The Ministry of Electronics and Information Technology on 3 January 2025 released the draft Digital Personal Data Protection Rules, 2025 (Rules) for public feedback, with the consultation period running until 18 February 2025. These Rules offer critical guidance for implementing the Digital Personal Data Protection Act, 2023 (DPDPA), marking a pivotal advancement in India’s data protection framework. Our note on the DPDPA can be viewed here. These Rules shall regulate matters necessary to give effect to the provisions of the DPDPA, including timelines for enforcement and definitions to be construed in line with the DPDPA. This update briefly summarizes the Rules below.
Notice: The notice provided by the Data Fiduciary to the Data Principal must be independently understandable without reliance on other information. It needs to clearly detail the personal data to be processed along with its specified purpose, including an itemised description of personal data sought to be processed, a description of the goods or services to be provided or the uses to be enabled, or an itemised description thereof. It also needs to include a communication link to the Data Fiduciary’s website or app or other means, allowing the Data Principal to exercise her rights under the DPDPA, withdraw her consent with ease comparable to the manner in which it was given, and make complaints to the Data Protection Board (Board).
Consent Manager: Consent Managers must be from companies incorporated in India with sufficient technical, operational, and financial capacity to fulfill obligations as a Consent Manager. They must have a net worth of a minimum of INR 20 million and maintain transparency by disclosing key company details on their website and/or apps, such as (a) the promoters, directors, key managerial personnel, and senior management of the company registered as Consent Managers; (b) every person who holds shares in excess of two percent of the shareholding of the company registered as a Consent Manager, (c) every body corporate in whose shareholding any promoter, director, key managerial personnel or senior management of the Consent Manager holds shares above two percent as on the first day of the preceding calendar month.
The Consent Managers shall enable Data Principals using the Consent Manager’s website and/or app to consent to processing their personal data by a Data Fiduciary. Consent Managers must act in a fiduciary capacity toward Data Principals, avoiding conflicts of interest with Data Fiduciaries. Consent Managers should also ensure that the manner of making available the personal data or sharing it is such that the contents are not readable by them. Consent Managers must maintain digital records of consent actions and data sharing, implement audit mechanisms, and report compliance to the Board. Subcontracting or transferring control requires prior approval from the Board.
Reasonable Security Safeguards: A Data Fiduciary must protect personal data in its possession or control, including data processed by a Data Processor on its behalf, by implementing reasonable security safeguards to prevent breaches. These safeguards must include, at a minimum: (a) encryption, obfuscation, or masking of data; (b) access control measures for computer resources; (c) logging and monitoring access to detect, investigate, and remediate unauthorised access; (d) maintaining data backups to ensure continued processing in case of compromise; (e) retaining logs and personal data for at least one year unless otherwise required by law; (f) contractual provisions with Data Processors mandating reasonable security safeguards; and (g) technical and organisational measures to ensure effective implementation of these safeguards.
Breach of Personal Data: Upon becoming aware of a personal data breach, a Data Fiduciary must promptly inform each affected Data Principal in a concise, clear, and plain manner through their user account or other registered communication channels. This notification must include (a) a description of the breach (nature, extent, timing, and location); (b) likely consequences relevant to the Data Principal; (c) measures taken or being taken to mitigate risks; (d) safety measures the Data Principal can take; and (e) contact details of a representative who can respond to queries. The Data Fiduciary must also notify the Board immediately, providing a description of the breach and its likely impact. Within 72 hours, or within a longer period allowed by the Board, the Data Fiduciary must submit detailed information, including the events leading to the breach, mitigation measures, any findings on the person responsible, remedial actions to prevent recurrence, and a report on notifications made to affected Data Principals. "User account" refers to the online account or contact information enabling the Data Principal to access the services of the Data Fiduciary.
Limit on Retention Period: The Rules set a maximum retention period of 3 years for personal data from the last Data Principal request or the commencement of the Rules for certain Data Fiduciaries, such as e-commerce entities, social media intermediaries with 2 crore+ users, and online gaming intermediaries with 50 lakh+ users. Exceptions apply for purposes like account access or virtual tokens. Data Fiduciaries must notify Data Principals 48 hours before deleting their data if no further contact is made for specified purposes or rights.
Processing Personal Data of Children or Persons with Disabilities: A Data Fiduciary must implement appropriate technical and organizational measures to obtain verifiable consent from a parent before processing a child’s personal data. The Data Fiduciary must verify that the individual claiming to be the parent is an adult, and their identity can be verified through reliable details of identity and age or voluntarily provided information, such as a virtual token issued by an authorized entity, including a Digital Locker service provider. When obtaining consent from an individual identifying as the lawful guardian of a person with a disability, the Data Fiduciary must verify that the guardian has been appointed by a court of law, a designated authority, or a local-level committee, as per the relevant guardianship laws.
Significant Data Fiduciary: A Significant Data Fiduciary must conduct a Data Protection Impact Assessment and audit every twelve months from its notification or inclusion in the notified class of Data Fiduciaries to ensure compliance with the DPDPA and the Rules. The person conducting the assessment and audit must submit a report with significant observations to the Board. The Significant Data Fiduciary must also exercise due diligence to ensure that any algorithmic software it deploys for handling personal data does not pose risks to the rights of Data Principals. Additionally, it must ensure that specified personal data and associated traffic data, as determined by the Central Government based on recommendations from a constituted committee, are processed under restrictions preventing their transfer outside India.
Rights of Data Principal: Under the DPDPA, Data Fiduciaries and, where applicable, Consent Managers must publish on their websites or apps the means through which Data Principals can exercise their rights, including the necessary particulars for identification, such as a username or other identifiers. Data Principals can request access to or erasure of their personal data from the Data Fiduciary to whom they have given consent, using the published means and particulars. The Data Fiduciaries and Consent Managers must also provide information on their grievance redressal system, including the response period, and implement appropriate technical and organizational measures to ensure timely responses. Additionally, Data Principals may nominate one or more individuals to exercise their rights under the terms of service of the Data Fiduciary, providing the necessary particulars. The term "identifier" refers to any sequence of characters issued by the Data Fiduciary, such as customer IDs or application reference numbers, that enables the identification of the Data Principal.
Processing of Personal Data Outside India: The transfer of personal data processed by a Data Fiduciary, either within India or outside India, in connection with offering goods or services to Data Principals in India is subject to restrictions. The Data Fiduciary must comply with the requirements specified by the Central Government, through general or special order, when making personal data available to any foreign state, person, entity, or agency under the control of such a state.
Exemptions: The Rules exempt clinical establishments, healthcare professionals, educational institutions, and childcare facilities from certain DPDPA restrictions on behavioural monitoring of children for purposes like healthcare, education, and child safety. Also, Personal Data may be processed for research, archiving, or statistical purposes if it is lawful, necessary, accurate, and retained only as required, with measures to prevent breaches and ensure Data Principal rights are upheld. Data Fiduciaries are accountable for compliance.
Data Protection Board of India: The Central Government will establish a Search-cum-Selection Committee to recommend individuals for the position of Chairperson and other Members of the Board. The Board shall function as a digital office and can adopt techno-legal measures to conduct its proceedings. The government has tried to guarantee the independence of the Board Members by ensuring that Board Members with a conflict of interest in any matter will not participate or vote on that item, with decisions made by the majority of the other Members.
Calling for Information from Data Fiduciary or Intermediary: The Central Government may require any Data Fiduciary or intermediary to provide information within a specified time period. If the disclosure of such information could harm India’s sovereignty, integrity, or security, the Data Fiduciary or intermediary must not disclose it without prior written permission from the authorized person.
MHCO Comment: The Rules mark a significant step toward strengthening data protection and privacy in India by implementing the provisions of the Digital Personal Data Protection Act of 2023. By outlining detailed procedures for consent management, data security, breach notification, and the processing of personal data, the Rules aim to ensure transparency, accountability, and protection of personal information.
As the consultation period progresses, stakeholders' feedback will likely shape the final version of the Rules, ensuring they are adaptable and robust enough to address India’s ever-evolving data protection landscape.
This article was released on 7 January 2025.
The views expressed in this update are personal and should not be construed as any legal advice. Please contact us for any assistance.