Explaining the draft Digital Personal Data Protection rules

Digital Personal Data Protection Rules
Arti Raghavan

The Ministry of Electronics and Information Technology has released the much-anticipated draft Digital Personal Data Protection Rules, 2025 (the rules), for the Digital Personal Data Protection Act (DPDP Act). Arti Raghavan, an advocate practising at the Bombay High Court who was part of the team that successfully challenged the 2023 amendment to the IT Rules, explains this development.

Q1. Would these rules redress the privacy concerns and issues of companies?

The notice requirement to data principals (the person to whom the data relates) may improve routine privacy concerns as specific details are required. This requirement, however, may be unduly onerous/unfeasible for the data fiduciary, as the notice includes an itemised description of personal data as well as its uses.

The question is whether all data fiduciaries have the resources to provide such notices and, if not, whether this rule will invariably be observed in its breach. The high penalties prescribed under the DPDP Act may result in a significant compliance burden for companies.

Alternatively, entities which are unable to provide such detailed notices will refrain from storing/processing data.

This might be an optimal regulatory outcome, as it will discourage parties from storing/processing/exploiting data that they don’t have a specific, legitimate use for.

Q2. The draft DPDP rules are said to be inspired by the EU’s General Data Protection Regulation (GDPR). Are there any differences?

Here are some differences. The GDPR has a “legitimate interest” exemption – processing personal data without obtaining consent or providing a specific purpose. No such exemption exists under the rules, which makes them far more onerous.

The rules require “consent managers” to be registered with the Data Protection Board and act on behalf of data principals to review, provide, manage and withdraw consent. The equivalent does not exist under the GDPR, and the relevance of this intermediary/agent is unclear.

The rules treat all minors as “children” and thus require verifiable parental consent. The GDPR, in contrast, adopts a graded approach, for instance, categorising children under 13 years of age separately.

Q3. Are there any concerns or issues that can be foreseen?

A significant concern is the absence of guardrails (external oversight) over the wide powers conferred on the government to call on data fiduciaries to provide personal data with no notice issued to the data principal about such disclosures. The “purposes” for this are widely defined, opening them to potential abuse. This sits at odds with the very purpose and object of the DPDP Act – ensuring data protection and privacy.

The grievance mechanism leaves it to individual data fiduciaries and consent managers to put in place the primary grievance redressal mechanism where they can even decide the period/time frame for complaint redressal. Time frames so decided may render the process futile and there is no recourse against this under the rules.

The lack of clarity for exemption from not tracking or behavioural monitoring of children or targeted advertising directed at children for certain entities is also concerning. The exemption has been provided to the following data fiduciaries – clinical/healthcare establishments, educational institutions, day care centres etc.

Q4. These rules mean a higher compliance burden, which is a discouraging factor on the ease of doing business. What are your thoughts on how to best balance this?

The rules could certainly benefit from some of the practical provisions of the GDPR, especially the legitimate interest exception. Further, the penalties under the DPDP Act are very high – especially when the Indian regulatory space does not typically levy such high penalties. This would certainly be a concern for businesses.
