The Future of Data Protection in India: Key Insights from the Draft Rules

Apurva Joshi

Apurva Joshi is a renowned governance and risk expert in India who writes on information security. She is a board member of Quickheal Technologies and Nihilent Limited, and a regular columnist for Regtechtimes.

The publication of the draft Digital Personal Data Protection Rules, 2025 (Rules) marks a pivotal moment in India’s journey towards a robust and comprehensive framework for personal data protection. Released nearly 16 months after the passage of the Digital Personal Data Protection Act, 2023 (DPDPA), these Rules provide essential guidance for businesses, individuals, and stakeholders in an increasingly digitized economy. The Rules aim to balance individual privacy rights with the need for business innovation, ensuring that India’s digital ecosystem evolves responsibly. This article explores the key provisions, their implications, and the challenges ahead.

A Landmark Development in Data Protection Policy

The draft Rules are a significant policy step in implementing the DPDPA, which was passed in August 2023. They address critical aspects such as consent management, privacy notices, processing of children’s data, data breaches, and security safeguards. Designed to offer clarity and flexibility, the Rules reflect the Government’s commitment to protecting privacy while fostering digital innovation.


Notably, the Rules adopt a straightforward drafting style, accompanied by examples to aid understanding. This approach is a deliberate effort to make compliance less burdensome for businesses while enabling individuals to exercise their privacy rights effectively.

Clarity on Consent and Privacy Notices

Consent is a cornerstone of the DPDPA, and the draft Rules elaborate on its operationalization. Data fiduciaries must provide clear, independent, and easily understandable privacy notices. These notices should:

  • Be separate from other information shared with individuals.
  • Specify the purposes for which personal data will be processed.
  • Include a link to the data fiduciary’s website or app.
  • Detail how individuals can exercise their rights of access, erasure, and withdrawal of consent.


Importantly, the Government refrains from prescribing a standard template for these notices, offering businesses the flexibility to design consent frameworks suited to their operations. This balance between structure and adaptability underscores the Rules’ pragmatic approach.

Innovative Role of Consent Managers

One of the most noteworthy features of the Rules is the establishment of consent managers. These platforms will enable individuals to give, manage, review, and withdraw consent for data processing. Consent managers must register with the Data Protection Board (Board) and comply with specific obligations.

While the concept of consent managers is innovative, questions remain about their implementation. Issues such as interoperability, monetization models, and their integration with data fiduciaries need to be addressed. Successful deployment will require coordinated efforts between the Government, consent managers, and businesses.

State’s Role in Data Processing

The Rules recognize legitimate uses of personal data by the State, particularly for providing subsidies, benefits, services, certificates, licenses, or permits. This processing does not require individuals’ consent but must adhere to strict standards to prevent misuse. The Rules mandate:

  • Limiting data collection to necessary purposes.
  • Ensuring data accuracy.
  • Implementing adequate security safeguards.

This framework seeks to balance the State’s role in delivering essential services with individuals’ privacy rights, ensuring lawful and non-arbitrary data processing.


Security Safeguards and Breach Notifications

Data fiduciaries are required to implement minimum security safeguards, including encryption, access controls, monitoring for unauthorized access, and maintaining data backups. They must also:

  • Establish breach detection mechanisms.
  • Maintain activity logs.
  • Include security requirements in contracts with data processors.

To address data breaches, the Rules require fiduciaries to notify affected individuals and the Board promptly. Notifications must include details of the breach, its impact, and the mitigation steps taken. The timeline for reporting breaches to the Board is 72 hours, though extensions may be granted. Notably, the Rules mandate reporting all breaches regardless of risk, which may overwhelm the Board with notifications of minor incidents.

Retention and Erasure of Data

The Rules provide guidance on data retention and erasure. Personal data must be erased if the individual withdraws consent or if its purpose has been fulfilled. Specific retention timelines apply to different categories of data fiduciaries. For instance:

  • E-commerce platforms, online gaming intermediaries, and social media entities can retain personal data for up to three years from the last user interaction.

Before erasing data, fiduciaries must notify individuals at least 48 hours in advance, giving them an opportunity to retain their data. This mechanism underscores the emphasis on individual rights while ensuring operational clarity for businesses.

Enhanced Obligations for Significant Data Fiduciaries

Significant data fiduciaries face stricter compliance obligations under the Rules. These include:

  • Conducting a Data Protection Impact Assessment (DPIA).
  • Performing annual audits.
  • Submitting findings to the Board.

Additionally, significant fiduciaries must ensure that algorithms used for data processing do not harm individual rights. This provision aligns with global trends emphasizing the ethical use of AI and automated systems.


Addressing Children’s Data Processing

To safeguard children’s privacy, the Rules require fiduciaries to obtain verifiable parental consent before processing a child’s data. They must also implement technical and organizational measures to ensure compliance. This provision reflects a growing focus on protecting vulnerable groups in the digital space.

Challenges and Opportunities Ahead

While the draft Rules provide much-needed clarity, challenges remain. For instance, the absence of timelines for fulfilling individual rights requests creates ambiguity. Similarly, the blanket requirement to report all data breaches may lead to compliance burdens.

However, the Rules also present opportunities. By adopting a flexible, principles-based approach, they encourage businesses to innovate while respecting privacy. The introduction of consent managers and enhanced obligations for significant fiduciaries signal India’s readiness to align with global data protection standards.
