The Central Government in exercise of the powers conferred by sub-sections (1) and (2) of Section 40 of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), vide Notification No. G.S.R. 02(E)[1], dated January 3, 2025, issued the draft of the Digital Personal Data Protection Rules, 2025, (“Draft Rules”) under the Ministry of Electronics and Information Technology (“MeitY”). The Draft Rules have been published for the information of all persons likely to be affected thereby and shall be open to the public for objections and suggestions on https://mygov.in till February 18, 2025.
The Draft Rules aim to provide the details and the implementation framework necessary to operationalise the DPDP Act. The Draft Rules are stated to come into force on the date of their publication in the Official Gazette, except for Rules 3 to 15, Rule 21 and Rule 22, which shall come into force on a later date to be notified. The Draft Rules not only establish the framework for implementing the DPDP Act, but also introduce several noteworthy provisions, which are detailed below:
I. Obligations of the Data Fiduciary:
The Draft Rules lay down certain obligations of the Data Fiduciary to ensure the protection and responsible handling of personal data. These obligations include:
- Data Fiduciaries shall give Data Principals a notice that is presented, and understandable, independently of any other information, written in clear and plain language, so that the Data Principal can give specific and informed consent to the processing of her personal data. The notice must contain, at a minimum, an itemised description of the personal data being collected, the specified purpose of processing, and an itemised description of the goods, services or uses that the processing enables, together with the means by which the Data Principal may withdraw consent, exercise her rights and make a complaint to the Board.
- The Data Fiduciary shall prominently publish, on its website or app and in any response to a Data Principal's communication about her rights, the business contact information of a person able to answer questions about the processing of personal data. Where the Data Fiduciary has appointed a Data Protection Officer (DPO), this is the DPO's contact information.
- Data Fiduciaries shall implement reasonable security safeguards to prevent personal data breaches, including at a minimum: securing personal data through encryption, obfuscation, masking or virtual tokens; controlling access to the computer resources used for processing; maintaining logs and monitoring to detect, investigate and remedy unauthorised access; and keeping backups so that processing can continue if the data is lost or compromised. Logs and the personal data concerned are to be retained for one year, unless the law requires otherwise, and the same safeguards must be imposed on Data Processors by contract.
- Data Fiduciaries notified as Significant Data Fiduciaries shall conduct a Data Protection Impact Assessment (DPIA) and an audit once every twelve months and report the significant observations to the Data Protection Board ("Board"). They must also verify that the algorithmic software they deploy to process personal data does not pose a risk to the rights of Data Principals.
- Significant Data Fiduciaries shall ensure that categories of personal data specified by the Central Government are processed subject to the restriction that such personal data, and the traffic data pertaining to its flow, is not transferred outside India.
- Data Fiduciaries and Consent Managers shall publish the means by which a Data Principal may exercise her rights, including any identifying particulars (such as a username or other identifier) she must supply for the request to be acted upon. A Data Principal may request access to and erasure of her personal data, and Data Fiduciaries and Consent Managers must publish the period within which they will respond to grievances.
II. Registration and obligations of Consent Manager:
The Draft Rules provide for the registration of Consent Managers under Rule 4 read with Part A of the First Schedule of the Draft Rules. For clarity, a Consent Manager is a person registered with the Board who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. Any person who fulfils the conditions of registration set out in Part A may apply to the Board, which shall verify compliance with those conditions and accept or reject the application, with the reasons for any rejection communicated to the applicant.
Registered Consent Managers shall adhere to the obligations set out in Part B of the First Schedule of the Draft Rules. In cases of non-compliance with those obligations, the Board may issue corrective directions after giving the Consent Manager an opportunity to be heard. The Board may also suspend or cancel the registration of a Consent Manager where necessary to protect the interests of Data Principals, recording its reasons in writing.
III. Intimation of personal data breach:
On becoming aware of a personal data breach, a Data Fiduciary must, without delay, intimate each affected Data Principal in a concise, clear and plain manner. The intimation must describe the breach (its nature, extent, timing and location), its likely consequences for the Data Principal, the measures taken or proposed to mitigate the risk, the safety measures the Data Principal can take to protect her interests, and the business contact information of a person able to respond to queries. The Data Fiduciary must also intimate the Board without delay on becoming aware of the breach, and must within 72 hours of becoming aware of it (or such longer period as the Board allows on a written request) provide the Board with updated and detailed information on the breach, its cause, the remedial measures taken, and the intimations given to affected Data Principals.
IV. Time period for specified purpose to be deemed as no longer being served:
A Data Fiduciary processing personal data for a purpose specified in the Third Schedule of the Draft Rules shall erase that personal data if, during the period specified there, the Data Principal neither approaches the Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to the processing, unless retention is required by law. At least 48 hours before the end of that period, the Data Fiduciary must inform the Data Principal that her personal data will be erased unless she logs into her user account, approaches the Data Fiduciary for the specified purpose, or exercises her rights in relation to the processing.
V. Data of children or persons with disabilities:
A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before processing any personal data of a child. The Data Fiduciary must exercise due diligence to check that the person identifying herself as the parent is an adult and, where necessary to comply with any law in force in India, is identifiable. This check may rely on reliable identity and age details already available to the Data Fiduciary, on identity and age details voluntarily provided by the parent, or on a virtual token mapped to such details. Such a token must be issued by the Central Government or a State Government that maintains those details, or by a person appointed or permitted by such a government to issue it, and may also take the form of verified details or a token made available by a Digital Locker service provider.
Section 9(1) and Section 9(3) of the DPDP Act require Data Fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing any personal data of a child or a person with a disability, and prohibit tracking, behavioural monitoring and targeted advertising directed at children. These provisions shall not apply to the processing of a child's personal data by the classes of Data Fiduciaries specified in Part A of the Fourth Schedule of the Draft Rules, subject to the conditions listed there. Similarly, they shall not apply to the processing of a child's personal data for the purposes specified in Part B of the Fourth Schedule of the Draft Rules, subject to the conditions listed there.
VI. Processing of personal data outside India:
One of the most noteworthy provisions of the Draft Rules concerns the cross-border processing of personal data and the control it gives the Central Government over such processing. Where a Data Fiduciary, whether within or outside India, processes personal data in connection with offering goods or services to Data Principals within India, any transfer of that personal data to a country or territory outside India is subject to a restriction: the Data Fiduciary must meet whatever requirements the Central Government specifies, by general or special order, in respect of making such personal data available to a foreign State, or to any person or entity under the control of, or any agency of, such a State.
VII. The Board:
For the appointment of the chairperson and other members of the Board, the Central Government shall constitute a Search-cum-Selection Committee ("Committee") to recommend suitable candidates. The Committee will be chaired by the Cabinet Secretary, and its composition shall be as set out in the Draft Rules. The Central Government shall consider the Committee's recommendations and appoint suitable individuals to the Board. The Sixth Schedule of the Draft Rules sets out the terms and conditions of service of the officers and employees of the Board.
Further, the Draft Rules govern the salary, allowances and other service conditions of the chairperson and members of the Board. A detailed description of these conditions is provided in the Fifth Schedule of the Draft Rules, under which the chairperson shall be entitled to a consolidated salary of INR 4,50,000 (Indian Rupees Four Lakhs Fifty Thousand Only) per month and each member to INR 4,00,000 (Indian Rupees Four Lakhs Only) per month, with no entitlement to housing or a car. The Draft Rules require the chairperson to fix the date, time, place and agenda of Board meetings and to determine the other procedures of the Board, including how meetings are convened and conducted and how decisions are taken.
Importantly, the Draft Rules require the Board to function as a digital office, using technology to conduct its proceedings without requiring the physical presence of any person. This includes the adoption of techno-legal measures and the power to summon and examine individuals on oath. The aim is to streamline the Board's processes and enhance its overall operational efficiency.
The Draft Rules also set out the digital process for appealing to the Appellate Tribunal against an order or direction of the Board. Appeals shall be filed digitally and accompanied by a fee, which the chairperson of the Appellate Tribunal may reduce or waive. The Appellate Tribunal shall regulate its own procedure and function as a digital office, conducting proceedings without requiring physical presence while retaining the power to summon individuals and administer oaths.
VIII. Exemption from the DPDP Act:
The DPDP Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes, provided the processing is carried out in accordance with the standards specified in the Second Schedule of the Draft Rules.