ARTICLE
10 April 2025

Critical Analysis Of The Proposed Digital Personal Data Protection (DPDP) Rule 2025 Regime In India

The evolution of data protection laws in India has been a dynamic and pivotal journey, reflecting the country's growing emphasis on safeguarding personal data in the digital age.

The evolution of data protection law in India has been a dynamic and pivotal journey, reflecting the country's growing emphasis on safeguarding personal data in the digital age. This trajectory began with the recognition of the right to privacy as a fundamental right by the Supreme Court of India in the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India in 2017. The Apex Court's decision laid down essential principles concerning privacy and underscored the significance of protecting personal information in the context of increasing digitalisation.

In response to this judicial pronouncement, the Central Government took steps to develop a comprehensive data protection framework. A Committee of Experts chaired by Justice B.N. Srikrishna (Retd.) was constituted to examine the practical aspects of data protection and privacy. In 2018 the Committee submitted its report together with a draft Personal Data Protection Bill, 2018, the first legislative attempt to address this complex and sensitive subject. After significant scrutiny, a revised version, the Personal Data Protection Bill, 2019, was introduced in Parliament and, given the need for extensive deliberation, referred to a Joint Parliamentary Committee (JPC) to examine its provisions in detail. After widespread consultations and inputs from diverse stakeholders, the JPC submitted its report in December 2021.

Incorporating the feedback and recommendations from the JPC as well as inputs from various industry players, the Central Government introduced a new version in the form of "The Digital Personal Data Protection Bill, 2022." The 2022 Bill represented a more refined and comprehensive attempt to regulate data protection in an increasingly digitalized economy. However, further revisions were made, and ultimately, "The Digital Personal Data Protection Bill, 2023," was introduced and passed. This Bill culminated in the enactment of "The Digital Personal Data Protection Act, 2023."

The Digital Personal Data Protection Act, 2023, reflects an evolved understanding of data protection in India, following a long process of consultations, stakeholder engagement, and careful consideration of various viewpoints. The Act emphasizes the need to balance the protection of personal data with the facilitation of digital innovation and economic growth.

As part of the government's efforts to operationalise the Act and bring it into full effect, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules on January 3, 2025. The draft Rules aim to clarify how the provisions of the Act are to be implemented and address specific aspects of data protection practice, compliance mechanisms and the obligations of entities handling personal data.

India's journey towards robust data protection legislation has been both deliberate and comprehensive, from the recognition of privacy as a fundamental right to the enactment of a detailed and modern framework in the form of the Digital Personal Data Protection Act, 2023. The release of the draft Rules in 2025 marks another milestone in this process, signalling the government's commitment to secure and responsible handling of personal data in the digital era.

Against this background, we present our comments on the draft DPDP Rules below:

  • RULE 2 – Definitions

The interpretation clause refers only to definitions and expressions in the Digital Personal Data Protection Act, 2023 (DPDP Act). While this is a valid approach, it would be prudent to broaden the clause to also reference terms and expressions defined in the General Clauses Act, 1897. This would align the clause with established drafting practice, supply a more comprehensive interpretative framework, and ensure that any ambiguity or gap is resolved in accordance with broader legislative principles, guarding against misinterpretation in future litigation.

The DPDP Act does not define "sensitive personal data" separately; unlike the 2019 Bill, it treats all digital personal data uniformly. Uniform treatment risks inadequate safeguards for highly sensitive information: health, biometric and financial data warrant stricter protection than the general reasonable security safeguards, and no such enhanced requirements are prescribed.

The DPDP Act uses "Data Fiduciary" (akin to the GDPR's data controller) and defines "Data Processor" as a person who processes personal data on behalf of a Data Fiduciary, but neither the Act nor the Rules place any direct obligation on a Data Processor: the Data Fiduciary remains responsible for compliance regardless of the processing it outsources. This creates ambiguity for IT services and cloud computing, where processing is routinely outsourced. With the entire compliance burden on the Data Fiduciary, accountability and cross-border compliance become uncertain, particularly for companies that must satisfy both the DPDP regime and international regulations that impose independent duties on processors.

The Act uses the term "Anonymized Data" but does not provide a clear definition or standard.

  • RULE 3 - Notice given by Data Fiduciary to Data Principal

The rule on notice is broad and all-encompassing. To make it more user-friendly and operationally efficient, a model format should be appended to the Rules as a schedule, covering both the notice to be given to Data Principals and the procedure for withdrawing consent. The Rules are also silent on the timeframe within which notice must be given in relation to the processing of personal data, which invites ambiguity and inconsistent implementation. Nor do they lay down a standard procedure for the withdrawal of consent or for exercising the other rights granted to Data Principals, such as the right to grievance redressal.

Because of these gaps, Data Fiduciaries have considerable flexibility to design their own processes around their operational and business requirements. That flexibility may, however, produce discrepancies in how data protection rights are honoured across organisations and make uniform compliance hard to verify; more precise guidelines would improve both transparency and consistency. The Rules should also recognise "legitimate interest" as a basis for processing personal data without explicit consent where the processing is necessary and does not override the rights and freedoms of the Data Principal. The Act's closed list of "legitimate uses" in section 7 does not cover routine purposes such as fraud prevention, network security or direct marketing; a legitimate interest ground, subject to a balancing test, would permit such processing provided the organisation's interests do not disproportionately affect individuals' privacy. Strict reliance on consent is impractical for businesses and the State where ongoing processing is essential, as in fraud detection, IT security and analytics. A legitimate interests provision with a balancing test would preserve business efficiency while protecting individual privacy.

  • RULE 4 - Registration and obligations of consent manager

To address concerns about the suspension or cancellation of a consent manager's registration, the Rules should provide a clear appellate remedy, stating expressly that such an order is appealable to the Appellate Tribunal under the Act and setting out the procedure. A formal appeal route would let consent managers contest decisions they consider unjust or unwarranted and would maintain transparency and fairness in the regulatory framework governing them.

The Rules also require consent managers to avoid conflicts of interest with Data Fiduciaries, including their promoters and key managerial personnel, by ensuring that their directors, senior management and key personnel hold no directorship, financial interest, employment or beneficial ownership in Data Fiduciaries and have no material pecuniary relationship with them. The Rules do not, however, address the case where a Data Fiduciary and a consent manager belong to the same corporate group. Read broadly, the restriction could bar affiliated entities from acting as consent managers and hamper large groups that handle significant volumes of data across their business units. It would be beneficial to clarify that the conflict-of-interest provisions apply only to the Data Fiduciaries actually onboarded by a consent manager, rather than to the entire corporate group. Such a clarification would allow large organisations to manage data practically and flexibly across business units while preserving the necessary safeguards against conflicts of interest.

There also remains ambiguity about the extent to which personal data may be transferred between Data Fiduciaries through a consent manager, and about the sectors in which the recipients operate. For instance, it is unclear whether a bank (as a Data Fiduciary) may transfer personal data only to another bank or also to entities in other sectors, such as insurance companies. Clarifying the permissible scope of transfers between Data Fiduciaries in different industries, and whether any restrictions or limits apply where multiple entities are involved, would improve legal certainty, ensure compliance with regulatory expectations and prevent misuse of personal data.

The eligibility threshold of a net worth of INR 2 crore for registration as a consent manager should be reconsidered. Entities below the threshold that nonetheless perform the same book-keeping of consents and personal data cannot register, and may use this gap to operate as de facto data brokers outside the consent manager regime and its obligations.

The Rules confirm that a Data Principal may withdraw consent "at any time" but set no period within which a consent manager must act on a withdrawal request; a defined processing period should be specified. Nor do the Rules prescribe specific liability, such as monetary penalties, for consent managers that mishandle data, fail to comply, suffer data breaches or act negligently. The extent of a consent manager's liability is still evolving and should be clearly defined in the Rules.

  • RULE 5 - Data fiduciary obligations

Clarifications are needed regarding the obligations of data fiduciaries, particularly in key areas such as notice requirements, grievance redressal mechanisms, and data retention policies. These aspects are essential for maintaining adherence to data protection legislation, particularly in heavily regulated industries such as banking, telecommunications, and healthcare.

Data Fiduciaries need explicit rules on how to inform individuals about the collection, use and sharing of their personal data, including the purpose of collection, the period for which the data will be retained, and the individual's rights to access, correct or erase it. The notice should be easily accessible, comprehensible and provided at the time of collection.

Grievance redressal mechanisms must be robust and efficient. Data fiduciaries are required to provide mechanisms through which individuals can raise complaints regarding misuse or mishandling of their personal data. It is important for these processes to be transparent and user-friendly, offering clear timelines for addressing grievances, especially in industries like healthcare, where sensitive information is at stake, and banking or telecom, where financial and personal details are involved.

The Rules do not expressly treat intermediaries such as YouTube channel owners, e-commerce sellers or other platform-based businesses as Data Fiduciaries. Instead, the entire compliance burden falls on the primary platforms, such as YouTube, Amazon and Flipkart, absolving individual sellers and content creators of direct obligations even when they independently collect and process user data through comments, direct interactions or transactions.

Unlike global frameworks, which distinguish between the different roles in data processing, the Rules lack a clear classification for such intermediaries, producing an imbalanced regime in which platforms bear full responsibility. To close this gap, a shared responsibility model should be introduced, giving intermediaries limited but clear obligations such as informing users about data collection, handling data responsibly and reporting data breaches.

The rules furthermore do not establish thresholds to determine when an entity should be classified as a data fiduciary, whereas global frameworks provide specific exemptions based on user base and revenue.

One solution would be to introduce a classification for data intermediaries and scale fiduciary responsibilities with size: for instance, requiring content creators or e-commerce sellers earning over ₹12 lakh annually, or processing data of more than 10,000 customers or followers, to register as Data Fiduciaries. A tiered, risk-based compliance framework could then apply proportionate obligations: small businesses (under 10,000 users) follow minimal compliance, medium businesses (10,000 to 100,000 users) moderate compliance, and large businesses (over 100,000 users) full compliance, including appointing a Data Protection Officer and conducting regular audits. A shared liability framework should accompany this, so that platforms provide the technical infrastructure and compliance tools while creators and sellers remain responsible for the data they directly collect.

Aligning Rules with global best practices would further require the recognition of data processors as a separate category, the implementation of explicit consent mechanisms for intermediaries handling user data, and the enforcement of data minimization principles to prevent excessive data collection. These reforms would create a more balanced, fair, and effective data protection framework under the Rules.

For instance, the recent controversy involving YouTuber Ranveer Allahbadia, whose BeerBiceps channel has over 10 million subscribers, illustrates the challenges under the current Rules. Allahbadia faced significant backlash and legal scrutiny over obscene remarks made during a show, leading to multiple complaints and a police investigation. The incident highlights the absence of explicit definitions for data intermediaries, which places the entire compliance burden on the primary platforms while absolving individual content creators of direct obligations. A shared responsibility model, under which creators like Allahbadia have clear obligations regarding data collection and user interactions, could mitigate such issues and align with global best practices.

Lastly, data retention policies need to be clarified, particularly in regulated sectors. Fiduciaries should outline how long they will store personal data and the measures taken to ensure its security during that period. Retention should be limited to the necessary duration for fulfilling the purpose of collection, and after that, appropriate measures for safe deletion or anonymization should be taken.

  • RULE 6 - Reasonable Security Safeguards

Rule 6, rather than simply offering minimum safeguards, could be more comprehensive by including an exhaustive list of specific safeguards. This would help provide greater clarity and certainty regarding the enforcement of this new legislation. By outlining a detailed set of safeguards, the Rules could offer more guidance to both Data Fiduciaries and processors, making compliance clearer and reducing ambiguity.

As drafted, however, Rule 6 calls for appropriate logs and monitoring without specifying the types of logs a Data Fiduciary must maintain, leaving room for interpretation and inconsistent enforcement. Data Fiduciaries are expected to write the required minimum safeguards into their agreements with Data Processors, for existing arrangements and new contracts alike, while retaining flexibility in how the measures are implemented so long as the prescribed minimum is met. This allows adaptability in how businesses secure data, but more detailed guidance would improve both compliance and enforcement of the Rules.

  • RULE 7 - Intimation of personal data breach

It is essential for organizations to adopt a structured approach towards the intimation of data breaches. One effective way to achieve this is by establishing a comprehensive model format that can serve as a guiding reference for reporting such incidents. This model format should outline the necessary details to be communicated in the event of a breach, ensuring that all critical information is conveyed clearly and effectively to relevant authorities or stakeholders.

In addition to a model format, organisations should implement robust internal monitoring to detect breaches proactively, using tools that continuously watch for vulnerabilities and suspicious activity in their IT infrastructure so that incidents are identified early, before significant damage or data loss. Rule 7 requires a Data Fiduciary to intimate affected Data Principals and the Board without delay on becoming aware of a breach and to furnish detailed information to the Board within seventy-two hours; meeting that timeline requires dedicated personnel who are trained to detect breaches, escalate them through the organisation's chain of command and report them to the appropriate external bodies, in accordance with the legal and regulatory requirements of every jurisdiction that applies. Such a proactive approach both improves an organisation's ability to manage and mitigate breaches and keeps it compliant with the laws governing data security and privacy.

  • RULE 8 - The time period for the specified purpose to be deemed as no longer being served

Sub-rule (2) of Rule 8 requires a Data Fiduciary to intimate the Data Principal at least forty-eight hours before the retention period prescribed in the Third Schedule expires, after which the personal data must be erased. This leaves a narrow window between notice and erasure. Given the complexity of data management and the care required in executing erasure, it would be prudent to lengthen this period. A longer interval would allow Data Fiduciaries to manage the technical and operational steps of erasure across the multiple stakeholders, departments and systems typically involved, complete the necessary checks, and demonstrate compliance with legal and regulatory requirements.

The draft rules do not provide for the procedure and method for the erasure of personal data. So, the mode of erasure must be specified.

Several government agencies and private organisations have published secure deletion standards, for example:

  1. Secure Erase: a command set built into modern ATA/SATA drives that instructs the drive's own firmware to overwrite or reset every addressable area, including sectors the operating system cannot reach.
  2. Degaussing: exposes magnetic media to a strong magnetic field, destroying the data and usually the medium itself; it has no effect on solid-state storage.
  3. DoD 5220.22-M: the multi-pass overwrite pattern historically associated with the US Department of Defense's National Industrial Security Program Operating Manual; the US government now refers to NIST SP 800-88 for media sanitisation.
  4. Gutmann method: 35 overwrite passes, designed for older magnetic encoding schemes and widely regarded as excessive for modern drives.
  5. Bruce Schneier's method: seven passes (one of ones, one of zeros and five of random data).
  6. HMG Infosec Standard 5: the UK government's data destruction standard, with a baseline single-pass and an enhanced three-pass overwrite.

These overwrite-based methods address storage media under the Data Fiduciary's physical control. For personal data held as records in databases, replicas and backups, and for solid-state media with wear levelling, overwriting individual records is unreliable, and the Rules should recognise methods appropriate to that context.
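The usual answer for records that live in databases, replicas and backups is crypto-shredding: every Data Principal's records are encrypted under a key unique to that principal, and erasure means destroying the key, so all copies of the ciphertext become unrecoverable at once without touching the backups. The following is an example added to this commentary, not code from the draft Rules or from any product. To run offline it builds a counter-mode stream cipher from HMAC-SHA256 in the Python standard library; a production system would use an authenticated cipher such as AES-GCM from a vetted library and keep the key table in a KMS or HSM. The store class, identifiers and sample record are constructed for illustration.

```python
"""Crypto-shredding: erase a Data Principal's personal data by destroying
the per-principal data-encryption key (DEK).  Added example, not part of
the draft DPDP Rules.  The cipher is an HMAC-SHA256 counter-mode keystream
(stdlib only, unauthenticated) standing in for AES-GCM; the store layout,
identifiers and sample record are constructed for illustration."""

import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream); fresh 16-byte nonce per call."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt: split off the nonce and XOR the body with the keystream."""
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class PersonalDataStore:
    """One DEK per Data Principal; records are kept only as ciphertext.

    The key table is the single point of erasure.  Dropping a key leaves
    the ciphertext in place (in the primary store, replicas and backups)
    but makes every copy of it unrecoverable."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}          # principal_id -> DEK (KMS/HSM in practice)
        self._records: dict[str, list[bytes]] = {}  # principal_id -> ciphertext blobs

    def _key_for(self, principal_id: str) -> bytes:
        if principal_id not in self._keys:
            self._keys[principal_id] = os.urandom(32)
        return self._keys[principal_id]

    def store(self, principal_id: str, record: dict) -> bytes:
        blob = encrypt(self._key_for(principal_id), json.dumps(record, sort_keys=True).encode())
        self._records.setdefault(principal_id, []).append(blob)
        return blob

    def read_all(self, principal_id: str) -> list[dict]:
        """Decrypt every record; raises KeyError once the DEK has been shredded."""
        key = self._keys[principal_id]
        return [json.loads(decrypt(key, blob)) for blob in self._records.get(principal_id, [])]

    def erase(self, principal_id: str) -> bool:
        """Crypto-shred: drop the DEK.  Idempotent; True only if a key existed."""
        return self._keys.pop(principal_id, None) is not None

    def ciphertexts(self, principal_id: str) -> list[bytes]:
        """What a backup or replica would still hold after erasure."""
        return list(self._records.get(principal_id, []))


def demo() -> dict:
    """Run the lifecycle once and report what is recoverable at each step."""
    store = PersonalDataStore()
    pid = "dp-0001"                                                      # constructed identifier
    store.store(pid, {"name": "A. Example", "phone": "+91-00000-00000"})  # constructed sample record
    records_before = len(store.read_all(pid))
    backup_copy = store.ciphertexts(pid)   # snapshot taken before erasure, as a backup would be
    erased = store.erase(pid)
    try:
        store.read_all(pid)
        recoverable = True
    except KeyError:
        recoverable = False
    return {
        "records_before": records_before,
        "erased": erased,
        "recoverable_after": recoverable,
        "backup_still_matches": backup_copy == store.ciphertexts(pid),  # ciphertext untouched, key gone
        "second_erase": store.erase(pid),                                # nothing left to drop
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is that `erase` never touches the records: a backup restored after the key is dropped yields only ciphertext. Key destruction must itself be logged and must reach every copy of the key table, which is why the key store, not the record store, is the component that needs the strongest access control and audit trail under Rule 6.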

Furthermore, while the DPDP Act requires Significant Data Fiduciaries to appoint a Data Protection Officer, it allows other Data Fiduciaries to designate any person, including an artificial person such as a company or other entity, to answer questions about the exercise of Data Principal rights. This flexibility is valuable, but it may not meet the growing judicial expectation that platforms publish the details of specific, identifiable officers responsible for data protection. Indian courts have pushed for such publication in order to improve user access and platform responsiveness, and naming an individual contact would better serve Data Principals by giving them a clear point of contact for data-related issues.

Rule 8 does not address the situation where a Data Principal seeks to retrieve data that the Data Fiduciary has already erased. This creates legal and operational uncertainty, particularly where the data is essential to the Data Principal, and the absence of guidance could complicate the interpretation of both parties' rights and obligations. The scenario should be considered when finalising and enforcing the Rules so that Data Principals and Data Fiduciaries know their rights and responsibilities in such cases, making the framework more comprehensive and user-friendly.

  • RULE 9 - Contact information of the person to answer questions about the processing

Sector-specific guidelines should clearly distinguish between regulated industries and general businesses. This differentiation is essential to prevent any potential conflicts with the regulations of key governing bodies such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), and the Telecom Regulatory Authority of India (TRAI). By tailoring the guidelines to specific sectors, the framework can ensure that industry-specific regulations are adhered to while avoiding overlaps or contradictions that may arise from the general business rules, ensuring smooth regulatory compliance across diverse industries.

  • RULE 10 - Verifiable consent for the processing of personal data of a child or of a person with a disability who has a lawful guardian

The rule concerning verifiable consent requires significant revision, as it fails to incorporate adequate safeguards for Data Fiduciaries in situations where false or misleading consent is provided. This can occur either when a minor falsely represents themselves as being of the legal age to give consent, or when an individual impersonates someone who is legally competent to provide such consent.

The Rules do not establish a specific, standardised method for obtaining verifiable parental consent. They refer only to due diligence based on reliable details of identity and age, whether already held by the Data Fiduciary or voluntarily provided (including a virtual token issued by an authorised entity or a Digital Locker service provider). This gives Data Fiduciaries latitude to adopt their own verification methods, but it also creates uncertainty: a Data Fiduciary is exposed to legal risk if its chosen method is later found insufficient or non-compliant.

Moreover, there is a significant gap in the clarity of the due diligence obligations imposed on Data Fiduciaries under these provisions. Without clear guidelines, it becomes challenging for Data Fiduciaries to determine the extent of their responsibilities in verifying the authenticity of the consent obtained. To address these shortcomings, it would be beneficial to append model formats for obtaining verifiable consent to the DPDP Rules. These model formats could serve as a reference or guiding tool for Data Fiduciaries, offering a more structured approach to ensure compliance and minimize risks. Establishing clear procedures would enhance the protection of personal data while providing a consistent framework that Data Fiduciaries can rely on when managing consent-related processes.

Another major aspect of this Rule is the requirement of consent from the lawful guardian of a person with a disability (PWD). Guardianship of PWDs is governed by the Rights of Persons with Disabilities Act, 2016 and the National Trust Act, 1999, but the draft Rules do not distinguish between the two, creating confusion over who holds the right to consent: the National Trust Act provides for full guardianship, whereas the Rights of Persons with Disabilities Act allows limited guardianship. Further, requiring a guardian's consent reinforces stereotypes by assuming that PWDs cannot manage their own data.

  • RULE 11 - Exemptions from certain obligations applicable to the processing of personal data of a child

Small and medium enterprises (SMEs) and start-ups should be given exemptions and simplified compliance frameworks to reduce their regulatory burden. These businesses often struggle with complex regulatory requirements, which are time-consuming and costly given their limited resources and smaller operations. Streamlined, accessible and less cumbersome compliance processes would ease their administrative load, let them focus on innovation and growth, and foster a more supportive business environment in which small ventures can thrive without being hindered by extensive obligations, promoting greater dynamism and competitiveness in the marketplace.

  • RULE 12 - Additional obligations of Significant Data Fiduciary

An addendum can be drafted to outline the specific parameters and criteria required for an entity to qualify as a significant data fiduciary for specific industries. This will ensure clarity on the qualifications, thresholds, or conditions that must be met for an organization to fall within this category. Furthermore, detailed standards and guidelines for conducting a Data Protection Impact Assessment (DPIA) should also be established. These standards will serve as a comprehensive framework to assist data fiduciaries in assessing and mitigating potential risks to data privacy and security, ensuring compliance with applicable data protection regulations.

  • RULE 13 - Rights of Data Principals

From a compliance standpoint, the absence of specific, standardised procedures for grievance redressal and for handling Data Principal requests works in favour of Data Fiduciaries. It lets them design processes tailored to their business models and operational needs, aligned with their customer service approach, resource availability and corporate structure, without the constraint of a rigid regulatory template. An additional provision should exempt employee data processing from the requirement of repeated consent. Likewise, the lack of defined guidelines on the appointment of a nominee gives Data Fiduciaries considerable autonomy to set their own criteria and terms for such appointments, allowing them to integrate compliance with their business processes, reduce administrative overhead, and balance compliance requirements against operational efficiency.

The rights of data principals, particularly the ability to request access to, erase, and transfer their data (portability), should be implemented with a robust and practical approach. To ensure these rights are exercised responsibly and securely, any such requests must be subjected to reasonable verification procedures. These procedures are crucial for preventing fraudulent or unauthorized requests that could compromise the security and privacy of the data principal's personal information. By incorporating appropriate checks, such as identity verification, organizations can balance the rights of individuals with the need to maintain the integrity of their data protection systems. Ensuring that only legitimate data principals or their authorized representatives can make these requests upholds the fundamental principles of privacy while preventing abuse or misuse of these rights.

Data Principals should also have the right to know about all cookies used by the apps, portals and websites they visit, and the right to manage or reject those cookies after reading a mandatory cookie policy on the digital platform.

  • RULE 14 - Processing of personal data outside India

The treatment of cross-border data transfers should be closely aligned with global compliance standards, particularly the General Data Protection Regulation (GDPR). Aligning India's framework with these norms would strengthen its global relationships and position the country as a trusted partner in the digital economy. To that end, a provision could empower the relevant ministry to notify the countries to which cross-border transfers are permitted and to prescribe the requirements and conditions such transfers must satisfy, ensuring compliance with both domestic and international data protection standards.

Moreover, there is a need to amend existing laws or introduce new legal provisions to address situations involving potential data breaches that occur outside India but affect Indian data subjects. In such cases, domestic law should empower Indian authorities to initiate legal proceedings against entities responsible for the breach, even if the breach occurs in foreign jurisdictions. This would not only protect Indian citizens from data vulnerabilities abroad but also reinforce India's commitment to safeguarding personal data in the global landscape. Such measures would be critical in ensuring the accountability of foreign entities processing Indian data and would provide a robust legal framework for data protection in cross-border contexts.

  • RULE 15 - Exemption from Act for research, archiving or statistical purposes

Instead of providing a blanket exemption, it would be more prudent to ensure that any exemptions granted are subject to reasonable and carefully considered restrictions. This approach would allow for a more balanced framework that takes into account the need for flexibility while also maintaining oversight and accountability. By implementing appropriate limitations, the exemptions can be tailored to address specific concerns or circumstances, ensuring that they do not result in unchecked freedoms or unintended consequences. This way, exemptions can serve their intended purpose without compromising the broader goals or principles of the system in which they operate.

  • RULE 19 - Functioning of Board as Digital Office

A graded response mechanism for grievance redressal should be introduced to enhance the efficiency of handling complaints. This approach would allow businesses to categorize grievances based on their urgency and prioritize them accordingly. Critical and time-sensitive grievances, such as those that impact customer safety or involve legal risks, would be addressed immediately with fast-tracked solutions. Meanwhile, routine or less urgent concerns, such as service-related queries or minor issues, could be processed within a longer timeframe, allowing the business to allocate resources effectively without compromising the overall quality of grievance resolution. This method ensures that urgent matters are promptly resolved while maintaining a structured approach to handling all types of complaints in a timely manner.

  • Rule 23 - Data anonymization and pseudonymization (Suggestion)

Data anonymization and pseudonymization are critical processes that should be carefully addressed in the Digital Personal Data Protection (DPDP) rules. The rules should clearly define acceptable standards for anonymization and pseudonymization, establishing a framework that promotes data-driven innovation while safeguarding individuals' privacy. Proper anonymization ensures that personal data is irreversibly altered so that individuals cannot be identified, directly or indirectly. Meanwhile, pseudonymization, which involves replacing private identifiers with fake names or codes, offers an additional layer of protection while allowing the data to remain useful for various purposes. By setting clear guidelines on these techniques, the DPDP rules can strike a balance between protecting privacy and fostering innovation, allowing businesses and organizations to harness the potential of data without compromising individuals' rights. Acceptable standards of data anonymization shall be used to ensure that the identity of the person is kept confidential. ISO/IEC 27559:2022 is an international standard for "privacy enhancing data de-identification framework" which shall be used for data anonymization.
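To make the distinction drawn above concrete, the following is an added example (not code from the article or from ISO/IEC 27559:2022) that applies both techniques to a handful of constructed patient records: pseudonymization replaces direct identifiers with a keyed HMAC token, so the link to the individual survives only for whoever holds the separately stored key, while anonymization drops those identifiers and generalises the remaining quasi-identifiers so that no key exists to reverse it. The `k_anonymity` check is a common way to measure whether a generalised release still singles anyone out; the field names, the age-band width and the pincode prefix length are assumptions chosen for illustration, not requirements of the Rules.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people). name, email and phone are
# direct identifiers; age and pincode are quasi-identifiers; diagnosis is the
# attribute a research use actually needs.
SAMPLE_RECORDS = [
    {"name": "Asha R", "email": "asha@example.com", "phone": "+91-9000000001",
     "age": 34, "pincode": "560001", "diagnosis": "asthma"},
    {"name": "Bala K", "email": "bala@example.com", "phone": "+91-9000000002",
     "age": 37, "pincode": "560034", "diagnosis": "diabetes"},
    {"name": "Chitra M", "email": "chitra@example.com", "phone": "+91-9000000003",
     "age": 52, "pincode": "560066", "diagnosis": "asthma"},
    {"name": "Dev S", "email": "dev@example.com", "phone": "+91-9000000004",
     "age": 58, "pincode": "560100", "diagnosis": "hypertension"},
]

DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymize_records(records, secret_key: bytes):
    """Replace direct identifiers with a keyed HMAC-SHA256 token.

    The same (key, identifier) pair always yields the same token, so one
    individual's records can still be joined across datasets. Without the key
    the token cannot be reversed or cheaply brute-forced, which is why the key
    is the 'additional information' that must be stored apart from the data.
    """
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        # One token per individual, derived from the most stable identifier.
        digest = hmac.new(secret_key, rec["email"].lower().encode(), hashlib.sha256)
        pseudo["subject_id"] = digest.hexdigest()[:16]
        out.append(pseudo)
    return out


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_records(records):
    """Drop direct identifiers and generalise quasi-identifiers.

    No key or lookup table survives, so nobody can reverse the transformation;
    the price paid is precision (age band instead of age, pincode prefix
    instead of full pincode).
    """
    out = []
    for rec in records:
        out.append({
            "age_band": age_band(rec["age"]),
            "region": rec["pincode"][:3],  # assumed: three digits ~ district level
            "diagnosis": rec["diagnosis"],
        })
    return out


def k_anonymity(records, quasi_identifiers):
    """Smallest number of records sharing one combination of quasi-identifiers.

    A release is k-anonymous if every combination occurs at least k times;
    a result of 1 means at least one person is unique on those attributes and
    could be re-identified by linking with another dataset.
    """
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return min(groups.values())


if __name__ == "__main__":
    print("k on raw quasi-identifiers:", k_anonymity(SAMPLE_RECORDS, ("age", "pincode")))
    released = anonymize_records(SAMPLE_RECORDS)
    print("k after generalisation:", k_anonymity(released, ("age_band", "region")))
    print(pseudonymize_records(SAMPLE_RECORDS, b"constructed-demo-key")[0])
```

Running the block shows the trade-off the paragraph describes: the raw records have k = 1 (every person is unique on exact age and pincode), the generalised release has k = 2, and the pseudonymised output keeps a stable `subject_id` per person that changes entirely if a different key is used.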

  • Rule 24 - Industry-Specific Guidelines for Data Retention Policies (Suggestion)

A sector-specific framework for data retention policies should be established to address the unique needs and regulations of each industry. This approach would help avoid the pitfalls of blanket data deletion mandates, which could unintentionally conflict with essential legal, financial, or tax-related obligations. Instead of imposing uniform deletion requirements across the board, it's crucial to account for industry-specific standards, ensuring that businesses can retain data in compliance with regulations that govern their operations. Such a framework would support organizations in maintaining compliance with sectoral guidelines while also safeguarding critical records necessary for audits, reporting, and legal scrutiny.

  • Rule 25 - Mandatory Data Protection Impact Assessments (Suggestion)

Mandatory Data Protection Impact Assessments (DPIAs) should be required specifically for instances of high-risk data processing. This targeted approach would help ensure that businesses engaged in low-risk data activities are not subjected to unnecessary regulatory burdens. By limiting the requirement for DPIAs to situations where there is a significant potential risk to data privacy and security, it would allow low-risk businesses to operate more efficiently without being weighed down by compliance obligations that may not be relevant to their operations. This balanced approach would promote better allocation of resources while still safeguarding data protection standards in areas that pose higher risks.

  • Rule 26 - Training and capacity building (Suggestion)

When it comes to training and capacity building, instead of enforcing a blanket compliance training requirement for all employees, it is more effective to adopt a risk-based approach. This method prioritizes training efforts for employees who are in roles that handle significant amounts of data or are more exposed to compliance risks. By concentrating on data-heavy positions, the organization can ensure that those most likely to encounter sensitive information or face compliance challenges are well-equipped with the necessary knowledge and skills. This targeted approach not only optimizes resources but also enhances the overall effectiveness of the compliance program.

  • Rule 27 - Clarification regarding emerging technologies (Suggestion)

Emerging technologies such as artificial intelligence (AI), blockchain (Digital Ledger Technology), and the Internet of Things (IoT) are transforming industries and redefining how we interact with the digital world. However, the rapid advancement of these technologies has outpaced the development of clear regulatory guidelines, leading to uncertainties around their implementation and impact. There is a pressing need to introduce comprehensive guidelines that address critical aspects of AI-driven decision-making, blockchain-based data storage, and IoT data collection.

In the case of AI-driven decision-making, regulations should focus on ensuring transparency, accountability, and ethical use, ensuring that algorithms are designed and deployed in a manner that prevents biases and discrimination. Similarly, blockchain, with its decentralized and immutable nature, requires clarity around how data storage and verification processes will be regulated to maintain privacy and security while leveraging its potential for trust and efficiency.

For IoT, where vast amounts of data are collected from connected devices, guidelines must establish protocols for data privacy, security, and ownership, ensuring that innovation in smart devices and interconnected systems continues without compromising user trust or safety. The Rules should explicitly require consent from data principals for the use of their personal information by any generative or non-generative AI language models; such consent would be obtained by the consent manager and/or the data fiduciary or data processor from which AI development companies source the data.

  • Rule 28 - Concept of data minimization (Suggestion)

The principles of data minimization emphasize the collection of only essential and relevant data required for a specific purpose, ensuring that businesses are not burdened with excessive data storage or processing. This concept should be clearly defined in a way that allows organizations to gather the necessary data to carry out their regular operations efficiently, without overstepping privacy boundaries or violating regulatory frameworks. The idea is to strike a balance between collecting adequate information for business functions while adhering to privacy regulations, thereby protecting users' personal data and reducing potential risks.

  • Rule 29 - Avoiding conflicts with other Indian Laws (Suggestion)

The Digital Personal Data Protection (DPDP) rules must be carefully designed to ensure they are consistent with and do not conflict with existing Indian laws, such as the Information Technology (IT) Act, tax regulations, and labour laws. It is crucial to harmonize these rules with the broader legal framework to avoid situations where businesses or individuals are faced with conflicting compliance obligations. By aligning the DPDP rules with existing laws, the regulatory landscape can remain cohesive and clear, preventing confusion and potential legal challenges. This approach will also help businesses operate smoothly without having to navigate contradictory legal requirements.

  • First Schedule (Rule 4) Part A - Conditions of Registration of Consent Manager

It is recommended to provide further clarity on the independence of Consent Managers, ensuring they remain free from undue influence by Data Fiduciaries. Strengthening governance frameworks and implementing stricter measures to prevent conflicts of interest would further reinforce the integrity of such consent managers. Introducing mandatory periodic audits, and well-defined procedures for handling consent-related disputes would align the framework more closely with global best practices.

The Rules should also explicitly define the governance structure for Consent Managers by incorporating mechanisms for grievance redressal, continuous compliance monitoring, and data breach notification obligations. To improve regulatory oversight, the inclusion of transparency obligations, such as mandating detailed record-keeping of consent transactions and periodic reporting to regulatory authorities, would be beneficial. Along with these, specifying clear procedures for the revocation or suspension of Consent Manager Registration in cases of non-compliance would help in improving enforcement and accountability, which shall lead to a more effective and trustworthy data protection regime.

It is further recommended that the rules should explicitly extend similar obligations to all entities storing or processing data on behalf of Data Brokers, even if they are not classified as Consent Managers.

Data Brokers refer to entities or individuals that collect, aggregate, process, and trade personal data, often without direct interaction with the Data Principals (individuals whose data is being processed). These entities source data from publicly available records, online transactions, social media platforms, and third-party agreements to develop detailed consumer profiles, which are then sold or shared with businesses, advertisers, financial institutions, and other organizations for purposes such as marketing, risk assessment, fraud detection, and analytics.

Under global data protection frameworks, Data Brokers are typically classified as Data Controllers if they determine the purpose and means of processing personal data. In the Indian context, under the DPDP Act, they would likely fall under the category of Data Fiduciaries, subject to direct legal obligations, including obtaining valid consent, implementing security safeguards, and ensuring transparency in data processing. Given their extensive role in large-scale data handling, India's regulatory framework could be strengthened by introducing specific compliance requirements for Data Brokers, such as mandatory registration, disclosure of data sources, periodic audits, and restrictions on data retention and resale without explicit and informed consent. These measures would enhance accountability, prevent misuse of personal data, and align India's data governance standards with international best practices.

This would also ensure that any business entity handling personal data, regardless of its legal structure, is subject to accountability requirements akin to those imposed on Consent Managers. Key recommendations include mandating data processing agreements and requiring Data Processors to implement security and breach notification mechanisms, while ensuring that they provide transparency in their data handling practices.

  • First Schedule (Rule 4) Part B - Obligations of Consent Manager

It is suggested to specify standardized consent request formats, implement real-time consent tracking mechanisms, and establish explicit accountability measures for data breaches. Mandating periodic third-party audits and comprehensive risk assessments similar to Data Protection Impact Assessments followed globally would strengthen compliance oversight and reinforce trust with such consent managers.

  • SECOND SCHEDULE (Rule 5(2) and 15) - Standards for processing of personal data by the State and its instrumentalities under clause (b) of section 7 and for processing of personal data necessary for the purposes specified in clause (b) of sub-section (2) of section 17

It is recommended to clarify broadly the multiple lawful grounds for processing data, such as consent and legitimate interest, rather than relying solely on the necessity for state instrumentalities. Introducing a mandatory requirement for Data Protection Impact Assessments (DPIAs) for high-risk data processing activities would ensure proactive risk mitigation and increase overall accountability. Independent oversight through a dedicated regulatory authority, similar to Data Protection Authorities, would further reinforce compliance and transparency, focusing on adherence to stringent data protection standards.

The Rules should further establish clear redress mechanisms for data principals, strengthen purpose limitation principles to prevent excessive data retention, and minimise the risks associated with prolonged data storage. Adopting standardized security measures and a risk-based approach to data protection, tailored to the sensitivity of the data being processed, would help provide sufficient safeguards. This would help protect the rights of data principals and safeguard the entities involved.

  • THIRD SCHEDULE Rule 8(1)

The Rules establish a fixed data retention period for specified classes of Data Fiduciaries, after which personal data must be erased unless required for legal compliance. However, this rigid approach lacks flexibility for scenarios where extended retention may be necessary for legitimate business purposes, regulatory obligations, research, or statistical analysis. Unlike the global practices, which mandate data not be retained longer than necessary based on proportionality and legitimate interests, the DPDP Rules prescribe a one-size-fits-all timeline. Introducing a more adaptable framework would help businesses manage data retention in a way that aligns with operational needs while maintaining strong data protection safeguards.

To improve its alignment with global best practices and address evolving regulatory requirements, the Rules should provide explicit provisions for extended retention under certain conditions, such as legal compliance, public interest, anonymized research, and archiving. Allowing Data Fiduciaries to justify their retention periods based on objective criteria rather than adhering strictly to arbitrary timelines would create a balanced approach between privacy and operational feasibility. In addition to this a risk-based framework could be introduced, making sure that retention policies are transparent, well-documented, and subject to regulatory oversight.

  • FOURTH SCHEDULE Rule 11

The Schedule specifies the class of data fiduciaries in respect of whom Section 9(1) and 9(3) shall not be applicable and also the purposes for which Section 9(1) and (3) shall not apply. The language of the schedule is ambiguous and gives unrestricted power to the government, as it does not specify how government agencies should use the data, which can lead to data misuse. Further, the exemption provided to certain entities might lead to excessive collection or usage of children's data. The Rules should therefore ensure that the data is processed only for providing healthcare, conducting educational activities, ensuring safety during transport or verifying a child's age for appropriate content access. Transparency must be ensured while collecting and processing such data, and clear guidelines regarding the scope of digital use for specific activities involving children's data must be specified.

  • SEVENTH SCHEDULE Rule 22(1)

The ambit of the seventh schedule under Rule 22(1) is very broad and hence certain measures must be taken to ensure that the power of the state is well balanced. It is essential to impose certain checks to avoid unnecessary public interest litigation. The K. S. Puttaswamy judgement, being a landmark case, established certain principles with respect to privacy laws. Firstly, it established that the right to privacy is a fundamental right under the Indian Constitution. It further established the principle of 'informational privacy', which means that individuals should have the complete right to control their personal data and should also have 'control over the dissemination of one's personal information'. To ensure privacy, a threefold test of legality, legitimacy and proportionality was established, under which, firstly, there must be a valid law to justify an encroachment on privacy; secondly, there must be a legitimate purpose to justify such restriction; and lastly, the restriction must be proportionate to the object and needs of the law. The proportionality requirement is being breached under the draft Rules, as the circumstances under which the state can use the data are very wide. Further, since the government has unrestricted access to data, this contradicts the principles of proportionality and necessity. The concept of data minimisation also originated from this judgement, but the draft Rules do not enforce this principle.

  • General Suggestions:

To effectively protect personal data, it is crucial to establish clear safeguards, including oversight from a designated review committee. This committee would evaluate requests for access to personal data, ensuring that each request is valid and justified. Moreover, any request for data must clearly outline the intended use of the information. Transparency is fundamental to data protection, and companies should notify individuals whenever their personal data is requested by the state. This notification process will help ensure that state requests for data comply with established legal guidelines and meet the three-part test of legality, necessity, and proportionality, as highlighted in the landmark Puttaswamy judgment. Additionally, to promote transparency and accountability, an appeal process should be created, allowing individuals to challenge data access requests. This process should be supported by an independent oversight mechanism, which would be vital in upholding these principles. It would also be wise to introduce incentives for Data Principals, the individuals whose data is being safeguarded, by allocating a portion of the penalties imposed on those found guilty of data breaches. These funds could be used to compensate affected Data Principals, providing a meaningful form of redress for the harm caused by such breaches.

The Digital Personal Data Protection (DPDP) Rules 2025 should provide clearer guidance and establish simpler compliance mechanisms, especially for smaller businesses like Micro, Small, and Medium Enterprises (MSMEs). Given their limited resources, MSMEs often struggle to meet strict data protection standards. A tiered compliance framework that sets different obligations based on the size and capacity of businesses would create a more flexible and fair approach. This would not only lighten the load for smaller enterprises but also promote better compliance throughout the entire business community.

When addressing specific data issues, particularly those concerning children, cross-border data transfers, and legal exemptions, it is crucial to define vague terms like "sovereignty" and "integrity," which are frequently mentioned but not clearly defined in legal documents. Clarifying these ambiguities would help create a more consistent legal framework and minimize the risk of misinterpretation or misuse of these terms. The research exemptions in the law should clearly state whether the use of artificial intelligence (AI) in research is included in the exemption. If AI-driven research is indeed covered, a thorough data governance framework should be established to ensure that such research adheres to data protection principles and respects individuals' rights.

It is crucial for cross-border data transfer rules to closely align with the main data protection laws. If they don't, it could create unnecessary challenges for major social media platforms and other digital companies that are vital for India's digital economy. Additionally, this misalignment might lead to international disputes, potentially damaging India's reputation in the global digital arena. To better protect the data of child users, a more effective and trustworthy age verification system should be put in place. For example, a questionnaire could be created to determine if a user is a child or an adult. This multi-layered authentication approach would provide an added layer of security, ensuring that children's data is managed with the necessary care and legal protection.

Lastly, the suggested measures would enhance the data protection framework by promoting transparency, accountability, and flexibility. Implementing safeguards like oversight committees, compensation for affected Data Principals, and tiered compliance systems for businesses, along with clear definitions and processes for managing child data, cross-border transfers, and AI-driven research, would greatly improve the effectiveness of India's data protection system.

Footnotes

1. (2017) 10 SCC 1

2. https://pib.gov.in/PressReleasePage.aspx?PRID=2090271

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
