Draft DPDP Rules, 2025, seeds of both surveillance and freedom

The recently published Draft Digital Personal Data Protection Rules, 2025 contain real safeguards, such as notice and consent requirements and time-bound erasure of personal data, but the shadow of a dystopian future looms large: the broad exemptions granted to government agencies for processing data related to public services and subsidies create concerning possibilities for expanded state surveillance under the guise of public interest.

India is taking a significant step towards strengthening its data protection framework with the release of the draft Digital Personal Data Protection Rules, 2025 (Draft DPDP Rules). Published by the Ministry of Electronics and Information Technology (MeitY) in January 2025, the draft rules lay out the roadmap for implementing the Digital Personal Data Protection Act, 2023 (DPDP Act). This article examines the key provisions of the Draft DPDP Rules and their potential implications. Two terms recur throughout and need to be understood first.

  • Data Principal: The individual to whom the personal data relates, for example a user of a marketplace like Amazon.
  • Data Fiduciary: The entity that, alone or together with others, determines the purpose and means of processing personal data, for example the marketplace itself.

Principles of the DPDP Act

The DPDP Act is built upon six core principles that guide its approach to data protection:

  1. Lawful, Fair, and Transparent Usage: Organizations must use personal data in a manner that is lawful, fair, and transparent to the individuals concerned.
  2. Purpose Limitation: The use of personal data should be limited to the purpose for which it was collected.
  3. Data Minimisation: Only the necessary personal data required for the specified purpose should be collected.
  4. Accuracy: Reasonable efforts should be made to ensure the accuracy and up-to-date nature of personal data.
  5. Storage Limitation: Data should be stored only for the duration necessary for the stated purpose.
  6. Security: Reasonable safeguards must be implemented to prevent unauthorized access, processing, and data breaches.

The draft rules have been published to realize these principles and the provisions of the Act. The period for submitting comments and feedback on the rules ended on March 5, 2025.

Key Provisions in a nutshell

The Draft DPDP Rules provide detailed guidance on various aspects of data protection, including notice and consent, security safeguards, data breach notification, and data retention. Some of the key provisions are:

  • Clear and concise notices
  • Reasonable security safeguards
  • Data breach notification
  • Time restrictions on data storage

Notice and consent

The Digital Personal Data Protection Act, 2023 and the Draft Rules, 2025, place emphasis on informing Data Principals before processing their personal data, especially when consent is the legal basis.

Section 5(1) of the Act mandates that any request for consent under Section 6 must be accompanied or preceded by a notice from the Data Fiduciary.

To ensure understanding, Section 6(3) requires that the consent request be in clear and plain language, offering the option to access it in English or any language in the Eighth Schedule of the Constitution. It must also include contact details for a Data Protection Officer or another authorised person.

Rule 3 of the Draft Rules further details the notice requirements, stipulating that it must be:

  • Be understandable independently of any other information (Rule 3(a)).
  • Give a clear and plain account of the details needed for informed consent, including an itemised description of the personal data collected and of the specified purpose, with an itemised description of the goods, services or uses involved (Rule 3(b)).
  • Include the communication link to the Data Fiduciary’s website or app, and a description of any other means, by which the Data Principal can withdraw consent (with ease comparable to that with which it was given), exercise their rights, and make a complaint to the Board (Rule 3(c)).

Reasonable security safeguards

The Digital Personal Data Protection Act, 2023 requires Data Fiduciaries to protect personal data in their possession or control by taking reasonable security safeguards to prevent a personal data breach [Section 8(5)]. The Act also carves out exemptions in Section 17. In particular, Section 17(2)(b) provides that the Act does not apply to processing necessary for research, archival or statistical purposes, provided the data is not used to take any decision specific to a Data Principal and the processing follows the prescribed standards.

The Draft Digital Personal Data Protection Rules, 2025, further detail these obligations in Rule 6 (“Reasonable security safeguards”), requiring Data Fiduciaries to implement, at a minimum:

  • Rule 6(1)(a): Securing the data through encryption, obfuscation or masking, or the use of virtual tokens mapped to it.
  • Rule 6(1)(b): Controlling access to the computer resources used by the Data Fiduciary or its Data Processors.
  • Rule 6(1)(c): Maintaining visibility of access to personal data through logs, monitoring and review, so that unauthorised access can be detected, investigated and remediated to prevent recurrence.
  • Rule 6(1)(d): Measures for continued processing, such as backups, if confidentiality, integrity or availability is compromised.
  • Rule 6(1)(e): Retaining the logs and the personal data relating to the processing for one year from the date of processing, to enable detection, investigation and prevention of unauthorised access.
  • Rule 6(1)(f): Including security requirements in contracts with Data Processors.
  • Rule 6(1)(g): Technical and organisational measures to ensure the safeguards are actually observed.
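
As an added illustration, not code from the article or from the Rules, the following Python sketch shows how Rule 6(1)(a), (b), (c) and (e) fit together on one access path: the identifier written to the access log is a keyed pseudonym rather than the raw e-mail, operator views get a masked copy, denied reads are logged alongside allowed ones, the log supports a simple bulk-access check, and entries are purged only after the one-year retention window. The key, the role table, the sample records and the threshold are all assumptions made up for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption for the example: in production the pseudonymisation key lives in a
# KMS/HSM, separate from the log store, so a leaked log cannot be re-identified.
PSEUDONYM_KEY = b"example-only-key-do-not-use"
LOG_RETENTION = timedelta(days=365)           # Rule 6(1)(e): keep logs for one year
ROLE_PERMISSIONS = {                          # Rule 6(1)(b): assumed role table
    "support": {"read"},
    "dpo": {"read", "export"},
    "marketing": set(),
}
# Constructed sample records, keyed by the Data Principal's e-mail address.
STORE = {
    "asha@example.in": {"name": "Asha", "city": "Pune"},
    "ravi@example.in": {"name": "Ravi", "city": "Kochi"},
}


def pseudonym(identifier: str) -> str:
    """Keyed, truncated HMAC-SHA256 (Rule 6(1)(a) obfuscation): stable enough to
    correlate events about one person, not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_email(email: str) -> str:
    """Display masking for operator-facing views, e.g. a***@example.in."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


class AccessLog:
    """Append-only record of every attempt to read personal data (Rule 6(1)(c))."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, role: str, subject: str, action: str,
               allowed: bool, when: datetime) -> dict:
        event = {"ts": when.isoformat(), "actor": actor, "role": role,
                 "subject": pseudonym(subject),  # never the raw identifier
                 "action": action, "allowed": allowed}
        self.entries.append(event)
        return event

    def events_for(self, subject: str) -> list[dict]:
        """Investigation view: every event about one Data Principal."""
        token = pseudonym(subject)
        return [e for e in self.entries if e["subject"] == token]

    def purge_expired(self, now: datetime) -> int:
        """Drop entries older than the retention window, never anything younger."""
        cutoff = now - LOG_RETENTION
        kept = [e for e in self.entries if datetime.fromisoformat(e["ts"]) >= cutoff]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed


def read_record(store: dict, log: AccessLog, actor: str, role: str,
                subject: str, now: datetime) -> dict:
    """Gate a read on the role table and log the attempt whether or not it succeeds."""
    allowed = "read" in ROLE_PERMISSIONS.get(role, set())
    log.record(actor, role, subject, "read", allowed, now)
    if not allowed:
        raise PermissionError(f"{actor} ({role}) may not read personal data")
    record = dict(store[subject])
    record["email"] = mask_email(subject)     # masked copy for the UI path
    return record


def bulk_readers(log: AccessLog, threshold: int) -> dict[str, int]:
    """Monitoring check: actors who successfully read at least `threshold` distinct subjects."""
    per_actor: dict[str, set] = defaultdict(set)
    for e in log.entries:
        if e["allowed"]:
            per_actor[e["actor"]].add(e["subject"])
    return {a: len(s) for a, s in per_actor.items() if len(s) >= threshold}


def run_demo() -> dict:
    """Exercise the path with constructed events and return the observations."""
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)
    log = AccessLog()
    asha = read_record(STORE, log, "agent7", "support", "asha@example.in", now)
    read_record(STORE, log, "agent7", "support", "ravi@example.in", now + timedelta(minutes=5))
    try:
        read_record(STORE, log, "mkt1", "marketing", "asha@example.in", now + timedelta(minutes=9))
        denied = False
    except PermissionError:
        denied = True
    return {
        "asha_view": asha,
        "denied": denied,
        "entries": len(log.entries),
        "asha_events": len(log.events_for("Asha@Example.in")),
        "raw_pii_in_log": "asha@example.in" in json.dumps(log.entries).lower(),
        "bulk": bulk_readers(log, 2),
        "purged_early": log.purge_expired(now + timedelta(days=364)),
        "purged_after_year": log.purge_expired(now + timedelta(days=366)),
    }
```

The point of the keyed pseudonym is that a log you are obliged to keep for a year should not itself be a second copy of the personal data; the investigator who needs to know which person an event concerns recomputes the token from the identifier and the key, which the log store never holds.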

Data breach notification

In the event of a personal data breach, the draft rules mandate a swift and transparent notification process. As per Rule 7(1) of the Draft Rules, the Data Fiduciary must, without delay, inform each affected Data Principal in a clear and plain manner of the nature and extent of the breach, its likely consequences, the measures taken to mitigate risk, and the safety measures the Data Principal can take. Crucially, Rule 7(1)(e) also requires the business contact information of a person able to respond on behalf of the Data Fiduciary. Furthermore, Rule 7(2) stipulates that the Data Fiduciary must notify the Data Protection Board of India upon becoming aware of a breach. This initial notification must include a description of the breach, and a more detailed report must follow within 72 hours, or such longer period as the Board permits. The subsequent report must set out the broad facts, circumstances and reasons leading to the breach, the mitigation measures taken, findings regarding the person responsible, the remedial actions, and a report on the notifications given to Data Principals. Note that neither the Act nor the draft rules set a severity threshold: every personal data breach, however small, triggers both obligations, and the 72-hour clock runs from the moment the Data Fiduciary becomes aware of it.

Erasure of personal data when consent is withdrawn or the purpose lapses

Section 8(7) of the Act requires a Data Fiduciary to erase personal data when the Data Principal withdraws consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, unless retention is required by law. Rule 8(1) of the Draft Rules gives the second limb a fixed clock for the classes of Data Fiduciary listed in the Third Schedule: such a Data Fiduciary must erase the personal data if the Data Principal neither contacts it for the specified purpose nor exercises their rights for the period stipulated in that Schedule, provided retention is not required by law. For e-commerce entities and social media intermediaries with not less than two crore registered users in India (and online gaming intermediaries with not less than fifty lakh), that period is three years, counted from the date the Data Principal last contacted the Data Fiduciary for the specified purpose or exercised their rights, or from the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.

Informing Data Principals before erasure so they can act to retain their data

To ensure Data Principals are aware of impending data erasure and can take necessary steps if they wish to retain their data, Rule 8(2) of the Draft Rules imposes an obligation on Data Fiduciaries. They must inform the Data Principal at least forty-eight hours before the expiry of the period for erasure. This notification will alert the Data Principal that their personal data will be erased upon the completion of this period unless they log into their user account or otherwise contact the Data Fiduciary for the performance of the purpose or exercise their rights.
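
To make the Rule 8 timeline concrete, here is an added worked example (not code from the article or from the Rules) that computes, for a Third Schedule platform, when a dormant account becomes due for erasure and when the 48-hour notice must go out, and that refuses to erase an account that was never notified. It assumes a commencement date for the Rules, a seven-day operational margin for sending the notice, and a legal_hold flag standing in for "retention required by law"; all three are assumptions, not figures from the Rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed commencement date of the Rules; the real date depends on notification.
RULES_COMMENCEMENT = datetime(2025, 6, 1, tzinfo=timezone.utc)
INACTIVITY_PERIOD_YEARS = 3                 # Third Schedule period for large platforms
NOTICE_BEFORE_EXPIRY = timedelta(hours=48)  # Rule 8(2): notify at least 48 hours before
NOTICE_MARGIN = timedelta(days=7)           # assumed slack so the 48-hour floor is never missed


def add_years(moment: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 February lands on 28 February in a non-leap year."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


@dataclass(frozen=True)
class Account:
    user_id: str
    last_contact: datetime      # last contact for the purpose, or exercise of rights
    legal_hold: bool = False    # retention required by law (assumed flag)
    notified: bool = False      # Rule 8(2) notice already sent


def erasure_deadline(acct: Account) -> Optional[datetime]:
    """Rule 8(1): three years from the later of last contact and commencement; None under legal hold."""
    if acct.legal_hold:
        return None
    start = max(acct.last_contact, RULES_COMMENCEMENT)
    return add_years(start, INACTIVITY_PERIOD_YEARS)


def latest_notice_time(acct: Account) -> Optional[datetime]:
    """Rule 8(2): the last moment at which a compliant notice can still be sent."""
    deadline = erasure_deadline(acct)
    return None if deadline is None else deadline - NOTICE_BEFORE_EXPIRY


def action_for(acct: Account, now: datetime) -> str:
    """What a nightly retention job should do with this account at `now`."""
    deadline = erasure_deadline(acct)
    if deadline is None:
        return "retain"                       # legal hold: keep, do not erase
    if not acct.notified and now >= deadline - NOTICE_BEFORE_EXPIRY - NOTICE_MARGIN:
        return "notify"                       # inside the window; also covers a missed notice
    if acct.notified and now >= deadline:
        return "erase"                        # only ever erase after the notice went out
    return "wait"


def record_contact(acct: Account, when: datetime) -> Account:
    """Any contact for the purpose, or exercise of rights, restarts the clock and clears the notice."""
    return Account(acct.user_id, when, acct.legal_hold)


def demo() -> dict:
    """Constructed accounts and probe dates; returns the observations as strings."""
    utc = timezone.utc
    dormant = Account("u-old", datetime(2020, 1, 15, tzinfo=utc))     # dormant since before commencement
    leap = Account("u-leap", datetime(2028, 2, 29, tzinfo=utc))       # leap-day edge case
    held = Account("u-hold", datetime(2020, 1, 1, tzinfo=utc), legal_hold=True)
    notified = Account("u-old", dormant.last_contact, notified=True)
    revived = record_contact(dormant, datetime(2027, 1, 1, tzinfo=utc))
    return {
        "dormant_deadline": erasure_deadline(dormant).date().isoformat(),
        "dormant_latest_notice": latest_notice_time(dormant).isoformat(),
        "leap_deadline": erasure_deadline(leap).date().isoformat(),
        "revived_deadline": erasure_deadline(revived).date().isoformat(),
        "held": action_for(held, datetime(2040, 1, 1, tzinfo=utc)),
        "before_window": action_for(dormant, datetime(2028, 5, 20, tzinfo=utc)),
        "in_window": action_for(dormant, datetime(2028, 5, 24, tzinfo=utc)),
        "past_deadline_unnotified": action_for(dormant, datetime(2028, 6, 1, tzinfo=utc)),
        "past_deadline_notified": action_for(notified, datetime(2028, 6, 1, tzinfo=utc)),
    }
```

Two details are worth noticing. An account dormant since 2020 is not erased in 2023: the clock starts at the later of last contact and commencement, so the first wave of erasures falls three years after the Rules commence. And the job never erases an account it has not notified, even past the deadline, because the 48-hour notice is a precondition of the erasure, not a courtesy.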

Provisions for vulnerable groups like personal data of children, persons with disabilities, etc.

The draft rules include specific safeguards for the personal data of vulnerable groups. Rule 10 of the Draft Rules mandates that a Data Fiduciary must adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before processing any personal data of a child. The rule also requires due diligence to check that the individual identifying themselves as the parent is an adult who can be identified if required in connection with compliance with any law. For processing the personal data of a person with a disability who has a lawful guardian, Rule 10(2) similarly requires due diligence to verify that the guardian has been appointed by a court or other competent authority under applicable law. Furthermore, Part B of the Fourth Schedule exempts the processing of a child’s personal data for certain purposes from sub-sections (1) and (3) of Section 9 of the Act (Section 9(1) requires verifiable parental consent; Section 9(3) prohibits tracking or behavioural monitoring of children and targeted advertising directed at them). Those purposes include the exercise of any power or function in the interests of a child under any law, and the provision of a subsidy or benefit to a child. The exemptions apply only to the extent that the processing is restricted to what is necessary for such purposes.

Consent managers

The draft rules establish a framework for the registration and obligations of Consent Managers. Rule 4 of the Draft Rules outlines the process for a person to apply to the Board for registration as a Consent Manager, requiring them to fulfil the conditions set out in Part A of the First Schedule. These conditions include being a company incorporated in India with sufficient technical, operational, and financial capacity, including a minimum net worth. Upon registration, Consent Managers are subject to obligations specified in Part B of the First Schedule. These obligations include ensuring that the personal data is made available or shared in a manner that its contents are not readable by the Consent Manager, maintaining records of consents and notices, providing Data Principals access to these records, acting in a fiduciary capacity, and avoiding conflicts of interest with Data Fiduciaries.

Data processing by the state

The draft rules permit the State and its instrumentalities to process personal data for specific purposes in the public interest. Rule 5(1) of the Draft Rules allows for the processing of a Data Principal’s personal data to provide any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds. However, Rule 5(2) specifies that such processing must be done following the standards outlined in the Second Schedule. These standards include ensuring that processing is carried out in a lawful manner and for the specified uses, is limited to necessary personal data, is done while making reasonable efforts to ensure accuracy, and that personal data is retained only as long as required. The Second Schedule also mandates reasonable security safeguards, providing business contact information of a person able to answer questions about processing, specifying the means for Data Principals to exercise their rights, and ensuring accountability of the person determining the purpose and means of processing. Similar standards apply to the processing of personal data necessary for research, archiving or statistical purposes.

Concerns

The rules have drawn criticism for potentially breaching fundamental data protection principles such as purpose limitation and proportionality, particularly because of the broad exemptions granted to government agencies for processing data related to subsidies and public services without adequate safeguards. Concerns have also been raised about increasing executive influence over the Data Protection Board of India through the appointment process, which could compromise its independence and objectivity. This is critically important: the State has already been given special treatment under the Act, and yet no effort has been made to make the preliminary adjudicating body, the Data Protection Board, more independent.

Additionally, the mandatory data retention requirements for certain entities have raised concerns about excessive data collection and heightened surveillance risks. Lastly, Rule 22, which lets the Central Government call for information from Data Fiduciaries and intermediaries, is seen as bypassing established surveillance safeguards and the criminal justice system, posing significant privacy risks. Its broad and ambiguous grounds, including “the sovereignty and integrity of India”, allow the government to demand data without clear notification protocols. The absence of any limit on how long such data may be retained heightens fears of indefinite storage and potential misuse. Transparency is further compromised because Data Fiduciaries can be directed not to disclose such requests, weakening accountability. Moreover, the government’s ability to exempt itself from key data protection obligations threatens privacy, allowing data collection without user consent or adequate legal justification.

Conclusion

The establishment of consent managers represents an innovative approach to managing individual autonomy in an era where data collection has become omnipresent. Special protections for children and vulnerable groups demonstrate a recognition of differential risks in our digital ecosystem.

However, the shadow of a dystopian future looms large. The broad exemptions granted to government agencies for processing data related to public services and subsidies create concerning possibilities for expanded state surveillance under the guise of public interest. The mandatory data retention requirements for significant digital platforms raise questions about the long-term storage of sensitive information and the potential for mission creep in data usage.

India stands at a crossroads where the path forward is neither predetermined nor inevitable. The Draft DPDP Rules contain within them the seeds of both surveillance and freedom. The ultimate direction will be determined by how these rules are interpreted, enforced, and amended in response to real-world consequences. The coming years will test whether India can navigate this complex landscape to create a digital society that respects both innovation and individual rights. 

(The author is a legal researcher with the organisation)
