Explainer: Draft Digital Personal Data Protection Rules, 2025
Moneylife Digital Team 04 January 2025
The Draft Digital Personal Data Protection (DPDP) Rules, 2025, introduced by the ministry of electronics and information technology (MeitY), mark a crucial step in shaping India’s data governance framework. These Rules operationalise the Digital Personal Data Protection Act, 2023, and aim to safeguard user privacy while enabling lawful data processing. The Data Protection Board of India (DPBI) is tasked with investigating breaches, enforcing penalties and overseeing compliance. It will operate digitally, streamlining hearings and investigations without requiring physical presence. A search-cum-selection committee, led by the Cabinet secretary, will appoint its chairperson and members, ensuring accountability. From regulating consent management to defining penalties for breaches, the draft covers extensive ground.
 
Data Fiduciaries and Their Responsibilities
At the heart of the draft rules are data fiduciaries, the organisations or platforms that handle users' personal data. These entities are required to issue clear, plain-language notices to data principals (users), outlining:
  • What personal data is collected
  • Why it is being collected
  • How it will be processed
 
For example, an e-commerce platform collecting location data must explicitly state whether the data is for order tracking or targeted marketing. Users must also be provided with simple mechanisms to withdraw consent or exercise their rights under the Act.
 
Consent Management Simplified
The Rules introduce consent managers as intermediaries who ensure users can give, review and withdraw consent through a secure and user-friendly platform. Consent managers must be registered with the Data Protection Board of India (DPBI). To qualify, a consent manager must:
  • Be a registered company in India with a net worth of at least Rs2 crore.
  • Maintain transparency and avoid conflicts of interest.
  • Operate an inter-operable platform for managing consents across services.
 
For instance, a consent manager might manage permissions for a health app to access medical data while allowing the user to revoke access anytime. The emphasis on transparency and interoperability is a significant step toward empowering users. Another example could be where a user can withdraw consent given to an e-commerce platform to track purchase history via a consent manager’s portal, ensuring control over personal data.
 
Safeguarding Children’s Data
Recognising the sensitivity of children’s data, the draft mandates verifiable parental consent for processing the data of individuals under 18. Platforms such as gaming or social media services must validate the parent’s identity using government-issued IDs or digital tokens (e.g., DigiLocker).
 
Educational and healthcare institutions are granted exceptions, allowing them to process children’s data within predefined limits and subject to prescribed safeguards, such as for safety monitoring or health services. For instance, educational institutions can monitor students' attendance for safety purposes without seeking explicit parental consent. This provision ensures a balance between regulatory compliance and operational feasibility.
 
Data Breach Reporting and Security Measures
The rules introduce strict timelines for reporting data breaches. Fiduciaries must notify the proposed Data Protection Board of India (DPBI) within 72 hours of detecting a breach. Affected users must also be informed, with details such as:
  • Nature and scope of the breach.
  • Steps taken to mitigate risks.
  • Recommended safety measures for users.
Additionally, fiduciaries are required to implement strong safeguards such as encryption, access controls and regular audits to prevent breaches. Significant data fiduciaries (organisations with extensive data handling responsibilities) must conduct annual data protection impact assessments (DPIAs) to evaluate their compliance. Failure to comply could result in fines of up to Rs250 crore, underscoring the importance of accountability.
 
Cross-border Data Transfers
The draft introduces provisions to regulate the flow of sensitive personal data outside India. While the Act permits such transfers to trusted nations, the draft rules empower a government-appointed committee to decide which specific data categories (e.g., financial or health data) must remain within Indian borders. For instance, financial data or health records may be restricted from being exported to ensure national security and prevent misuse. This provision, while aligned with global trends, raises concerns about operational challenges for multinational corporations.
 
Specific Rules for Data Retention and Erasure
Data fiduciaries are required to delete personal data once it is no longer necessary for its specified purpose. Users must be notified 48 hours in advance of data erasure, allowing them to intervene if needed. For instance, an e-commerce platform must delete a user’s data if the user has not logged in for three years, unless it is legally required to retain it.
 
Obligations for Significant Data Fiduciaries
Organisations classified as 'Significant Data Fiduciaries' (e.g., social media giants or gaming platforms with millions of users) face additional responsibilities:
  • Conducting annual data protection impact assessments.
  • Ensuring that algorithms used for processing data do not harm user rights.
  • Complying with restrictions on transferring specific data types outside India.
 
Despite their strengths, the draft rules face criticism for certain gaps:
  • Ambiguities in Enforcement: The Rules lack clarity on the specifics of penalties for minor breaches and the thresholds for reporting them, potentially leading to over-compliance or underreporting.
  • Operational Feasibility: Verifying parental consent or implementing localisation requirements may pose challenges for businesses with limited resources.
  • Limited Clarity on AI and Research Exemptions: The Rules do not explicitly address whether AI models trained on personal data fall under research exemptions, leaving room for interpretation.
  • Public Sector Exemptions: While the Rules impose stringent safeguards on private entities, government bodies processing data for subsidies or services are exempt from some obligations, raising concerns about accountability.
 
The DPDP Rules, 2025, reflect India’s ambition to align its data governance with global standards, ensuring privacy, transparency, and security. However, the practical implementation of these Rules—particularly in areas like cross-border transfers and consent management—requires refinement. Stakeholders, including businesses, policymakers, and users, are encouraged to provide feedback by 18 February 2025, via the MyGov portal.
 
By addressing these gaps, the final rules can pave the way for a resilient digital ecosystem that respects individual rights while fostering innovation.
 