The Digital Personal Data Protection Act, 2023 ("Act") received the assent of the Hon'ble President of India on August 11, 2023. On January 03, 2025, the Ministry of Electronics and Information Technology ("the Ministry") released the Draft Digital Personal Data Protection Rules, 2025 ("Draft Rules"), along with an explanatory note, inviting feedback by February 18, 2025. Finalizing these rules is a critical step toward implementing the Act, which has faced significant delays since its notification.
The Draft Rules mark a significant step toward strengthening data privacy and security in India. Building on the framework of the Act, these rules aim to provide clarity on operational aspects of the law while ensuring the rights of individuals are upheld. By mandating transparency in data collection, robust security measures, and mechanisms for managing consent, the Draft Rules seek to balance the needs of businesses with the privacy rights of individuals. At the same time, they introduce safeguards for data processing, address cross-border data flows, and establish accountability mechanisms, making them a pivotal development in India's data protection landscape.
The Ministry recently held a consultation with officials and industry on the Draft Rules, emphasizing a simple, principle-based approach to India's evolving data protection framework. While the Ministry aims for flexibility, experts suggest further discussions are needed to better safeguard individuals' digital data rights while addressing the concerns of corporate entities in relation to the operational complexities and potential costs of aligning with the compliances under the Act and the Draft Rules.
As per the provisions of the Draft Rules, the implementation of the rules shall be carried out in phases. Initially, only the administrative provisions concerning the establishment of the enforcement authority, the Data Protection Board of India ("Board"), will take effect. This includes the appointment of the chairperson and members, along with regulations governing their salaries, allowances, meeting protocols, and terms and conditions for the officers and employees of the Board. The substantive provisions (rules 3 to 15, 21, and 22) will be effective at a later date, which shall be specified in the rules.
The Act, read together with the Draft Rules, establishes a structured framework of roles and responsibilities for data fiduciaries, data principals, and consent managers, ensuring transparency, accountability, and protection of individual rights in data processing.
Data Fiduciaries are entities (individuals, companies, or organizations) that determine the purpose and means of processing personal data. They are tasked with collecting, using, and storing data responsibly, ensuring compliance with the Act and the Draft Rules. Fiduciaries must provide clear notices about data usage, obtain informed consent, implement security measures, and address grievances efficiently. Significant data fiduciaries (those processing large volumes of sensitive data) bear additional responsibilities, such as conducting Data Protection Impact Assessments and audits on an annual basis.
Data Principals are the individuals whose personal data is being collected and processed. They are granted several rights under the Act, including the right to access their data, correct inaccuracies, withdraw consent, and seek grievance redressal. The framework empowers data principals to make informed decisions about sharing their data and provides mechanisms to manage their digital footprint.
Consent Managers are third-party entities acting as intermediaries to help data principals manage their consent effectively. They enable individuals to give, track, and withdraw consent across multiple fiduciaries through an interoperable platform. These managers are regulated to ensure transparency, neutrality, and adherence to security and privacy standards.
Data fiduciaries interact directly with data principals, collecting and processing their data based on the principals' informed consent. Consent managers act as facilitators, ensuring data principals can exercise control over their consent seamlessly, while also providing fiduciaries with a structured method to verify and manage consent. This interconnected system fosters trust, enhances data privacy, and aligns the interests of all stakeholders.
Section 8 of the Act, read alongside rule 6 of the Draft Rules, forms the backbone of security obligations for Data Fiduciaries. These provisions on reasonable security standards mandate robust security measures, such as encryption, access control, breach detection, and regular log maintenance, to safeguard personal data. While the Draft Rules emphasize these essential practices, they lack specific operational guidelines, leaving stakeholders to interpret and align security measures based on their data processing scale. This gap highlights the need for comprehensive government-issued guidance to standardize practices and ensure industry-wide consistency and compliance. The Draft Rules lack detailed specifications on implementing security measures, leading to varied interpretations. For instance, "reasonable security measures" could be interpreted differently by a small e-commerce platform versus a multinational corporation, resulting in inconsistent protection levels. Furthermore, comprehensive security measures like encryption and monitoring often require significant investments in infrastructure and expertise. Small and medium-sized enterprises ("SMEs") may struggle to allocate the necessary resources, potentially leading to gaps in compliance.
The requirement for data erasure under rule 8 and Schedule III introduces complexities for organizations, particularly in defining and tracking user engagement. Entities such as e-commerce platforms or social media companies must retain the personal data of a data principal for up to 3 (three) years from the date on which the said data principal last approached the data fiduciary or the coming into effect of the Digital Personal Data Protection Rules, 2025, whichever is later. Additionally, the data fiduciary must inform the data principal at least 48 (forty-eight) hours before completion of the time period for erasure of personal data. The ambiguity around determining when a data principal "last approached" a data fiduciary underscores the need for precise timestamping and robust record-keeping systems. Additionally, the 48 (forty-eight) hour notification requirement for data erasure places an operational burden on organizations, necessitating automated processes and communication tools to avoid compliance lapses. These obligations may also require significant technological upgrades and staff training to ensure seamless implementation. For instance, a user purchases an item from an e-commerce website but does not interact with the platform for 3 (three) years. The platform must erase their personal data unless legally required to retain it (e.g., for tax compliance). The challenge that might be faced by such an e-commerce entity will be determining the exact timeline since the user "last approached" and may require timestamping all interactions, such as account logins, browsing activity, or order history. A solution to such an issue would be implementing detailed activity logs and automated triggers for notifications and data erasure; however, the same would require investments in the requisite technological and operational infrastructure.
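The retention clock described above can be modelled as a small scheduler. The following is an added illustration, not code from the Ministry, the Draft Rules, or any particular platform. The 3-year period, the "whichever is later" rule and the 48-hour notice come from the article; everything else is an assumption: the interaction log format, the reading that any logged interaction kind (login, browsing, order) counts as the principal having "approached" the fiduciary, the placeholder commencement date of the Rules, and the legal-hold table used to model the tax-records exception.

```python
"""Retention and erasure scheduler for the rule 8 / Schedule III obligation.

Added example. Figures (3 years, 48 hours, "whichever is later") follow the
article; the event model, the commencement date and the legal-hold table are
assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

RETENTION_YEARS = 3                       # retention period after the later of the two dates
NOTICE_BEFORE_ERASURE = timedelta(hours=48)  # minimum advance notice to the data principal


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (all retention arithmetic is done in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Placeholder: the real commencement date of the Rules is not known at the time of writing.
RULES_EFFECTIVE_DATE = utc(2025, 1, 1)

# Constructed sample interaction log: (principal_id, event_kind, timestamp).
SAMPLE_EVENTS = [
    ("p1", "order", utc(2021, 8, 2, 14, 5)),
    ("p1", "login", utc(2022, 3, 15, 9, 0)),
    ("p2", "browse", utc(2025, 2, 1, 11, 20)),
    ("p2", "login", utc(2025, 6, 10, 9, 30)),
]

# Constructed legal holds: principals whose data must be kept for another legal reason.
LEGAL_HOLDS = {"p1": "tax-records"}


def last_approached(events: Iterable[Tuple[str, str, datetime]]) -> Dict[str, datetime]:
    """Latest timestamp per principal across every interaction kind (assumed reading of
    "last approached": any logged login, browse or order resets the clock)."""
    latest: Dict[str, datetime] = {}
    for principal, _kind, ts in events:
        if principal not in latest or ts > latest[principal]:
            latest[principal] = ts
    return latest


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year addition that survives a 29 February start date."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:  # 29 Feb rolled into a non-leap year
        return dt.replace(year=dt.year + years, day=28)


def erasure_schedule(last_seen: datetime,
                     rules_effective: datetime = RULES_EFFECTIVE_DATE) -> Tuple[datetime, datetime]:
    """Return (notify_at, erase_at): the clock starts at the later of the last
    interaction and the Rules' commencement, and notice goes out 48 h before erasure."""
    start = max(last_seen, rules_effective)
    erase_at = add_years(start, RETENTION_YEARS)
    return erase_at - NOTICE_BEFORE_ERASURE, erase_at


def pending_actions(events: Iterable[Tuple[str, str, datetime]],
                    now: datetime,
                    notified: Iterable[str] = (),
                    legal_holds: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Actions due at `now`: 'notify' once the notice window opens (unless already sent),
    'erase' once the period ends, or 'hold:<reason>' when a legal hold blocks erasure."""
    already_notified = set(notified)
    holds = legal_holds or {}
    actions: List[Tuple[str, str]] = []
    for principal, seen in sorted(last_approached(events).items()):
        notify_at, erase_at = erasure_schedule(seen)
        if now >= erase_at:
            if principal in holds:
                actions.append((principal, f"hold:{holds[principal]}"))
            else:
                actions.append((principal, "erase"))
        elif now >= notify_at and principal not in already_notified:
            actions.append((principal, "notify"))
    return actions


if __name__ == "__main__":
    for principal, seen in sorted(last_approached(SAMPLE_EVENTS).items()):
        notify_at, erase_at = erasure_schedule(seen)
        print(f"{principal}: last approached {seen.isoformat()} -> notify {notify_at.isoformat()}, erase {erase_at.isoformat()}")
    print(pending_actions(SAMPLE_EVENTS, utc(2028, 6, 9), legal_holds=LEGAL_HOLDS))
```

Two design points matter in practice. The scheduler keys off the latest timestamp of any interaction kind, so the audit trail that feeds it must record every channel the fiduciary treats as the principal "approaching" it, or the clock will run early. And a legal hold is checked at erasure time rather than at scheduling time, so a hold added after the notice has gone out still prevents deletion.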
The Draft Rules introduce a structured approach to cross-border data transfer, reflecting the government's intent to safeguard personal data while allowing flexibility for businesses. The rules empower the Central Government to impose restrictions on the transfer of personal data to specific jurisdictions, depending on their legal frameworks, data protection standards, and geopolitical concerns. This includes issuing general or special orders that could prohibit or condition such transfers. However, the rules also raise operational and administrative challenges for organizations, particularly multinational corporations managing large volumes of data across borders. Businesses will need to invest in legal and technical infrastructure to ensure compliance, potentially impacting operational costs and timelines. Further clarity on conditions and procedures for such transfers is anticipated, which would provide businesses a clearer roadmap for compliance while balancing privacy concerns and economic interests.
To ensure effective compliance with the Act and the Draft Rules, the government should issue detailed, sector-specific guidelines to help organizations implement appropriate security measures. SMEs would benefit from subsidized training programs and shared security infrastructure to address cost constraints. Collaboration with cybersecurity experts is crucial for organizations to adopt advanced technologies and proactively address emerging threats. Additionally, periodic audits and assessments can help identify vulnerabilities and ensure continuous adherence to data protection requirements, fostering a robust and uniform security framework across industries.
The Draft Rules represent a significant milestone in India's data protection regime, aiming to balance innovation with privacy through frameworks for consent, security, and accountability. However, implementation poses challenges, including operationalizing consent mechanisms and managing cross-border data transfers. Businesses and stakeholders must actively engage in regulatory consultations and invest in compliance infrastructure to navigate these complexities. The Draft Rules offer an opportunity to establish new benchmarks in data governance, enhancing trust and resilience in India's digital economy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.