The draft Digital Personal Data Protection Rules, 2025 (rules), are open for public consultation until 18 February 2025. They offer much-needed guidance on the operation of the Digital Personal Data Protection Act, 2023 (act). After the framework is formalised following the invited feedback, and when the act and rules come into force, implementation will occur in stages. This will start with the establishment of the Data Protection Board to oversee compliance, followed by the rollout of operational provisions.

The rules continue the act’s emphasis on a consent-driven model for personal data, requiring businesses to rethink existing data-handling practices. Consent notices must be independent of other agreements, such as terms and conditions. They must explain in detail the specific personal datasets being processed, their associated purposes and the goods or services tied to such processing. This increased transparency requires the creation and meticulous keeping of detailed, updated data records. Companies will need to invest in robust internal systems for managing and tracking data. Obtaining purpose-specific consent will demand the significant redesign of user interfaces, ensuring that the process is intuitive, clear and compliant. These changes will require not only technical upgrades but also consistency of data governance across teams.
A notable requirement under the DPDPA concerns consent managers, independent entities that facilitate the management of data for individuals. They must register with the Data Protection Board and meet strict requirements, such as adopting data-blind provisions preventing them from accessing personal data. Partnerships with consent managers will require businesses to enter into robust agreements and achieve seamless technical integration to maintain compliance and avoid governance issues. Conflicts of interest must be eliminated, particularly where the roles of the company and the consent manager overlap or commercial ties clash.
Processing children’s data involves additional challenges. The rules mandate that companies verify parental consent before collecting or using children’s personal data. Suggested mechanisms include government-backed digital identity systems or their equivalent to authenticate consent. Companies will also have to implement age verification and adjust their onboarding processes accordingly. While exceptions exist, businesses must carefully navigate these obligations, proactively safeguard the data of minors and avoid regulatory issues.
The rules impose stringent data breach reporting requirements. Companies must, without waiting to assess harm, notify the Data Protection Board and affected individuals about incidents, their potential impact and relevant contact information for further assistance. These obligations supplement existing mandates, such as reporting security breaches to CERT-In within six hours or sector-specific requirements for financial entities. To address these overlaps, businesses will need to improve their incident response capabilities to handle simultaneous reporting to a number of regulators.
The rules outline baseline security measures, including encryption and access controls that all organisations must adopt. While these measures will improve data security generally, they may pose significant challenges, particularly for smaller businesses that may be burdened with high costs and onerous implementation.
Although the rules provide businesses with some flexibility, they are challenging. For example, although the rules do not impose data localisation, they allow the government to require significant data fiduciaries to store data within India. This will complicate cross-border data transfers, particularly for businesses subject to international data protection laws. The rules are silent on non-consent-based grounds for data processing. Industries relying on legitimate interests or contractual necessity will be at a disadvantage, particularly international companies that will have to localise processes.
Despite these hurdles, the draft offers opportunities, particularly through the framework for consent managers and the growing demand for compliance-related services. Businesses that proactively adapt to these requirements will be better able to deal with the future data protection landscape.
Ada Shaharbanu is a senior associate at Spice Route Legal.
