Introduction:
The Ministry of Electronics and Information Technology (MeitY) released the draft of the much-anticipated Digital Personal Data Protection Rules 2025 (DPDP Rules) for public consultation on January 3, 2025. In 2023, after several iterations of bills, India finally enacted its first Digital Personal Data Protection Act, 2023 (DPDPA). This Act, which aims to protect individuals’ privacy and secure their personal data in the digital sphere in India, received presidential assent on August 11, 2023. However, it has not yet become operational because the administrative rules required under the Act had not been issued.
The draft version of the DPDP Rules 2025 is now available for public consultation until 18 February 2025 (objections or suggestions can be submitted on https://mygov.in). These rules have been prepared after consulting various key stakeholders and are intended to make the DPDPA operational upon publication.
These rules will come into force upon publication after consultation, except for rules 3 to 15, 21 and 22, which will take effect from a later date.
The MeitY has given stakeholders a 45-day timeframe to review and submit their concerns to the Ministry. Now, with the rules out for consultation, the question arises: What’s next?
The Draft Digital Personal Data Protection Rules 2025: An Overview
The Draft Digital Personal Data Protection (DPDP) Rules, 2025, outline the regulations for handling personal data in India, as mandated by the Digital Personal Data Protection Act, 2023. These rules cover various aspects of data protection, including the responsibilities of Data Fiduciaries, Consent Managers, verifiable parental consent, security measures, and the rights of Data Principals.
Rule 1 establishes the short title and commencement of the rules, specifying which rules come into force on publication and which have a delayed effect, meaning that an adequate time frame for compliance will be provided to businesses.
Rule 2 provides definitions for terms used throughout the rules, ensuring clarity and consistency in interpretation with the DPDPA.
Rule 3 mandates that Data Fiduciaries must provide clear and understandable notices to data principals, detailing the personal data being processed, the purposes of processing, and how data principals can exercise their rights under DPDPA.
Another important rule is Rule 4, which outlines the registration and obligations of Consent Managers, who facilitate the management of consent for data processing. The conditions for registration are detailed in Part A of the First Schedule, while the obligations are specified in Part B of the same schedule.
Rule 5 (which is related to Section 7 of the DPDPA) allows the State and its instrumentalities to process personal data for providing subsidies, benefits, services, certificates, licenses, or permits while adhering to standards specified in the Second Schedule.
Rule 6 is another important rule: it obliges Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches, including encryption, obfuscation, data masking, access controls, and monitoring.
Rule 7 details the procedures for notifying data principals and the Board about personal data breaches, including the information that must be provided and the timelines for notification. Unlike other global privacy regulations, all personal data breaches (irrespective of harm caused) have to be communicated to the affected data principals and the Board.
Rule 8 specifies the time periods after which personal data must be erased if it is no longer needed for the specified purposes, as detailed in the Third Schedule of the Rules. This covers specific timelines for e-commerce entities, online gaming intermediaries and social media intermediaries.
Rule 9 mandates that Data Fiduciaries publish contact information for a person who can answer questions about data processing or the name of the Data Protection Officer wherever applicable.
Rule 10 provides much-awaited clarification on the requirement placed by DPDPA on obtaining the verifiable consent of parents/guardians in the case of children and persons with disabilities. This rule requires verifiable consent for processing the personal data of children or persons with disabilities who have lawful guardians, with specific measures to ensure the consent is valid. It states that the Data Fiduciary must ensure verifiable parental consent before processing a child’s personal data by confirming the parent’s identity and age through reliable details or a virtual token issued by an authorized entity, including Digital Locker service providers. Additionally, Rule 11 provides exemptions from complying with provisions of Section 9 (1) and Section 9 (3) (which mandate obtaining verifiable parental consent in case of children and persons with disabilities and prohibit behavioural tracking of children, respectively) to specified Data Fiduciaries or for purposes listed in Parts A and B of the Fourth Schedule of the Draft Rules, under specified conditions.
Rule 12 imposes additional obligations on Significant Data Fiduciaries, including conducting Data Protection Impact Assessments (DPIA) and audits at yearly intervals, and ensuring algorithmic transparency. Additionally, significant observations from DPIAs and audits are also to be communicated to the Board.
Rule 13 outlines the rights of data principals, including access to information, data erasure, and the ability to nominate individuals to exercise their rights.
Rule 14 regulates the transfer of personal data outside India, subject to conditions specified by the Central Government.
Rule 15 exempts certain processing activities for research, archiving, or statistical purposes from the Act, provided they adhere to standards in the Second Schedule.
Rules 16 to 20 cover the appointment, terms of service, and functioning of the Data Protection Board, including the appointment of the Chairperson and Members, their salaries, and the procedures for Board meetings.
Rule 21 details the process for appealing to the Appellate Tribunal against decisions of the Board.
Rule 22 allows the Central Government to call for information from Data Fiduciaries or intermediaries for specified purposes, as listed in the Seventh Schedule.
What next?
The draft of the Digital Personal Data Protection Rules 2025 is now available for public consultation until 18 February 2025. The draft rules can be accessed through the website of the Ministry of Electronics and Information Technology (MeitY).
If you have any suggestions, you can submit them to the ministry in the prescribed manner within the given period. Once submissions are made, MeitY will review and analyse the suggestions. If any suggestions are found to be relevant, they may be considered for inclusion in the final rules.
What Should Organisations Do?
In the meantime, organisations can start developing infrastructure based on the draft rules to comply with the standards set by the Digital Personal Data Protection Act, 2023. The draft rules will help them prepare for full compliance with the law. They can create mechanisms to seek consent from Data Principals in the prescribed manner. Additionally, organisations should start conducting gap assessments and reviewing existing practices to align with the DPDPA as elaborated by the draft rules.
Conclusion:
The release of the draft Digital Personal Data Protection Rules 2025 marks a significant step towards operationalizing the Digital Personal Data Protection Act, 2023. Organizations should take this opportunity to align their infrastructure and processes with the draft rules, preparing for full compliance. The MeitY has opened a consultation process which allows stakeholders to contribute their insights and suggestions, potentially shaping the final rules. As the ministry reviews these inputs, it is crucial for organizations to proactively implement appropriate measures, especially concerning the verification of parental consent and other key provisions of the Act, ensuring they are ready for the forthcoming regulatory landscape.
Any suggestions with regard to the rules can be submitted to the Government on the MyGov website (https://mygov.in).
If you’re an organization dealing with personal data and you want to learn more about DPDPA compliance, visit www.tsaaro.com
Author: Shivang Mishra Akarsh Singh A Arohi Pathak Prajwala D Dinesh