The government is looking to resolve the data privacy and security issues resulting from the processing of personal data by introducing the long-awaited draft Digital Personal Data Protection Rules, 2025 (draft rules) in January. The Ministry of Electronics and Information Technology has invited public comment up to the beginning of March, with the government apparently anxious to move forward quickly after that. These draft rules are intended to regulate data processing, consent management, security measures and cross-border data transfers. Although the rules are an attempt to bring India closer to adopting global privacy standards, they also introduce complexities and areas of uncertainty with which businesses and individuals will have to cope in the future.
The obtaining, managing and withdrawing of consent and ensuring the security of data remain the focal point of the draft rules. Under the proposed rules, data fiduciaries (businesses that process personal data, either directly or through data processors) are required to provide individuals, as data principals, with itemised descriptions of the personal data they wish to collect. They must also set out in detail the specific purposes for which the data is being collected. Withdrawing consent is expected to be as simple as granting it, and intermediaries called consent managers will enable this process. The rules, however, are broad and fail to give users granular control. This is in contrast to the European Union's GDPR, which allows users to consent to specified types of data processing, limiting third-party control over their other personal information and its dissemination.
The draft rules impose rigorous security obligations on data fiduciaries. Fiduciaries must implement encryption and access controls and preserve audit logs for a minimum of one year. They must notify the Data Protection Board within 72 hours of any data breach. The rules, however, fail to distinguish between or provide clarity on minor incidents and critical breaches.
The draft rules do not prohibit the transfer of personal data to jurisdictions outside India, but such transfers are subject to any requirements that the government may impose. The rules do not provide any indication at this point as to what such requirements may be and what may be the consequences of failing to comply with them.
The protection of the data of children as well as of persons with disability is restated in the draft rules. The rules make provision for companies to obtain verifiable consent from parents and guardians before processing the data of minors and persons with disability. Although the DPDP Act bars data fiduciaries from undertaking the tracking or behavioural monitoring of children, the rules permit such tracking and monitoring for specific purposes by educational institutions and individuals providing care to children in creches or day-care centres. So far as persons with disability are concerned, the rules lack explicit guidelines on accessibility. Without clear provisions, such individuals may struggle to understand and complete consent forms and data access requests. They may even be unable to file complaints. This will ultimately limit their ability to exercise their rights effectively.
When compared to international privacy frameworks such as the GDPR and California's Consumer Privacy Act, the draft rules fall short in giving individuals power over their data. Although the rules grant rights to access, correct and erase personal data, they are missing crucial provisions such as those regarding data portability and the right to object to automated decision making. They also have no safeguards such as restricting the use of personal data for the purposes of profiling. These gaps weaken the ability of individuals to control their digital identities fully.
The draft rules constitute a significant milestone in India's journey towards stronger data protection. However, the framework they intend to put in place is far from perfect. Challenges related to consent architecture and procedure, compliance burdens, cross-border data transfers and user rights need urgent attention. Addressing these concerns through meaningful stakeholder engagement will be the key to building a balanced ecosystem, one that safeguards privacy without stifling technological innovation and growth.
Originally published in India Business Law Journal, 24 March 2025.