Dhwaj & Associates
On January 3rd, 2025, the Ministry of Electronics and Information Technology, Government of India took a significant step toward strengthening data protection by releasing the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”). These Draft Rules are designed to provide the operational framework for the Digital Personal Data Protection Act, 2023 (“DPDPA”), and public feedback on them was invited until February 18th, 2025. This initiative is expected to transform the governance of digital personal data in the country, balancing privacy rights with technological progress.
Enacted in 2023, the DPDPA regulates the processing of digital personal data to address rising concerns pertaining to the misuse of personal information. While the DPDPA sets the foundation for privacy protections, its effectiveness relies on well-defined protocols that the new rules aim to deliver. By establishing this regulatory framework, the Indian government seeks to empower citizens with greater data control while fostering innovation and economic development in its diverse digital economy.
Key Features:
- Establishment of the Data Protection Board of India
The Draft Rules provide for the immediate establishment of the Data Protection Board of India (“Board” or “DPB”), which will oversee the enforcement of the DPDPA. The Board will handle complaints, impose penalties, and facilitate dispute resolution. Its role in enforcing compliance and protecting user privacy will be crucial to the long-term success of India’s privacy regulations.
- Improved Notices and Transparency
Under the Draft Rules, data fiduciaries (organizations controlling the processing of personal data) need to ensure that privacy notices are clear, comprehensive, and easily understandable. These notices should clearly specify the nature of the data collected, the purpose of the data collection, and how the data will be used. In addition, users must have access to streamlined processes for withdrawing consent, submitting grievances, and exercising their privacy rights.
The emphasis on detailed and user-friendly privacy notices aligns with global standards such as the EU’s General Data Protection Regulation (“GDPR”). As a result, businesses may need to re-evaluate their data collection practices and marketing strategies, especially regarding how consent is obtained and managed.
- Registration and Obligations of Consent Managers
The Draft Rules lay down the procedure that entities must follow to register as consent managers. Entities seeking registration as a consent manager must fulfill the conditions outlined in Part A of the First Schedule and apply to the DPB. Upon review, the DPB may grant or deny registration based on the applicant’s compliance with the stipulated requirements.
Registered consent managers must adhere to obligations specified in Part B of the First Schedule, ensuring robust consent management mechanisms. If a consent manager is found non-compliant, the DPB may issue directives to rectify non-adherence. In severe cases, the DPB may suspend or cancel the registration of a consent manager to safeguard data principals’ interests. The DPB also retains the authority to request relevant information from consent managers as needed.
- Parental and Guardian Consent for Minors
For data related to children, the Draft Rules impose strict requirements to verify parental or guardian consent. However, verifying both the user’s age and the guardian’s identity may pose practical challenges. Entities operating in India will need to build reliable processes to address these requirements while navigating complex Indian legal frameworks for guardianship.
- Prompt Reporting of Data Breaches
In the event of a data breach, organizations must promptly notify both the Data Protection Board of India (“DPB”) and the affected individuals. The initial breach notification should be followed by a comprehensive report within 72 hours, detailing the incident’s scope, cause, and corrective actions. Unlike GDPR, India’s framework does not set a materiality threshold, meaning even minor breaches may require reporting. This could lead to an influx of breach notifications and place additional demands on businesses to manage incident response workflows.
Global organizations will need to integrate these reporting obligations with other compliance protocols, such as those enforced by India’s Computer Emergency Response Team and various industry regulators.
- International Data Transfers
Although the DPDPA allows cross-border data flows, the Draft Rules authorize the government to impose specific conditions for sensitive data transfers. For large-scale data handlers, this could lead to potential data localization requirements, affecting how multinational companies manage global data operations. Entities will need to monitor these developments closely, as conflicts may arise between India’s data protection laws and international obligations, particularly in areas like surveillance and law enforcement access.
- Reasonable Security Safeguards
The Draft Rules impose stringent security measures that data fiduciaries must implement to protect personal data from breaches. These reasonable security safeguards include, at a minimum:
- Data security measures such as encryption, obfuscation, masking, or virtual tokens mapped to personal data.
- Access controls to secure computer resources used by data fiduciaries and data processors.
- Monitoring mechanisms to track access to personal data through logs, audits, and reviews, enabling the detection of unauthorized access, investigation, and remediation.
- Business continuity measures such as data backups to ensure continued processing in case of compromise to confidentiality, integrity, or availability of personal data.
- Retention of logs and personal data for a period of one year, unless another law specifies otherwise, to facilitate breach detection and response.
- Contractual obligations for data processors to implement appropriate security safeguards.
- Technical and organizational measures to ensure compliance with security standards.
- Additional Obligations of Significant Data Fiduciaries
Significant Data Fiduciaries must adhere to enhanced compliance obligations, including:
- Conducting a Data Protection Impact Assessment (DPIA) and an audit every 12 months.
- Submitting a report with significant findings from the DPIA and audit to the DPB.
- Ensuring that algorithmic software used in processing personal data does not pose risks to data principals’ rights.
- Complying with data localization mandates for specific categories of personal data as determined by the Indian government.
- Rights of Data Principals
To facilitate the exercise of rights by Data Principals, Data Fiduciaries and Consent Managers must:
- Publish details on their website or app regarding how Data Principals can request to exercise their rights.
- Specify identifiers such as usernames or customer IDs required for such requests.
- Ensure an effective grievance redressal system, specifying response timelines and implementing appropriate technical and organizational measures.
- Enable Data Principals to nominate individuals for exercising rights on their behalf, as per the terms of service and applicable laws.
Looking Forward
The Draft Rules represent a significant advancement in India’s approach to data protection, positioning the country as a global leader in privacy regulation. However, they also introduce new challenges for businesses, particularly those operating internationally. By aligning with global standards while introducing unique elements such as consent managers, India’s regulatory framework is expected to influence privacy practices worldwide.
Organizations that adapt swiftly to these requirements will not only ensure compliance but also gain a competitive advantage in one of the world’s most important digital economies.