16 April 2025

Enhancing Privacy And Security: Suggestions For The Draft Digital Personal Data Protection Rules, 2025

Reference Date: April 14, 2025
Version: 1.0
Keywords: Personal Data, Data Principal, Data Protection, Data Processing, Data Breach, Data Privacy
Legislation(s)/Policies:
(i) Data Protection Act, 2023
(ii) Draft Digital Personal Data Protection Rules, 2025
Jurisdiction: India

The draft Digital Personal Data Protection Rules, 2025, signifies a crucial advancement in India's data protection landscape, establishing essential frameworks for safeguarding personal data under the Digital Personal Data Protection Act, 2023. Released by the Ministry of Electronics and Information Technology on January 03, 2025, these rules highlight transparency, accountability, and inclusivity in data-handling practices.

It is crucial not only to understand the obligations of each player involved in the data handling chain but also to appreciate the often far-reaching consequences of any act of omission or commission by any player within that chain. Guidance from data protection lawyers can be valuable for gaining a nuanced understanding of the subject. Data protection lawyers are essential for navigating complex legal frameworks related to privacy, AI governance, and data handling.

INTRODUCTION

The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 ("Draft DPDP Rules") for public consultation on January 3, 2025, marking a significant step towards operationalizing the Digital Personal Data Protection Act, 2023 ("DPDP Act").

Key provisions include enhanced notice requirements for Data Fiduciaries, governance mechanisms for Consent Managers, and strengthened security safeguards to mitigate risks of data breaches. Additionally, the Draft DPDP Rules address the rights of Data Principals, such as simplified processes for consent withdrawal and data erasure, while mandating periodic audits and assessments for Significant Data Fiduciaries. By fostering a balance between privacy and innovation, these Draft DPDP Rules aim to build trust in India's digital ecosystem while ensuring compliance with global standards.

This article examines the Draft DPDP Rules, identifies key areas that necessitate scrutiny and offers constructive suggestions to enhance clarity, enforceability, and alignment with the spirit of the DPDP Act.

MEANINGS

The meanings as given under the DPDP Act and used in the Draft DPDP Rules are reproduced below for ease of reference.

a. Personal data: any data about an individual who is identifiable by or in relation to such data.

b. Data Principal: the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.

c. Data Fiduciary: any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

d. Data Processor: any person who processes personal data on behalf of a Data Fiduciary.

e. Consent Manager: a person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

f. Significant Data Fiduciaries: any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of the DPDP Act.

THE DRAFT DPDP RULES – OBSERVATIONS

1. Notice Requirements for Data Fiduciaries (Rule 3 of the Draft DPDP Rules further to notice provisions under Section 5 of the DPDP Act)

This rule outlines the obligations of a Data Fiduciary to provide notice to the Data Principal at the time of obtaining consent. This rule appears to address only online transactions, and the elements of such notice are limited. Hence, we propose the following modifications:

(i) Dual Format Notice: The provision should mandate that the said notice be presented to the Data Principal in both digital and non-digital formats. Such notice shall be understandable independently of any other information and must be made accessible, in an appropriate manner, to individuals with disabilities and those lacking access to digital platforms.

(ii) Enhanced Content Requirements: The Data Fiduciaries should be required to provide the said notice to the Data Principal, in clear, concise, and plain language, including at least the following details:
ii.a) An itemized description of the personal data to be collected or processed.
ii.b) The specific purposes for processing the personal data.
ii.c) An itemized description of the goods or services provided or uses enabled by such processing.
ii.d) The identity and contact details of the Data Fiduciary and any Data Processor involved.
ii.e) The expected duration for which the data will be retained.

(iii) Clarifying Data Principal Rights: This rule should be revised to specifically state the Data Principal's right to:
iii.a) access, correct/edit, or erase their personal data,
iii.b) withdraw consent via a process as simple as granting it, and
iii.c) make a complaint to the Data Protection Board of India ("Board") in writing or electronically.

(iv) Addressing Subsequent Digitization: This rule should focus on the collection of personal data that is digitized subsequently, ensuring it is prominently displayed and compliant with requirements specified under the said rule. It should also be available to the Data Principal in both hard copy and electronic form.

(v) Communication Preferences: The Data Principals should be required to furnish their preferred mode of communication for the purposes of the DPDP Act and the Draft DPDP Rules, including Rule 7 (Intimation of personal data breach) of the Draft DPDP Rules.

(vi) Summary of Rights: The Data Principal should receive a summary of their rights available under the DPDP Act and Draft DPDP Rules in clear and concise language. This summary must also specify that the Data Principal may seek advice to better understand or enforce their rights.

2. Consent Managers: Strengthening Governance and Accountability (Rule 4 of the Draft DPDP Rules further to the provisions for obtaining consent under Section 6 of the DPDP Act)

This rule outlines the process for registration of Consent Managers and the obligations of Consent Managers. To enhance the governance and accountability of Consent Managers, we propose the following changes to the First Schedule in the Draft DPDP Rules:

(i) Integrity of Leadership: The conditions of registration of Consent Manager should be revised to specify that the directors, key managerial personnel, and senior management must have a minimum 12th-class education qualification or its equivalent, possess a general reputation and record of fairness and integrity, and must not have been convicted of offences under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (POSH) Act or any offence involving moral turpitude.

(ii) Data Processing Location: The obligations of the Consent Manager should include a requirement for the Consent Manager to process, or ensure the processing of, records within the territory of India, as mandated by applicable law.

(iii) Enhancing Security Safeguards: The obligations of the Consent Manager should emphasize the implementation of a comprehensive information security program and policies by the Consent Manager, which shall include managerial, technical, operational, and physical controls to prevent personal data breaches.

(iv) Managing Conflicts of Interest: The obligations of the Consent Manager should emphasize the need for the Consent Manager to implement reasonable systems and procedures to avoid conflicts of interest with Data Fiduciaries, including, but not limited to, their promoters and key managerial personnel.

(v) Strengthening Audit Mechanisms: The obligations of the Consent Manager must include the requirement of having in place an effective audit and real-time monitoring mechanism to review, monitor, evaluate and report such outcomes to the Board periodically or at least once in a calendar quarter.

(vi) Data Fiduciary Compliance: The obligations of the Consent Manager should require the Consent Manager to have an information system in place to ensure that the Data Fiduciary complies with Rule 6 (Reasonable security safeguards) of the Draft DPDP Rules. This modification stems from the Consent Manager's accountability to the Data Principal under the DPDP Act.

3. Reasonable Security Safeguards: Bolstering Data Protection (Rule 6 of the Draft DPDP Rules)

This rule requires Data Fiduciaries to implement reasonable security safeguards, including in respect of processing of data in its possession or under its control. The following modifications are proposed to this rule to strengthen the security measures undertaken by the Data Fiduciaries:

(i) Comprehensive Data Security Measures: The obligation of the Data Fiduciary to protect personal data should be more specific and include the requirement to have in place appropriate data security measures, including encryption, obfuscation, masking, or the use of virtual tokens, along with physical measures to protect such personal data from any unauthorized access, disclosure, alteration, or destruction.

(ii) Proportionate Risk Assessment: The security measures adopted by the Data Fiduciary should be required to be proportionate to the potential risk posed by the processing activities to the Data Principals' rights, considering factors such as data sensitivity, likelihood of threats, and potential impact on Data Principals.

(iii) Enhanced Access Visibility: The obligation of the Data Fiduciary to protect personal data should emphasize the requirement for visibility on data access through logs, real-time monitoring, and review for early detection, investigation, and remediation of any unauthorized access.

(iv) Contractual Security Obligations: The obligation of the Data Fiduciary to protect personal data should specify, in the contracts entered into between Data Fiduciaries and Data Processors, the security measures to be implemented by the third party and the obligations of the Data Processor (meaning any person who processes personal data on behalf of a Data Fiduciary) in the event of any data breach.

(v) Periodic Security Assessments: The obligation of the Data Fiduciary to protect personal data should mandate periodic security assessments by the Data Fiduciary, including vulnerability assessments, penetration testing, audits of internal controls, processes and third-party relationships, and Data Protection Impact Assessments ("DPIA").

(vi) Mandatory Training: The Data Fiduciary should be required to conduct regular training for employees, contractors, and other individuals involved in processing personal data on security practices, risk identification, and the responsibilities set out in the DPDP Act.

(vii) Continuous Evaluation: The Data Fiduciary should be required to periodically evaluate and update its security practices in light of emerging risks, technological advancements, and changing regulatory requirements.
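The measures proposed above for Rule 6 (virtual tokens and masking for personal data, plus access logs reviewed for unauthorized access) can be made concrete in a few lines. The following is an added example written for this article, not code from the article, MeitY or the Draft DPDP Rules: the token vault, the role/purpose policy, the data classes and the log lines are all constructed assumptions chosen to illustrate the controls, and a real deployment would keep the vault in a separately access-controlled store and wire the same review check into real-time alerting.

```python
"""Added example (not part of the article or the Draft DPDP Rules): virtual
tokens and masking for direct identifiers, and a review of a constructed
access log that flags unauthorized access for investigation."""
import secrets
from dataclasses import dataclass


# ---- Virtual tokens: records hold only opaque tokens; the vault holds the values ----

class TokenVault:
    """Maps opaque tokens back to original values. In-memory here for the
    example; in production this would be a separate, tightly controlled store."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, carries no information
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


DIRECT_IDENTIFIERS = {"name", "phone", "email"}  # assumed data classes


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Replace direct identifiers with vault tokens; other fields stay as-is."""
    return {k: (vault.tokenize(v) if k in DIRECT_IDENTIFIERS else v)
            for k, v in record.items()}


def mask_phone(phone: str) -> str:
    """Display masking: reveal only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# ---- Access log review: who accessed which data class, for what purpose ----

@dataclass(frozen=True)
class AccessEvent:
    actor: str
    role: str
    data_class: str
    purpose: str
    detokenized: bool  # did the actor resolve tokens back to raw values?


# Assumed policy: roles, the data classes each may see in raw form, and the
# purposes each role has declared. An analyst works on tokenized data only.
ACCESS_POLICY = {
    "support": {"classes": {"phone", "email"}, "purposes": {"service_request"}},
    "analyst": {"classes": set(), "purposes": {"analytics"}},
}


def review_access_log(events):
    """Return (event, reason) pairs for every access that violates the policy.
    This is the 'review for early detection' step; the same check can run
    on each event as it is written, for real-time alerting."""
    findings = []
    for ev in events:
        rule = ACCESS_POLICY.get(ev.role)
        if rule is None:
            findings.append((ev, "unknown role"))
        elif ev.purpose not in rule["purposes"]:
            findings.append((ev, "purpose not declared for role"))
        elif ev.detokenized and ev.data_class not in rule["classes"]:
            findings.append((ev, "raw identifier access not permitted for role"))
    return findings


# Constructed log lines: actor|role|data_class|purpose|detokenized(1/0)
SAMPLE_LOG = """\
asha|support|phone|service_request|1
rahul|analyst|phone|analytics|1
rahul|analyst|phone|analytics|0
guest|unknown|email|service_request|1
asha|support|email|marketing|1
"""


def parse_log(text: str):
    events = []
    for line in text.strip().splitlines():
        actor, role, cls, purpose, detok = line.split("|")
        events.append(AccessEvent(actor, role, cls, purpose, detok == "1"))
    return events


if __name__ == "__main__":
    vault = TokenVault()
    rec = tokenize_record({"name": "A. Sharma", "phone": "+919876543210",
                           "plan": "basic"}, vault)
    print(rec)                                    # only tokens for identifiers
    print(mask_phone(vault.detokenize(rec["phone"])))
    for ev, why in review_access_log(parse_log(SAMPLE_LOG)):
        print(f"ALERT {ev.actor} ({ev.role}) on {ev.data_class}: {why}")
```

Three of the five constructed log lines are flagged: the analyst who detokenized a phone number, the actor with no registered role, and the support agent using identifiers for a purpose that role never declared. The remaining two (support access for a service request, and analyst work on tokens only) pass, which is the point of pairing tokenization with purpose-bound access review.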

4. Data Retention: Balancing Purpose and Privacy (Rule 8 of the Draft DPDP Rules further to the provisions for data erasure under Section 8, sub-section 7 of the DPDP Act)

This rule requires the specified class of Data Fiduciary to erase the personal data when a specified purpose for which personal data was collected is considered to no longer be served.

(i) Publicly Available Retention Period: It is proposed that the Data Fiduciaries should be required to define and make publicly available the retention period for the collected personal data; and that such a retention period should be proportionate to the purpose of processing and based on the necessity of retaining personal data for the fulfilment of such purpose.

(ii) Periodic Review of Retention Practices: The Data Fiduciary should be required to periodically review its data retention practices to ensure compliance with the Draft DPDP Rules. They must also be required to ensure that the collected personal data is no longer retained when it is no longer needed for the specified purpose. Any personal data retained for compliance or legal purposes must be securely archived, protected from unauthorized access, and disposed of once it is no longer necessary.

(iii) Pre-Erasure Notification: This provision should mandate a notification to be provided to the Data Principal at least forty-eight hours before the erasure of their personal data under this rule, informing them of the impending erasure and providing an opportunity to exercise their rights in relation to the processing of such personal data. Such notification must be made accessible in a manner appropriate to individuals with disabilities and those lacking access to digital platforms.

5. Accessibility of Contact Information of Data Protection Officer (Rule 9 of the Draft DPDP Rules further to the requirement to publish information about the Data Protection Officer or other relevant individuals as outlined in Section 8, sub-section 9 of the DPDP Act)

This Rule requires every Data Fiduciary to publish the business contact information of the Data Protection Officer or any other individual who is able to answer on behalf of such Data Fiduciary about the processing of personal data. To enhance transparency and facilitate effective communication, we propose that the Rule should specify that business contact information, at a minimum, should include the name, title, or position of the responsible person or department and contact details.

The Data Protection Officer or the designated person should be equipped and authorized to respond to the raised queries in a prompt manner or within a reasonable timeline.

The Data Fiduciary should be required to immediately notify the Data Principal of any changes to the contact details or the person responsible for handling data processing queries.

6. Safeguarding the Rights of Children and Persons with Disabilities (Rule 10 of the Draft DPDP Rules further to the provisions for processing personal data of children or persons with disabilities under Section 9 of the DPDP Act)

Stringent safeguards when processing the personal data of children and persons with disabilities are paramount. Hence, we propose the following modifications to enhance accountability and transparency in obtaining and verifying verifiable consent:

(i) Verifiable Consent: The Data Fiduciary should be required to adopt appropriate technical and organizational measures to ensure that the verifiable consent of the parent or legal guardian is obtained before the processing of any personal data of a child (which means an individual who has not completed the age of eighteen) and be required to observe due diligence to check that the individual identifying themselves as the parent or legal guardian is an adult who is identifiable if required in connection with compliance with any law.

(ii) Right to Withdraw Consent: The lawful guardian must be informed of their right to withdraw consent at any time, and this right should be easily exercisable. Further, upon withdrawal of such consent, the Data Fiduciary must be required to cease the processing of such personal data unless there is another lawful basis for continuing such processing.

(iii) Regular Review and Updates: The Data Fiduciary should be required to ensure that the process for obtaining and verifying such consent is regularly reviewed and updated to comply with the requirements of the DPDP Act. Any failure with respect to the verification of such consent or improperly processing data without valid consent should be liable to penalty as determined by the Board.

7. Obligations of Significant Data Fiduciaries (Rule 12 of the Draft DPDP Rules, further to the provisions for additional obligations for Significant Data Fiduciaries under Section 10 of the DPDP Act)

The Draft DPDP Rules have recognized the enhanced responsibilities of Significant Data Fiduciaries ("SDFs"). We propose the following modifications to systematically identify risks and enforce corrective measures to protect the rights of the Data Principal:

(i) Mandatory DPIA and Audit: An SDF should be required, once every twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, to undertake a DPIA and an audit to ensure effective observance of the provisions under the DPDP Act and the DPDP Rules. Such DPIA must identify and assess potential risks posed to the rights of the Data Principal, and also evaluate the effectiveness of the data protection measures implemented by the Data Fiduciary.

(ii) Algorithmic Bias Verification: An SDF should be required to observe due diligence to verify that any algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating, sharing or processing of personal data does not pose a risk to the rights of Data Principals. Further, the SDF must verify that such algorithmic software has been thoroughly tested for potential biases, inaccuracies, or unintended risks that could affect the rights of Data Principals, and it shall also undertake necessary corrective measures to mitigate any risks identified during the use of such algorithmic software.

8. Rights of Data Principals (Rule 13 of the Draft DPDP Rules further to rights granted to Data Principals under Sections 11, 12, 13, and 14 of the DPDP Act)

The proposed modifications to this rule aim to empower the Data Principals to effectively exercise their rights.

(i) Accessible Means for Exercising Rights: The means for Data Principals to make requests to exercise their rights provided under the DPDP Rules and the DPDP Act should include appropriate modes and manners for individuals with disabilities and those lacking access to digital platforms.

(ii) Request to Data Fiduciary: There should be an enabling provision under which a Data Principal, in order to exercise the rights provided under the DPDP Act to access information about their personal data and to have it erased, may make a request to the Data Fiduciary to whom they had previously given consent for the processing of their personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.
Such requests to the Data Fiduciary should also be possible via a process that is as simple as the process by which the personal data was provided.

VIEWPOINT

The Draft DPDP Rules represent a significant milestone in establishing a robust data protection framework in India. The implications of the DPDP Rules extend to both individuals and businesses, promoting a culture of responsible data handling. For individuals, the Draft DPDP Rules promise enhanced privacy and autonomy in the digital realm, enabling them to make informed decisions regarding the processing of their personal data. For businesses and organisations, compliance with these Draft DPDP Rules will not only mitigate risks but also build trust among customers, fostering long-term sustainability and growth. However, such compliance will necessitate a substantial investment from businesses or organisations in infrastructure, training, and governance mechanisms.

The Draft DPDP Rules signify a positive step toward establishing a comprehensive data protection framework in India. Some areas may need further clarification and refinement, and challenges remain regarding implementation and enforcement. The DPDP Rules are a crucial stride toward a more secure and equitable digital ecosystem in India, aligning the nation with global best practices in data protection.

Legal Support in the domain of Data Protection and Privacy Laws

If you are interested in related topics like privacy and data protection, reach out for information or support to our legal firm in Gurgaon with expertise in the practice group, Information Technology and Artificial Intelligence. Please feel free to contact us for more information on how our legal firm in NCR can help.

Founded in 2003 by Divjyot Singh and Suniti Kaur, Alaya Legal takes pride in its boutique practice, which encompasses Litigation and Arbitration, Corporate and Commercial, Energy and Sustainability, as well as Information Technology and Artificial Intelligence. The firm provides tailored solutions for its clients to align with their growth objectives by leveraging its expertise and experience in these sectors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
