
ANM Global Team’s insights: Draft Digital Personal Data Protection Rules, 2025


By Anushree Rauta, Equity Partner, Adarsh Himatsinghka, Principal Associate, Savan Dhameliya, Associate and Mrunmayee Nagur, Trainee Associate

Recently, the Ministry of Electronics and Information Technology (“Meity”) released[1] a first draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”)[2], to be made as subordinate legislation to the Digital Personal Data Protection Act, 2023 (“DPDP Act”)[3]. Meity has invited feedback and comments from stakeholders on the Draft Rules, in order to consider and address any concerns and suggestions they may raise. The Draft Rules have been released for public consultation almost sixteen and a half months after the enactment of the DPDP Act on 11th August 2023.[4] Only upon finalization of the Draft Rules will the final rules be notified by the Government in the Gazette for implementation. The Draft Rules attempt to lay down key clarifications and guidelines that were left wanting since the enactment of the DPDP Act, such as the registration process for consent managers, what is meant by reasonable security safeguards, the process of intimation in case of a data breach, and the process of verifying consent for a child, all of which are crucial for complying with the requirements of the DPDP Act.

A. Important Terms

There are some important terms to keep in mind while analysing the Draft Rules. These terms are defined under Section 2 of the DPDP Act and are replicated herein for reference:
  • “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.[5]
  • “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.[6]
  • “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.[7]
  • “personal data” means any data about an individual who is identifiable by or in relation to such data.[8]
  • “Board” means the Data Protection Board of India established by the Central Government[9].
B. Key Features of the Draft Rules

1. Requirements for a Notice (Rule 3)

Under Section 4 of the DPDP Act, Data Fiduciaries were required to obtain the Data Principal’s written consent for processing their personal data after giving a notice. Under Section 5, this notice was required to describe the processing of the Data Principal’s personal data, explain how to exercise the right of withdrawal and grievance redressal, and explain how to file a complaint with the Board. Rule 3 of the Draft Rules adds further conditions to those in Section 5: the notice must:
  • be clear, concise, plain, and it should be understandable independently of any other information;
  • include an itemised breakdown of the personal data being processed, clear description of its purpose and an itemized description of the goods or services provided or the uses enabled by such processing; and
  • include a direct link to the Data Fiduciary’s website or app, and description of any other means, that enables the Data Principal to withdraw their consent with ease, exercise their rights under the DPDP Act, and make a complaint to the Data Protection Board.
2. Consent Manager (Rule 4)

Under Section 6 of the DPDP Act, Consent Managers are accountable to Data Principals who wish to manage, review or withdraw their consent, and Consent Managers are to be registered with the Board subject to such conditions as are prescribed under the Rules once notified. Under the current Draft Rules, a Consent Manager is a person who manages consent-related matters for data processing and must meet certain requirements for registration with the Board, as set out in Part A of the First Schedule. The eligibility criteria for such registration, inter alia, include:
  • It must be a company incorporated in India with a minimum net worth of INR 2 Crores.
  • It must demonstrate financial, technical, and operational capability, including sufficient business volume and sound financial management.
  • Its directors and senior management must exhibit fairness and integrity.
  • It must obtain an independent certification that its interoperable platform for Data Principal’s consent management is in compliance with Board-prescribed standards and disclosure obligations.
The obligations of a Consent Manager, as specified in Part B of the First Schedule of the Draft Rules, inter alia, include:
  • Maintain records of consents, notices, and data-sharing transactions for at least seven years.
  • Respond to Data Principals’ requests and grievances.
  • Not sub-contract or assign their obligations under the DPDPA.
  • It shall take reasonable security safeguards to prevent personal data breach.
  • It should act in a fiduciary capacity, avoiding conflicts of interest with Data Fiduciaries.
  • Ensure that the manner of making available the personal data or its sharing is such that the contents thereof are not readable by it.
  • Any transfer of control of Consent Manager company must be pre-approved by the Board.
3. Reasonable security safeguards (Rule 6)

Under Section 8 (5) of the DPDP Act, Data Fiduciaries were required to protect personal data by taking reasonable security safeguards to prevent personal data breach. However, no clarity was given on the extent and meaning of ‘reasonable security safeguards’. Rule 6 of the Draft Rules clarifies the reasonable security safeguards that a Data Fiduciary needs to implement to prevent personal data breach. Data Fiduciaries must now implement reasonable security safeguards to protect the personal data in their possession or under their control, including at the minimum:
  • Implementing data security measures such as encryption, obfuscation, masking, or using virtual tokens;
  • Controlling access to computer resources and maintaining visibility through logs for detecting, investigating, and addressing unauthorized access;
  • Ensuring data continuity through backups in case of data compromise, including loss or destruction of access and retaining logs and personal data for one year to aid in detecting unauthorized access, investigation, and prevention of recurrence unless otherwise required by law;
  • Including appropriate provisions in contracts between Data Fiduciary and Data Processors for taking reasonable security safeguards; and
  • Implementing other appropriate technical and organizational measures.
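The safeguards listed above are legal minimums rather than an implementation, so here is an added illustration (not code from the Draft Rules or from the authors) of how a Data Fiduciary's record store might realise four of them in Python: keyed virtual tokens and field masking, role-based access control, an access log that also records refused reads so that unauthorised attempts are visible to investigation, and a check against the one-year log-retention floor. The record layout, the roles, the masking formats and the in-source key are assumptions made for the demonstration.

```python
"""Illustration of the Rule 6 minimum safeguards in code: masking and keyed
virtual tokens for personal data, role-based access to the record store, an
access log for detecting and investigating unauthorised access, and a check
against the one-year log retention floor. Added example, not text or code
from the Draft Rules or the authors; the record layout, roles, field masks
and key handling are assumptions."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a real deployment the key comes from a KMS/HSM and
# is rotated; it must never sit in source code.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample record of a Data Principal (fictional person).
SAMPLE_RECORD = {
    "principal_id": "DP-0001",
    "name": "Asha Verma",
    "email": "asha.verma@example.com",
    "phone": "+919876543210",
}

# Assumed role model: only these roles see unmasked personal data; a support
# agent sees the masked view; every other role is refused.
UNMASKED_ROLES = frozenset({"dpo", "grievance_officer"})
ALLOWED_ROLES = UNMASKED_ROLES | {"support_agent"}

# Append-only in-memory log; in practice this goes to a tamper-evident store.
ACCESS_LOG = []


def virtual_token(value):
    """Keyed pseudonym (HMAC-SHA256): stable for joins, irreversible without the key."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email):
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(phone):
    """Keep only the last four digits."""
    return "*" * (len(phone) - 4) + phone[-4:]


def masked_view(record):
    """View with every direct identifier masked or tokenised."""
    return {
        "principal_token": virtual_token(record["principal_id"]),
        "name": record["name"][:1] + "***",
        "email": mask_email(record["email"]),
        "phone": mask_phone(record["phone"]),
    }


def log_access(actor, role, principal_id, purpose, outcome, now):
    """Record who touched which record, why, and whether it was allowed."""
    ACCESS_LOG.append({
        "ts": now.isoformat(),
        "actor": actor,
        "role": role,
        # the log itself carries the token, not the raw identifier
        "principal_token": virtual_token(principal_id),
        "purpose": purpose,
        "outcome": outcome,
    })


def read_personal_data(actor, role, record, purpose, now=None):
    """Access-controlled read. Denied reads are logged too, so that
    unauthorised attempts can be detected and investigated."""
    now = now or datetime.now(timezone.utc)
    if role not in ALLOWED_ROLES:
        log_access(actor, role, record["principal_id"], purpose, "denied", now)
        raise PermissionError("role %r may not access personal data" % role)
    if role in UNMASKED_ROLES:
        log_access(actor, role, record["principal_id"], purpose, "granted_unmasked", now)
        return dict(record)
    log_access(actor, role, record["principal_id"], purpose, "granted_masked", now)
    return masked_view(record)


def entries_past_minimum_retention(now, retention_days=365):
    """Rule 6 requires logs to be retained for at least one year. Return the
    entries older than that floor; deleting them is a separate policy decision,
    since other law may require longer retention."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in ACCESS_LOG if datetime.fromisoformat(e["ts"]) < cutoff]


if __name__ == "__main__":
    t0 = datetime(2025, 1, 10, tzinfo=timezone.utc)
    print(read_personal_data("agent-7", "support_agent", SAMPLE_RECORD, "ticket 42", t0))
    try:
        read_personal_data("intern-1", "marketing", SAMPLE_RECORD, "campaign", t0)
    except PermissionError as exc:
        print("refused:", exc)
    print(len(ACCESS_LOG), "log entries;",
          len(entries_past_minimum_retention(t0 + timedelta(days=400))), "past one year")
```

Two design points worth noting: the access log stores the HMAC token rather than the raw identifier, so the log itself does not become a second copy of the personal data it is meant to protect; and the retention helper only reports entries older than the one-year floor rather than deleting them, because the Rule sets a minimum and other law may require longer retention.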
Failure of a Data Fiduciary to observe its obligation to take reasonable security safeguards to prevent personal data breach can attract a penalty of up to INR 250,00,00,000/- (Indian Rupees Two Hundred and Fifty Crores).[10]

4. Intimation of Personal Data Breach (Rule 7)

Under Section 8 (6) of the DPDP Act, the Data Fiduciary is required to give intimation to the Board and to each affected Data Principal in the event of a personal data breach, in the manner laid out in the Rules once notified. Under Rule 7 of the Draft Rules, when a Data Fiduciary becomes aware of a personal data breach, it must intimate, to the best of its knowledge, each affected Data Principal in clear and simple terms, through their user account or any registered mode of communication. The intimation should include:
  • A description of the breach (nature, extent, timing, and location).
  • Potential consequences for the Data Principal.
  • Steps taken to mitigate risks.
  • Safety measures the Data Principal can adopt.
  • Contact details of a representative who will respond to inquiries of Data Principal.
Simultaneously, the Data Fiduciary must notify the Board without delay, providing an initial description of the breach (nature, extent, timing) and its likely impact. Within 72 hours (or longer if permitted), it must submit detailed information, including:
  • Updated details of the initial description of breach.
  • the events leading to the breach.
  • mitigation efforts.
  • findings about the responsible party.
  • remedial steps to prevent recurrence.
  • a report on notifications sent to affected Data Principals.
5. Retention Period of Personal Data (Rule 8)

Under Section 8(7) of the DPDP Act, personal data must be erased after the Data Principal withdraws consent or once the specified purpose is no longer being served. Rule 8 read with the Third Schedule of the Draft Rules states that if a Data Fiduciary belongs to a specified class, i.e. e-commerce entities and social media platforms with not less than 2 crore registered users, or online gaming intermediaries with not less than 50 lakh registered users, it must delete the personal data upon expiry of three (3) years from the last time the Data Principal approached it for performance of the specified purpose or exercise of her rights, or from the commencement of the Rules. This erasure is subject to the retention of data required for the Data Principal’s access to their account and/or virtual exchangeable tokens. The Data Fiduciary has to notify the Data Principal at least 48 hours before the data is deleted that their data will be erased unless the Data Principal logs in to their user account, approaches the Data Fiduciary for performance of the specified purpose, or exercises their rights.

6. Verifiable Consent for processing personal data of a Child (Rule 10)

The requirement of verifiable parental consent for a Child is provided under Section 9 (1) of the DPDP Act, where a Data Fiduciary has to obtain the verifiable consent of the parent or lawful guardian, as applicable, (“parent”) before processing the personal data of such Child (defined as an individual below 18 years of age). Rule 10 (1) of the Draft Rules provides that a Data Fiduciary must ensure and lay down the procedure to confirm, firstly, that consent for processing of personal data of a Child is given by an identifiable parent, secondly, the identifiability of the relation between the child and the parent, and thirdly, that such parent is an adult, through reliable identity and age details.
These verifications can be done either through: (a) identity and age details already available with the Data Fiduciary, as provided in Rule 10 (1) (a); or (b) identity and age details issued either by an entity entrusted by law or by the Government itself, which are voluntarily provided by the parent through a Digital Locker service provider, as provided in Rule 10 (1) (b). There are a few exceptions under Rule 11 where verifiable parental consent is not required. Data Fiduciaries that are clinical or mental health establishments, healthcare professionals, educational institutions, or child day care centres are not required to follow the requirements of Section 9(1) and Section 9(3), provided that the processing of such personal data is restricted to the corresponding conditions mentioned in the Fourth Schedule of the DPDP Rules.

7. Additional obligations of Significant Data Fiduciaries (Rule 12)

Significant Data Fiduciaries are Data Fiduciaries notified as such by the Central Government. Under Section 10 (2) of the DPDP Act, Significant Data Fiduciaries have additional obligations: to designate a Data Protection Officer, to designate an independent data auditor, and to conduct Data Protection Impact Assessments. Under Rule 12 of the Draft Rules, Significant Data Fiduciaries must annually conduct a Data Protection Impact Assessment and a comprehensive audit, with key findings reported to the Data Protection Board. They are also required to verify that the algorithmic software used for processing personal data does not pose a risk to the rights of Data Principals. Furthermore, they must implement measures to ensure that certain personal and traffic data, as identified by the Central Government, is processed in compliance with restrictions, including a prohibition on transferring such data outside India.

8. Rights of Data Principals (Rule 13)

Under Sections 11 and 12 of the DPDP Act, various rights of Data Principals are set out, including the right to correction, completion, updating and erasure of personal data for the processing of which they have previously given consent. Under Section 14, Data Principals also have the right to nominate any other individual to exercise the Data Principal’s rights in the event of their demise. Under Rule 13, Data Fiduciaries and Consent Managers must provide information on their website or app about how Data Principals can request to exercise their rights, including any necessary identifiers, such as usernames, for identification. Data Principals can request access to their personal data or ask for its deletion by contacting the Data Fiduciary. Data Fiduciaries must also publish the time frame for handling grievances and ensure that effective measures and procedures are in place to respond within this period.

9. Processing of personal data outside India (Rule 14)

Section 16 of the DPDP Act provides that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be notified. Rule 14 of the Draft Rules provides that the processing of personal data outside India is restricted such that any transfer by a Data Fiduciary, whether within India or in connection with services offered to Data Principals in India, must comply with the requirements specified by the Central Government for making such data available to any foreign state or its entities.

10. Appeal to Appellate Tribunal (Rule 21)

Under Section 29 (1) of the DPDP Act, every person has a right of appeal before the Appellate Tribunal against any order or direction made by the Board. Each such appeal must be filed within sixty days from the date of receipt of the order or direction.[11] Rule 21 of the Draft Rules describes the manner of appeal.
It is provided that all appeals against the Board’s orders must be filed digitally, following the procedure on the Appellate Tribunal’s website. A fee, similar to that under the Telecom Regulatory Authority of India Act, 1997, must be paid digitally through UPI or any other authorised payment method. It is important to note that the Appellate Tribunal is not bound by the Civil Procedure Code but follows the principles of natural justice and can set its own procedures.[12] The Appellate Tribunal operates as a digital office and may use techno-legal methods to conduct proceedings so that physical presence is not required.

11. Calling for information from Data Fiduciary or intermediary (Rule 22)

Under Section 36 of the DPDP Act, the Central Government may require any Data Fiduciary to furnish such information as it may call for. Elaborating on this power, Rule 22 of the Draft Rules clarifies that the Central Government can call for information only for the purposes of the DPDP Act outlined in the Seventh Schedule, and only through an authorised person specified in the Seventh Schedule. The time frame for providing this information will be specified, and if disclosure could harm India’s sovereignty, integrity, or security, the Data Fiduciary may not disclose it without the written permission of the Central Government. It has also been clarified that providing information in this manner would fulfil the obligation under Section 36 of the DPDP Act.

C. Enactment Procedure

According to Rule 1(3), the Draft Rules will come into force on the date of their publication in the official gazette, except Rules 3 to 15 and Rules 21 and 22. This essentially means that upon publication of the finalized Draft Rules, only the provisions relating to the constitution and functioning of the Data Protection Board will come into force; the other substantive provisions will come into force at a later date.

D. Comments and Analysis

Reasonable Security Safeguards

A minimum requirement for fulfilling the reasonable security safeguards standard is the inclusion of “appropriate provisions” in contracts between Data Fiduciaries and Data Processors.[13] It is important to note, however, that there is a lack of clarity on what these “appropriate provisions” are, since different interpretations of appropriateness would lead to confusion and vagueness. This in turn could result in non-compliance with the obligation to take reasonable security safeguards, the consequence of which can be extremely heavy penalties of up to INR 250 crores (Indian Rupees Two Hundred and Fifty Crores).[14] Further, there is an obligation to take appropriate measures to control access to the computer resources used by the Data Fiduciary.[15] “Computer resource” has the same meaning as assigned to it under the Information Technology Act, 2000 (21 of 2000) (“IT Act”). The definition under the IT Act covers any computer, computer system, computer network, data, computer data base or software. It is not restricted to computer resources that are specifically linked to the Data Principal’s personal data. This implies that every computer resource owned by a Data Fiduciary would require access control, regardless of the nature of the data stored. A clarification should be given that only those computer resources that relate to the Data Principal’s personal data require access control.

Data Protection Impact Assessment

Under Rule 12(1), a Significant Data Fiduciary has to undertake a Data Protection Impact Assessment (DPIA) and an audit once in every period of twelve months from the date on which it is notified as a Significant Data Fiduciary.
However, no details are provided, either in the DPDP Act or in the Draft Rules, of what should be included, what format should be followed, and whether there are any guidelines to be followed while preparing the DPIA and conducting the audit. In light of this lack of clarity, the result could be non-compliance if the Board or the Appellate Tribunal deem the audit or the DPIA to be lacking in some aspect, even though no guidance was provided. Therefore, detailed instructions and guidelines on this need to be published.

Verifiable Parental Consent for a Child

Rule 10 (1) of the Draft Digital Personal Data Protection Rules, 2025 provides that a Data Fiduciary must ensure and lay down the procedure to confirm, firstly, that consent for processing of personal data of a Child is given by an identifiable parent, secondly, the identifiability of the relation between the child and the parent, and thirdly, that such parent is an adult, through reliable identity and age details. However, there seems to be a lack of clarity in respect of a child falsely representing as an adult, in which case the Section 9 requirement will not be triggered. While there is no explicit provision requiring age verification for adults under the DPDP Act or its Rules, it would be advisable to seek proof of age from all Data Principals, to verify that they are adults. It is also important to note that the age and identity details required under Rule 10 (1) (a) and (b) for confirming the identity and age of the parent are not accompanied by any list of approved government IDs. This creates confusion, since to prove identity, details of both parents of the child would be required, which are available on Passports. However, many people in India lack the resources or facilities to obtain a Passport.
In such cases, alternative government ID cards such as PAN and Driving Licence would only provide details of the father of the child, leaving a lack of clarity for single mothers.

Intimation on Personal Data Breach

Under Rule 7 of the Draft Rules, it is stated that “on becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay”. The placement of the phrase ‘to the best of its knowledge’ creates ambiguity, since there can be two interpretations of this Rule. On the one hand, it may mean that the Data Fiduciary shall only inform of such breach as it is aware of to the best of its knowledge; on the other hand, it may mean that the Data Fiduciary shall only inform those Data Principals who appear to be affected to the best of its knowledge. This clarification is important since the obligation to provide intimation of a personal data breach is an important obligation with significant consequences.

Consent Manager

A Consent Manager is defined, inter alia, as a ‘person’ registered with the Board;[16] however, the first condition for registration appears to be that the Consent Manager must be a company incorporated in India with a net worth of not less than INR 2 crores.[17] It is unclear whether additional amendments will be introduced to allow professionals and entities not incorporated as companies to act as Consent Managers, or whether the definition under the DPDP Act will be amended to include only a ‘company’. Consent Managers are under an obligation to take reasonable security safeguards to prevent personal data breach;[18] however, there is no clarity on whether the minimum standards of a “reasonable security safeguard” mentioned in Rule 6 of the Draft Rules would also apply to Consent Managers.
This is an important clarification since, as stated earlier, the consequences of non-compliance are huge, and although these are stated as applicable only to Data Fiduciaries under the DPDP Act, it is uncertain whether the same would apply to Consent Managers.

Transfer of Personal Data outside India

Under Rule 14, the Draft Rules do not clarify whether restrictions on cross-border data transfers apply solely to the transfer of personal data to foreign entities operating outside the borders of the Indian Union, or whether they also extend to sharing data with foreign-funded entities functioning inside those borders. These restrictions will understandably be elaborated in future by the Central Government through a separate notification, but it is important that this clarification be given in that notification.

Rights of Data Principals

The Draft Rules provide for the exercise of Data Principals’ rights under Section 14 of the DPDP Act, which includes a right to nominate individuals who can exercise their rights under the DPDP Act and Draft Rules after their death or incapacity. This essentially extends the rights to privacy and personality beyond the demise of an individual. In Deepa Jayakumar v. AL Vijay and Ors.,[19] the Madras High Court dismissed an appeal and effectively held that the right to privacy extinguishes with the life of a person and cannot be inherited or enforced posthumously.[20] Further, the Delhi High Court in Krishna Kishore Singh v. Sarla A Saraogi[21] essentially held that reputation, personality, and the privacy and personality rights that emanate therefrom, are not heritable.[22] It is therefore not clear whether the legislators intend to make an exception, extending personality and privacy rights after an individual’s demise, by explicitly enacting a provision to that effect. The Government could give a clarification either through a notification under the DPDP Act or via the Draft Rules.
If the intent is to extend these rights posthumously, the position taken by various Courts on this issue will need to be revisited, which will be an extensive process.

E. Conclusion

The Draft Digital Personal Data Protection Rules, 2025 provide essential clarifications on several key areas, including reasonable security safeguards, verifiable parental consent for children, personal data breach intimations, and registration of consent managers. However, the Draft Rules also contain various ambiguities that need to be addressed to prevent significant consequences, as potential non-compliance could lead to hefty penalties and operational uncertainty for stakeholders. Before finalizing and publishing the Draft Rules, it is imperative to address these ambiguities and provide detailed guidelines to ensure clarity and compliance. Additionally, prior intimation should be given before enforcing the substantive provisions of the Draft Rules, allowing Data Fiduciaries, Consent Managers, and Data Processors adequate time to align their practices with the new regulations.

Footnotes

[1] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271.
[2] https://www.meity.gov.in/writereaddata/files/259889.pdf.
[3] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.
[4] https://innovateindia.mygov.in/dpdp-rules-2025.
[5] Section 2(g), DPDP Act.
[6] Section 2(i), DPDP Act.
[7] Section 2(j), DPDP Act.
[8] Section 2(t), DPDP Act.
[9] Section 2(c), DPDP Act.
[10] Sl No. 1, The Schedule, Digital Personal Data Protection Act, 2023.
[11] Section 29(2) of the DPDP Act, 2023.
[12] Rule 21(3)(a) of the Draft Rules.
[13] Rule 6(1)(f), Draft Rules.
[14] Sl No. 1, The Schedule, Digital Personal Data Protection Act, 2023.
[15] Rule 6(1)(b) of the Draft Rules.
[16] Section 2(g), DPDP Act.
[17] Points 1 and 4, First Schedule, Draft Rules.
[18] Point 7, Part B, First Schedule, Draft Rules.
[19] O.S.A. No. 75 of 2020.
[20] Ibid, Para 36.
[21] 2023 SCC OnLine Del 3997.
[22] Ibid, Para 21.