
ANM Global Team’s insights: Draft Digital Personal Data Protection Rules, 2025

The Ministry of Electronics and Information Technology (“Meity”) has recently released[1] a
first draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”)[2], to be made as
subordinate legislation under the Digital Personal Data Protection Act, 2023 (“DPDP Act”)[3].
Meity has invited feedback and comments from stakeholders on the Draft Rules, in order to
consider and address the concerns and suggestions that such stakeholders may raise.

These Draft Rules have been released for public consultation almost sixteen and a half months after the enactment of the DPDP Act on 11th August 2023.[4] Only upon finalization of
these Draft Rules will the finalized rules be notified by the Government in the Gazette for
further implementation.

The Draft Rules attempt to lay down some key clarifications and guidelines that were left
wanting since the enactment of the DPDP Act, such as the registration process of consent
managers, clarification of what is meant by reasonable security safeguards, process of
intimation in case of data breach, and the process of verifying consent for a child, which were
crucial to comply with the requirements laid down under the DPDP Act.

A. Important Terms
There are some important terms to keep in mind while analysing the Draft Rules. These terms
were defined under Section 2 of the DPDP Act and are replicated herein for reference:

  • “Consent Manager” means a person registered with the Board, who acts as a single point of
    contact to enable a Data Principal to give, manage, review and withdraw her consent
    through an accessible, transparent and interoperable platform.[5]
  • “Data Fiduciary” means any person who alone or in conjunction with other persons
    determines the purpose and means of processing of personal data.[6]
  • “Data Principal” means the individual to whom the personal data relates and where such
    individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a
    person with disability, includes her lawful guardian, acting on her behalf.[7]
  • “personal data” means any data about an individual who is identifiable by or in relation to
    such data.[8]
  • “Board” means the Data Protection Board of India established by the Central
    Government[9].

B. Key Features of the Draft Rules:
1. Requirements for a Notice (Rule 3)
Under Section 4 of the DPDP Act, the Data Fiduciaries were required to obtain the Data
Principal’s written consent for processing their personal data after giving a notice. This notice
was required to outline the processing of the Data Principal’s personal data, information on
how to exercise their right of withdrawal and grievance redressal, and information on how to
file a complaint with the Board under Section 5.

Under Rule 3 of the present Draft Rules, in addition to the conditions mentioned in Section 5,
there are further conditions to be followed, namely that the notice must:

  • be clear, concise, plain, and it should be understandable independently of any other
    information;
  • include an itemised breakdown of the personal data being processed, a clear description of its
    purpose and an itemised description of the goods or services provided or the uses enabled
    by such processing; and
  • include a direct link to the Data Fiduciary’s website or app, and description of any other
    means, that enables the Data Principal to withdraw their consent with ease, exercise their
    rights under the DPDP Act, and make a complaint to the Data Protection Board.

2. Consent Manager (Rule 4)
Under Section 6 of the DPDP Act, Consent Managers were to be accountable to Data
Principals and act on their behalf when they wish to manage, review or withdraw their consent, and
Consent Managers were to be registered with the Board subject to such conditions as would be
prescribed under the Rules once notified.

Under the current Draft Rules, a Consent Manager is a person who manages consent-related
matters for data processing and must meet certain requirements for registration with the Board
as mentioned in Part A of the First Schedule.

The eligibility criteria for such registration with the Board, inter alia, include:

  • It must be a company incorporated in India with a minimum net worth of INR 2 Crores.
  • It must demonstrate financial, technical, and operational capability, including sufficient
    business volume and sound financial management.
  • Its directors and senior management must exhibit fairness and integrity.
  • It must obtain an independent certification that its interoperable platform for Data
    Principal’s consent management is in compliance with Board-prescribed standards and
    disclosure obligations.

The obligations of a Consent Manager, as specified in Part B of the First Schedule of the Draft
Rules, inter alia, include:

  • Maintain records of consents, notices, and data-sharing transactions for at least seven
    years.
  • Respond to Data Principals’ requests and grievances.
  • Not sub-contract or assign their obligations under the DPDP Act.
  • Take reasonable security safeguards to prevent personal data breach.
  • Act in a fiduciary capacity, avoiding conflicts of interest with Data Fiduciaries.
  • Ensure that the manner of making available the personal data or its sharing is such that the
    contents thereof are not readable by it.
  • Obtain the Board’s prior approval for any transfer of control of the Consent Manager company.

3. Reasonable security safeguards (Rule 6)
Under Section 8 (5) of the DPDP Act, the Data Fiduciaries were required to protect personal
data by taking reasonable security safeguards to prevent personal data breach. However, no
clarity was given on the extent and meaning of ‘reasonable security safeguards’.

Rule 6 of the Draft Rules clarifies the reasonable security safeguards that a Data Fiduciary
needs to implement to prevent personal data breach. Data Fiduciaries must now implement
reasonable security safeguards to protect the personal data they possess or control, including at
the minimum:

  • Implementing data security measures such as encryption, obfuscation, masking, or using
    virtual tokens;
  • Controlling access to computer resources and maintaining visibility through logs for
    detecting, investigating, and addressing unauthorized access;
  • Ensuring continuity of processing through backups in case personal data is compromised,
    including through loss or destruction of access to it;
  • Retaining logs and personal data for one year to aid in detecting unauthorized access,
    investigation, and prevention of recurrence, unless otherwise required by law;
  • Including appropriate provisions in contracts between Data Fiduciary and Data Processors
    for taking reasonable security safeguards; and
  • Implementing other appropriate technical and organizational measures.

Failure to observe the obligation of a Data Fiduciary to take reasonable security safeguards to
prevent personal data breach can attract a penalty of up to INR 250,00,00,000/- (Indian Rupees
Two Hundred and Fifty Crores).[10]

4. Intimation of Personal Data Breach (Rule 7)
Under Section 8 (6) of the DPDP Act, the Data Fiduciary is required to give intimation to the
Board and each affected Data Principal in the event of a personal data breach, in the manner
which is to be laid out in the Draft Rules once notified.

Under Rule 7 of the Draft Rules, when a Data Fiduciary becomes aware of a personal data
breach, it must intimate, to the best of its knowledge, each affected Data Principal in clear and
simple terms, through the Data Principal’s user account or any registered mode of communication.
The intimation should include:

  • A description of the breach (nature, extent, timing, and location).
  • Potential consequences for the Data Principal.
  • Steps taken to mitigate risks.
  • Safety measures the Data Principal can adopt.
  • Contact details of a representative who will respond to inquiries of Data Principal.

Simultaneously, the Data Fiduciary must notify the Board without delay, providing an initial
description of the breach (nature, extent, timing) and its likely impact. Within 72 hours (or
longer if permitted), it must submit detailed information, including:

  • Updated details of the initial description of the breach.
  • The events leading to the breach.
  • Mitigation efforts.
  • Findings about the responsible party.
  • Remedial steps to prevent recurrence.
  • A report on the notifications sent to affected Data Principals.

5. Retention Period of Personal Data (Rule 8)
Under Section 8(7) of the DPDP Act, personal data must be erased after the Data Principal
withdraws consent or once the specified purpose is no longer being served.

Rule 8 read with the Third Schedule of the Draft Rules states that if a Data Fiduciary belongs to a
certain class, i.e., e-commerce entities and social media platforms with not less than 2 crore
registered users, or online gaming intermediaries with not less than 50 lakh registered users, it
must delete the personal data upon expiry of three (3) years from the last time the Data
Principal approached it for performance of the specified purpose or exercise of her rights, or from
the commencement of the Rules. This erasure is subject to retention of the data required for the
Data Principal’s access to their account and/or virtual exchangeable tokens. The Data Fiduciary
has to notify the Data Principal at least 48 hours before the data is deleted that their data will be
erased unless the Data Principal logs in to their user account, approaches the Data Fiduciary for
performance of the specified purpose, or exercises their rights.

6. Verifiable Consent for processing personal data of a Child (Rule 10)
The requirement of verifiable parental consent for a Child is provided under Section 9 (1) of the
DPDP Act, where a Data Fiduciary has to obtain verifiable consent of the parent or lawful
guardian, as applicable, (“parent”) before processing personal data of such Child (defined as an
individual below 18 years of age).

Rule 10 (1) of the Draft Rules provides that a Data Fiduciary must ensure and lay down the
procedure to confirm, firstly, that consent for processing of personal data of a Child is given by
an identifiable parent, secondly, the identifiability of the relation between the child and the
parent, and thirdly, that such parent is an adult; through reliable identity and age details.

These verifications can either be done through: a) identity and age details already available with
the Data Fiduciary as provided in Rule 10 (1) (a); or b) identity and age details issued, either by
an entity entrusted by law, or issued by the Government itself, which are voluntarily provided
by the parent through a Digital Locker service provider, as provided in Rule 10 (1) (b).

There are a few exceptions given under Rule 11 where verifiable parental consent is not
required. Data Fiduciaries who are clinical or mental health establishments, healthcare
professionals, educational institutions, or child day care centres, are not required to follow the
requirements of Section 9(1) and Section 9(3), provided that the processing of such personal
data is restricted to the corresponding conditions mentioned in the Fourth Schedule of the
DPDP Rules.

7. Additional obligations of significant Data Fiduciaries (Rule 12)
Significant Data Fiduciaries are Data Fiduciaries which are notified as such by the Central
Government. Under Section 10 (2) of the DPDP Act, Significant Data Fiduciaries have additional
obligations, namely to designate a Data Protection Officer, designate an independent data
auditor, and conduct Data Protection Impact Assessments. Under Rule 12 of the Draft Rules,
Significant Data Fiduciaries must annually conduct a Data Protection Impact Assessment and a
comprehensive audit, with key findings reported to the Data Protection Board. Significant Data
Fiduciaries are also required to verify that the algorithmic software used for processing personal
data does not pose a risk to the rights of Data Principals.

Furthermore, they must implement measures to ensure that certain personal and traffic data, as
identified by the Central Government, is processed in compliance with restrictions, including
prohibiting the transfer of such data outside India.

8. Rights of Data Principals (Rule 13)
Under Section 11 and Section 12 of the DPDP Act, various rights of Data Principals have been
set out, including the right to correction, completion, updating and erasure of their personal data
for the processing of which they have previously given consent. Under Section 14, Data
Principals also have the right to nominate any other individual who can exercise the Data
Principal’s rights in case of their demise.

Under Rule 13, Data Fiduciaries and Consent Managers must provide information on their
website or app about how Data Principals can request to exercise their rights, including any
necessary identifiers, such as usernames, used for identification. Data Principals can request access
to their personal data or ask for its deletion by contacting the Data Fiduciary. Data Fiduciaries
must also publish the time frame for handling grievances and ensure that effective
measures and procedures are in place to respond within this period.

9. Processing of personal data outside India (Rule 14)
Section 16 of the DPDP Act provides that the Central Government may, by notification,
restrict the transfer of personal data by a Data Fiduciary for processing to such country or
territory outside India as may be so notified.

Rule 14 of the Draft Rules provides that the processing of personal data outside India is
restricted such that any transfer by a Data Fiduciary, whether processing within India or in
connection with services offered to Data Principals in India, must comply with the requirements
that the Central Government may specify for making such data available to any foreign state or
its entities.

10. Appeal to Appellate Tribunal (Rule 21)
Under Section 29 (1) of the DPDP Act, every person has a right of appeal against any order or
direction made by the Board before the Appellate Tribunal. Each such appeal is supposed to be
filed within sixty days from the date of receipt of the order or direction.[11]

Under Rule 21 of the Draft Rules, the manner of appeal has been described. It is provided that
all appeals against the Board’s orders must be filed digitally, following the procedure on the
Appellate Tribunal’s website. A fee, similar to that under the Telecom Regulatory Authority of
India Act, 1997, must be paid digitally through UPI or any other authorised payment method.

It is important to note that the Appellate Tribunal is not bound by the Code of Civil Procedure
but follows the principles of natural justice and can set its own procedures.[12] The Appellate
Tribunal operates as a digital office, and it may use techno-legal methods to conduct proceedings
such that physical presence is not required.

11. Calling for information from Data Fiduciary or intermediary (Rule 22)
Under Section 36 of the DPDP Act, the Central Government may require any Data Fiduciary
to furnish such information as it may call for. Elaborating on this power, Rule 22 of the Draft
Rules clarifies that the Central Government can call for information only for the purposes of the
DPDP Act outlined in the Seventh Schedule, and only through an authorized person specified
in the Seventh Schedule. The time frame for providing this information will be specified, and if
disclosure could harm India’s sovereignty, integrity, or security, the Data Fiduciary may not
disclose it without the written permission of the Central Government. It has also been clarified
that providing information in this manner would fulfil the obligation stated under Section 36 of
the DPDP Act.

C. Enactment Procedure
According to Rule 1(3), the Rules will come into force on the date of their publication in the Official Gazette, except Rules 3 to 15 and Rules 21 and 22. This essentially means that upon publication of the finalized Rules, only the provisions relating to the constitution and functioning of the Data Protection Board will come into force immediately; the other substantive provisions will come into force at a later date.

D. Comments and Analysis
Reasonable Security Safeguards:
A minimum requirement for meeting the reasonable security safeguards standard is the
inclusion of “appropriate provisions” in contracts between the Data Fiduciary and Data
Processors.[13] It is important to note, however, that there is a lack of clarity on what these
“appropriate provisions” are, since different interpretations of appropriateness would lead to
confusion and vagueness. This in turn could result in non-compliance with the obligation to
take reasonable security safeguards, the consequence of which can be extremely heavy penalties
of up to INR 250 crores (Indian Rupees Two Hundred and Fifty Crores).[14]

Further, there is an obligation to take appropriate measures to control access to the computer
resources used by the Data Fiduciary.[15] The term “computer resource” has the same meaning
as assigned to it under the Information Technology Act, 2000 (21 of 2000) (“IT Act”). The
definition under the IT Act covers any computer, computer system, computer network, data,
computer database or software. It is not restricted to computer resources that are specifically
linked to the Data Principal’s personal data. This implies that every computer resource owned
by a Data Fiduciary would require access control, regardless of the nature of the data stored on
it. A clarification should be given that only those computer resources that relate to the Data
Principal’s personal data require access control.

Data Protection Impact Assessment
Under Rule 12(1), a Significant Data Fiduciary has to undertake a Data Protection Impact
Assessment (DPIA) and an audit once in every period of twelve months from the date on which
it is notified as Significant Data Fiduciary. However, there are no details provided either in the
DPDP Act, or the Draft Rules, to understand what details should be included, what format
should be followed, and if there are any guidelines to be followed while preparing the DPIA
and conducting the audit. Given this lack of clarity, the result could be a finding of non-compliance
if the Board or the Appellate Tribunal deems the audit or the DPIA to be lacking in some aspect,
even though no guidance was provided. Therefore, detailed instructions and guidelines regarding
the same need to be published.

Verifiable Parental Consent for a Child
Rule 10 (1) of the Draft Digital Personal Data Protection Rules, 2025, provides that a Data
Fiduciary must ensure and lay down the procedure to confirm, firstly, that consent for
processing of personal data of a Child is given by an identifiable parent, secondly, the
identifiability of the relation between the child and the parent, and thirdly, that such parent is
an adult; through reliable identity and age details.

However, there seems to be a lack of clarity in respect of a child falsely representing themselves as
an adult, in which case the Section 9 requirement would not be triggered. While there is no explicit
provision requiring age verification for adults under the DPDP Act or its Rules, it would be
advisable to seek proof of age from all Data Principals, to verify that they are adults.

It is also important to note that Rule 10 (1) (a) and (b), which require age and identity details
for confirming the identity and age of the parents, do not provide any list of approved
government IDs. This creates confusion, since to prove identity, details of both parents of the
child would be required, which are available on Passports. However, many people in India lack
the resources or facilities to obtain a Passport, in which case using alternative government ID
cards such as PAN and Driving Licence would only provide details of the father of the child,
meaning there is a lack of clarity for single mothers.

Intimation on Personal Data Breach
Under Rule 7 of the Draft Rules, it is stated that “on becoming aware of any personal data
breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data
Principal, in a concise, clear and plain manner and without delay”.

The placement of the phrase ‘to the best of its knowledge’ creates ambiguity, since there can be
two interpretations of this Rule. On the one hand, it may mean that the Data Fiduciary shall
only intimate such breaches as it is aware of to the best of its knowledge; on the other hand, it
may mean that the Data Fiduciary shall only intimate those Data Principals who appear to be
affected to the best of its knowledge. This clarification is important since the obligation to
intimate a personal data breach is an important obligation with significant consequences.

Consent Manager
A Consent Manager is defined, inter alia, as a ‘person’ registered with the Board;[16] however, the
first condition for registration seems to be that the Consent Manager should be a company
incorporated in India with a net worth of not less than INR 2 crores.[17] It is unclear at present
whether additional amendments will be introduced to allow professionals and entities not
incorporated as companies to act as Consent Managers, or whether its definition under the
DPDP Act will be amended to include only a ‘company’.

Consent Managers are under an obligation to take reasonable security safeguards to prevent
personal data breach;[18] however, no clarity is given on whether the minimum standards of a
“reasonable security safeguard” mentioned in Rule 6 of the Draft Rules would also apply to
Consent Managers. This is an important clarification, since, as stated earlier, the consequences
of non-compliance are huge, and although these are stated as applicable only to Data Fiduciaries
under the DPDP Act, it is uncertain whether the same would apply to Consent Managers.

Transfer of Personal Data outside India
Under Rule 14, the Draft Rules do not clarify whether restrictions on cross-border data
transfers apply solely to the transfer of personal data to foreign entities operating outside
India’s borders, or whether they also extend to sharing data with foreign-funded entities that
are functioning inside India’s borders. These restrictions will understandably be elaborated in
the future by the Central Government through a separate notification, and it is important that
this clarification be given in that notification.

Rights of Data Principals
The Draft Rules provide for the exercise of Data Principals’ rights under Section 14 of the DPDP
Act, which includes a right to nominate individuals who can exercise their rights under the
DPDP Act and Draft Rules after their death or incapacity. This essentially extends the right to
privacy and personality beyond the demise of an individual. In Deepa Jayakumar v. AL Vijay
and Ors.,[19] the Madras High Court dismissed an appeal and effectively held that the right to
privacy extinguishes with the life of a person and cannot be inherited or enforced
posthumously.[20] Further, the Delhi High Court in Krishna Kishore Singh v. Sarla A Saraogi[21]
has essentially held that reputation, personality, and the privacy and personality rights that
emanate therefrom, are not heritable.[22]

It is, therefore, not clear whether the legislators intend to make an exception regarding
extension of personality and privacy rights after an individual’s demise by explicitly enacting a
provision for the same. The Government could give a clarification regarding the same either
through a notification under the DPDP Act or via the Draft Rules. In case the intent is to
extend these rights posthumously, the position of various Courts on this issue will now need to
be revisited, which will be an extensive process.

E. Conclusion
The Draft Digital Personal Data Protection Rules, 2025 provide essential clarifications on
several key areas, including reasonable security safeguards, verifiable parental consent for
children, personal data breach intimations, and registration of Consent Managers. However, the
Draft Rules also contain various ambiguities that need to be addressed, since potential
non-compliance could lead to hefty penalties and operational uncertainties for stakeholders.

Before finalizing and publishing the Draft Rules, it is imperative to address these ambiguities
and provide detailed guidelines to ensure clarity and compliance. Additionally, prior intimation
should be given before enforcing substantive provisions of the Draft Rules, allowing Data
Fiduciaries, Consent Managers, and Data Processors adequate time to align their practices with
the new regulations.

Footnotes

[1] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271.
[2] https://www.meity.gov.in/writereaddata/files/259889.pdf.
[3] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.
[4] https://innovateindia.mygov.in/dpdp-rules-2025.
[5] Section 2(g), DPDP Act.
[6] Section 2(i), DPDP Act.
[7] Section 2(j), DPDP Act.
[8] Section 2(t), DPDP Act.
[9] Section 2(c), DPDP Act.
[10] Sl. No. 1, The Schedule, Digital Personal Data Protection Act, 2023.
[11] Section 29(2), DPDP Act.
[12] Rule 21(3)(a), Draft Rules.
[13] Rule 6(1)(f), Draft Rules.
[14] Sl. No. 1, The Schedule, Digital Personal Data Protection Act, 2023.
[15] Rule 6(1)(b), Draft Rules.
[16] Section 2(g), DPDP Act.
[17] Points 1 and 4, Part A, First Schedule, Draft Rules.
[18] Point 7, Part B, First Schedule, Draft Rules.
[19] O.S.A. No. 75 of 2020.
[20] Ibid., Para 36.
[21] 2023 SCC OnLine Del 3997.
[22] Ibid., Para 21.