Snapshot of the Draft Digital Personal Data Protection Rules 2025

The Digital Personal Data Protection Act, 2023, enacted by the Parliament of India on August 11, 2023,[1] marked a pivotal step in the country’s journey toward a robust data protection regime. However, the Act left several critical aspects open-ended, relying on subsequent rules for clarity and implementation. The Ministry of Electronics and Information Technology (MeitY) has now published the Draft Digital Personal Data Protection Rules, 2025, on January 3, 2025 for public consultation.

These draft rules aim to provide comprehensive guidance on operationalizing the provisions of the parent Act, addressing the recurring phrase ‘as may be prescribed,’ which appears over 30 times in the legislation. The draft rules seek to strike a balance between safeguarding individuals’ personal data and accommodating the legitimate operational needs of businesses and state authorities. MeitY has currently opened the draft for public consultation, inviting objections and suggestions.

Key Provisions of the Draft Digital Personal Data Protection Rules

  1. Notice by Data Fiduciaries:

    Data Fiduciaries are required to issue clear and standalone notices to Data Principals. These notices must be written in simple and easily understandable language, explicitly stating the purpose and scope of data processing to ensure informed consent.

  2. Consent Management:

    Consent Managers tasked with facilitating data subject rights must register with the Data Protection Board. They are responsible for maintaining secure and user-friendly platforms to manage consent while adhering to transparency standards.

  3. Data Security Safeguards:

    Data Fiduciaries are obligated to implement robust security measures, including encryption, data masking, and regular access log monitoring, to prevent data breaches. Additionally, they must retain backup data for a specified duration.

  4. Data Breach Notification:

    In the event of a data breach, Data Fiduciaries must promptly notify affected individuals, detailing the nature of the breach and measures taken to mitigate risks. Furthermore, the Data Protection Board must be informed within 72 hours, along with a comprehensive report on the incident.

  5. Data Erasure:

    Personal data must be erased when it is no longer necessary for its original purpose. Data Fiduciaries are required to inform Data Principals at least 48 hours before initiating data erasure.

  6. Rights of Data Principals:

    Individuals are entitled to access, correct, and erase their personal data. They also have the right to withdraw consent and nominate a representative to exercise these rights on their behalf.

  7. Processing of Children’s Data:

    Data Fiduciaries must obtain verifiable parental consent before processing data of children under the age of 18. Adequate measures must also be in place to prevent children’s exposure to harmful content.

  8. Significant Data Fiduciaries:

    Organizations classified as Significant Data Fiduciaries, due to their large-scale handling of sensitive personal data, are subject to enhanced obligations. These include conducting annual Data Protection Impact Assessments and obtaining government approval for cross-border data transfers.

  9. Cross-Border Data Transfers:

    Transfers of personal data outside India are subject to conditions to be prescribed by the Central Government, through general or special orders, in respect of making personal data available to any foreign state, or to any person or entity under the control of any agency of a foreign state.

  10. Data Protection Board of India:

    The rules establish the Data Protection Board of India as a digital-first adjudicatory authority responsible for overseeing compliance, addressing grievances, and imposing penalties for non-compliance.

  11. Collection and Processing of Data by the Central Government:

    The Central Government may require any Data Fiduciary or intermediary to furnish such data as may be called for (i) in the interest of the sovereignty and integrity of India or the security of the State, (ii) for the performance of any function under any law in force, (iii) for the disclosure of any information in fulfilment of an obligation under any law in force, and (iv) to determine whether a Data Fiduciary is a Significant Data Fiduciary.

The Gaps that continue to persist in the Draft DPDP Rules

  1. Ambiguity in definition of Significant Data Fiduciary: The Rules remain silent on the criteria or thresholds for determining who qualifies as a Significant Data Fiduciary. The absence of criteria could result in inconsistent or arbitrary designation of Significant Data Fiduciaries by the Government.
  2. Consent Managers: While the Rules provide for thresholds for Consent Managers, there remains ambiguity about the accountability of Consent Managers to Data Principals and Data Fiduciaries. The Rules fail to sufficiently address data misuse and breaches by Consent Managers.
  3. Data Deletion and Retention: The Rules do not clarify whether data deletion requests will take precedence over data retention requirements. Furthermore, it is pertinent to note that, although the State has the authority to process the personal data of Data Principals, its discretion on data retention is absolute and unchecked.
  4. Timelines for Grievance Redressal: The Rules have given the Data Fiduciary or Consent Manager discretion to decide the time frame for grievance redressal. Ideally the Rules should have prescribed the timelines. The Rules also do not specify timelines for adjudication of any complaint submitted by the Data Principal to the Board.
  5. Exemptions to Government: The Government and its instrumentalities can seek any information from Data Fiduciaries under the vague and broadly worded term “sovereignty and integrity of India or security of the State.” This enables excessive data collection and surveillance of Data Principals in the absence of safeguards to ensure government accountability and transparency.
  6. Reasonable Security Safeguards: Terms such as ‘obfuscation’ and ‘masking’ remain undefined, leaving the manner of implementing such alternative measures ambiguous and at the discretion of the Data Fiduciary. Furthermore, better guidance on what constitutes reasonable security safeguards is warranted.

The draft Digital Personal Data Protection Rules, 2025, represent a significant step toward establishing a transparent and accountable data governance framework in India. While the rules address many critical aspects of data processing and protection, certain ambiguities persist, such as thresholds for Significant Data Fiduciaries, clarity on consent management practices, and timelines for grievance redressal. As stakeholders actively participate in the consultation process, refining these provisions will be essential to ensure a balanced, effective, and enforceable regulatory regime that protects individuals’ data rights while enabling digital innovation and economic growth.


[1] Press Information Bureau, Digital Personal Data Protection Act is a world-class legislation: MoS Rajeev Chandrasekhar (13 August 2023), https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1948357.