A Comprehensive Overview of India’s Draft DPDP Rules 2025

Written by admin



This article delves into India’s Draft Digital Personal Data Protection (DPDP) Rules 2025, highlighting key provisions, consent management, data fiduciaries, cross-border data transfers, and recommendations for compliance in the evolving digital landscape.

In today’s digital world, every click and swipe records a fraction of our choices, and that data is stored on servers across the world, where it accumulates into a digital profile. This personal data is more than numbers and identifiers: it reflects an individual’s preferences and their personal and professional lives. Securing it is not just a matter of compliance but of upholding trust in the digital age, where every click and transaction can expose vulnerabilities if not properly safeguarded. To address these concerns, the Indian government enacted the Digital Personal Data Protection Act, 2023 (“Act”), a landmark legislation that aims to protect individuals’ data and promote transparency and accountability in the digital ecosystem. The Draft Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), issued by the Ministry of Electronics and Information Technology, operationalize various provisions of the Act and clarify what compliance under it requires. Stakeholders are invited to submit objections and suggestions on the DPDP Rules by February 18, 2025.

Important definitions

Consent Manager: An entity responsible for managing individuals’ consent for data processing. To be registered, a Consent Manager must be a company incorporated in India, have a minimum net worth of ₹2 crores, and maintain a certified interoperable platform enabling Data Principals to manage their consent.

Data Principal: The individual to whom the personal data relates. Data Principals have rights, including the right to access, correct, and erase their data.

Data Fiduciaries: Entities such as social media platforms, e-commerce companies and online gaming platforms that determine the purpose and means of processing an individual’s personal data are Data Fiduciaries. They may process such data only for the specified purposes to which the individual has consented, or for the legitimate uses the Act recognises.

Digital platforms with a large user base, such as Facebook, Instagram or Netflix, are likely candidates to be notified as Significant Data Fiduciaries. The designation is not automatic: the Central Government makes it under Section 10 of the Act on the basis of factors such as the volume and sensitivity of the personal data processed and the risk to the rights of Data Principals.

Key Provisions of the DPDP Rules

Rule 3 corresponds with Section 6(10) of the Act, under which Data Fiduciaries must give Data Principals transparent and easily comprehensible notices about their data processing activities. These notices must be presented on their own, independent of other information, in clear and simple language, so that the consent they request is informed. They must also include the essential details: the purpose of processing, the personal data being collected, the means of withdrawing consent and of exercising rights, and the manner in which a complaint may be made to the Data Protection Board. This equips Data Principals to make informed decisions about their data.

Rule 4 corresponds with Section 6(9) of the Act and sets out what registered Consent Managers must do. A Consent Manager acts as a single point of contact through which a Data Principal can give, manage, review and withdraw consent, so the Rule requires a secure, accessible and interoperable platform for doing so, independence from the Data Fiduciaries whose processing the consents cover so that there is no conflict of interest, and transparency through public disclosure of key personnel and ownership details, thereby fostering trust and accountability in the consent management process.

The First Schedule of the draft Rules outlines the detailed obligations of Consent Managers. These managers must operate independently, ensuring there is no conflict of interest between their senior management or directors and the Data Fiduciaries they serve. They are prohibited from subcontracting or delegating their responsibilities and are required to conduct regular reviews to maintain ongoing compliance with the rules. Non-compliance with these requirements could result in the suspension or cancellation of their registration. These provisions, backed by the comprehensive draft rules, ensure that Consent Managers uphold high standards of transparency, security, and fiduciary responsibility when managing personal data.

Rule 5 aligns with Section 7(b) of the Act and permits the State and its instrumentalities to process personal data to provide subsidies, benefits, services, certificates, licenses, or permits under legal or policy frameworks that involve public funds. This processing must comply with the specific standards outlined in Schedule II, which ensures that personal data is handled lawfully, transparently, and securely. The data must be accurate, retained only for the necessary duration, and protected with appropriate security measures to prevent breaches. Data Principals must be informed about the processing and provided with clear methods to exercise their rights.

Rule 6 corresponds with Section 8 of the Act and sets out the minimum reasonable security safeguards a Data Fiduciary must adopt to protect personal data and prevent breaches. These include encryption, obfuscation or masking of the data, and access control over the systems that hold it, together with logging and monitoring so that unauthorised access can be detected, investigated and remediated. Data Fiduciaries must also retain these logs and the associated personal data for a minimum of one year so that an incident can be reconstructed. Practitioners should note that access logs and backups are themselves stores of personal data: the same safeguards, access controls and erasure discipline apply to them as to the primary data.

Rule 7 corresponds to Section 8(6) of the Act and requires prompt notification of every personal data breach. Affected Data Principals must be informed without delay, in clear terms, of the nature, extent and timing of the breach, its likely consequences, and the measures being taken to mitigate it. The Data Protection Board must also be intimated without delay and, within 72 hours (a period the Board may extend), be given a detailed report on the breach and the remedial actions being implemented.

Rule 8 corresponds to Sections 8(7) and 8(8) of the Act. Data Fiduciaries must erase personal data once the specified purpose for which it was collected is no longer being served. For the classes of Data Fiduciary listed in the Third Schedule, the purpose is deemed no longer served once the Data Principal has neither approached the Data Fiduciary for that purpose nor exercised any right for the period set out there. At least 48 hours before erasure, the Data Fiduciary must notify the Data Principal, who can keep the data alive by engaging with the Data Fiduciary for the specified purpose or exercising their rights.
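The following is an added example, not code from the draft Rules or from this article, of how a Data Fiduciary might schedule the Rule 8 sequence of notice, then erasure. It assumes that each record carries the time the Data Principal last engaged with the specified purpose and that the retention period is a parameter (the Third Schedule fixes it per class of Data Fiduciary); the record type and the notice and erase functions are illustrative stand-ins for the real messaging and deletion.

```python
# Added example (not code from the draft DPDP Rules or from this article):
# a retention and erasure scheduler in the spirit of Rule 8. Assumptions:
# each record carries the time the Data Principal last engaged with the
# specified purpose; the retention period is supplied by the caller (the
# Third Schedule sets it per class of Data Fiduciary); notices and erasure
# are represented by flags rather than real messages or deletes.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

NOTICE_LEAD = timedelta(hours=48)   # Rule 8: notify at least 48 hours before erasure


@dataclass
class Record:
    principal_id: str
    last_purpose_served: datetime           # last engagement for the specified purpose
    notice_sent_at: Optional[datetime] = None
    erased: bool = False


def erasure_due_at(rec: Record, retention: timedelta) -> datetime:
    """Earliest time at which the purpose is deemed no longer served."""
    return rec.last_purpose_served + retention


def plan(records: List[Record], retention: timedelta,
         now: datetime) -> Tuple[List[Record], List[Record]]:
    """Split live records into those needing a pre-erasure notice now and
    those that may be erased now. Re-engagement after a notice cancels it."""
    to_notify: List[Record] = []
    to_erase: List[Record] = []
    for rec in records:
        if rec.erased:
            continue
        due = erasure_due_at(rec, retention)
        # The Data Principal engaged after the notice went out: the clock
        # restarts from that engagement and the stale notice is dropped.
        if rec.notice_sent_at is not None and rec.last_purpose_served > rec.notice_sent_at:
            rec.notice_sent_at = None
        if rec.notice_sent_at is None:
            if now >= due - NOTICE_LEAD:
                to_notify.append(rec)
            continue
        # Erase only once the period has run AND the notice is at least 48h old.
        if now >= due and now >= rec.notice_sent_at + NOTICE_LEAD:
            to_erase.append(rec)
    return to_notify, to_erase


def send_notice(rec: Record, now: datetime) -> None:
    rec.notice_sent_at = now   # stand-in for the actual notice to the Data Principal


def erase(rec: Record) -> None:
    rec.erased = True          # stand-in for deleting the data (and any processor copies)


def run_demo() -> dict:
    """Walk two constructed records through the schedule; returns the outcome."""
    retention = timedelta(days=3 * 365)            # illustrative period, not the Schedule's text
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    dormant = Record("p-dormant", last_purpose_served=t0)
    active = Record("p-active", last_purpose_served=t0)
    records = [dormant, active]
    due = erasure_due_at(dormant, retention)

    # 72h before the period runs out: too early for a notice.
    early_notify, _ = plan(records, retention, due - timedelta(hours=72))
    # Exactly 48h before: both principals are notified.
    to_notify, _ = plan(records, retention, due - NOTICE_LEAD)
    for rec in to_notify:
        send_notice(rec, due - NOTICE_LEAD)
    # The active principal comes back for the purpose 24h before the deadline.
    active.last_purpose_served = due - timedelta(hours=24)
    # At the deadline: only the dormant record is erased.
    _, to_erase = plan(records, retention, due)
    for rec in to_erase:
        erase(rec)
    return {
        "early_notify": [r.principal_id for r in early_notify],
        "notified": [r.principal_id for r in to_notify],
        "erased": [r.principal_id for r in records if r.erased],
        "kept": [r.principal_id for r in records if not r.erased],
        "active_notice_cleared": active.notice_sent_at is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The re-engagement check is the part worth copying: a notice is not a commitment to erase. If the Data Principal comes back for the specified purpose after the notice, the record drops out of the erasure queue and its clock restarts from that engagement, which is exactly the behaviour the 48-hour notice exists to allow.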

Rule 9, in line with Section 8(9) of the Act, requires Data Fiduciaries to publish the business contact information for their Data Protection Officer or a designated point of contact for Data Principals to inquire about the processing of their data. This contact information must be clearly displayed on the Data Fiduciary’s website and app and also included in all communications with Data Principals regarding the exercise of their rights under the Act. The information should be easily accessible and prominently featured, ensuring that Data Principals can easily reach out with any concerns or questions about how their data is being processed.

Rule 10, corresponding to Section 9 of the Act, mandates that a Data Fiduciary must obtain verifiable consent from a parent before processing the personal data of a child (an individual under eighteen), and from a lawful guardian for a person with a disability. The Fiduciary must implement technical and organisational measures to ensure that the individual providing consent is an identifiable adult, using reliable identity and age details. For persons with disabilities, the lawful guardian must be verified as appointed by a court, designated authority or local committee, as per the applicable laws on guardianship. This ensures responsible and lawful data processing for vulnerable groups.

Rule 11, in accordance with Section 9 of the Act, permits certain Data Fiduciaries to process children’s data for critical purposes such as health, education, safety, and legal obligations, subject to strict conditions ensuring that the processing is limited and necessary, prioritizing the child’s best interests. These exemptions are outlined in Schedule IV, which specifies the categories of Data Fiduciaries and purposes eligible for these provisions. Part A of Schedule IV identifies eligible Data Fiduciaries, including healthcare providers, educational institutions, and childcare services, exempt from specific requirements related to children’s data. Part B defines the purposes for these exemptions, such as complying with legal obligations, delivering subsidies or benefits to children, creating user accounts for communication, or restricting access to harmful content. In all cases, the processing of children’s data is limited to what is strictly necessary for achieving the intended purpose, ensuring that the child’s welfare remains the primary focus.

Rule 12 corresponds to Section 10 of the Act, under which Significant Data Fiduciaries (SDFs) must conduct a Data Protection Impact Assessment and an audit once every twelve months and submit a report of the key findings to the Data Protection Board. SDFs must exercise due diligence to verify that the algorithmic software they deploy does not put the rights of Data Principals at risk. The Rule also re-introduces data localisation: SDFs must ensure that the categories of personal data, and the traffic data relating to its flow, that the Central Government specifies are processed only within India and are not transferred outside it. Those categories are to be determined on the recommendation of a committee constituted by the Central Government.

Rule 13 corresponds to Sections 11 to 14 of the Act and provides for the rights of a Data Principal. Data Principals are granted significant control over their data, with the right to access and rectify their information to ensure accuracy. They can also request the erasure of data that is no longer necessary for its original purpose. Additionally, Data Principals have the option to nominate a representative to exercise these rights on their behalf, providing an added layer of convenience and support.

Rule 14 corresponds to Section 16 of the Act and subjects the processing and transfer of personal data outside India to the restrictions the Central Government specifies. A Data Fiduciary that processes personal data within India, or outside India in connection with offering goods or services to Data Principals in India, must comply with any requirements the Central Government lays down before making such data available to a foreign State or to a person under its control.

Rule 15 aligns with Section 17(2)(b) of the Act and states that the Act’s provisions will not apply when personal data is processed for purposes such as research, archiving, or statistical analysis, provided the processing is not used to make decisions about specific individuals (Data Principals). This exemption is reiterated in the draft rule, which emphasizes that such processing must comply with the data protection standards outlined in Schedule II of the draft Rules. The primary objective of this exemption is to facilitate the use of personal data for critical purposes like academic research, public policy development, and other non-commercial uses. These activities often require large datasets, and the exemption ensures that such processing can occur without the administrative hurdles typically associated with compliance under the Act. However, safeguards are mandated to ensure that personal data is handled responsibly, lawfully, and securely, even when used for these purposes.

Rules 16–20 Governance Framework for Data Protection Board 

The Data Protection Board (DPB) is established as a digital-first office, empowered to conduct digital summons and proceedings, marking a significant shift towards efficient and technology-driven governance. Furthermore, the Fifth Schedule outlines the salaries and allowances for DPB members, providing transparency and clarity on compensation. At its core, the DPB’s governance and decision-making processes prioritize efficiency and fairness, ultimately ensuring effective oversight and enforcement of data protection regulations.

Rule 21, which corresponds to Section 29 of the Act, mandates that all appeals and related documents must be filed digitally before the Appellate Tribunal. The Appellate Tribunal, constituted under the Telecom Regulatory Authority of India Act, 1997, will adjudicate disputes arising under the DPDP Act and Rules. The Tribunal will operate as a digital court, with the authority to establish its own procedures based on natural justice principles, and will not be bound by the Code of Civil Procedure, 1908. Leveraging technology, the Tribunal will conduct digital proceedings, eliminating the need for physical presence, while retaining the power to summon individuals and administer oaths when necessary, enabling a more flexible and efficient appeal process.

Rule 22 corresponds to Section 36 of the Act and states that the Central Government, through authorized persons listed in the Seventh Schedule, can require Data Fiduciaries or intermediaries to provide information for purposes specified under the Act. The government can also restrict the disclosure of such information if it might harm the sovereignty, integrity, or security of India, requiring prior written permission from the authorized person for disclosure. Providing this information is considered an obligation under Section 36 of the Act, ensuring accountability and compliance while safeguarding national interests.

Analysis and Recommendations 

The Act and its rules have far-reaching implications, affecting nearly all businesses with digital interfaces. Notable developments, including the re-introduction of data localization requirements and a heightened focus on consent management, represent substantial advancements in the framework. However, the draft rules’ ambiguities have raised industry concerns, highlighting the need for clearer guidelines and more specific provisions to facilitate compliance.

  1. Concerns Over Discretionary Powers and Cross-Border Data Transfer – The draft rules grant considerable discretionary authority to both the Union Government and Data Fiduciaries. Rule 5 grants the Government broad powers to process personal data for issuing subsidies, benefits, services, certificates, licences or permits under Section 7(b) of the Act, without clearly defined limits. This lack of specificity may lead to concerns over the potential misuse of these powers. Rule 11 allows the Government to determine exemptions, and Rule 14 gives the Government the authority to set standards for cross-border data transfer, raising concerns about jurisdictional overlaps. Overlapping orders restricting the transfer of personal data from different jurisdictions, particularly where the Data Fiduciary intending to transfer the data is located outside India, need to be addressed. These concerns should be clarified and explicitly detailed in the draft rules to ensure that personal data remains protected as the Act intends.
  2. Challenges in Identifying Minors for Parental Consent – The draft rules primarily rely on self-declaration by users to determine whether they are minors, which may lead to the collection of additional data from parents and guardians. This approach raises concerns about how to manage individuals who cannot independently disclose their status, particularly those with disabilities. The rules should address how to handle cases involving individuals who are unable to self-declare, ensuring that their rights are protected without over-collection of personal data.
  3. Ensuring Accurate Age Verification – Further clarification is needed on how Data Fiduciaries can prevent children from falsely identifying as adults. There is also uncertainty about how to verify the parent-child relationship during the creation of user accounts, beyond relying on self-declaration. Clear guidelines should be established for Data Fiduciaries on using more secure and reliable methods, such as biometric verification or third-party age verification services, to confirm the identity of minors and their legal guardians, ensuring the integrity of the consent process. Any such method should itself be designed for data minimisation: the verifier should receive only the attribute needed (that the person is an adult, or is the child’s parent), and identity documents or biometric data gathered for the check should not be retained once it is complete, otherwise the remedy for item 2 becomes a new over-collection problem.
  4. Uncertainty in Sector-Specific Guidelines – While the draft rules address certain sectors like e-commerce, online gaming and social media, they fail to provide clear guidance for other key sectors, such as healthcare, education and fintech. Explicit inclusion of these industries in the rules would help prevent confusion and ensure comprehensive coverage. Additionally, sector-specific guidance should be provided, addressing the unique data protection concerns and requirements of each sector to ensure consistent and effective implementation.
  5. Complexities in Managing Consent – Businesses may face significant challenges in managing consent, especially when it comes to maintaining consent records and allowing withdrawals for specific purposes. These tasks could require substantial updates to application design and infrastructure to comply with the law. A standardised consent management framework that businesses can integrate into their existing systems, along with a clear timeline for the necessary updates to meet compliance, could be introduced.
  6. Unclear Handling of Existing Digital Data – Although the draft rules allow flexibility and innovation, they raise uncertainties about how businesses should handle existing data in the digital space. The broad, principle-based approach of the Act leaves companies to interpret its requirements, potentially causing delays in compliance and resulting in inconsistencies across industries. Clearer, sector-specific guidance is essential to ensure smooth implementation and build trust in the new data protection framework.
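As an added example, not code from the draft Rules or from any registered Consent Manager, the following ledger shows the minimum a Data Fiduciary’s own systems need for the record-keeping and per-purpose withdrawal challenge described in item 5: consent tied to a purpose and to the data categories it covers, withdrawal that affects only that purpose, every processing call gated on the latest ledger entry rather than on a cached flag, and an append-only history that can be produced on request. The class and function names, the sample principal and the sample purposes are assumptions made for the illustration.

```python
# Added example (not the draft DPDP Rules' framework nor any registered
# Consent Manager's API): a purpose-bound, append-only consent ledger of the
# kind a Data Fiduciary needs to keep consent records and honour per-purpose
# withdrawal. Assumptions: consent is recorded per (principal, purpose) with
# the data categories it covers; withdrawal is per purpose; processing is
# gated on the latest event for that purpose.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    data_categories: Tuple[str, ...]   # empty for a withdrawal
    granted: bool                      # True = given, False = withdrawn
    at: datetime


class ConsentError(Exception):
    """Raised when processing is attempted without live, matching consent."""


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []   # append-only; never edited in place

    def grant(self, principal_id: str, purpose: str, data_categories, at: datetime) -> None:
        self._events.append(
            ConsentEvent(principal_id, purpose, tuple(sorted(data_categories)), True, at))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal is scoped to one purpose; other purposes are untouched.
        self._events.append(ConsentEvent(principal_id, purpose, (), False, at))

    def latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, principal_id: str, purpose: str, data_category: str) -> bool:
        """Live consent for this purpose that also covers this data category."""
        ev = self.latest(principal_id, purpose)
        return ev is not None and ev.granted and data_category in ev.data_categories

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """What a Data Principal (or the Board) would be shown on request."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def process(ledger: ConsentLedger, principal_id: str, purpose: str, data_category: str) -> str:
    """Gate every processing operation on the ledger instead of on a cached flag."""
    if not ledger.may_process(principal_id, purpose, data_category):
        raise ConsentError(f"no live consent for {data_category!r} under {purpose!r}")
    return f"processed {data_category} for {purpose}"   # stand-in for the real operation


def run_demo() -> dict:
    """Constructed walkthrough: two purposes, one withdrawn, one still live."""
    ledger = ConsentLedger()
    t = datetime(2025, 1, 10, tzinfo=timezone.utc)
    ledger.grant("p1", "order_fulfilment", ["name", "address"], t)
    ledger.grant("p1", "marketing", ["email"], t)
    before = {
        "address_for_orders": ledger.may_process("p1", "order_fulfilment", "address"),
        "email_for_marketing": ledger.may_process("p1", "marketing", "email"),
        # Consent for marketing does not extend to categories it never covered.
        "address_for_marketing": ledger.may_process("p1", "marketing", "address"),
    }
    ledger.withdraw("p1", "marketing", t.replace(day=11))
    try:
        process(ledger, "p1", "marketing", "email")
        marketing_blocked = False
    except ConsentError:
        marketing_blocked = True
    return {
        **before,
        "marketing_blocked_after_withdrawal": marketing_blocked,
        "orders_still_allowed": ledger.may_process("p1", "order_fulfilment", "address"),
        "history_length": len(ledger.history("p1")),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the compliance weight. The ledger is append-only, so a withdrawal is a new event rather than an edit of the grant, and the full sequence of grants and withdrawals survives for the Data Principal, the Consent Manager or the Board to inspect. And the gate checks both the purpose and the data category, which is what stops consent collected for order fulfilment from silently covering marketing or covering categories the notice never mentioned.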

Conclusion

The Digital Personal Data Protection Act and its draft rules represent a significant step towards safeguarding personal data in India’s digital ecosystem. However, ambiguities regarding discretionary powers, cross-border data transfers, age verification, and sector-specific guidelines raise concerns. Clearer provisions and practical solutions are needed to ensure compliance, transparency, and data security across industries.