Draft Digital Personal Data Protection (DPDP) Rules, 2025: A Legal Critique
- Anhad Law

- Aug 25
On January 03, 2025, the Ministry of Electronics and Information Technology (“MeitY”) published the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for public comments, objections and suggestions until February 18, 2025.
The Draft Rules consist of 22 Rules and seven Schedules, corresponding to the provisions of the DPDP Act, which contains 44 Sections. The Draft Rules aim to safeguard personal data and ensure privacy in the digital age by providing details on notice, Consent Managers, reasonable security safeguards, personal data breaches, personal data of children and persons with disabilities, exemptions, rights of Data Principals, processing outside India, the DP Board, etc. Significantly, the Draft Rules throughout use the expressions 'she' and 'her' instead of the male-centric 'he' and 'him' used in most legislation drafted in the past.
Purpose and Scope
The overarching purpose of the Draft Rules is to protect personal data and ensure privacy for individuals in the digital environment. The Draft Rules come into effect upon publication, except that specific provisions (Rules 3 to 15, 21 and 22) become effective from a later date to be notified. In practice, this means that initially only the Rules relating to the establishment of the enforcement body, i.e. the Data Protection Board (“DP Board”), the appointment of its chairperson and members, their salaries and allowances, meetings, and the terms and conditions of the Board's officers and employees come into force; the substantive obligations on Data Fiduciaries follow later.
Key Features of Draft Rules
Notice by Data Fiduciary to Data Principal:
Under the Draft Rules, the notice for consent which a Data Fiduciary must provide to a Data Principal must be clear, standalone, simple and understandable. It must include an itemized list of the personal data being collected, a clear description of the purpose of processing along with an itemized explanation of the goods, services or uses enabled by that processing, and the methods by which the Data Principal can withdraw consent, exercise her rights and make complaints. The notice must also provide a communication link to the Data Fiduciary's website or app and describe any other methods by which the Data Principal can withdraw consent (which must be as easy as the process of giving it), exercise her rights and make a complaint to the DP Board.
Registration and Obligations of a Consent Manager:
Under the DPDP Act, a “Consent Manager” is a person registered with the DP Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. Under the Draft Rules, a Consent Manager must be a company incorporated in India with sound financial and operational capacity, a minimum net worth of two crore (20 million) rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent. Consent Managers must avoid conflicts of interest and uphold high standards of transparency, security and fiduciary responsibility. Any transfer of control of a Consent Manager requires prior approval of the DP Board.
Processing for Provision or Issue of Services by the State:
The State and its instrumentalities may process personal data to provide subsidies, benefits, services, certificates, licences or permits. Such processing must comply with the standards in Schedule II of the Draft Rules, which require lawful, transparent and secure handling of personal data.
Reasonable Security Safeguards:
Under the Draft Rules, Data Fiduciaries must implement reasonable security safeguards to protect personal data, including encryption, access control, monitoring for unauthorized access, and data backups. These safeguards are intended to ensure the confidentiality, integrity and availability of personal data, and must include measures for detecting and addressing breaches and for maintaining logs. Contracts with Data Processors must also require equivalent security measures to prevent personal data breaches.
Intimation of Personal Data Breach:
In the event of a personal data breach, a Data Fiduciary must promptly notify every affected Data Principal, providing a clear explanation of the breach, including its nature, extent, timing, potential consequences and the mitigation measures taken, along with safety recommendations for protecting her data. The Data Fiduciary must also inform the DP Board without delay, giving a description of the breach including its nature, extent, timing and location of occurrence and its likely impact, and must provide detailed information within 72 hours of becoming aware of the breach, or within such longer period as the DP Board may permit.
Accountability and Compliance:
Data Fiduciaries must ensure lawful processing of personal data, limit processing to what is necessary for the specified purpose, and retain data only as long as needed. They must also publish their grievance redressal mechanisms on their platforms.
Data Retention Policies:
An e-commerce entity having not less than two crore (20 million) registered users in India, an online gaming intermediary having not less than fifty lakh (5 million) registered users in India, and a social media intermediary having not less than two crore (20 million) registered users in India must erase the personal data of a user after three years unless the user remains active on the platform during that period.
Verifiable Consent for Children and Persons with Disabilities:
The Draft Rules set out the requirements for obtaining verifiable consent from a parent or lawful guardian before processing the personal data of a child or a person with a disability. Specifically, a Data Fiduciary must adopt measures to ensure that the person giving consent for the processing of a child's data is the child's parent or lawful guardian and is identifiable. The Data Fiduciary must also verify that the parent is an adult, using reliable identity details or a virtual token mapped to such details.
Exemptions for Processing Children's Data:
Certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and crèche or child day care centre providers and their transporters, are exempt from specific obligations when processing children's data, subject to the conditions set out in Schedule IV.
Impact Assessments:
Significant Data Fiduciaries must conduct a Data Protection Impact Assessment (DPIA) and an audit every year to evaluate the risks associated with their data processing activities. They must also observe due diligence to verify that the algorithmic software they deploy for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing the personal data they process is not likely to pose a risk to the rights of Data Principals.
Cross-Border Data Transfer:
Data Fiduciaries processing personal data within India, or outside India in connection with offering goods or services to Data Principals in India, must comply with any requirements the Central Government specifies in respect of making such personal data available to a foreign State or to its entities.
Exemption from DPDP Act for research, archiving, or statistical purposes:
The Draft Rules exclude the applicability of the DPDP Act to the processing of personal data carried out for research, archiving or statistical purposes, provided the processing adheres to the standards set out in Schedule II. This exemption allows data processing necessary for academic and policy research to continue while maintaining certain safeguards and standards for the protection of personal data.
Enforcement Framework:
The enforcement mechanism includes the establishment of the regulatory authority, i.e. the DP Board, the appointment of its chairperson and members, and appeals against its orders to the appellate authority.
Implications for Stakeholders:
For Businesses
Organizations, especially small-scale companies, will need to invest significantly in compliance measures to meet the requirements of the Draft Rules. This includes establishing robust consent management systems, enhancing security controls, and ensuring transparent communication with users about their rights and how their data is used.
For Users
The Draft Rules aim to enhance user privacy by providing clearer rights over personal data. Users will have more control over their information, including how it is processed and retained by the platforms they use.
For Regulators
The establishment of the DP Board is expected to facilitate oversight and enforcement of the Rules. The Board will handle complaints from users and ensure compliance by Data Fiduciaries.
Issues in Draft Rules:
Operational Challenges: Smaller businesses may face challenges in managing consent mechanisms and data localization requirements, which may necessitate changes at the design and architecture level of their applications and platforms.
Heavy Compliance Burden on Businesses: The requirement for Significant Data Fiduciaries to conduct annual Data Protection Impact Assessments (DPIAs), verification of algorithmic software and audits may impose a heavy compliance burden, particularly on smaller organizations. This could stifle innovation and limit market entry for new players.
Confusion in Time-line for Intimation of Data Breach: The Draft Rules require a Data Fiduciary to intimate a personal data breach to the regulator, the DP Board, within seventy-two (72) hours of becoming aware of it. However, this time limit differs from the MeitY Directions issued in 2022 under Section 70B(6) of the Information Technology Act, 2000 relating to reporting of cyber incidents, under which companies must mandatorily report cyber incidents, including data breaches, to CERT-In within 6 hours of noticing them or being brought to notice of them. A Data Fiduciary that is also a CERT-In reporting entity will therefore face two parallel reporting clocks for the same incident, and the Draft Rules do not reconcile the two.
Vague Terminology: The Draft Rules use vague expressions such as "reasonable security safeguards", "appropriate technical and organisational measures" and "affect the sovereignty and integrity of India or security of the State" without sufficient elaboration, which may cause difficulties in interpretation and enforcement.
Appeal: No period of limitation for filing an appeal against an order of the DP Board has been provided.
Cross-Border Data Transfer: Data Fiduciaries processing personal data within India, or outside India in connection with offering goods or services to Data Principals in India, must comply with any requirements the Central Government specifies in respect of making such personal data available to a foreign State or its entities. However, what those requirements will be remains uncertain, leaving businesses unable to plan their data flows with confidence.
Grievance Redressal Mechanisms: While businesses are required to establish grievance redressal mechanisms, the effectiveness of these systems remains questionable. There is a lack of detail on how grievances will be processed and resolved, which could undermine users' trust in the system.
Government Exemptions: The Draft Rules provide exemptions for government agencies, raising concerns about fairness and transparency in the handling of personal data by the Government.
Anhad Law Perspective
The Draft Rules represent a significant step in the right direction toward strengthening India's digital privacy landscape. By establishing clear guidelines for data management and user rights, the Draft Rules aim to foster trust between users and digital platforms while ensuring accountability among businesses handling personal information. As the public consultation proceeds, feedback from stakeholders will be crucial in refining the Draft Rules to balance privacy protection with operational feasibility for organizations.
Ranjan Jha, Partner and Ruchika Tandon, Partner