ARTICLE
27 January 2025

One Step Closer To Privacy: A Dive Into The Draft DPDP Rules - Part I

Saga Legal

Contributor

Saga Legal, founded in 2016, is a multi-service law firm providing a wide gamut of legal services in diverse areas of practice, ranging from dispute resolution to corporate advisory. The firm provides manifold legal solutions to its valued clients under one roof.

On 3rd January 2025, the Ministry of Electronics and Information Technology ("MeitY") released the much-anticipated Draft Digital Personal Data Protection Rules 2025 ("the Draft Rules") for public consultation, resuscitating the Digital Personal Data Protection Act 2023 ("the Act").

The Draft Rules take a step towards operationalizing the Act, specifying obligations for Data Fiduciaries ranging from clear and accessible disclosures to reporting requirements in cases of data breach. From the viewpoint of the Data Principals, the Draft Rules introduce a stronger framework for exercising their rights to data erasure, access to data, consent management, and appointment of nominees to act on their behalf.

This Article assesses in detail the provisions of the Draft Rules relating to the responsibilities they place on Data Fiduciaries and Consent Managers, as well as the rights granted to Data Principals and the means to avail them. The Article shall also take a close look at the stringent parental consent measures for minors introduced by the Draft Rules and how they bring about both benefits and concerns.

THE MISSING PIECES

The most important aspect of the Draft Rules is that they provide much-needed definition to various crucial components provided under the Act. They place extensive requirements while still aiming to minimize compliance burdens for most Data Fiduciaries.

The Draft Rules also give clarity to the role to be played by Consent Managers with regard to data privacy. They prescribe in detail the requirements for becoming a Consent Manager, the process of registration, and their obligations. The Draft Rules clarify that Consent Managers are exclusively responsible to Data Principals and accountable to the Board. They must ensure independence from Data Fiduciaries, and any arrangement that might lead to a conflict with the interests of the Data Principals is prohibited by default. Consent Managers are sure to play a significant role in the effective implementation of the Act, and this opens opportunities for a new industry consisting of companies providing government-authorized regulatory services.

RESPONSIBILITIES OF DATA FIDUCIARIES

The Draft Rules expand on the obligations of Data Fiduciaries under the Act, providing a more stable framework for entities engaged in the collection and processing of digital personal data. Key obligations and responsibilities for all Data Fiduciaries under the Draft Rules include:

  1. Consent Notice: Data Fiduciaries must seek consent from the Data Principals (Users) through a consent notice which must be presented independently of any other information. It must be in clear and plain language. It must include all information required to enable the Users to give informed consent, including an itemized list of personal data being collected, the exact purpose of such data collection, and the goods and/or services that would be enabled by such data processing.
  2. Ensuring Security Safeguards: The Draft Rules hold Data Fiduciaries responsible for all personal data in their possession and those held by Data Processors who operate on their behalf. In order to ensure protection of personal data from breaches, Data Fiduciaries are expected to: (i) take all appropriate data security measures including encryption, obfuscation, or use of virtual lockers; (ii) prevent any unauthorized access to their computer resources; (iii) ensure active monitoring and review of access through logs; (iv) ensure readiness of backup systems in case personal data is lost, leaked, corrupted, or becomes inaccessible; (v) maintain security logs for one year in order to detect, investigate, and prevent unauthorized access (unless other laws require different retention periods); and (vi) include security requirements in contracts with data processors.
    Unlike the current legislative framework, which recommends certain standards (like IS/ISO/IEC 27001) to be adhered to, the Draft Rules do not lay down any such standards. It is also pertinent to note that these security measures must be complied with by every Data Fiduciary, regardless of the size, industry or scope of its operations.
  3. Handling Data Breaches (User): Upon becoming aware of any personal data breach, the Data Fiduciary must inform affected Users, without delay, through their accounts or registered contact methods. Data Fiduciaries must clearly state to the Users a description of the breach, how it might affect the Users, what the Data Fiduciary is doing to mitigate risk, safety measures that Users can take to protect their interests, and the contact details of a person who can respond on the Data Fiduciary's behalf to any queries that the User may have. While the Draft Rules require that any personal data breach be communicated to Data Principals without delay, no specific timeline is provided.
  4. Handling Data Breaches (Board): The Data Fiduciary must intimate the Data Protection Board upon becoming aware of any personal data breach with a brief description of the breach as soon as possible. The Data Fiduciary must then follow up within seventy-two (72) hours with updated and detailed information specifying broad facts regarding the breach including proposed or implemented measures, findings regarding the perpetrator, remedial measures to prevent recurrence, and a report regarding the intimation given to affected Users.
  5. Mandatory Data Erasure: Data Fiduciaries that are e-commerce entities or social media intermediaries having over two crore registered Indian Users, or online gaming intermediaries having over fifty lakh registered Indian Users, must erase personal data of the Users after three years from the date on which the User last used their service. The Data Fiduciary must inform the User through a notice no less than 48 hours before erasure.
  6. Contact Information: Data Fiduciaries must display prominently on their website or app and in communications pertaining to rights of the User, the contact details of the Data Protection Officer or any person who can answer on behalf of the Data Fiduciary questions of the User regarding how their data is processed.
  7. Verifiable Consent and Exemptions: Before collecting or processing personal data of a child under the age of eighteen (18) or of any person with disability, Data Fiduciaries must obtain verifiable consent from a parent or a lawful guardian. Consent must be verified using reliable details of identity and age already available with the Data Fiduciary, using voluntarily provided and verifiable details of identity and age, or through virtual tokens linked to such information, issued by an entity entrusted by the Government or by law. Certain classes of Data Fiduciaries such as healthcare providers, childcare providers, and educational institutions are exempt from this obligation, but only to the extent of certain prescribed purposes under the Fourth Schedule to the Draft Rules. A similar exemption shall also apply to such Data Fiduciaries in collecting tracking data or carrying out behavioural monitoring of children, which is otherwise prohibited under the Act.
  8. Transfer of Personal Data outside India: Data Fiduciaries who process personal data within India, or do so in relation to offering goods and services to Users outside India, must comply with all directions issued by the Central Government in connection with making personal data of Indian Users available to foreign states or entities.
  9. Exemption for Research, Archiving, or Statistics: In the interest of academic and policy research, the Act and the Draft Rules shall not apply with regards to the processing of any personal data carried out for research, archiving, or statistical purposes, provided it adheres to specific standards laid down under the Second Schedule of the Draft Rules.
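As an added illustration (not part of the article, the Draft Rules text, or any official tooling), the timelines and thresholds in items 2, 4 and 5 above expressed as a small retention check; the fiduciary class names, record fields and sample dates are assumptions constructed for the example:

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods as summarised in the article (assumed day counts for "three years"/"one year").
ERASURE_AFTER = timedelta(days=3 * 365)   # erase three years after last use (item 5)
ERASURE_NOTICE = timedelta(hours=48)      # notice no less than 48 hours before erasure
LOG_RETENTION = timedelta(days=365)       # security logs retained for one year (item 2)
BOARD_FOLLOW_UP = timedelta(hours=72)     # detailed breach report to the Board (item 4)

# Registered-Indian-user counts above which mandatory erasure attaches (item 5).
# Class names are hypothetical labels chosen for this example.
THRESHOLDS = {"ecommerce": 2_00_00_000, "social_media": 2_00_00_000,
              "online_gaming": 50_00_000}


def erasure_applies(fiduciary_class: str, registered_users: int) -> bool:
    """True only for listed classes strictly above their threshold ("over")."""
    limit = THRESHOLDS.get(fiduciary_class)
    return limit is not None and registered_users > limit


def classify_user(last_used: datetime, notified_at: Optional[datetime],
                  now: datetime) -> str:
    """Decide what to do with one user record.
    retain  - used within the last three years
    notify  - inactivity threshold reached, 48-hour notice not yet sent
    pending - notice sent, 48-hour window still running
    erase   - notice sent and the window has elapsed"""
    if now - last_used < ERASURE_AFTER:
        return "retain"
    if notified_at is None:
        return "notify"
    return "erase" if now - notified_at >= ERASURE_NOTICE else "pending"


def prune_logs(entries: list, now: datetime) -> list:
    """Keep only security-log entries within the one-year retention window."""
    return [e for e in entries if now - e["ts"] <= LOG_RETENTION]


def board_deadline(aware_at: datetime) -> datetime:
    """Latest time for the detailed follow-up report to the Data Protection Board."""
    return aware_at + BOARD_FOLLOW_UP


# Constructed sample data: one log line inside the retention window, one outside.
NOW = datetime(2025, 1, 27, tzinfo=timezone.utc)
SAMPLE_LOGS = [{"ts": NOW - timedelta(days=10), "msg": "login ok"},
               {"ts": NOW - timedelta(days=400), "msg": "login failed"}]
```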

RIGHTS OF DATA PRINCIPALS / USERS

The Draft Rules stipulate that notices for consent must contain descriptions and links which would enable or assist the Data Principals to exercise their rights under the Act and the Draft Rules, the means to lodge a complaint with the Data Protection Board, and the process to withdraw the granted consent at any point through a Consent Manager. The Consent Manager must ensure that Data Principals are empowered to give, manage, review, and withdraw consent, while implementing strong security measures to protect data and ensuring transparency with the Board's audits.

Data Fiduciaries and Consent Managers must also publish on their websites and apps the details of how Data Principals can raise such a request using their data identifiers (such as username, licence number, application reference number, etc.). Data Principals are entitled to make a request to access their collected personal data and demand its erasure at any time, and the Data Fiduciary and Consent Manager must ensure that any such grievance redressal systems are effective in implementing the necessary technical and organizational measures. The Data Fiduciary and Consent Manager have the discretion to determine the time period within which grievances of Data Principals are responded to, whereas Section 13(2) of the Act indicated that this time period was to be prescribed. The Draft Rules also enable Data Principals to nominate more than one nominee to act on their behalf with regard to their personal data in case of death or incapacity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
