
06 January 2025

Draft Digital Personal Data Protection Rules 2025 released

The Ministry of Electronics and Information Technology (‘MEITY’) released the Draft Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’ or ‘Rules’) on Friday for public consultation and feedback until 18 February 2025, over a year since the passing of the Digital Personal Data Protection Act, 2023 (‘DPDPA’).

About the DPDPA

The DPDPA along with the DPDP Rules aims to establish a comprehensive framework for processing of personal data of individuals to whom such data relates (‘Data Principals’) in India, in respect of any processing undertaken. The DPDPA is slated to apply to any entity that undertakes processing of personal data in India or outside India in connection with offering of goods or services to Data Principals in India. This may include entities which determine the purposes and means of processing (referred to as ‘Data Fiduciaries’) and those which process on the former’s behalf and on their instructions (referred to as ‘Data Processors’).

The Rules provide a much-needed operational framework based on which the DPDPA would apply to various entities, and provide further clarifications and guidance on the scope, extent and nature of various obligations outlined in the DPDPA.

Key aspects of the Rules:

  1. Providing a Privacy Notice & Information

In consonance with the Notice requirements under the DPDPA[1], the Rules specify that the Privacy Notice must be presented to a Data Principal independently of any other information that is made available, and must give, in clear and plain language, a fair account of the details necessary to enable specific and informed consent, including without limitation:

  • Itemized description of personal data;
  • Specific purpose for which such data is processed;
  • Itemized description of goods and services;
  • Link to the website or application of the Data Fiduciary; and
  • Means through which Data Principal may withdraw consent, exercise their rights and make a complaint to the Data Protection Board (‘DPB’).

In addition to the Privacy Notice, Data Fiduciaries are required, under the DPDPA, to publish the business contact information of the Data Protection Officer (if applicable) or person who would be able to answer queries of the Data Principal[2]. The DPDP Rules further clarify that such information must be published prominently on the website and application and must be mentioned in every response to communication of rights.

  2. Implementation of reasonable security safeguards

While the DPDPA requires Data Fiduciaries to protect personal data in respect of any processing by taking reasonable security safeguards to prevent personal data breach[3], the Rules further clarify and outline the ‘minimum’ threshold of such safeguards, including:

  • Data security measures, including encryption, obfuscation, masking or through use of virtual tokens;
  • Access control measures to prevent unauthorized access to computer resources processing personal data;
  • Maintaining necessary logs for detection, investigation or remediation of unauthorized access and visibility of processing activities undertaken;
  • Continuity and disaster recovery plans and policies including data backups, for securing personal data in case of any adverse events affecting confidentiality, integrity or availability of data;
  • Measures and logs that will enable detection, investigation and remediation of unauthorized access, retained for 1 (one) year unless otherwise legally required;
  • Provisions in agreements with Data Processors for taking reasonable security measures and safeguards; and
  • Technical and organizational measures to effectively implement the above.

  3. Data Breach Reporting

The Rules provide further clarity on the reporting requirements already specified by the DPDPA[4] by setting out specific requirements for such reporting. The key requirements in relation to reporting of such breaches include:

  • Reporting to Data Principals: Data Fiduciaries are required to intimate to each affected Data Principal, through user accounts or other modes of communication, a description of the breach (including nature, extent, timing and location of occurrence), the relevant consequences, the measures implemented to mitigate risk, the safety measures that may be taken by Data Principals and business contact information for resolving queries.

Such intimation must be provided in a concise, clear and plain manner, without undue delay. No timeline for reporting to individuals has been prescribed in the Rules.

  • Reporting to DPB: Data Fiduciaries are also required to report the personal data breach to the DPB, with details of the breach, in two stages:
    • Initial reporting, including a description of the breach (nature, extent, timing, location of occurrence and likely impact), must be made to the DPB without any delay.
    • Detailed reporting must follow with updated and detailed information in respect of the breach: the broad facts, events, circumstances and reasons behind the breach, measures implemented or proposed to mitigate risk, findings regarding the persons who caused the breach, remedial measures to prevent recurrence of the breach and a report on the intimations provided to Data Principals. Such detailed report must be provided within 72 (seventy-two) hours of becoming aware of the breach.

  4. Inactivity / Data Retention Periods

While the DPDPA requires Data Fiduciaries not to retain personal data beyond the purpose for which such data is collected[5], it does not specify a retention period. The Rules adopt a different approach in respect of certain Data Fiduciaries and specify retention periods based on inactivity of users on platforms. Such retention periods have been specified only for certain entities, viz.

  • e-Commerce entities which have 2 (two) crore registered users or more in India;
  • Online gaming intermediaries which have 50 (fifty) lakh registered users or more in India; and
  • Social media intermediaries which have 2 (two) crore registered users or more in India.

(collectively ‘Schedule-III Entities’)

Such Schedule-III Entities (which process personal data for enabling access to user accounts, or to virtual tokens issued by or on behalf of Data Fiduciaries and stored on their platform that are used to purchase money, goods or services) are required to erase personal data on the expiry of 3 (three) years from the date on which the user last accessed their account, made any activity or contacted the Data Fiduciary, or 3 (three) years from commencement of the Rules, whichever is latest, unless retention is otherwise required by law.

At least forty-eight hours prior to deletion, such Schedule-III Entities are required to inform the Data Principal that the personal data will be erased unless the user logs in to the user account, otherwise initiates contact with the Data Fiduciary or exercises their rights.
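As an added illustration (not code from the article or the Rules), the inactivity-based retention schedule above can be expressed as a check a Schedule-III Entity's retention job might run per account: the erasure date is three years after the latest of the user's last access, activity or contact, or the commencement of the Rules, and erasure may only proceed once notice has been given at least 48 hours beforehand. The commencement date of the Rules is a placeholder assumption.

```python
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 3                    # Rule 8 / Schedule III: 3 years of inactivity
NOTICE_WINDOW = timedelta(hours=48)    # at least 48 hours' notice before erasure

# Assumed (placeholder) commencement date of the Rules; not taken from the page.
RULES_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0):
    """Helper to build timezone-aware UTC timestamps for inputs and tests."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def add_years(dt, years):
    """Add calendar years; 29 Feb falls back to 28 Feb when the target year is not a leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def erasure_deadline(last_access=None, last_activity=None, last_contact=None,
                     commencement=RULES_COMMENCEMENT):
    """Erasure falls RETENTION_YEARS after the latest of: last account access,
    last activity, last contact with the Data Fiduciary, or commencement of the
    Rules ('whichever is latest'). Any new login/contact resets the clock, so the
    caller simply recomputes with the fresh timestamp."""
    anchors = [t for t in (last_access, last_activity, last_contact) if t is not None]
    anchors.append(commencement)
    return add_years(max(anchors), RETENTION_YEARS)


def retention_action(now, deadline, notice_sent_at=None):
    """Return the step due at `now` for one account.

    'send_notice' : the 48-hour notice window has opened and no notice was sent yet.
    'erase'       : the deadline has passed AND notice was given >= 48 hours ago.
    'wait'        : nothing to do yet (a late notice pushes erasure to notice + 48h).
    """
    if notice_sent_at is None:
        return "send_notice" if now >= deadline - NOTICE_WINDOW else "wait"
    earliest_erasure = max(deadline, notice_sent_at + NOTICE_WINDOW)
    return "erase" if now >= earliest_erasure else "wait"


if __name__ == "__main__":
    # Constructed sample: user last logged in on 10 Mar 2025, after commencement.
    deadline = erasure_deadline(last_access=utc(2025, 3, 10))
    print("erasure deadline:", deadline.date())                       # 2028-03-10
    print(retention_action(utc(2028, 3, 8, 12), deadline))             # send_notice
    print(retention_action(utc(2028, 3, 11), deadline, utc(2028, 3, 9)))  # erase
```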

  5. Verifiable Consent: Personal data of children and PWD

The DPDPA specifies the requirement to obtain the ‘verifiable consent’ of a parent or legal guardian in respect of processing personal data of children. In this regard, the DPDP Rules clarify that Data Fiduciaries must adopt appropriate technical and organisational measures to meet such requirement and identify the individual (identifying themselves as parent or legal guardian) providing consent by undertaking due diligence by reference to:

  • Reliable details of identity and age available with the Data Fiduciary;
  • Details provided voluntarily by the individual – relating to identity and age; or
  • A virtual token mapped to identity and age details issued by an entity entrusted by law or Government with maintenance of such details (or a person appointed or permitted by such entity for issuance). This includes details or tokens verified or made available by a Digital Locker service provider.

With regard to individuals identifying themselves as lawful guardians of persons with disabilities, Data Fiduciaries are required to undertake due diligence to verify that such guardian is appointed by courts, authority or a local level committee, as per law.

  6. Entity-based Exemptions on Verifiable Consent and Restrictions on Children’s Data Processing

While the DPDPA requires verifiable consent of parent or legal guardian and restricts certain activities i.e., tracking, behavioural monitoring, targeted advertising[6] (‘Additional CPD Requirements’) when processing personal data of children (‘CPD’), it enables the specification of exemptions (and conditions thereof) for such requirements. In this regard, the DPDP Rules specify:

  • Entities such as clinical establishments, mental health establishments or healthcare professionals are exempt from complying with Additional CPD Requirements in respect of processing undertaken for provision of health services where it is necessary for protection of health of the Data Principal;
  • Allied healthcare professionals are exempt from complying with Additional CPD Requirements if processing is restricted to supporting implementation of healthcare treatment plan / referral plan recommended for such child to the extent necessary for protection of health;
  • Educational institutions are exempt from complying with Additional CPD Requirements where processing is restricted to tracking and behavioural monitoring required for educational activities of such institution or safety interests of children enrolled;
  • Individuals in whose care children are in creches or child day care centres are exempt from complying with Additional CPD Requirements if processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in their care;
  • Data Fiduciaries engaged in transport of children by educational institutions, creches and child day care centres are exempt from complying with Additional CPD Requirements if they restrict processing to tracking location of children in the interest of their safety during the course of travel to and from such institutions or centres.

(collectively ‘Schedule-IV Entities’)

  7. Purpose-based Exemptions on Verifiable Consent and Restrictions on Children’s Data Processing

In addition to the above exemptions for Schedule-IV Entities, the DPDP Rules also provide purpose-driven exemptions for processing CPD as outlined below:

  • Where CPD is processed for exercise of any power, performance of function or discharge of duty in the interest of a child under any law, the Additional CPD Requirements may be exempt if processing is restricted to the extent necessary for such power, function or duty;
  • Where CPD is processed for providing subsidy, benefit, service, certificate, license or permit in the interests of a child, the Additional CPD Requirements may be exempt if processing is restricted to the extent necessary for such provision or issuance;
  • Where CPD is processed for ensuring that information likely to cause detrimental effect on well-being of a child is not accessible to such child, the Additional CPD Requirements are exempt if processing is restricted to the extent necessary to ensure such non-accessibility to such child; and
  • Where CPD is processed for creation of a user account for communication by email, the Additional CPD Requirements are exempt if processing is necessary for creation of such user account and use is limited to communication by email.

Additionally, where a Data Fiduciary processes personal data to verify that an individual is not a child, in observance of the due diligence specified under the DPDP Rules, the Additional CPD Requirements are exempt if processing is restricted to the extent necessary for such confirmation or observance of due diligence.

  8. Significant Data Fiduciaries & Additional Obligations

While the DPDP Rules do not expressly specify any additional criteria for classification as a ‘Significant Data Fiduciary’ (‘SDF’) beyond what is outlined in the DPDP Act[7], the Rules outline the key obligations applicable to such SDF, including:

  • Annually undertaking a data protection impact assessment and data audit to ensure adherence to the provisions of the DPDPA;
  • Requiring the auditor or assessor to submit a report containing the significant observations in the audit and impact assessment to the DPB;
  • Observing due diligence to verify that algorithmic software deployed by SDF which has any interface with personal data is not likely to cause any risk to Data Principals; and
  • Undertaking measures to ensure that personal data (and any traffic data pertaining to its flow) specified by the Government (on the basis of a committee’s recommendations) is not transferred outside India.

It is pertinent to note that the Rules empower the Central Government to call for information from any Data Fiduciary for the purpose of carrying out assessments for notifying any Data Fiduciary or class thereof as a Significant Data Fiduciary, and for such purpose the Secretary of MEITY may designate an officer to call for information on his behalf.

  9. Data Principal Rights

While the rights relating to Data Principals have been specified under the DPDPA[8], the DPDP Rules outline the framework through which Data Principals may effectuate such rights through Data Fiduciaries. This includes:

  • Publication of details of the means through which a Data Principal may make a request for exercise of their rights, and of the particulars (such as username or other identifiers) that would have to be furnished to identify themselves under the terms of service;
  • Publication of details of grievance redressal systems for responding to grievances of Data Principals, including the period for responding to such grievances;
  • Implementation of technical and organisational measures to respond to grievances of Data Principals within the time periods specified by the Data Fiduciaries; and
  • Providing appropriate means and details to enable a Data Principal to exercise the right of nomination through such means and by furnishing the required information.

  10. Cross-border Transfers

While the DPDPA specifies that the Government may notify a negative list of countries to which transfers are restricted[9], the Rules carve out certain situations by providing that such transfers would be subject to requirements to be met by Data Fiduciaries. These requirements would be specified by the Government by general or special orders in respect of making personal data available to foreign States, or to any person or entity under the control of, or any agency of, such foreign State.

  11. Consent Managers: Registration requirements and Obligations

While the DPDPA conceptualized the agency of the Consent Manager[10], the Rules provide an operational framework through which such Consent Managers may be registered and may operate. The Rules provide that:

  • Entities, which are eligible with reference to the First Schedule of the Rules, may apply to the DPB for registration as Consent Manager by furnishing such details as sought and published by the DPB, from time to time;
  • The Rules empower the DPB not only to make an enquiry in respect of fulfilment of such conditions (and publication of details of such Consent Manager) prior to registration, but also seek necessary information, issue notice of non-adherence to Consent Manager and suspend, cancel registration or give necessary directions to Consent Managers to protect Data Principal interests;
  • The Rules require entities registered as Consent Managers to comply with the conditions and obligations specified in First Schedule thereto, which include the following key obligations and requirements:
    • Enabling Data Principals to provide consent to processing of their personal data directly by a Data Fiduciary onboarded on their platform (or through another Data Fiduciary onboarded on their platform);
    • Specifying the necessary details, disclosures and information on its website and applications, as the case may be;
    • Restriction on subcontracting or assigning performance of obligations under the DPDPA or the Rules;
    • Implementing technical, organisational and security measures to protect personal data and avoiding conflict of interest;
    • Adopting effective audit mechanisms to review, monitor and evaluate compliance, and providing the outcome of such audits to the DPB; and
    • Complying with restrictions and conditions in respect of change of control of the organization of the Consent Manager.

  12. Other requirements

In addition to the key obligations set out above, the Rules specify certain other provisions which clarify the obligations and exemptions provided under the DPDPA. Some of the key provisions therein include:

  • Exemptions for State, Research, Archiving and Statistical Purposes: While the DPDPA sets out that its provisions would not apply in respect of research, archiving, statistical purposes[11] and provide an exemption for consent in relation to processing for issuance of any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy[12], the Rules specify such exemption is subject to the condition that processing shall take place in accordance with the conditions specified in the Second Schedule (‘Second Schedule Conditions’). Some of the key Second Schedule Conditions include limiting personal data as is necessary for use or achieving the purposes specified therein, as the case may be, and implementing reasonable security safeguards to prevent personal data breach, including in respect of Data Processors.
  • Power to call for information: While the DPDPA vests in the Central Government a wide power to require the DPB and any Data Fiduciary or intermediary to furnish, for the purposes of the DPDPA, such information as it has called for[13], the Rules outline that such information may be called for from the State or its instrumentalities by such persons and for such purposes as are specified in the Seventh Schedule.

The Seventh Schedule permits information to be solicited, by the designated persons identified in the Schedule, from the State and its instrumentalities processing personal data for the performance of a legal function, for disclosure to fulfil a legal obligation, or in the interest of the sovereignty, integrity or security of the State. Additionally, information may be solicited from private entities for classification of any Data Fiduciary or class thereof as a Significant Data Fiduciary.

  • Appointment, Service Conditions and Meetings: The Rules provide certain requirements in respect of appointment of the chairperson and members of the DPB by the Central Government upon the recommendations of search-cum-selection committees constituted under the Rules, and set out service conditions, salaries and allowances in the Fifth Schedule. Additionally, the Rules outline the procedure for meetings of the DPB and provide a timeline of 6 (six) months for completion of an inquiry by the DPB, extendable by consecutive periods of a maximum of three months with reasons recorded in writing.

In alignment with the DPDPA[14], the Rules provide that the DPB shall function as a digital office and may adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual. This is without prejudice to the powers of the DPB to summon and enforce the attendance of any person and examine such person on oath, in line with the DPDPA.

While the Draft Rules signify a pivotal step towards implementation of the DPDPA, especially with more elaborate provisions on notice, consent managers, retention timelines, cross-border transfers and rights of Data Principals, certain provisions may lack complete clarity and present compliance challenges for Data Fiduciaries. At this juncture, it is critical for organizations across all sectors to actively participate in industry and ongoing public consultations to address practical concerns associated with compliance and to ensure a balanced approach that adequately addresses compliance challenges while also protecting the key interests that the DPDPA and the Rules seek to protect, all while fostering digital innovation.


[1] Section 5, Digital Personal Data Protection Act, 2023.

[2] Section 8(9), Digital Personal Data Protection Act, 2023.

[3] Section 8(5), Digital Personal Data Protection Act, 2023.

[4] Section 8(6), Digital Personal Data Protection Act, 2023.

[5] Section 8(7), Digital Personal Data Protection Act, 2023.

[6] Section 9(3), Digital Personal Data Protection Act, 2023.

[7] Section 10(1), Digital Personal Data Protection Act, 2023.

[8] Sections 11-14, Digital Personal Data Protection Act, 2023.

[9] Section 16, Digital Personal Data Protection Act, 2023.

[10] Section 2(g), Digital Personal Data Protection Act, 2023.

[11] Section 17(2)(b), Digital Personal Data Protection Act, 2023.

[12] Section 7(b), Digital Personal Data Protection Act, 2023.

[13] Section 36, Digital Personal Data Protection Act, 2023.

[14] Section 28, Digital Personal Data Protection Act, 2023.
