A Closer Look: India’s Draft Digital Personal Data Protection Rules

On 3 January 2025, India’s long-simmering data protection law took another tentative step towards actualization, as the Ministry of Electronics and Information Technology (“MEITY”) released the draft Digital Personal Data Protection Rules, 2025 (Draft Rules). The Draft Rules are the much-awaited subordinate rules for the implementation of the Digital Personal Data Protection Act (DPDPA), 2023, India’s first comprehensive data protection law, passed by Parliament in August 2023 but not yet effective.

The Draft Rules provide a detailed framework for implementing the provisions of the DPDPA, addressing key aspects such as notice and consent requirements, processing of data by the State, obligations of a Data Fiduciary and cross-border data transfers.

Notably, the DPDPA and Draft Rules apply solely to data processed digitally and do not cover analogue data processing. For instance, if a medical clinic records patient information in a handwritten ledger, this data is not protected under the Act. However, if the same information is entered into a computer system, it would fall within the DPDPA’s scope and be subject to its requirements.

The Rules will be implemented in a staggered manner. Rules concerning the Data Protection Board (e.g., the appointment of members, their terms of service, and allied techno-legal measures) will come into force upon being published in the Official Gazette. However, compliance-related rules, such as how notice is to be provided or how a personal data breach should be reported, will only come into effect subsequently, on dates that the Central Government will specify. The timelines for implementation have therefore again been left to the Central Government’s discretion.

The Draft Rules share some similarities with the European Union’s General Data Protection Regulation (“GDPR”), but in general, they retain a distinctly “Indian” flavor – note the centralized regulatory structure; reservation of the State’s rights to process personal data to provide subsidies, licenses, permits and so on; the broad government discretion retained in respect of multiple matters, including in the cagey approach to cross-border data transfers; the requirement for data localization by Significant Data Fiduciaries; and of course, the inherent suspicion of gaming and social media platforms.

KEY HIGHLIGHTS

I. Consent Requirements

Under the Draft Rules, in order to obtain consent, the Data Fiduciary must provide a notice to the Data Principal that:

  1. is understandable independent of any other information provided by the Data Fiduciary. This implies that reference to hyperlinked privacy policies and terms of use may not be legally tenable, although one hopes for more clarity on this in future iterations.
  2. offers a fair and concise account of the necessary details to allow the Data Principal to give informed, specific consent for the processing of their personal data, which at minimum must include (amongst other things) an itemized description of the goods and services or uses enabled through the specified processing activities. This implies that the Data Fiduciary may need to link each type of data processing to its relevant use case in the notice for the Data Principal’s benefit.
  3. includes a link to access the website or app through which the Data Principal may withdraw her consent as easily as it was given, exercise her rights under the Act and make a complaint to the Data Protection Board (“Board”).

GDPR Comparison: For its part, the GDPR echoes some of the same concerns, requiring that consent must be “freely given, specific, informed, and unambiguous.” It must be collected through a clear affirmative action, with the notice being easily accessible and comprehensible to the individual.

  • Minors and Consent

A Data Fiduciary is required to implement appropriate technical and organizational measures to obtain (i) the verifiable consent of a parent before processing a child’s personal data, and (ii) the verifiable consent of a lawful guardian for a person with disabilities. It must also exercise due diligence to confirm that the person identifying as the parent is an identifiable adult under applicable laws in India. This must be done by taking into account: (a) reliable identity and age details held by the Data Fiduciary; or (b) identity and age details voluntarily provided or linked to a virtual token issued by an authorized entity, such as one designated by the Central or State Government or a Digital Locker service provider. For a lawful guardian, the Data Fiduciary must exercise due diligence to verify that such guardian is appointed by a court of law, a designated authority, or a local level committee, under the law applicable to guardianship.

  • Consent Managers

The Draft Rules also expand on the concept of a “Consent Manager” as given in the DPDPA. This Consent Manager must be an Indian-incorporated company with a minimum net worth of ₹2 crore, a proven track record of fairness and integrity, and an interoperable platform to help Data Principals manage their consent. The entity must be registered with the Board and adhere to strict security measures to safeguard personal data. Additionally, it must ensure transparency, avoid conflicts of interest, and enable Data Principals to easily give, manage, review, or withdraw consent. The Consent Manager is also responsible for maintaining consent records, tracking data sharing, and providing easy access to these records for Data Principals.

II. Processing of Personal Data by the State

Under the Draft Rules, the State and its instrumentalities are authorized to process the personal data of a Data Principal for the purpose of providing subsidies, benefits, services, certificates, licenses, or permits granted under applicable laws, policies, or public funds. However, such processing is only permissible for those Data Principals specified in Section 7(b) of the DPDPA. Specifically, this includes individuals who have previously consented to the processing of their personal data by the State or its instrumentalities for any of these purposes, and those whose personal data is available in digital form or has been digitized from non-digital records, registers, or other documents maintained by the State or its instrumentalities, and which are notified by the Central Government.

Interestingly, the State is still bound by high standards for processing under the Second Schedule of the Draft Rules, requiring such processing to be lawful, purpose-limited and protected from breaches. Data Principals also retain all their rights with respect to this data.

III. Obligations of a Data Fiduciary

The Draft Rules impose the following obligations on Data Fiduciaries:

1. Reasonable Security Safeguards: A Data Fiduciary is principally accountable, for itself and any Data Processor, to ensure compliance with the DPDPA. The Draft Rules, unexpectedly, now specify reasonable security safeguards to be taken by such Data Fiduciaries to protect personal data in its or its Data Processors’ possession or control. These safeguards must include, at the minimum:

a. ‘appropriate’ data security measures, including encryption, masking or tokenization;

b. ‘appropriate’ measures to control access to computer resources;

c. visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorized access, its investigation and remediation to prevent recurrence;

d. disaster recovery and backup measures;

e. measures to detect unauthorized access, to investigate it and remediate it so as to prevent recurrence, and to continue processing in the event of such a compromise; and retention of logs and personal data for a period of one year; and

f. ‘appropriate’ provisions in contracts with Data Processors for such safeguards, and technical and organizational standards to ensure their observance.
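Three of the safeguards above (tokenization or masking of a personal data field, role-based access control, and access logs that are retained for one year and reviewed for unauthorized access) can be sketched in a few dozen lines. The block below is an added illustration, not code from the Draft Rules or the authors; the role model, the phone number and the timestamps are constructed for the example, and the vault is an in-memory stand-in for a real tokenization service.

```python
import secrets
from datetime import datetime, timedelta, timezone

LOG_RETENTION = timedelta(days=365)  # Draft Rules: access logs must be kept for one year

# Hypothetical role model (constructed for this example, not from the Rules):
# support staff only ever see a masked value; billing may detokenize.
ROLE_PERMISSIONS = {
    "support": {"masked"},
    "billing": {"masked", "raw"},
}


class TokenVault:
    """Replaces a raw identifier with a random token; the mapping never leaves the vault."""

    def __init__(self):
        self._token_to_raw = {}
        self._raw_to_token = {}

    def tokenize(self, raw: str) -> str:
        # Same raw value -> same token, so the token can still be used as a join key.
        if raw in self._raw_to_token:
            return self._raw_to_token[raw]
        token = "tok_" + secrets.token_hex(8)   # random, so it reveals nothing about the value
        self._token_to_raw[token] = raw
        self._raw_to_token[raw] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_raw[token]


def mask_phone(number: str) -> str:
    """Masking for display: keep only the last four digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class AccessLog:
    """Append-only record of every read attempt, allowed or denied (safeguard c)."""

    def __init__(self):
        self.entries = []

    def record(self, when, user, role, token, form, allowed):
        self.entries.append({"when": when, "user": user, "role": role,
                             "token": token, "form": form, "allowed": allowed})

    def denied_attempts(self):
        """Entries a reviewer would look at first when hunting unauthorized access."""
        return [e for e in self.entries if not e["allowed"]]

    def purgeable(self, now):
        """Entries that have passed the one-year mandatory retention window."""
        return [e for e in self.entries if now - e["when"] > LOG_RETENTION]


def read_phone(vault, log, token, user, role, form, now):
    """Access-controlled read (safeguard b): every attempt is logged before any data is returned."""
    allowed = form in ROLE_PERMISSIONS.get(role, set())
    log.record(now, user, role, token, form, allowed)
    if not allowed:
        raise PermissionError(f"role {role!r} may not read the {form} phone number")
    raw = vault.detokenize(token)
    return raw if form == "raw" else mask_phone(raw)


def demo():
    """Constructed walkthrough; returns the values a test can check."""
    vault, log = TokenVault(), AccessLog()
    token = vault.tokenize("+91 98765 43210")          # constructed sample number
    t0 = datetime(2025, 1, 3, tzinfo=timezone.utc)     # constructed timestamp
    masked = read_phone(vault, log, token, "agent1", "support", "masked", t0)
    raw = read_phone(vault, log, token, "bill1", "billing", "raw", t0 + timedelta(hours=1))
    try:
        read_phone(vault, log, token, "agent1", "support", "raw", t0 + timedelta(hours=2))
    except PermissionError:
        pass                                           # denied, but still logged
    return {
        "token": token,
        "masked": masked,
        "raw": raw,
        "denied": len(log.denied_attempts()),
        "purgeable_after_400_days": len(log.purgeable(t0 + timedelta(days=400))),
        "purgeable_after_1_day": len(log.purgeable(t0 + timedelta(days=1))),
    }


if __name__ == "__main__":
    print(demo())
```

The point of logging before the permission check is that the denied attempt is what a reviewer needs to see; a log that only records successful reads cannot support the detection and investigation the Rules ask for. The `purgeable` check is the retention floor, not a ceiling: nothing in it forces deletion after a year, it only tells you which entries are no longer covered by the mandatory one-year window.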

2. Notice of breach: On becoming aware of a personal data breach, a Data Fiduciary must, to the best of its knowledge, notify all affected Data Principals without delay in a concise and clear manner (using the registered mode of communication).

The Rules also prescribe a two-tier notification process to the Board, although they do not specify the exact mode in which the Board is to be notified.

First, the initial notification to the Board containing basic information (e.g., description, nature, timing, location of breach) must be made ‘without delay’ upon becoming aware of a breach. One foresees some legal wrangling over what exactly ‘without delay’ might mean: an hour, a day, two days? “Sorry Judge, we didn’t ‘delay’ the notice by two days, it just took us that long to get the information together.”

Second, the detailed notification (containing information such as the broad facts relating to the events, circumstances and reasons leading to the breach, and proposed or implemented mitigation measures) must be made within 72 hours of becoming aware of a breach. Data Fiduciaries may request the Board to extend the 72-hour timeline.

3. Grievance Redressal: Along with the grievance redressal given in the DPDPA, the Draft Rules also provide for an appeal to the Appellate Tribunal. Any person aggrieved by an order or direction of the Board should file related documents in digital form, after following the procedure specified by the Appellate Tribunal.

4. Significant Data Fiduciaries: The Central Government has the power to designate Significant Data Fiduciaries (“SDF”) under the DPDPA. The Draft Rules have imposed additional obligations on such SDFs, including:

  • conducting Data Protection Impact Assessments (“DPIA”) and audits every 12 months;
  • due diligence to verify that any algorithmic software used is not likely to pose a risk to the rights of Data Principals; and
  • measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India. This last point essentially reintroduces the bogey of data localization in the context of any entity the Government deems fit to notify a SDF.

GDPR Comparison: The GDPR imposes detailed requirements for conducting a DPIA, such as maintaining records of processing activities and ensuring safeguards for special categories of data like health or biometric information. The GDPR does not recognize the equivalent of ‘Significant Data Fiduciaries’ with additional obligations.

IV. Cross-Border Transfers

The Draft Rules have reinforced the centralized approach to cross-border data transfer through the “blacklisted countries” regime envisaged under the DPDPA, which permits cross-border transfer of personal data to countries except those that have been explicitly blacklisted by the Central Government. Specifically, the Draft Rules state that Data Fiduciaries processing personal data within India, or offering goods or services to Data Principals from outside India, are required to comply with any conditions set by the Central Government regarding the transfer of such data to foreign countries or entities.

GDPR Comparison: Clearly, the Draft Rules take a more restrictive approach to cross-border transfer. This differs from the GDPR, which has adopted a more structured and transparent framework for cross-border data transfers, emphasizing adequacy decisions, standard contractual clauses, and binding corporate rules. The GDPR focuses on data protection consistency through established transfer mechanisms. The DPDPA’s approach gives significant discretion to the government in restricting data transfers and indirectly seems to promote data localization (as in the requirement for SDFs to ensure that personal/traffic data, as specified by the Central Government based on committee recommendations, is not transferred outside India).

V. Oversight

The DPDPA established the Board as the Data Protection authority in India, and contemplated that it would function as an independent body. The Draft Rules have now provided for the appointment of the Board’s chairperson and other members, the procedure therefor, and so on. The Draft Rules provide that the Central Government is to form a committee, chaired by the Cabinet Secretary, to appoint the Chairperson and members of the Data Protection Board. The Chairperson oversees Board meetings, sets agendas, and ensures timely inquiries within six months. A quorum requires one-third of members, with decisions made by majority vote. The Board or authorized persons can request information from Data Fiduciaries or intermediaries.

GDPR Comparison: The Board is another example of India’s centralized approach to data protection, with a single regulatory authority overseeing matters. This centralization is unlike the GDPR, which relies on independent Data Protection Authorities across member states, and coordination by the European Data Protection Board for consistency.

VI. Rights of Data Principals

The Draft Rules have outlined how Data Principals may exercise their rights under the DPDPA. The Data Fiduciary is required to publish the means through which a Data Principal can make a request to exercise these rights, including any necessary identifiers such as usernames. Data Principals have the right to access or erase their personal data by submitting a request to the Data Fiduciary to whom they previously gave consent, using the specified means, and providing the necessary identifiers.

Additionally, Data Fiduciaries and Consent Managers must display the timeline for responding to grievances from Data Principals and implement appropriate technical and organizational measures to ensure timely responses. With respect to erasure, the Draft Rules obligate a Data Fiduciary belonging to a specified class and processing personal data for purposes listed in the Third Schedule of the Draft Rules to erase such data after the specified time period unless retention is required by law. If, during this time, the Data Principal does not engage with the Data Fiduciary – either by using the service or exercising their rights – the data must be deleted. Additionally, the Data Fiduciary must notify the Data Principal at least 48 hours before the data is erased, giving them an opportunity to log in or contact the Data Fiduciary to continue the service or exercise their rights.
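The erasure mechanics above amount to a small state machine per record: a retention clock that runs from the last engagement, a notice that must go out at least 48 hours before the clock expires, a legal-hold exception, and a reset if the Data Principal engages after being notified. The following retention job is an added example, not code from the Draft Rules or the authors. The Third Schedule period is not stated on this page, so the 365-day value, the record fields and the sample timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTICE_LEAD = timedelta(hours=48)   # Draft Rules: notice at least 48 hours before erasure


@dataclass
class Record:
    principal_id: str
    last_engaged: datetime                 # last login, use of the service, or exercise of a right
    notified_at: Optional[datetime] = None  # when the pre-erasure notice was sent, if at all
    legal_hold: bool = False               # retention required by another law


def decide(record: Record, retention_period: timedelta, now: datetime) -> str:
    """Returns one of: retain_legal_hold, keep, notify, wait, erase."""
    if record.legal_hold:
        return "retain_legal_hold"          # statutory retention overrides the schedule

    erase_at = record.last_engaged + retention_period
    notified_at = record.notified_at
    # Engagement after a notice restarts the clock, so that notice no longer counts.
    if notified_at is not None and notified_at <= record.last_engaged:
        notified_at = None

    if notified_at is None:
        # Send the notice once we are inside the 48-hour window before the deadline
        # (or already past it, in which case the notice is overdue and erasure must wait).
        return "notify" if now >= erase_at - NOTICE_LEAD else "keep"

    # Erase only when both the retention period and the 48-hour notice period have run.
    if now >= erase_at and now >= notified_at + NOTICE_LEAD:
        return "erase"
    return "wait"


def run_retention_job(records, retention_period: timedelta, now: datetime) -> dict:
    return {r.principal_id: decide(r, retention_period, now) for r in records}


def sample_records():
    """Constructed test data covering each branch."""
    utc = timezone.utc
    return [
        Record("A", datetime(2024, 1, 1, tzinfo=utc)),                                  # deadline imminent, no notice yet
        Record("B", datetime(2024, 1, 1, tzinfo=utc), datetime(2024, 12, 29, tzinfo=utc)),  # notified in time
        Record("C", datetime(2024, 12, 1, tzinfo=utc)),                                 # recently active
        Record("D", datetime(2024, 1, 1, tzinfo=utc), legal_hold=True),                 # must be kept by law
        Record("E", datetime(2024, 1, 1, tzinfo=utc), datetime(2025, 1, 2, tzinfo=utc)),   # notice sent late
        Record("F", datetime(2024, 7, 1, tzinfo=utc), datetime(2024, 6, 1, tzinfo=utc)),   # engaged after notice
    ]


if __name__ == "__main__":
    now = datetime(2025, 1, 3, tzinfo=timezone.utc)      # constructed "today"
    for pid, action in run_retention_job(sample_records(), timedelta(days=365), now).items():
        print(pid, action)
```

The "wait" state matters: a record whose deadline has passed but whose notice went out less than 48 hours ago cannot be erased yet, and a job that only compares `now` against the deadline would delete it early.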

CONCLUSION

The Draft Rules are currently open for public consultation and comments, which may be made through the MyGov portal until February 18th, 2025. Although the Draft Rules do represent progress, they are not without their shortcomings. For instance, they do not prescribe a transition period and leave it entirely to the government’s discretion to effect a phased implementation, thereby prolonging the prevailing uncertainty among corporates as to how much time they have to overhaul their existing data protection and privacy policies.

Furthermore, the restrictive approach to cross-border data transfers may also pose challenges for corporates operating globally, across multiple jurisdictions. One hopes the next iteration of the Draft Rules prescribes a clear, standardized framework for cross-border data transfers, such as the GDPR’s Standard Contractual Clauses.

Nevertheless, one is tempted to welcome the Draft Rules with a “better late than never” shrug, for they represent another step forward towards an actual, comprehensive, functioning Indian data protection law. Which will arrive, soon. Remember, patience is a much touted virtue in India.

Authors: Shantanu Mukherjee, Varun Alase, Manasi Ravindra