The Ministry of Electronics and Information Technology (MeitY) recently released the draft Digital Personal Data Protection Rules, 2025 (draft rules) for public consultation. This marks a step towards implementing the Digital Personal Data Protection Act, 2023 (DPDP Act), passed 17 months ago. The draft rules provide guidance on key provisions of the DPDP Act, including notice mechanisms, security measures, breach notifications, data retention, protections for minors, obligations for significant data fiduciaries (SDFs) and cross-border data transfers. However, some areas remain ambiguous and certain provisions may introduce new complexities for stakeholders.
This article provides an overview of the draft rules, highlighting the key features, potential challenges and their implications for businesses in India.
Implementation timeline
The draft rules propose a phased implementation of the DPDP Act. Provisions relating to the Data Protection Board will take effect immediately upon publication of the final rules, while other compliance-related provisions will be notified later. This approach aims to provide data fiduciaries (DFs) time to align with regulatory requirements, which reports suggest will be two years. However, it remains unclear whether this timeline will apply uniformly or vary depending on the entity’s nature, size, scale and sector.
Key highlights and concerns
Founder and Managing Partner, PSA | Tel: +91 11 4350 0500 | Email: p.suri@psalegal.com
(1) Notice requirements. Consent forms the bedrock for processing personal data (PD) under the DPDP Act. The draft rules require DFs to provide a clear, standalone and easily understandable notice when obtaining consent from data principals for processing their PD. The notice should contain an “itemised” description of the PD being processed, the “specified purpose” of processing, and the “itemised” description of goods or services enabled by such processing.
This means that DFs must not only disclose what data is collected but also how each dataset is used and which goods or services it supports. The notice must include a link to the DF’s website or app, allowing data principals to withdraw consent, exercise their rights or file complaints.
The requirement for an “itemised” notice demands detailed, item-by-item descriptions of data processing, while a strict interpretation of “specified purpose” could limit related uses. For instance, if a bank obtains consent for account opening, it may need fresh consent to process PD for functions like security alerts or maintenance.
The draft rules could have been more flexible, allowing businesses to define broader but clearly articulated processing purposes, providing standardised consent templates to reduce ambiguity or clarifying that activities directly linked to the original consent (e.g. fraud monitoring for a bank account) do not require repeated consent. However, the draft rules do not offer such flexibility, leaving ambiguity as to how businesses can lawfully process data for necessary ancillary functions.
Senior Associate, PSA | Tel: +91 11 4350 0505 | Email: r.sehgal@psalegal.com
(2) Reasonable security safeguards. The DPDP Act requires all DFs to implement “reasonable” security measures to protect PD. Unlike the Information Technology Act and certain sectoral regulations that prescribe ISO 27001, the draft rules leave “reasonable” unclear and provide “minimum” safeguards such as encryption, masking, virtual tokens and ensuring access visibility through logs, monitoring and review.
This shift to prescriptive requirements enhances data protection but adds a compliance burden, particularly for smaller entities with limited resources. The lack of reference to globally recognised security standards like ISO 27001 also leaves ambiguity on whether businesses adhering to such standards will be deemed compliant.
(3) PD breach notification. In case of a PD breach, the draft rules require DFs to notify the board “without delay” and simultaneously inform each affected data principal through their accounts or preferred communication channels. The notification must include the nature, extent, potential consequences, mitigation measures and a contact point for queries.
This dual-reporting requirement is challenging, as breach details are often uncertain in the early stages, yet DFs must submit a detailed report to the board within 72 hours or longer if approved. This timeframe is too short to fully investigate, determine the full impact and implement corrective actions. The rules do not address overlaps with CERT-In’s reporting obligations, forcing DFs to juggle multiple notifications simultaneously, increasing compliance and penalty risks. A staged reporting system, starting with basic details and adding updates later, could have simplified the process.
(4) Consent managers. The DPDP Act introduced the concept of consent managers, Indian entities that serve as a single point of contact for data principals to provide and manage their consents. The draft rules outline registration requirements, including minimum net worth and demonstrating adequate technical, operational and financial capacity.
They also impose strict obligations, including providing an interoperable platform, ensuring a data-blind operational model, restricting subcontracting, maintaining consent logs for at least seven years, conducting audits, and preventing conflicts of interest.
(5) Data erasure timelines. Section 8(7) of the DPDP Act mandates PD must be erased by DFs once consent is withdrawn or the specified purpose is no longer valid, unless retention is required by law. For certain entities, e-commerce and social media intermediaries with more than 20 million users and online gaming intermediaries with more than five million users, the draft rules specify they must erase PD three years after the data principal’s last relevant interaction, or three years from the draft rules’ commencement, whichever is later.
Before deletion, DFs must notify the data principal at least 48 hours in advance, to allow them to re-engage and prevent erasure. However, exceptions apply for user accounts and virtual tokens, which may be retained for ongoing transactions.
While this provides a structured framework, it raises concerns over selective application, as businesses like healthcare or cloud service providers are not subject to the same rules. A uniform three-year timeline may conflict with businesses’ documentation retention policies and compliance. For example, the Income Tax Act, 1961, mandates record retention for up to six years from the end of the relevant assessment year. A more flexible, purpose-based retention framework would help reduce compliance risks.
(6) Children’s verifiable consent. The DPDP Act requires DFs to obtain verifiable parental consent before processing a child’s PD. The draft rules specify that DFs can record consent through details already available or submitted by the parent, or via a virtual token from entities like Digital Locker. However, healthcare professionals, educational institutions, crèches and those responsible for child transport are exempt from this requirement.
A key concern is that the draft rules rely on users voluntarily identifying as children or parents, leaving DFs without a clear method to determine when parental consent is required. They also fail to specify how age or the parent-child relationship should be authenticated beyond self-declared information.
Requiring verifiable parental consent for every instance of processing could lead to consent fatigue, reducing the effectiveness of parental oversight. These gaps could create compliance challenges and limit minors’ access to essential services.
(7) SDFs. The draft rules impose additional obligations on SDFs such as conducting impact assessments, annual audits and due diligence on algorithmic software. However, they do not specify what due diligence measures an SDF must take to comply, leaving this determination to be made on a case-by-case basis. SDFs also face new data localisation requirements.
(8) Data localisation. The draft rules expand the government’s authority over cross-border data transfers. While section 16 of the DPDP Act already allows the government to blacklist specific countries, the draft rules go further by allowing it to impose conditions on foreign states’ access to transferred data. This could complicate cross-border compliance, especially for businesses operating internationally.
SDFs must also comply with data localisation requirements for specific categories of personal data, as determined by a government-appointed committee. However, the DPDP Act does not mention such a committee, and the draft rules provide no clarity on how localisation decisions will be made. This lack of transparency adds uncertainty, and a more structured approach would help ensure legal clarity while balancing security and economic considerations.
Conclusion
The draft rules are an important step in shaping India’s data protection framework. They provide guidance on consent, data retention, personal data breaches and cross-border transfers. However, they also introduce challenges and ambiguities that could complicate compliance.
With the public consultation now complete, the MeitY will review stakeholder input before finalising the rules. Businesses must assess their readiness to align with India’s evolving data protection landscape.
PSA is a solution-driven, quality focused business law firm in New Delhi. The firm is known for two things: doing great work and doing it differently. Collaboration is the central focus of our method. Everyone, including partners, is hands-on, deeply engaged in all matters with a unique capacity to simplify complex things. The combination of legal and industry experience ensures the firm’s USP remains its ability to map client objectives and add value to each matter.
The firm advises both international and domestic clients on various aspects of data protection compliance, cross-border transfers, data processing, privacy contracting, data inventory and audits, information management and lifecycle processes, policy and process formulation, privacy rights and obligations, and sensitization training. We continue to support organizations with cross-border operations in navigating, implementing, and complying with regulations in the EU, US, Asia, and Australia. We firmly believe in the power of awareness advocacy and conduct roundtables and open house sessions on the significance of a robust privacy governance framework, and train legal teams of large global tech companies on evolving regulations in this space.
14 A & B, Hansalaya
15, Barakhamba Road
New Delhi – 110 001, India
T: +91 11 4350 0500