All you wanted to know about the Draft Digital Personal Data Protection Rules, 2025

A detailed explainer on the provisions and implications of the Draft Digital Personal Data Protection Rules, 2025.

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules (DPDP Rules). The government invited suggestions and objections from stakeholders via the MyGov portal, with a submission deadline of February 18, 2025. An explanatory note accompanied the draft Rules to provide further context.

The draft Rules, consisting of 22 provisions and seven Schedules, aim to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act). These Rules clarify crucial aspects, including consent management, security safeguards and procedures for handling personal data breaches.

The DPDP Act represents a significant shift in India’s approach to data privacy. It builds on years of recommendations and judicial decisions that have shaped personal data protection in the country.

In 2011, the Justice A.P. Shah Committee laid the foundation for this legislative framework by recommending privacy laws to safeguard individual data rights. This effort gained momentum after the Supreme Court’s landmark 2017 ruling in Justice K.S. Puttaswamy (Retd.) versus Union of India, which recognised the right to privacy as a fundamental constitutional right.

In 2017, MeitY formed a committee of experts led by former Supreme Court Justice B.N. Srikrishna to address data protection issues in India and draft a data protection Bill. Following extensive deliberations, the Joint Parliamentary Committee (JPC) adopted a draft report on The Personal Data Protection Bill, 2019, on November 22, 2021.

Despite this progress, the government abruptly withdrew the legislation in October 2022 before the Parliament could consider it. Subsequently, MeitY re-examined the issues surrounding digital personal data protection and drafted the DPDP Bill in 2022.

The DPDP Act attempts to establish a comprehensive legal framework for digital personal data protection in India. It balances the rights of individuals to safeguard their personal data with societal needs and the lawful purposes of data processing. The Act applies to processing digital personal data collected online or offline, provided it is eventually digitised.

The Act imposes specific obligations on data fiduciaries (entities that determine the purpose and means of processing personal data). It requires these entities to obtain explicit consent from individuals (data principals) before processing their data. However, the Act allows for certain exceptions where consent is not required.

Key features of the draft DPDP Rules, 2025

The Draft DPDP Rules, 2025 aim to enhance digital privacy compliance across India. Here is an overview of their key features:

Implementation framework: The draft Rules provide a structured framework to enforce the DPDP Act. They outline the steps organisations must take to comply with the new data protection regulations.

Data fiduciary obligations: The Rules clearly establish the responsibilities of data fiduciaries. Organisations must obtain informed consent from data principals, ensure transparency in data processing and adopt robust security measures.

They are required to provide concise and clear information about the personal data being processed, its intended purpose and the procedure for withdrawing consent.

Establishment of the Data Protection Board (DPB): The draft Rules propose setting up the Data Protection Board, which will function digitally. This board will address grievances and enforce compliance with the DPDP Act. Its primary objective is to hold data fiduciaries accountable and safeguard personal data effectively.

Penalty provisions: The draft Rules introduce strict penalties for data breaches, emphasising the importance of personal data protection. Data fiduciaries who fail to fulfill their obligations may face significant fines, compelling organisations to prioritise data security and compliance.

Exemptions from compliance: The Rules specify several exemptions for data fiduciaries. Certain provisions related to judicial and regulatory functions, enforcement of legal rights and prevention of criminal activities may not require full compliance. Moreover, specific categories of data fiduciaries, such as startups and research organisations, might be exempted from some requirements.

Clinical establishments, healthcare professionals, educational institutions, crèches and childcare facilities are also exempt from restrictions under the DPDP Act in specific cases. For example, these entities may engage in behavioural monitoring or tracking of children to provide healthcare services, support educational activities, or ensure child safety.

Call for information: The draft Rules empower the Union government, through authorised personnel, to request personal data from data fiduciaries or intermediaries. This may occur in scenarios involving India’s sovereignty, integrity and security or to fulfill obligations under Indian law.

However, neither the DPDP Act nor the draft Rules outline specific safeguards, such as review or oversight mechanisms, for these requests. Nevertheless, any government processing of personal data must align with the constitutional safeguards prescribed by the Supreme Court in the landmark privacy ruling in Justice K. S. Puttaswamy and Anr. versus Union of India and Ors.

Consent manager framework: The Rules introduce a detailed framework for consent managers, specifying registration conditions, roles and responsibilities. Only India-incorporated companies that meet certain net worth requirements and possess certified interoperable platforms for managing consent can register as consent managers.

Consent managers must provide accessible and transparent platforms that allow data principals to give, manage, review and withdraw consent. They must ensure data fiduciaries can process personal data directly or through intermediaries onboarded on their platform.

To remain impartial, consent managers must operate as ‘data blind’, avoiding conflicts of interest with data fiduciaries. Their responsibilities include maintaining records of consent activities, offering web or mobile platforms for data principals and implementing audit mechanisms.

Public consultation and feedback mechanism: The Rules encourage active stakeholder participation by allowing public comments for 45 days. Individuals and organisations can submit feedback through the MyGov platform, ensuring diverse perspectives shape the final Rules.

Key principles of data protection

The DPDP Act sets forth clear principles to ensure organisations process personal data lawfully, transparently and securely. These principles closely mirror those of the General Data Protection Regulation (GDPR), reflecting a shared commitment to protecting individual privacy while allowing necessary data processing.

Lawful processing: Organisations must process personal data in compliance with relevant laws. The DPDP Act mandates that data processing occurs only for specific, lawful purposes.

Purpose-specific processing: Personal data can only be processed for legitimate purposes as outlined in the DPDP Act, particularly Sections 7(b) and 17(2)(b). This principle prevents misuse by limiting data processing to the purposes for which individuals have provided consent.

Data minimisation: The Act requires organisations to collect and process only the minimum amount of personal data necessary to achieve specific goals. This principle reduces excessive data collection, enhancing security and minimising risks.

Accuracy: Organisations must take steps to ensure that personal data remains accurate and up-to-date. This safeguards individuals from harm caused by inaccuracies and upholds the integrity of data processing activities.

Retention: The DPDP Act mandates that organisations retain personal data only as long as necessary to fulfill the intended purposes or meet legal obligations. By limiting data retention, this principle reduces the risk of breaches or unauthorised access.

Transparency: The DPDP Act emphasises transparency in data processing. Organisations must inform individuals about how their data is processed, their rights and how to exercise them. This builds trust and empowers individuals to make informed decisions about their data.

Accountability: The Act holds organisations accountable for complying with data protection laws and principles. Data fiduciaries and consent managers must maintain records of processing activities, provide grievance redress mechanisms and ensure staff are trained on their data protection duties.

Security safeguards: Organisations must implement reasonable security measures, such as encryption, access controls and monitoring to protect personal data from breaches. These safeguards ensure the confidentiality, integrity and availability of data throughout its lifecycle.

Rights of data principals

The Draft DPDP Rules, 2025, empower individuals, known as data principals, by granting them comprehensive rights over their personal data. These Rules emphasise transparency, control and accountability, enabling individuals to actively manage their data while holding organisations responsible for its proper handling.

Key rights

Right to access and correction: Data principals can access their personal data held by data fiduciaries. They can verify the accuracy of their data and request corrections if they spot any inaccuracies. Data fiduciaries must clearly explain the process for exercising this right through their websites or applications.

Right to erasure: Data principals can request the erasure of their personal data under specific conditions, such as when the data is no longer necessary for its intended purpose or when they withdraw consent. Data fiduciaries must inform data principals about this right and the conditions under which they can exercise it.

Right to grievance redressal: Data principals can raise concerns or complaints regarding how their personal data is handled. The Rules require data fiduciaries to set up a grievance redressal mechanism and provide clear information about the process, including timelines for resolving complaints.

Informed consent and notices: The draft Rules mandate data fiduciaries to issue clear and detailed notices to data principals, explaining what personal data is collected and the purpose behind its collection. This transparency empowers data principals to make informed decisions about their data.

Right to nominate representatives: Data principals can appoint one or more representatives to exercise their rights on their behalf. This provision ensures that individuals, especially those with disabilities or other challenges, can effectively assert their data rights.

Notification of data breaches: Data fiduciaries must notify data principals of any data breaches that might impact their personal data within a specified timeframe. This transparency helps foster trust and enables data principals to take timely steps to protect their interests.

Obligations of data fiduciaries

The Draft DPDP Rules, 2025 establish key responsibilities for data fiduciaries to ensure the lawful, transparent and secure handling of personal data. These obligations aim to enhance accountability and protect the rights of individuals.

Key obligations

Ensure transparency and obtain consent: Data fiduciaries must issue clear and concise notices to data principals, explaining why personal data is collected and how it will be processed. These notices should be written in simple language and include an itemised list of the data being collected, the rights of data principals and the timelines for resolving grievances.

Comply with Union government restrictions: Data fiduciaries must process personal data according to any restrictions set by the Union government, such as prohibiting the transfer of sensitive data outside India. This ensures alignment with national policies and protects sensitive personal data.

Maintain accountability in data processing: Data fiduciaries must ensure their data processing activities, including using algorithmic software for hosting, storing and sharing data, do not violate the rights of data principals. They are fully accountable for these activities, reinforcing the importance of ethical and responsible data practices.

Notify data principals of personal data breaches: Data fiduciaries must immediately inform affected data principals about any personal data breach. They should provide clear details regarding the breach, including its nature, scope, timing and potential impact.

Fiduciaries must also describe the steps to mitigate risks and offer recommendations to protect the data principals’ interests. Additionally, they must share the contact information of a representative who can address any further questions.

Within 72 hours of becoming aware of a breach (or within a longer timeframe as permitted by the Data Protection Board), data fiduciaries must provide further information, such as:

  1. Facts related to the event, circumstances and reasons behind the breach.

  2. Risk assessments and mitigating measures taken.

  3. Findings regarding the person responsible for the breach.

  4. Remedial actions to prevent recurrence.

  5. A report on notifications given to affected data principals.

Implement reasonable security safeguards: Data fiduciaries must establish strong security measures to protect personal data, including encryption, access controls and continuous monitoring for unauthorised access.

They must maintain logs to detect and respond to breaches promptly, ensuring that data remains confidential, intact and accessible. Fiduciaries must also ensure that data processors comply with these security measures through contractual agreements, preventing breaches during processing activities.

Age-gating and verifiable parental consent: Data fiduciaries must obtain verifiable consent from a parent (or guardian, if applicable) before processing the personal data of a child (under 18 years old) or an individual with disabilities.

Fiduciaries must ensure the individual providing consent is an identifiable adult, using reliable identity and age verification methods.

Conduct annual data protection impact assessments: Significant data fiduciaries are required to conduct annual data protection impact assessments and comprehensive audits. They must report the results to the Data Protection Board, outlining their compliance with data protection requirements and identifying areas for improvement.

Compliance and enforcement: Key components

Grievance redressal mechanisms: Data fiduciaries and consent managers must establish efficient grievance redressal systems to handle complaints effectively. They are required to publish clear timelines for addressing grievances raised by data principals, fostering accountability and trust.

Monitoring and enforcing compliance: The Data Protection Board will monitor adherence to the DPDP Rules. In cases of non-compliance, the Data Protection Board can direct consent managers and data fiduciaries to implement corrective measures.

Addressing non-compliance with penalties: The draft Rules have drawn criticism for their lack of stringent penalties for non-compliance. Unlike the GDPR in the European Union, which imposes substantial fines, the DPDP Rules include weaker sanctions. Stronger consequences for violations would reinforce accountability and deter negligent practices.

Role of the Data Protection Board: The Data Protection Board will oversee the implementation and enforcement of the Rules. Its responsibilities include balancing the rights of data principals with the obligations of data fiduciaries. To execute its mandate effectively, the Data Protection Board requires sufficient authority and resources to monitor compliance and impose meaningful penalties. This oversight is essential for upholding the accountability principles embedded in the DPDP framework.

Stakeholder reactions

The Draft DPDP Rules, 2025 have drawn mixed reactions from the business community. Many businesses appreciate the framework's pragmatic approach, particularly its tiered system that scales responsibilities based on organisational size.

The Leaflet
theleaflet.in