On January 3, 2025, the Ministry of Electronics and Information Technology, Government of India (‘MeitY’), released the draft Digital Personal Data Protection Rules, 2025 (‘Draft DPDP Rules’) under the Digital Personal Data Protection Act, 2023 (‘DPDP Act’), for public consultation. Upon finalization, the Draft DPDP Rules will be notified in a suitable manner for implementation. MeitY has also issued an explanatory note on the Draft DPDP Rules which provides a brief overview of its provisions as well as an insight into the guiding principles followed in the drafting of the Draft DPDP Rules.
The Draft DPDP Rules, released 16 months after the enactment of the DPDP Act, offer guidance on the operational aspects of the DPDP Act. These Rules cover key aspects, including the process and timeline for reporting personal data breaches, the consent manager framework, mechanisms to obtain verifiable consent for processing children’s data, incremental requirements relating to cross-border data transfers, data erasure timelines and the operational details in relation to the constitution, powers and functioning of the Data Protection Board of India (‘DPB’).
Key Highlights
1. Notice: The notice given by the data fiduciary (the person who determines the purpose and means of processing of personal data) to the data principal (the individual to whom the personal data relates) must be clear, understandable and distinct from other information provided by the data fiduciary, so as to enable the data principal to give specific and informed consent for the processing of her personal data. Such notice should include: (i) an itemized description of the personal data processed; (ii) the specified purpose of such processing and an itemized description of the goods or services to be provided, or uses to be enabled, by it; and (iii) the link to the website/app of the data fiduciary through which the data principal can withdraw her consent, exercise her data principal rights and make a complaint to the DPB.
2. Intimation of Personal Data Breach: Upon becoming aware of a personal data breach, the data fiduciary must, without delay, give the DPB a preliminary notification describing the breach, including its nature, extent, timing, location and potential impact. At the same time, affected data principals must be notified without delay through their user account or any other mode of communication opted for by the data principal, with details of the nature and extent of the breach, its potential consequences for the data principal, the safety measures being implemented to protect their interests, and the business contact information of a person who can answer their queries. Thereafter, a more detailed intimation must be made to the DPB within 72 hours (or within such extended timeline as the DPB permits on a request made in writing), with updated information including the measures implemented or proposed to mitigate risk, the findings of the investigation, the remedial measures undertaken and the intimations given to affected data principals.
Notably, this reporting requirement is in addition to the reporting obligations under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, notified under the Information Technology Act, 2000, which require cyber security incidents (including data breaches and data leaks) to be reported to CERT-In within six hours of knowledge, as well as the sectoral reporting requirements of the Securities and Exchange Board of India (‘SEBI’), the Insurance Regulatory and Development Authority of India (‘IRDAI’) and the Reserve Bank of India (‘RBI’), as applicable.
3. Verifiable Consent for Processing Personal Data of Children or Person with Disabilities: The data fiduciary is required to:
i. In Case of a Child – (a) adopt appropriate technical and organizational measures to ensure that verifiable parental consent is obtained; and (b) observe due diligence to verify that the individual identifying herself as the parent is an adult who is identifiable, if required, in compliance with applicable law by using either: (x) existing data of such parent available with the data fiduciary; or (y) details voluntarily provided by such parent, of their identity and age or a virtual token mapped to the same, issued by an authorized entity including by a digital locker service provider notified by the Central Government under the relevant rules under the Information Technology Act, 2000.
ii. In Case of a Person with Disability Who has a Lawful Guardian – observe due diligence while obtaining verifiable consent to verify that the individual identifying herself as the lawful guardian has been so appointed by the Court or competent authority under the applicable guardianship law.
The illustrations provided under the Draft DPDP Rules seem to address only those instances where a child or an adult proactively identifies themselves (as a child or a parent, respectively) for the purpose of triggering the verifiable consent mechanism. Given that the DPDP Act obliges the data fiduciary to obtain verifiable parental consent before processing children’s personal data, more clarity may be required on how a data fiduciary can otherwise identify whether a user is a child, and on the manner in which the relationship between the parent and the child can be established.
4. Cross-Border Transfers: The DPDP Act allows free transferability of personal data to any country or territory outside India, except to the countries, which are specifically restricted by the Government through a notification. However, the Draft DPDP Rules appear to introduce new restrictions on outward transfer of personal data. In the context of significant data fiduciaries (‘SDF(s)’), the Government, based on recommendations of a committee it constitutes, may specify certain personal data sets and the traffic data pertaining to its flow that cannot be transferred outside India. In other words, SDFs may be subject to data localization requirements for certain types of their customer / user data.
The Government may also prescribe requirements (by way of a general or special order) for the disclosure of personal data by data fiduciaries to any foreign State, or to a person/entity under the control of, or any agency of, such a foreign State. As per the explanatory note released by MeitY, this is intended to ensure that personal data originating from Indian territory remains protected under the DPDP Act, presumably from foreign surveillance. Multinational organizations may need to analyze the operational impact of these localization requirements (when prescribed) and their ability to comply with foreign laws that mandate their respective Government’s access to data handled by such entities in respect of their Indian operations.
5. Additional Obligations of SDFs: SDFs must conduct Data Protection Impact Assessments and comprehensive audits to ensure compliance with the DPDP Act once a year. SDFs also need to ensure that the algorithms deployed by them for personal data processing do not pose a risk to data principal rights.
6. Data Erasure Timelines: Certain notified classes of data fiduciaries (e-commerce entities with more than 20 million registered Indian users, online gaming intermediaries with more than five million registered Indian users and social media intermediaries with more than 20 million registered Indian users) must erase personal data once the specified purpose is no longer deemed to be served, i.e., when the data principal neither approaches the data fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing. These data fiduciaries may retain personal data for three years from their last engagement with the data principal or from these Rules coming into effect, whichever is later, unless the personal data is required for the data principal to access her user account or any virtual token issued to redeem money, goods or services. Before erasing personal data, the data fiduciary must notify the data principal at least 48 hours in advance and offer an opportunity to re-engage with the data fiduciary to prevent the erasure.
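To make the retention arithmetic concrete, here is an added example (not from the Draft DPDP Rules, MeitY’s explanatory note or any real data fiduciary’s system) of how a notified data fiduciary might decide, record by record, whether personal data is still retainable, whether the 48-hour advance notice is due, or whether erasure may proceed. It encodes the “whichever is later” rule, the account-access and virtual-token exceptions, and the reset that a re-engagement causes. The date on which the Rules take effect is not yet known and appears as a placeholder; whether the fiduciary falls within a notified class at all is assumed rather than checked, and the per-user record layout is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Figures taken from the rule as summarised in the text.
RETENTION_YEARS = 3
NOTICE_PERIOD = timedelta(hours=48)

# PLACEHOLDER: the date on which the Rules come into effect is not yet known.
RULES_EFFECTIVE_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class PrincipalRecord:
    """Constructed per-user bookkeeping a notified data fiduciary would keep."""
    principal_id: str
    last_engagement: datetime                 # last use of the service or exercise of a right
    needed_for_account_access: bool = False   # data the principal needs to reach her account
    needed_for_virtual_token: bool = False    # data backing an unredeemed voucher/wallet balance
    erasure_notice_sent_at: Optional[datetime] = None


def add_years(when: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def retention_deadline(record: PrincipalRecord,
                       rules_effective: datetime = RULES_EFFECTIVE_DATE) -> datetime:
    """Three years from the later of the last engagement and the Rules taking effect."""
    return add_years(max(record.last_engagement, rules_effective), RETENTION_YEARS)


def erasure_action(record: PrincipalRecord, now: datetime,
                   rules_effective: datetime = RULES_EFFECTIVE_DATE) -> str:
    """Decide what the fiduciary may do with this record right now.

    Returns one of:
      'retain' - still within the retention window, or an exception applies
      'notify' - retention has lapsed; the 48-hour advance notice must be sent first
      'wait'   - notice sent, but 48 hours have not yet passed
      'erase'  - notice period elapsed with no re-engagement; erasure may proceed
    """
    if record.needed_for_account_access or record.needed_for_virtual_token:
        return "retain"
    if now < retention_deadline(record, rules_effective):
        # Also covers a principal who re-engaged after a notice: re-engagement
        # moves last_engagement, and hence the deadline, forward.
        return "retain"
    if record.erasure_notice_sent_at is None:
        return "notify"
    if now - record.erasure_notice_sent_at < NOTICE_PERIOD:
        return "wait"
    return "erase"


def record_engagement(record: PrincipalRecord, when: datetime) -> PrincipalRecord:
    """A fresh engagement restarts the retention clock and cancels any pending notice."""
    record.last_engagement = when
    record.erasure_notice_sent_at = None
    return record


if __name__ == "__main__":
    # Constructed sample: a dormant user whose last visit predates the Rules.
    dormant = PrincipalRecord("user-42", datetime(2023, 6, 1, tzinfo=timezone.utc))
    for now in (datetime(2027, 6, 2, tzinfo=timezone.utc),
                datetime(2028, 1, 2, tzinfo=timezone.utc)):
        print(now.date(), erasure_action(dormant, now))
```

Because the three-year clock runs from the later of the two dates, a user who was last active before the Rules take effect is not erasable until three years after the effective date, not three years after her last visit; the sample run above shows that case.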
7. Certain Exemptions:
i. Certain classes of data fiduciaries, such as clinical and mental health establishments, healthcare professionals, allied healthcare professionals, educational institutions, individual childcare providers and transportation service providers engaged by such persons, have been exempted from specific provisions relating to children’s data, such as verifiable parental consent and the restriction on behavioral monitoring, as long as their processing of personal data is limited to activities like healthcare, education and ensuring safety, which are necessary for the well-being and safety of the child.
ii. Exemption from certain provisions of the DPDP Act for research, archiving and statistical purposes is available subject to implementation of appropriate technical and organizational measures to ensure effective observance of standards including lawful processing, data minimization, data accuracy, restricting retention until fulfilment of purpose, implementation of reasonable security safeguards to prevent personal data breaches, accountability of data fiduciaries for processing in accordance with the standards, etc.
8. Call for Information: Data fiduciaries or intermediaries may be called for information by the Government for purposes including national security, legal compliance or assessment of their status as SDF. Further, the competent authorities are required to specify the timeline for furnishing such information. Where disclosure of information might affect the sovereignty and integrity of India or security of India, the competent authorities may restrict disclosure by the data fiduciaries of such requests for information.
9. Mechanism to Exercise Data Principal Rights: Data fiduciaries must publish on their website and/or app the details of the mechanism through which data principals may exercise their rights, and any particular information, such as the username or other identifiers including file number, customer identification number, etc., that may be required to establish their identity. The data fiduciary must also provide clear timelines for responding to requests or grievances.
10. Reasonable Security Safeguards: The data fiduciary must implement reasonable security measures to prevent personal data breaches, including encryption, access control, the maintenance of logs to monitor, review and detect unauthorized access and to take remedial measures, data backups to mitigate operational disruption caused by a compromise of the confidentiality or availability of personal data, etc.
11. Consent Manager: Similar to the framework issued by the RBI for account aggregators operating their consent management platforms for financial data, the Draft DPDP Rules prescribe the requirements for registration as a consent manager and the obligations of consent managers. The conditions for registration include incorporation as a company in India, minimum net worth requirements, adequacy of capital, earning capacity, independent certification of the conformity of its platform to such data protection standards as the DPB may publish, etc. The obligations of consent managers include providing an interoperable platform to enable data principals to give and manage consents, being data-blind, restrictions on subcontracting or assigning their obligations, maintaining records and logs of consents for at least seven years, conducting audits, ensuring that no conflict of interest arises from any interest held by their directors and senior management in any of the data fiduciaries, disclosure of shareholding in excess of two percent, and obtaining the DPB’s approval for a change of control.
Way Forward
The Draft DPDP Rules propose a staggered implementation whereby the provisions relating to the establishment of the DPB will come into effect immediately upon notification of the Rules, while other compliance obligations applicable to data fiduciaries will be implemented later. Although no specific timeline for implementation has been called out in the Draft DPDP Rules, as per recent press reports, the IT Minister Shri Ashwini Vaishnaw has indicated that the Government may provide a two-year timeline to the industry to implement the law.
Comments and suggestions to the Draft DPDP Rules can be submitted on the MyGov (https://mygov.in) website by February 18, 2025.