After a long wait since August 2023, when Parliament passed the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Ministry of Electronics and Information Technology (MeitY) published the draft DPDP Rules ("Draft Rules") for public consultation on 3rd January 2025. The Draft Rules are intended to clarify how the collection, processing and storage of personal data will be governed in India. We have analysed the Draft Rules and, through this article, aim to summarise the requirements and the preparation businesses will need in order to comply with the DPDP Act and the Rules once they are enforced.
The Draft Rules do bring some clarity on how MeitY intends to roll out the new law, though they are far from clarifying all the operative provisions of the Act, and one should expect amendments and further regulations before the data privacy regime in India is truly launched. The intention is to first set up the regulatory authority, the Data Protection Board of India ("Board"). The operative provisions stated in the Draft Rules will be implemented later, giving businesses time to implement the new requirements and adjust their governance and compliance programs. This phased approach is in line with how data privacy legislation has been introduced elsewhere, with the European Union's General Data Protection Regulation ("GDPR") leading the way and giving industry almost two years to prepare before its operative provisions came into force.
Notices and Consents
The DPDP Act establishes a consent-based data privacy regime, leaving only "certain legitimate uses" as an alternative ground for processing personal data. Hence, businesses that process personal data and determine the purpose and means of that processing ("Data Fiduciaries") will need to decide whether the consent of the Data Principal is required or whether the processing falls within a legitimate use. Interestingly, even to arrive at the legitimate-use determination, the Data Fiduciary may need to have obtained the Data Principal's consent for certain purposes. Hence, as far as non-governmental organisations are concerned, they will be required to give notice to Data Principals either before or at the time of collecting personal data and to obtain the necessary consent.
The Act specifies that the consent given by the Data Principal must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action signifying agreement to the processing of personal data necessary for the specified purpose. The notice must detail the personal data being collected, the purpose of its use, and the goods or services for which it is required. The notice should also explain how Data Principals can exercise their rights and withdraw consent, and the procedure for making a complaint to the Board. The Draft Rules mandate that Data Fiduciaries provide a clear, standalone notice in simple language to Data Principals when seeking their consent for the collection of personal data.
Provisions for appointment of Consent Manager
The Act introduces a new intermediary, the consent manager. The consent manager will be a company incorporated in India and registered with the Board as a consent manager, adding a regulatory layer to the data privacy regime. Its main purpose is to act as a single point of contact between the Data Principal and the Data Fiduciary, enabling Data Principals to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform.
Companies acting as Data Fiduciaries may integrate consent managers to streamline consent management for Data Principals under the DPDP Act. By ensuring interoperability and transparency, these registered consent managers are expected to facilitate the giving, managing and withdrawing of consent while remaining independent and free from conflicts of interest with Data Fiduciaries.
Consent managers will be accountable to Data Principals and must act in accordance with guidelines prescribed from time to time. Further regulations on the operation of consent managers are therefore expected from MeitY. These regulations will be necessary for the operative part of the Act and may further delay the enforcement of a data privacy regime that has been in limbo for a long time.
India already has a similar structure in place. The Reserve Bank of India introduced the Account Aggregator (AA) framework only a few years ago. While AAs enable consent-based sharing of financial data, the Draft Rules introduce consent managers for personal data more broadly. Because both systems are built on consent-based data sharing, it has been argued that the AA framework already fulfils this role in the financial sector, making consent managers potentially redundant there. However, consent managers apply beyond financial data and could improve data privacy management across industries.
Significant data fiduciaries ("SDF")
The DPDP Act provides that the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as an SDF based on factors such as the volume and sensitivity of personal data processed and the risk to the rights of Data Principals. The much-awaited Draft Rules do not provide further detail on the factors that will be used to classify a Data Fiduciary as an SDF. Given the wide scope of section 10 of the DPDP Act, it is likely that a wide range of industries may be classified as SDFs, with the distinguishing factor being the volume of data they consume or store.
The Draft Rules do outline additional obligations that SDFs must adhere to, which include the following:
- appointing a Data Protection Officer and an independent data auditor to carry out audits and annual data protection impact assessments, and submitting a report to the Board containing the significant observations from the data protection impact assessment and audit;
- carrying out due diligence to verify that the algorithmic software deployed for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing the personal data it processes is not likely to pose a risk to the rights of Data Principals; and
- taking measures to ensure that personal data specified by the Central Government is processed subject to the restriction that the personal data, and the traffic data pertaining to its flow, is not transferred outside India.
The data localisation requirement under the Draft Rules further adds to the ambiguity of an already unclear SDF classification, leaving businesses unsure which compliances they need to be ready for. A critical gap in the proposed framework is the absence of any provision ensuring a reasonable period for compliance after a business is designated an SDF. Businesses need clarity on these timelines to adequately prepare for the additional regulatory measures they will be required to implement.
Development of robust risk management infrastructure
Data Fiduciaries are responsible for the security of the personal data in their possession or under their control. While a requirement to establish reasonable security safeguards is standard across data privacy laws globally, the DPDP Act is unusual in placing the entire burden of compliance on the Data Fiduciary, including for processing carried out by third-party processors. Data Processors do not appear to be directly liable either to Data Principals or to the regulator, which makes it imperative for Data Fiduciaries to put stringent data processing agreements in place with their Data Processors. This may further increase the cost of compliance: Data Fiduciaries may have to enforce compliance through enhanced reporting requirements, periodic audits, robust data protection and security policies imposed on processors, the mandated use of suitable technical controls, dedicated teams for data breach reporting and risk mitigation, and insurance to cover the residual risk of this arrangement.
In this regard, the Draft Rules attempt to identify minimum security safeguards to prevent data breaches. These include measures such as:
- securing personal data through encryption, obfuscation, masking, or the use of virtual tokens mapped to the personal data;
- controlling who can access data, and hence restricting access to the relevant computer resources;
- maintaining access logs and monitoring and reviewing them to detect unauthorised access, and to support investigation and remediation;
- maintaining data backups so that the processing of personal data can continue even if its confidentiality, integrity or availability is compromised;
- implementing appropriate technical tools that detect and prevent unauthorised access to personal data and assist in its investigation; and
- other technical and organisational measures to ensure effective observance of the security safeguards.
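Three of the safeguards listed above, tokenisation (virtual tokens mapped to personal data), masking for display, and an access log reviewed for unauthorised access, are shown together below in a small in-memory token vault. This is an added illustration written for this article, not code from the Draft Rules or from any product; the `TokenVault` class, the `support-lead` role, the sample e-mail addresses and the demo HMAC key are all constructed for the example. The idea is that downstream systems (CRM exports, analytics, support tooling) store only the token, so a breach of those systems exposes no personal data, while every request to reverse a token is logged and checked against a role list.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed demo key: in production the key comes from a KMS/HSM, never from source code.
DEMO_HMAC_KEY = b"constructed-demo-key-do-not-use"


def mask_email(email: str) -> str:
    """Masking for display: keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Masking for display: show only the last four digits, e.g. on a support screen."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


class TokenVault:
    """Replaces personal data with random tokens; the token-to-data mapping lives only here.

    Only roles listed in `detokenize_roles` may reverse a token. Every tokenize and
    detokenize call is appended to `access_log`, which feeds the monitoring rule in
    `suspicious_actors`.
    """

    def __init__(self, hmac_key: bytes, detokenize_roles: set):
        self._hmac_key = hmac_key
        self._detokenize_roles = set(detokenize_roles)
        self._by_token: dict = {}        # token -> personal data (encrypt this store at rest in production)
        self._by_fingerprint: dict = {}  # HMAC(value) -> token, so the same value always maps to one token
        self.access_log: list = []

    def _fingerprint(self, value: str) -> str:
        # Keyed hash for the lookup index: an unkeyed SHA-256 of an e-mail address could be
        # reversed by a dictionary of guessed addresses; with the key, nobody can precompute it.
        return hmac.new(self._hmac_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def _log(self, action: str, actor: str, role: str, token: str, outcome: str) -> None:
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "role": role,
            "token": token, "outcome": outcome,
        })

    def tokenize(self, value: str, *, actor: str, role: str) -> str:
        """Return the token for `value`, minting a fresh random one on first sight."""
        fp = self._fingerprint(value)
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random: carries no information about the value
            self._by_fingerprint[fp] = token
            self._by_token[token] = value
        self._log("tokenize", actor, role, token, "ok")
        return token

    def detokenize(self, token: str, *, actor: str, role: str) -> str:
        """Reverse a token; denied (and logged) unless the caller's role is permitted."""
        if role not in self._detokenize_roles:
            self._log("detokenize", actor, role, token, "denied")
            raise PermissionError(f"role {role!r} may not read personal data")
        value = self._by_token.get(token)
        if value is None:
            self._log("detokenize", actor, role, token, "unknown-token")
            raise KeyError(token)
        self._log("detokenize", actor, role, token, "ok")
        return value

    def suspicious_actors(self, threshold: int = 3) -> list:
        """Simple review rule over the access log: actors with `threshold` or more denied reversals."""
        denied: dict = {}
        for entry in self.access_log:
            if entry["action"] == "detokenize" and entry["outcome"] == "denied":
                denied[entry["actor"]] = denied.get(entry["actor"], 0) + 1
        return sorted(actor for actor, count in denied.items() if count >= threshold)


if __name__ == "__main__":
    vault = TokenVault(DEMO_HMAC_KEY, {"support-lead"})
    tok = vault.tokenize("priya@example.com", actor="crm-export", role="app")  # constructed sample address
    print("stored downstream:", tok, "| displayed to agent:", mask_email("priya@example.com"))
    print("support lead reads:", vault.detokenize(tok, actor="alice", role="support-lead"))
    for _ in range(3):
        try:
            vault.detokenize(tok, actor="mallory", role="analyst")
        except PermissionError:
            pass
    print("actors to review:", vault.suspicious_actors())
```

Two design points are worth noting. The token is random rather than derived from the data, so possession of a token and the HMAC key still reveals nothing about the underlying value; the keyed fingerprint exists only so that the same person is not issued many tokens. And the denial is logged before the exception is raised, so repeated attempts by an unauthorised role are visible to review even when each individual call fails.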
The distinction between Data Fiduciaries and SDFs will remain unclear until the government issues final rules. Rule 22 empowers MeitY to request additional information to identify SDFs. It appears that the government can notify SDFs even before Rule 22 becomes fully operational, adding to the unpredictability. This creates a dual challenge: companies notified early must prepare quickly, while those identified later will need sufficient time to comply with SDF-specific obligations.
What Should Businesses Do?
In our view, businesses may take proactive steps now, before the final Rules are issued, to be ready for the upcoming compliances. These might include:
- Carrying out data mapping exercises: conducting a detailed audit of data collection, storage and transfer practices to understand what types of personal data are stored and processed, the purpose of processing by each unit, business arm or internal function, and the life cycle of that data;
- Classifying the data: classifying data by type, sensitivity, purpose and retention period;
- Data minimisation: implementing data minimisation and retention policies to limit unnecessary storage and use of data;
- SDF classification: since the criteria for notifying SDFs are unclear, large businesses handling high volumes of data or operating across several regulated sectors should assume they will be classified as SDFs and start documenting data governance policies and impact assessments with the additional SDF obligations in mind. This may also include reviewing existing data retention policies and aligning them with the purpose limitation principle, so that data is retained only for as long as required;
- Data localisation: even though the data localisation requirements are still unclear, identifying the specific categories of data that may not be transferred outside India and planning for their storage and processing within the country.
For clear understanding, the above is summarised in the below table:
Action | Why it matters | Steps to be taken |
---|---|---|
Data flow mapping | To identify potential risks | Map personal and traffic data flows |
Prepare for additional SDF obligations | To avoid last-minute compliance rush | Review privacy policies, appoint a Data Protection Officer |
Strengthen Consent Management | To align with emerging consent retention requirements | Implement consent management tools |
Data Localization Preparation | To prepare for possible storage mandates in India | Evaluate cloud providers, plan for local storage |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.