The Dawn of a New Privacy Era: Understanding India’s Draft DPDPA Rules, 2025
On January 3rd, 2025, the Ministry of Electronics and Information Technology, Government of India took a significant step toward strengthening data protection by releasing the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”). The Draft Rules are designed to provide the operational framework for the Digital Personal Data Protection Act, 2023 (“DPDPA”), and public feedback on them was invited until February 18th, 2025. This initiative is expected to transform the governance of digital personal data in the country, balancing privacy rights with technological progress.
Enacted in 2023, the DPDPA regulates the processing of digital personal data to address rising concerns pertaining to the misuse of personal information. While the DPDPA sets the foundation for privacy protections, its effectiveness relies on well-defined protocols that the new rules aim to deliver. By establishing this regulatory framework, the Indian government seeks to empower citizens with greater data control while fostering innovation and economic development in its diverse digital economy.
Key Features:
The Draft Rules provide for the immediate establishment of the Data Protection Board of India (“DPB”), which will oversee the enforcement of the DPDPA. The DPB will handle complaints, impose penalties, and facilitate dispute resolution. Its role in enforcing compliance and protecting user privacy will be crucial to the long-term success of India’s privacy regulations.
Under the Draft Rules, data fiduciaries (organizations controlling the processing of personal data) need to ensure that privacy notices are clear, comprehensive, and easily understandable. These notices should clearly specify the nature of the data collected, the purpose of the data collection, and how the data will be used. In addition, users must have access to streamlined processes for withdrawing consent, submitting grievances, and exercising their privacy rights.
The emphasis on detailed and user-friendly privacy notices aligns with global standards such as the EU’s General Data Protection Regulation (“GDPR”). As a result, businesses may need to re-evaluate their data collection practices and marketing strategies, especially regarding how consent is obtained and managed.
The Draft Rules lay down the procedure that entities must follow to register as consent managers. Entities seeking registration as a consent manager must fulfill the conditions outlined in Part A of the First Schedule and apply to the DPB. Upon review, the DPB may grant or deny registration based on the applicant’s compliance with the stipulated requirements.
Registered consent managers must adhere to obligations specified in Part B of the First Schedule, ensuring robust consent management mechanisms. If a consent manager is found non-compliant, the DPB may issue directives to rectify non-adherence. In severe cases, the DPB may suspend or cancel the registration of a consent manager to safeguard data principals' interests. The DPB also retains the authority to request relevant information from consent managers as needed.
For data related to children, the Draft Rules impose strict requirements to verify parental or guardian consent. However, verifying both the user’s age and the guardian’s identity may pose practical challenges. Entities operating in India will need to build reliable processes to address these requirements while navigating complex Indian legal frameworks for guardianship.
In the event of a data breach, organizations must promptly notify both the Data Protection Board of India and the affected individuals. The initial breach notification should be followed by a comprehensive report within 72 hours, detailing the incident’s scope, cause, and corrective actions. Unlike the GDPR, India’s framework does not set a materiality threshold, meaning even minor breaches may require reporting. This could lead to an influx of breach notifications and place additional demands on businesses to manage incident response workflows.
Global organizations will need to integrate these reporting obligations with other compliance protocols, such as those enforced by India’s Computer Emergency Response Team and various industry regulators.
Although the DPDPA allows cross-border data flows, the Draft Rules authorize the government to impose specific conditions for sensitive data transfers. For large-scale data handlers, this could lead to potential data localization requirements, affecting how multinational companies manage global data operations. Entities will need to monitor these developments closely, as conflicts may arise between India’s data protection laws and international obligations, particularly in areas like surveillance and law enforcement access.
The Draft Rules impose stringent security measures that data fiduciaries must implement to protect personal data from breaches. These reasonable security safeguards include, at a minimum:
Significant Data Fiduciaries must adhere to enhanced compliance obligations, including: conducting a Data Protection Impact Assessment (DPIA) and an audit every 12 months, submitting a report with significant findings from the DPIA and audit to the DPB, ensuring that algorithmic software used in processing personal data does not pose risks to data principals’ rights, and complying with data localization mandates for specific categories of personal data as determined by the Indian government.
To facilitate the exercise of rights by Data Principals, Data Fiduciaries and Consent Managers must:
Looking Forward
The Draft Rules represent a significant advancement in India’s approach to data protection, positioning the country as a global leader in privacy regulation. However, they also introduce new challenges for businesses, particularly those operating internationally. By aligning with global standards while introducing unique elements such as consent managers, India’s regulatory framework is expected to influence privacy practices worldwide.
Organizations that adapt swiftly to these requirements will not only ensure compliance but also gain a competitive advantage in one of the world’s most important digital economies.