WHAT HAS HAPPENED?
On 03 January 2025, the Ministry of Electronics and Information Technology (MeitY) published the Draft Digital Personal Data Protection Rules 2025 (Draft Rules) for public consultation. The deadline for providing suggestions on the Draft Rules is set for 18 February 2025.
SCOPE & APPLICABILITY
These Draft Rules have been issued pursuant to the Digital Personal Data Protection Act, 2023 (DPDPA) and are applicable to all entities governed under the DPDPA, i.e., any person processing digital personal data of data principals residing in India. The Draft Rules provide clarification on the implementation of the DPDPA.
KEY FEATURES OF THE RULES
HOW TO GIVE NOTICE FOR CONSENT
Data Fiduciaries will be required to provide a clear and transparent notice, in order to seek specific and informed consent from Data Principals, which (i) lists the personal data being collected and processed in an itemized manner along with the corresponding use cases; (ii) gives details of the goods or services offered or use cases enabled; and (iii) specifies the purpose for processing the personal data.
The notice is envisaged as an independent document and cannot be mixed with terms and conditions, contracts or other such disclosures.
Data Principals will be required to have access to a link (via website or an app) or any other method, with options to withdraw consent, erase personal data, file complaints with the Data Protection Board, and exercise other rights available to them.
Note: As per the DPDPA, Data Fiduciaries should provide an option to the Data Principals to access the content of the notice in any of the languages specified in the Eighth Schedule of the Indian Constitution.
IMPLEMENTING THE OBLIGATIONS OF A SIGNIFICANT DATA FIDUCIARY (SDF)
SDFs will be required to conduct a yearly Data Protection Impact Assessment (DPIA) and compliance audit and submit their findings to the Data Protection Board.
SDFs will be required to ensure that their algorithms do not harm the rights of Data Principals. For instance, poorly managed algorithms on social media platforms could violate user privacy and rights.
OBLIGATIONS OF CONSENT MANAGERS
The DPDPA provides for consent managers: entities registered with the Data Protection Board that act as a link between Data Principals and Data Fiduciaries to manage consent through an accessible platform.
The Draft Rules specify the criteria for the registration of a person as a consent manager. This includes the requirement to ensure that there is no conflict of interest between a Data Fiduciary and consent manager.
The registration of a consent manager can be suspended or cancelled by the Data Protection Board in case of non-adherence to its obligations or in the interests of Data Principals.
The Draft Rules also set out the key obligations of a consent manager which are:
Consent Platform: Provide the Data Principal with access to a website or an application to give or withdraw their consent for processing of personal data.
Data Security: Ensure personal data can be securely transferred and is unreadable to the consent manager.
Record Keeping: Maintain auditable consent records, notices, and personal data for at least seven (7) years or such longer period as may be consented to by the Data Principal and the Consent Manager.
Transparency: Publish and disclose key information about their company including details of the senior management and shareholder details.
Compliance Audits: Conduct periodic audits and report such findings to the Data Protection Board regularly.
Transfer of Control: The control of a company registered as a consent manager cannot be transferred through sale, merger, or otherwise without the prior approval of the Board.
Measures to avoid Conflict of Interest: The consent manager must prevent conflicts of interest with Data Fiduciaries by ensuring that its directors, key managerial personnel, and senior management do not hold directorships, financial interests, employment or significant relationships with them.
SECURITY SAFEGUARDS A DATA FIDUCIARY WOULD NEED TO IMPLEMENT
The Draft Rules set out security standards that must be deployed by Data Fiduciaries and Data Processors. These include:
Securing personal data through encryption, obfuscation, masking, or by using virtual tokens mapped to the personal data.
Access control on the computer systems used by the Data Fiduciary or Data Processors.
Monitoring and review of access logs to detect unauthorized access, as well as retention of logs and personal data for at least one (1) year.
Contingency measures like backups for the continued processing of personal data despite events that may destroy or cause loss of access to personal data.
CAN YOU STILL TRANSFER PERSONAL DATA ACROSS BORDERS?
Transfer of personal data processed by Data Fiduciaries, to any region outside India, for the purpose of offering goods/services to Data Principals residing in India, may be subject to additional restrictions laid down by the Central Government. Currently, the additional restrictions/requirements have not been notified.
SDFs may be required to restrict the transfer of certain personal data (including the traffic data of such personal data) outside India as specified by the Central Government, on the basis of recommendations received from a committee constituted by the Central Government.
HOW TO NOTIFY ABOUT A DATA BREACH
The Draft Rules mandate Data Fiduciaries to:
Provide a mandatory personal data breach notification to Data Principals on becoming aware of a breach, accompanied by details of the relevant consequences and the safety measures to be taken.
Provide Data Principals with contact information of the personnel who shall respond to all queries pertaining to the breach on behalf of the Data Fiduciary.
Provide, within seventy-two (72) hours of becoming aware of the incident or within an extended period allowed by the Data Protection Board, a detailed report containing the facts, measures taken, a report regarding the notification given to Data Principals, risk mitigation steps, and other relevant information.
HOW LONG CAN YOU RETAIN PERSONAL DATA?
As per the DPDPA, personal data must only be retained to fulfill its original purpose, unless retention is required by law.
The Draft Rules specify retention timelines for specified classes of Data Fiduciaries for certain data processing purposes, as outlined in Table 1 below.
Data Fiduciaries must notify Data Principals at least forty-eight (48) hours before erasing stored personal data, unless the Data Principal logs in or contacts the Data Fiduciary to exercise their rights or complete the specified purpose.
Table 1
MEASURES TO ENABLE DATA PRINCIPALS TO EXERCISE THEIR RIGHTS
To enable Data Principals to exercise their rights under the DPDPA, Data Fiduciaries and, where applicable, consent managers will be required to:
Provide instructions and the required identification details on the website, application, or both to enable Data Principals to take the necessary action to exercise their rights.
Publish the response time for grievance redressal on its website, application or both, whilst ensuring its effectiveness through appropriate technical and organizational measures.
Provide a mechanism for Data Principals to nominate representatives that shall act on their behalf.
PROCESSING PERSONAL DATA OF CHILDREN AND PERSONS WITH DISABILITY
Data Fiduciaries must obtain verified parental or guardian consent before processing personal data of a child (below 18 years of age) or person with disability (PWD).
Data Fiduciaries must verify the parent/guardian’s identity as an adult using reliable details of identity and age available with the Data Fiduciary or tools like Digital Locker.
Exemption
Certain classes of Data Fiduciaries such as clinics, schools, and daycare centers can process children's personal data without parental consent for the purpose of healthcare, education, or child safety, subject to the processing being restricted to the purposes specified in the Draft Rules.
Certain purposes such as user account creation for communication, subsidies, benefits or authentication of the age of a child are also exempted from the requirement of verifiable parental consent, so long as the processing is restricted to the extent necessary for fulfilling the purpose.
WHO TO CONTACT FOR PERSONAL DATA PROCESSING QUERIES?
Every Data Fiduciary will be required to prominently display on its website or application and include in every response to a Data Principal’s request under the DPDPA, contact information of the Data Protection Officer (only for SDF) or an authorized representative (for other Data Fiduciary) who can address queries pertaining to the processing of the Data Principal’s personal data and exercising their rights.
DETAILS ON THE CENTRAL GOVERNMENT'S POWER TO CALL FOR INFORMATION
The Central Government, through authorized individuals (see Table 2 below), can request information from Data Fiduciaries or intermediaries (such as online platforms) as per the purposes outlined in the DPDPA.
The Central Government will set a deadline for providing the requested information.
If disclosure of such information could risk India’s sovereignty, integrity, or security, the Data Fiduciary or intermediary must withhold the information unless granted permission by authorized persons.
Table 2
EXEMPTIONS UNDER DPDPA
The DPDPA provides an exemption for processing of personal data for the purpose of conducting research, archiving or statistics. The Draft Rules provide that the exemption shall be available so long as the following requirements are met:
Personal data is processed lawfully and only as needed for that purpose.
Efforts are made to ensure accuracy of personal data.
Personal data is retained only as long as necessary.
Security measures to prevent breaches and to keep personal data secure are implemented.
The Data Principal is informed about the use of their personal data and, where applicable, provided with a link to exercise their rights, and the Data Fiduciary remains accountable for processing under these exempted purposes.
Similar requirements would need to be fulfilled for the processing of personal data by the government for the purpose of providing subsidies and benefits, which is recognized as a legitimate use under the DPDPA and therefore does not require notice for seeking consent.
KEY OBSERVATIONS
The publication of the Draft Rules is an important step towards enforcement of the long-pending comprehensive framework for the protection of personal data. The DPDPA requires further clarification on several provisions, many of which have been addressed in the Draft Rules, including:
Registration and obligations of consent managers with respect to the Data Protection Board.
Procedures for notifying Data Principals of breaches and reporting them to the Data Protection Board.
Mechanisms for Data Principals to access information about processing of personal data and exercising their rights.
Despite this, there are a few areas in the DPDPA that still require clarification to ensure business certainty and ease of compliance. These include:
Retention timelines for unspecified purposes.
Safeguards to prevent children from bypassing age restrictions.
Although the DPDPA requires Data Fiduciaries to inform Data Principals about how to file a complaint with the Data Protection Board, the Draft Rules do not specify the manner for submitting such complaints.
In case of feedback, suggestions, or queries, please reach out to the C&M team on
© 2025 Chandhiok & Mahajan, Advocates and Solicitors
This alert is for information purposes only and does not constitute legal advice.