Introduction
The Ministry of Electronics and Information Technology (MEITy) published a draft of the Digital Personal Data Protection Rules 2025 (Draft Rules) on 3 January 2025. The Digital Personal Data Protection Act 2023 (DPDP Act) represents a major change in how personal data is processed in India, and the Draft Rules offer important insights into how the DPDP Act will operate.
To set the necessary context, the DPDP Act applies to the processing of all personal data within India that is collected in digital form or digitised after collection. The DPDP Act also has extra-territorial effect and applies to the processing of digital personal data outside India if it is connected with offering goods or services to Data Principals within India. There are certain exceptions, such as processing by an individual for personal or domestic purposes, or processing of personal data that the Data Principal has themselves made publicly available.
The provisions address various operational matters, such as requirements of the privacy notice for Data Principals, consent management, and constitution of the "Data Protection Board of India" (Board) which will conduct proceedings digitally to the extent possible and be tasked with implementing the provisions of the DPDP Act and the rules issued thereunder.
The Board will be established once the Draft Rules are finalised and published in the Official Gazette, while the remaining provisions will come into force on a later date as may be specified.
Key Features
- Notice Requirements[1]: While the DPDP Act establishes the requirement for Data Fiduciaries to provide a "notice" prior to obtaining consent from Data Principals, the Draft Rules delve into the specifics of what this privacy notice must contain:
- Independent Document: The notice must be presented and be understandable independently of other information given by the Data Fiduciary.
- Itemised Description: The notice must be in clear and plain language, and give a fair account of the data necessary to enable the Data Principal to give specific and informed consent for the processing of personal data, which must include at the minimum: (i) an itemised description of such personal data, (ii) an itemised description of the goods and services to be provided for, or the uses to be enabled by, the processing of personal data, and (iii) the specified purpose of processing of personal data.
- Communication Link: The notice must provide a link for accessing the Data Fiduciary's website or app for the purposes of: (i) withdrawing consent with the ease of doing so comparable to that with which consent was given, (ii) exercising rights under the DPDP Act, and (iii) making a complaint to the Board.
- Registration of Consent Managers[2]: Consent Managers are new entities under the DPDP Act that will act as a single point of contact for Data Principals to give, manage, review, and withdraw their consent, and will thus play a key role in facilitating data sharing in a compliant manner. A Consent Manager must apply to the Board for registration and, at a minimum, satisfy the criteria prescribed in Part A of the First Schedule of the Draft Rules, such as technical, operational and financial capability and a net worth of at least ₹2 crore (c.$233,000).
- Obligations of a Consent Manager[3]: A Consent Manager has the following obligations, and a breach of them could lead to suspension or cancellation of its registration:
- Facilitation of Consent: The Consent Manager must enable Data Principals to provide, manage, review, and withdraw consent for personal data processing.
- Record Maintenance: The Consent Manager must maintain detailed records of its consent management, notices, and the sharing of personal data with a Data Fiduciary. Further, the Consent Manager must give the Data Principal access to such records in machine-readable form and maintain records for at least seven years.
- Transparency and Accessibility: The Consent Manager must develop and maintain a website or app as a primary means for Data Principals to access services. It must also publish information about key managerial personnel and any significant shareholders.
- Restrictions on Subcontracting: Consent Managers cannot sub-contract or assign their obligations to any other entity.
- Security: The Consent Manager must take reasonable security safeguards to prevent breaches of personal data. It must maintain confidentiality during data sharing processes.
- Fiduciary Duty: The Consent Manager must act in a fiduciary capacity in relation to the Data Principal. Additionally, the Consent Manager must avoid conflicts of interest with Data Fiduciaries, including those involving senior management or directors.
- Audit: The Consent Manager must implement effective audit mechanisms to review, monitor, evaluate and report the outcome of such audit to the Board periodically.
- Transparency in Control: The Consent Manager must obtain prior approval from the Board before any transfer of control of the company through sale, merger, or similar mechanisms.
- Processing of Personal Data by the State[4]: Processing of personal data by the State and its instrumentalities is considered a legitimate use if it is necessary for the performance of a statutory duty or function. However, this is subject to certain criteria, such as processing only for the stated lawful purpose, limiting the processing to the data necessary for achieving that purpose, having appropriate security safeguards in place to prevent breaches, and informing the Data Principal of their rights.
- Reasonable Security Safeguards[5]: A Data Fiduciary must implement, at a minimum, the following reasonable security measures to protect personal data:
- Encryption: Securing personal data through encryption, obfuscation, masking, or virtual tokens mapped to personal data.
- Data Logs: Monitoring and reviewing access to computers and personal data. Logs and personal data should be retained for a period of one year.
- Continuity: Reasonable measures to ensure continued processing if the confidentiality, integrity or availability of personal data is compromised, for example through destruction of, or loss of access to, the data.
- Backups: Data-backups to preserve data in the event of its destruction or loss.
- Contractual Provisions: The DPDP Act requires Data Fiduciaries to engage Data Processors through a valid contract that sets out clear obligations. The Draft Rules require that one such obligation should be to adopt reasonable security safeguards to prevent data breaches.
- Observance: Technical and organisational measures to ensure effective observance of security safeguards.
- Personal Data Breach[6]: The Draft Rules set out the procedure for reporting personal data breaches. On becoming aware of a breach, a Data Fiduciary must notify each affected Data Principal without delay and to the best of its knowledge, and such notification must (i) be concise, clear and plain, (ii) describe the nature, extent, and timing of the breach, along with its likely consequences for the affected individuals, (iii) state the measures taken to mitigate the risk and recommend steps the individual can take to protect their data, and (iv) give the contact details of a person who can answer inquiries.
In addition, within 72 hours of becoming aware of the breach, the Data Fiduciary must provide the Board with (i) updated and detailed information about the breach, (ii) the measures implemented to mitigate risk and prevent recurrence, (iii) its findings regarding the person who caused the breach, and (iv) the intimations given to affected Data Principals. While the Draft Rules do not specify the form in which such breach intimations must be made, the DPDP Act empowers the Central Government to prescribe the form and manner of intimation through subsequent rules[7].
- Retention Periods[8]: The following classes of Data Fiduciary must erase personal data once three years have passed since the Data Principal last interacted with them for the specified purpose (unless retention is necessary for compliance with any law): (i) an e-commerce entity with at least 20 million users in India, (ii) an online gaming intermediary with at least 5 million users in India, or (iii) a social media intermediary with at least 20 million users in India.
However, there are exceptions for certain purposes, such as enabling the Data Principal to access their account or any virtual token that may be used to avail money, goods or services.
- Verifiable Consent[9]: Before processing a child's personal data, a Data Fiduciary must adopt appropriate technical and organisational measures to ensure that the person giving consent is the child's parent or legal guardian, and that the parent or guardian is identifiable.
- Exemptions from Verifiable Consent[10]: The following Data Fiduciaries are exempt from the verifiable consent requirement when processing the personal data of children: (i) clinical establishments, mental health establishments, or healthcare professionals, (ii) allied healthcare professionals, (iii) educational institutions, and (iv) childcare providers. However, the exemption is restricted to specific activities, such as the provision of health services, educational activities, safety monitoring, and transportation tracking.
Further, the processing of children's personal data for the following purposes is also exempt: (i) performing a legal duty, (ii) issuing subsidies or benefits to children, (iii) creating user accounts for communication purposes, and (iv) ensuring that a child does not have access to harmful information. In each case, processing is restricted to what is necessary for the purpose.
- Additional Obligations of Significant Data Fiduciaries[11]: Significant Data Fiduciaries (SDFs) are a category of Data Fiduciaries notified by the Central Government on the basis of factors such as the volume and sensitivity of the personal data processed and the potential impact on national security. The Draft Rules clarify the additional compliance burdens SDFs face compared to ordinary Data Fiduciaries:
- Data Protection Impact Assessment: SDFs must conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year. The results must contain the key findings regarding adherence to data protection requirements and must be reported to the Board.
- Algorithmic Software: SDFs must verify that the algorithmic software they use to process personal data does not pose a risk to the rights of Data Principals.
- International Transfer: SDFs must ensure that personal data specified by the Central Government and the traffic data pertaining to its flow is not transferred outside of India.
- Rights of Data Principals[12]: In order to enable Data Principals to exercise their rights, (i) Data Fiduciaries and Consent Managers must clearly publish the procedure for doing so, (ii) Data Principals can request access to and erasure of their personal data by contacting the Data Fiduciary, (iii) a Data Fiduciary must publish clear timelines for responding to grievances, and (iv) Data Principals may nominate one or more individuals to exercise their rights under the law.
- Contact Information[13]: Every Data Fiduciary must prominently display on its website or app, and in responses to Data Principal rights requests, the contact details of the Data Protection Officer (or other person able to answer questions about personal data processing).
- Exemption from DPDP Act[14]: The DPDP Act does not apply to the processing of personal data necessary for research, archiving or statistical purposes, provided it meets the standards specified under the Draft Rules, such as processing only for the stated lawful purpose, limiting the processing to the data necessary for achieving that purpose, having appropriate security safeguards in place to prevent breaches, and informing the Data Principal of their rights.
- Grievance Redressal: Data Principals can file complaints with the Board regarding personal data breaches or any violation of their rights under the DPDP Act. The Board will inquire into such complaints and can issue orders to Data Fiduciaries or Consent Managers, including directing them to take remedial measures or imposing monetary penalties[15]. The Draft Rules also provide an avenue for appeal[16] against the Board's orders to the Telecom Disputes Settlement and Appellate Tribunal.
- International Data Transfers[17]: The transfer of personal data processed by a Data Fiduciary (either within India, or outside India in connection with offering goods or services in India) to any country outside India is subject to such requirements as the Central Government may specify. Data Fiduciaries may face challenges due to conflicting data protection requirements in other jurisdictions and the logistical complexity of complying with India's data localisation and transfer conditions.
- Call for Information[18]: The Draft Rules empower the Central Government to require a Data Fiduciary to furnish personal data of a Data Principal, and to direct that the request itself not be disclosed, in the interest of India's sovereignty, integrity, and security, or for performing any function under the law in India.
Concluding Remarks
The Draft Rules mark a shift towards a more cohesive data protection framework in India, spurred by a need emanating from India's growing digital economy. They elaborate on key aspects of the DPDP Act, offering detailed guidance on procedures, responsibilities of various stakeholders (including Data Fiduciaries, Data Principals, and Consent Managers), and enforcement mechanisms.
The DPDP Act prescribes penalties for violations ranging from ₹10,000 to ₹250 crore (c.$116 to $29,112,000)[19]. The lower figure applies to a Data Principal who breaches their duties under Section 15 (for example, by furnishing false particulars or registering a frivolous complaint), while the upper figure of ₹250 crore applies to a Data Fiduciary's failure to take reasonable security safeguards to prevent a personal data breach.
Businesses will therefore need to align their data flows, security mechanisms, operations and capabilities, as well as their consent architecture, with this new framework. Further, since the DPDP Act has extra-territorial applicability, the Draft Rules will have far-reaching implications for global businesses operating in India, which will need to adhere strictly to Indian data protection requirements to remain compliant.
Please note that the Draft Rules are not yet finalised. They are open for public feedback until 18 February 2025 and will likely undergo revisions based on the inputs received before being formally adopted.
Footnotes
1. R3 of the Draft Rules.
2. R4 and Part A of the First Schedule of the Draft Rules.
3. R4 and Part B of the First Schedule of the Draft Rules.
4. R5 and the Second Schedule of the Draft Rules.
5. R6 of the Draft Rules.
6. R7 of the Draft Rules.
7. §40(1)(f) of DPDP Act.
8. R8 and the Third Schedule of the Draft Rules.
9. R10 of the Draft Rules.
10. R11 and Part A of the Fourth Schedule of the Draft Rules.
11. R12 of the Draft Rules.
12. R13 of the Draft Rules.
13. R9 of the Draft Rules.
14. R15 and the Second Schedule of the Draft Rules.
15. §27 of DPDP Act.
16. R21 of the Draft Rules.
17. R14 of the Draft Rules.
18. R22 and the Seventh Schedule of the Draft Rules.
19. The Schedule of the DPDP Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.