
The Ministry of Electronics and Information Technology published the Digital Personal Data Protection Rules, 2025 (DPDP Rules) on 3rd January 2025 for public consultation. The comprehensive Rules set out to implement the Digital Personal Data Protection Act, 2023. Some of the key highlights of the DPDP Rules are:

  1. Notice Requirements for Data Fiduciaries (Rule 3)
    • The notice provided to the Data Principal must be clear, independently understandable, and written in plain language, detailing the personal data being processed, its specific purpose, and the goods or services associated with such processing.
    • The notice must include a direct link to the Data Fiduciary’s website or app and explain how the Data Principal can withdraw consent, exercise their rights under the Act, and file complaints with the Board, ensuring ease of use comparable to the process of giving consent.
  2. Obligations of Consent Manager (Rule 4)
    • The Consent Manager must enable Data Principals to track, manage and give consent for personal data processing, ensure data security, and maintain transparent records for at least seven years. They must also avoid conflicts of interest and publish relevant company details for transparency.
    • The Consent Manager must take security measures to prevent data breaches, act in a fiduciary capacity, and implement regular audits to ensure compliance. They cannot transfer control of their company without prior approval from the Board.
    • If the Board believes a Consent Manager is not following required conditions, it can notify the Consent Manager, provide an opportunity to respond, and order corrective actions. To protect Data Principals, the Board may suspend/cancel the Consent Manager’s registration and issue further instructions. The Board may also request any information from the Consent Manager for this purpose.
  3. Reasonable Security Safeguards to be undertaken by the Data Fiduciaries (Rule 6)
    • A Data Fiduciary must implement appropriate security measures to protect personal data, including encryption, obfuscation, access controls, activity logs for detecting and addressing unauthorized access, data backups, and measures to ensure continued processing during data breaches or compromises.
    • The Data Fiduciary must retain logs and relevant data for at least one year (or longer, as required by law), include security safeguard obligations in contracts with Data Processors, and adopt technical and organizational measures to ensure compliance with these safeguards.
  4. Intimation of Personal Data Breach (Rule 7)
    • Upon discovering a personal data breach, the Data Fiduciary must promptly notify affected Data Principals with clear and concise information, including the nature and consequences of the breach, measures taken to mitigate risk, safety actions the Data Principal can take, and contact details for inquiries.
    • The Data Fiduciary must inform the Board without delay, providing an initial description of the breach, and submit detailed updates within 72 hours (or longer with written approval), including the circumstances and causes of the breach, mitigation measures, and actions taken to prevent recurrence.
  5. Time Period for Erasure of Personal Data (Rule 8)
    • A Data Fiduciary must erase personal data once the specified time period for processing has passed, unless retention is required by law, provided the Data Principal has not approached the Fiduciary or exercised their rights during this period.
    • The Data Fiduciary must notify the Data Principal at least 48 hours before the erasure deadline, to inform them that their data will be erased unless they log in or initiate contact to exercise their rights or continue the specified purpose.
  6. Verifiable Consent for Processing Personal Data of Children or Persons with Disabilities (Rule 10)
    • A Data Fiduciary must obtain verifiable parental consent before processing a child’s personal data, verifying the parent’s identity using reliable or voluntarily provided identity details, or through a virtual token issued by a recognized authority.
    • When obtaining consent from the guardian of a person with disability, the Data Fiduciary must verify that the guardian has been appointed by a court or designated authority, in accordance with guardianship laws.
  7. Additional Obligations of Significant Data Fiduciary (Rule 12)
    • A Significant Data Fiduciary must conduct a Data Protection Impact Assessment and an audit every 12 months, submit a report with key findings to the Board, and ensure that any algorithmic software it uses does not pose a risk to Data Principals’ rights.
    • The Data Fiduciary must implement measures to restrict the transfer of specified personal and traffic data outside India, in line with Government recommendations.
  8. Rights of Data Principal (Rule 13)
    • Data Fiduciaries and Consent Managers must provide clear instructions on their website or app for Data Principals to exercise their rights, including access to personal data, erasure, and nomination of individuals, and must specify how identification details, if necessary, will be used.
    • They must also publish grievance redressal timelines and implement measures to ensure the effective handling of complaints, as well as allow Data Principals to nominate individuals in accordance with applicable terms and laws.
  9. Processing of Personal Data Outside India (Rule 14)
    • Data Fiduciaries must comply with requirements set by the Government before a transfer of personal data outside India, especially if the data is related to activities offering goods or services to Data Principals within India.
  10. Appeal to Appellate Tribunal (Rule 21)
    • Appeals to the Appellate Tribunal must be filed digitally, follow the procedure specified on its website, and are subject to a fee payable digitally via approved payment systems.
    • The Appellate Tribunal operates with flexibility in procedure, guided by natural justice, and may use technology to conduct proceedings.

Conclusion

While the DPDP Rules are a step forward in ensuring robust data protection under the Act, the Government must clarify and address several issues, such as the restriction on cross-border transfers, the identification of Significant Data Fiduciaries, guidelines on government-maintained databases, and the challenges small and medium enterprises (SMEs) may face with technology-intensive upgrades for compliance. These gaps create a potential conflict of laws and raise questions about the State’s authority to request information in the absence of the safeguards established in other legislative frameworks. It is important that the Government consider and deliberate on behalf of all stakeholders. This will mitigate data breaches and ensure strong data privacy rights, balancing state interests with economic growth and innovation.