate, Litigation & Arbitration, Government Policy & Regulatory, and Information Technology.

The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 on January 03, 2025. The draft rules had been awaited for more than 16 months since the enactment of the Digital Personal Data Protection Act, 2023 on August 11, 2023.

The draft rules are intended to create an accountable, secure and transparent digital space for Indian citizens, addressing challenges such as the safety of personal data and its misuse. They aim to create a comprehensive framework for data protection and privacy that upholds citizens' rights and safety in a growing digital world. The rules are currently in draft form, and the Ministry has published them for public feedback until February 18, 2025.

KEY PROVISIONS IN THE DRAFT RULES:

  1. Notice: The draft rules give clear guidance on the Notice required under Section 5 of the Act, i.e. the notice given when seeking consent from an individual. The Notice must be written in clear and plain language, so that the individual can understand it, and must give a fair account of the details needed for the individual to give specific and informed consent to the processing of their data. The Notice must:
    1. include an itemized description of the personal data being collected;
    2. state the specified purpose of the processing, i.e. what goods or services are being provided, or what use will be enabled, by processing that data;
    3. tell the individual how to withdraw their consent; and
    4. tell the individual how to raise a grievance, including how to make a complaint to the Data Protection Board.

    This provision sets standards for Notices but stops short of prescribing a format, which leaves room for interpretation. For example, the requirement that an individual be able to withdraw consent with the same ease with which it was given is easy to understand but may be hard to enforce. The draft rules thus do away with blanket consents.

    This measure aims to secure informed consent from users and to bring transparency to the collection of personal data.

  2. Rights of Children and Persons with Disabilities: A Data Fiduciary that processes the personal data of a minor, or of a person with a disability who has a lawful guardian, must obtain verifiable consent from the parent or guardian. The Data Fiduciary must both obtain the consent and verify the identity of the parent or guardian giving it, by checking government-authorized identity documents or documents stored in a Digital Locker service. Certain Data Fiduciaries, such as healthcare providers, educational institutions and childcare providers, are exempted for specified purposes.

    This measure aims to strike a balance between permitting the processing of data about minors and persons with disabilities and ensuring their safety and security.

  3. Role of Significant Data Fiduciaries (SDFs): The Act provides that Data Fiduciaries handling sensitive data in large volumes can be notified as Significant Data Fiduciaries, which are subject to stricter obligations. The draft rules add further obligations for this class, such as an annual Data Protection Impact Assessment and an annual audit to verify compliance with the rules, with the findings reported to the Data Protection Board. SDFs must also exercise due diligence to verify that any software they deploy to process personal data does not pose a risk to individuals' rights, and must ensure that specified categories of personal data, and their processing, do not flow outside the territory of India.

    This measure aims to subject large handlers of personal data to stricter regulation; however, the data localization requirement could affect international trade and cross-border services.

  4. Data Protection Officers: The Act requires Data Fiduciaries to publish the contact details of a Data Protection Officer, or of a person able to answer questions about the processing on their behalf, and the draft rules carry this requirement over. The measure aims to give individuals a channel for grievances and clear communication; however, the rules do not specify what kind of contact information must be made available, leaving that to each Data Fiduciary.

    This measure aims to make businesses easy to reach and accountable to individuals.

  5. Consent Managers: The Act provides for Consent Managers as a single point of contact through which individuals can give, manage, review and withdraw their consent. The draft rules set out the mechanism for registering Consent Managers with the Data Protection Board of India, including eligibility criteria such as net worth, governance and financial condition, and the grounds on which a registration may be suspended or cancelled. The draft rules also lay down the obligations of Consent Managers, including protecting personal data, avoiding conflicts of interest, maintaining audit mechanisms, and keeping records for seven years.

    This measure aims to govern the registration, conduct and removal of Consent Managers by giving them guidelines on how to manage, record, review and publish consents.

  6. Localization of Data: The draft rules propose restrictions on the transfer of personal data outside India, introducing a requirement that such transfers meet conditions laid down, or approval given, by the Central Government.

    This measure aims to restrict how Data Fiduciaries process such personal data across borders and to strengthen data sovereignty.

  7. Data Retention Policy: The draft rules require certain classes of Data Fiduciaries, such as e-commerce entities, online gaming intermediaries and social media intermediaries, to erase personal data they no longer need. Such a Data Fiduciary must erase the personal data of an individual who has not interacted with it for three years. Before erasing the data, it must notify the individual at least forty-eight (48) hours in advance, giving them time to log into their account or otherwise make contact and so prevent the erasure.

    This measure aims to align data retention with global standards and to reduce the risks that come with holding redundant personal data.

  8. Security Safeguards: The Act requires Data Fiduciaries to implement reasonable security safeguards, and the draft rules spell out what these include: encryption, masking, the use of virtual tokens, access control, logging and monitoring of access with periodic review, and data backups. The rules also require that contracts between a Data Fiduciary and any Data Processor acting on its behalf oblige the processor to apply the same reasonable safeguards. This measure aims to ensure the protection of personal data.

  9. Reporting Data Breaches: The Act requires a Data Fiduciary to take reasonable security safeguards and, if a breach nonetheless occurs, to notify the affected individuals and the Board. The draft rules provide two separate intimations, one to each affected individual and one to the Board. On becoming aware of a breach, the Data Fiduciary must promptly, and within a reasonable time, inform each affected individual of the nature of the breach, its likely consequences, the measures taken to mitigate it, and the safety measures the individual can take. It must also intimate the Board and, within 72 hours of becoming aware of the breach, submit a detailed report covering the description and facts of the breach, the mitigating measures taken, the findings, the remedial measures, and information on the affected individuals.

    This measure aims at effective reporting and damage control; it makes no distinction between major and minor breaches, requiring both to be reported without delay.
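The retention rule in item 7 above (erasure after three years of inactivity, preceded by at least 48 hours' notice, with any interaction cancelling the erasure) is the kind of rule a platform ends up implementing as a scheduled job, and getting the state transitions right is where implementations usually go wrong. The following is an added example written for this page; it is not code from the draft rules, from MeitY, or from the firm. The record layout, the use of 3 × 365 days to approximate three years, and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as described in the draft rules. Three years is approximated
# as 3 * 365 days here (an assumption; use the calendar computation your
# legal team signs off on in production).
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_LEAD_TIME = timedelta(hours=48)


@dataclass
class UserRecord:
    """Hypothetical per-user record; the layout is an assumption for this example."""
    user_id: str
    last_interaction: datetime  # last login, purchase, rights request, etc.
    personal_data: Dict[str, str] = field(default_factory=dict)
    notice_sent_at: Optional[datetime] = None
    erased: bool = False


def record_interaction(rec: UserRecord, when: datetime) -> None:
    """Any interaction resets the inactivity clock and cancels a pending notice."""
    if rec.erased:
        return
    rec.last_interaction = when
    rec.notice_sent_at = None


def retention_action(rec: UserRecord, now: datetime) -> str:
    """Decide what the sweep should do with one record at time `now`.

    'keep'   - user is active (or already erased); nothing to do
    'notify' - inactive for the full period and no notice sent yet
    'wait'   - notice sent, but 48 hours have not yet elapsed
    'erase'  - notice sent at least 48 hours ago and still no interaction
    """
    if rec.erased:
        return "keep"
    if now - rec.last_interaction < INACTIVITY_PERIOD:
        return "keep"
    if rec.notice_sent_at is None:
        return "notify"
    if now - rec.notice_sent_at < NOTICE_LEAD_TIME:
        return "wait"
    return "erase"


def run_retention_sweep(records: List[UserRecord], now: datetime) -> Dict[str, str]:
    """Apply the retention policy to every record; return {user_id: action}."""
    outcome: Dict[str, str] = {}
    for rec in records:
        action = retention_action(rec, now)
        if action == "notify":
            # In production the 48-hour advance notice is sent here; recording
            # the timestamp makes the later erasure auditable.
            rec.notice_sent_at = now
        elif action == "erase":
            rec.personal_data.clear()  # remove the personal data itself
            rec.erased = True          # keep only a tombstone as the audit trail
        outcome[rec.user_id] = action
    return outcome


def sample_records(now: datetime) -> List[UserRecord]:
    """Constructed sample data (not real users) covering each branch."""
    stale = now - timedelta(days=4 * 365)
    return [
        UserRecord("active", now - timedelta(days=30), {"email": "a@example.com"}),
        UserRecord("inactive-no-notice", stale, {"email": "b@example.com"}),
        UserRecord("inactive-notice-24h", stale, {"email": "c@example.com"},
                   notice_sent_at=now - timedelta(hours=24)),
        UserRecord("inactive-notice-72h", stale, {"email": "d@example.com"},
                   notice_sent_at=now - timedelta(hours=72)),
    ]


def demo_sweep() -> Dict[str, str]:
    """Run one sweep over the constructed sample records at a fixed time."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return run_retention_sweep(sample_records(now), now)


def demo_notice_then_interaction() -> List[str]:
    """Show that an interaction after the notice cancels the pending erasure."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    rec = UserRecord("returning", now - timedelta(days=4 * 365), {"email": "e@example.com"})
    first = retention_action(rec, now)                          # 'notify'
    rec.notice_sent_at = now
    record_interaction(rec, now + timedelta(hours=1))           # user logs in after the notice
    second = retention_action(rec, now + timedelta(hours=48))   # 'keep'
    return [first, second]


if __name__ == "__main__":
    for uid, action in demo_sweep().items():
        print(f"{uid}: {action}")
    print(demo_notice_then_interaction())
```

Two design points matter for compliance: the notice and the erasure are distinct states with their own timestamps, so the 48-hour window is measured from a recorded event rather than from "whenever the job last ran", and erasure leaves a tombstone without personal data so the organization can later show that the data was erased and when.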

ANALYSIS OF DRAFT RULES:

  1. Gaps and lack of clear guidelines: The rules leave a number of matters open to interpretation, such as the format of notices and the systems to be used for storing and protecting data. One reason for not prescribing rigid guidelines or forms may be the pace at which technology changes. The impact of leaving these provisions open to wide interpretation remains to be seen.
  2. Complexities of Consent Management: Smaller companies will find it challenging to meet the data protection and consent requirements while storing, processing and erasing data within the prescribed rules, leaving them exposed to severe penalties.
  3. Obscurity in security standards: The lack of detailed guidance on security practices is another concern. Beyond the list of safeguards, the rules name no security standard and, apart from the audit obligation on Significant Data Fiduciaries, prescribe no independent audit, leaving each organization to decide what counts as "reasonable" and leaving room for minimal or unfair practices by unscrupulous companies. Penalties are specified, but there is no separate compliance or certification mechanism.
  4. Establishment of the Data Protection Board: The Act and rules establish a Data Protection Board with significant powers, including the power to impose large penalties, to enforce the provisions. Companies must also comply with reporting requirements to the Board and must address and handle user grievances.
  5. Impact on Businesses: Businesses, and small organizations in particular, will need to invest significantly to meet the new compliance requirements set out in the Rules. Companies that use customer data will have to strengthen their security controls, build consent management systems, and maintain transparent communication with users, which may require reworking existing mechanisms and infrastructure.
  6. Impact on Users: The Act and rules aim to strengthen the protection of personal data by laying down rules for its management, storage, processing and erasure. These rules give users greater control over their personal information, along with transparency about how their personal data is processed and retained.

CONCLUSION:

The draft rules were long awaited and aim to play a pivotal role in strengthening India's digital privacy regime while addressing the challenges it poses for individuals and businesses.

Whilst the regulations intend to promote accountability and transparency and to ensure the safety of individuals, they pose financial and technical challenges for small and medium enterprises in adjusting to the stringent requirements. Organizations can navigate the complexities of this much-needed development in data protection by adopting appropriate security measures, investing in compliance infrastructure and fostering a privacy-first culture.

Feedback from stakeholders will be crucial in refining the draft rules so that they balance operational feasibility for businesses against privacy protection for society at large.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
