On January 3, 2025, the Ministry of Electronics and Information Technology, Government of India (“Ministry”) issued the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) for public consultation. The Draft Rules are framed under the Digital Personal Data Protection Act, 2023 (“Act”), which was passed into law in August 2023, but is yet to come into force. The Ministry has invited stakeholders’ feedback on the Draft Rules by February 18, 2025.

Following are the key takeaways from the Draft Rules[1]:

  1. How will the Draft Rules be enforced?

The Draft Rules will be brought into force in tranches. The provisions relating to the Data Protection Board (“Board”) will take effect upon notification in the official gazette, while the substantive/operational provisions will be notified at a later, as yet unspecified, date.

  2. How must a Data Fiduciary give notice for consent?

Data Fiduciaries are required to provide a notice that: (a) is standalone and self-explanatory, so that the Data Principal can understand it on its own; and (b) is written in clear and plain language, so that the Data Principal can give specific and informed consent. At a minimum, the notice must include an itemised description (or list) of: (a) the categories of Personal Data being processed; and (b) the goods, services or uses associated with the Processing of such Personal Data, together with the Specified Purpose. Additionally, the notice must include a link to the Data Fiduciary’s website or app, and describe how the Data Principal can: (a) withdraw consent; (b) exercise rights under the Act; and (c) file a complaint before the Board.

  3. How should Personal Data be protected by a Data Fiduciary?

Data Fiduciaries are required to implement “reasonable security safeguards” to prevent Personal Data breaches. At a minimum, these safeguards include:

  1. Data Security Measures: Encryption, obfuscation, masking, or the use of virtual tokens mapped to the Personal Data;
  2. Access Control: Restrict access to the computer systems used by the Data Fiduciary or Data Processor;
  3. Logging and Monitoring: Keep and review logs to detect unauthorised access to Personal Data and to support investigations;
  4. Continuity Measures: Ensure that processing can continue in the event of data loss, for example by maintaining backups;
  5. Retention of Logs: Store logs for one year (unless another law requires otherwise) so that unauthorised access can be detected and investigated;
  6. Contractual Measures: Include security requirements in contracts with Data Processors;
  7. Technical and Organisational Measures: Apply both technical controls and organisational policies to ensure that the safeguards are effectively implemented.


  4. How must a Data Fiduciary notify a Personal Data breach?

In the event of a breach of Personal Data, the Data Fiduciary must take the following steps:

  a. Intimate the Data Principal: Promptly (and in any case within 72 hours of becoming aware of the breach) notify each affected Data Principal of the breach, providing: (i) a description of the breach, including its nature, extent, timing and location; (ii) the potential consequences of the breach; (iii) the measures taken (if any) to mitigate the risk; (iv) the safety measures that the Data Principal can take to protect themselves; and (v) the contact details of a person able to respond to the Data Principal’s queries.

  b. Intimate the Board:

    1. Promptly notify the Board of the breach, providing: (i) a description of the breach, including its nature, extent, timing and location; and (ii) its potential consequences; and
    2. Within 72 hours of becoming aware of the breach, provide: (i) an updated and detailed description of the breach, including the events and circumstances that led to it; (ii) the actions taken to reduce the risk; (iii) findings about the individual(s) responsible for the breach; (iv) the steps taken to prevent similar breaches in future; and (v) a report on the intimation sent to the affected Data Principals.

  5. How long can a Data Fiduciary retain Personal Data?

An E-commerce Entity or Social Media Intermediary (with at least 2 crore registered users) and an Online Gaming Intermediary (with at least 50 lakh registered users) must erase Personal Data within 3 years of the Data Principal’s last login to their account with that entity. Before erasing the Personal Data, such entities must give the Data Principal at least 48 hours’ notice.

  6. How should a Data Fiduciary process the Personal Data of a Child?

The Draft Rules require Data Fiduciaries to obtain “verifiable consent” from a parent before Processing the Personal Data of a Child. To comply with the foregoing, a Data Fiduciary must:

    1. verify and ensure that the individual identifying themselves as the parent is in fact the parent;
    2. verify and ensure that such individual is an Adult; and
    3. obtain that individual’s reliable identity and age-related credentials, such as a government-issued ID card.

Similar obligations are also introduced for Processing Personal Data of persons with disabilities.

However, certain entities are exempted from the above-mentioned requirements. These include: healthcare professionals, educational institutions, childcare providers, and transportation facility providers for children. This exemption applies under defined conditions and only when the Processing of Personal Data is limited to the essential activities mentioned under the Draft Rules.

  7. What are the additional obligations of Significant Data Fiduciaries (“SDFs”)?

SDFs, as notified by the Central Government, must annually undertake a Data Protection Impact Assessment and an audit, and submit a report of the significant findings to the Board. SDFs must also verify that any algorithmic software they deploy does not pose a risk to the rights of Data Principals.

  8. Can a Data Fiduciary process Personal Data outside India?

The Central Government may lay down restrictions on the transfer outside India of Personal Data that is processed either (a) within India; or (b) outside India, in connection with any activity related to offering goods or services in India. In addition, SDFs must ensure that the Personal Data identified by the Central Government, together with the traffic data pertaining to its flow, is not transferred outside India.

  9. How can Data Principals exercise their rights?

To enable Data Principals to exercise their rights, Data Fiduciaries must:

    1. publish on their website and app (i) details of the means for submitting requests; and (ii) any identifiers required to verify the Data Principal;
    2. specify the period within which their grievance redressal system will respond to a Data Principal’s grievance; and
    3. provide a mechanism for the Data Principal to nominate individuals to exercise their rights on their behalf.

Authors: Udit Mendiratta and Jitendra Soni (Partners), Apeksha Singh, Arushi Dokania, Nida Khan and Samia Haider (Associates).


Footnotes

[1] All capitalised terms shall have the same meaning as attributed to them under Section 2 of the Act or the Draft Rules.
