Draft Digital Personal Data Protection Rules, 2025: A Comprehensive Overview

In August 2023, India took a significant step toward safeguarding personal data by enacting the Digital Personal Data Protection Act, 2023 (“DPDP Act”). This landmark legislation marked India’s first standalone data protection and privacy law. In January 2025, the Ministry of Electronics and Information Technology (“MeitY”) released the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”), inviting public feedback until March 5, 2025. These Draft Rules aim to operationalize the DPDP Act by providing a detailed framework for compliance, consent management, and data security. At Intervenor Legal Solutions, we are committed to helping our clients navigate this evolving legal landscape with precision and expertise. Below, we outline the key provisions of the Draft Rules and their implications for businesses and individuals.

Key Provisions of the Draft Rules

Consent Mechanisms for Data Principals

  1. Standalone Consent Notices: Data Fiduciaries—entities determining the purpose and means of processing personal data—must provide clear, standalone consent notices to Data Principals (individuals to whom the personal data relates). These notices, separate from other agreements, must use plain language to detail the personal data collected, the purpose of processing, and the rights of Data Principals under the DPDP Act.
  2. Explicit Consent Requirement: The Draft Rules mandate that Data Fiduciaries obtain informed, specific, and freely given consent before processing personal data. This includes providing an itemized list of the data collected and a clear explanation of the purposes and services enabled by such processing.
  3. Withdrawal of Consent: Data Principals must be informed of their right to withdraw consent at any time. Data Fiduciaries are required to establish accessible mechanisms to facilitate this process, ensuring flexibility and user control over personal data.

Role of Consent Managers

  1. Registration and Functionality: Indian companies meeting specified criteria can register with the Data Protection Board (“DPB”) as Consent Managers. These entities serve as intermediaries, enabling Data Principals to give, manage, review, or withdraw consent through transparent and interoperable platforms.
  2. Accountability: Consent Managers act on behalf of Data Principals and are accountable for compliance with the DPDP Act. However, concerns exist about the adequacy of enforcement mechanisms, as the DPB’s current powers are limited to issuing warnings or suspending/canceling registrations. Stronger penalties, such as fines, may be necessary to ensure accountability given the critical role Consent Managers play.

Security Safeguards

Data Fiduciaries must adopt robust security measures to protect personal data, including encryption, access controls, data backups, and monitoring logs. These safeguards extend to contracts with Data Processors, who handle personal data on behalf of Data Fiduciaries. Logs and data must be retained for one year unless otherwise required by law, ensuring traceability and accountability in case of breaches.

Rights of Data Principals

  1. Transparent Rights Publication: Data Fiduciaries and Consent Managers must publish clear instructions on their platforms, detailing how Data Principals can exercise their rights, such as accessing, amending, or erasing personal data. These instructions must include accessible methods, such as links and unique identifiers.
  2. Access and Erasure Requests: Data Principals can request access to or erasure of their personal data. Certain Data Fiduciaries, as notified under the Draft Rules, must erase personal data within three years from the last interaction with the Data Principal, unless retention is required for legal compliance.
  3. Grievance Redressal: Data Fiduciaries and Consent Managers must establish efficient grievance redressal systems with published response times to address Data Principals’ concerns promptly.
  4. Nomination Rights: Data Principals can nominate individuals to exercise their rights under the DPDP Act on their behalf, in accordance with applicable laws and the Data Fiduciary’s terms.

Cross-Border Data Transfer Restrictions

The Draft Rules empower the Central Government to impose restrictions on transferring personal data outside India, particularly to foreign states or entities under their control. A negative list of countries or specific conditions for cross-border data processing is expected, which will provide clarity on compliance requirements for global businesses.

Data Breach Notification

  1. Informing Affected Individuals: Data Fiduciaries must promptly notify Data Principals of any data breach, outlining its nature, consequences, mitigation measures, and a contact point for queries.
  2. Reporting to the DPB: Breaches must be reported to the Data Protection Board immediately, with detailed updates within 72 hours, including causes, mitigation steps, and measures to prevent recurrence.

Significant Data Fiduciaries (SDFs)

  1. Compliance Requirements: SDFs, to be notified by the Central Government based on factors like data volume and sensitivity, must conduct annual data protection impact assessments and audits. These reports must highlight significant findings and be submitted to the DPB.
  2. Data Localization: SDFs may face restrictions on transferring certain personal data outside India, with further details awaited from the Central Government. This could significantly impact sectors reliant on cross-border data flows, such as technology and e-commerce.

Protection of Children’s Data

  1. Parental Consent: Data Fiduciaries must obtain verifiable parental consent before processing children’s personal data, using reliable identity verification methods like digital tokens or locker services.
  2. Guardianship Verification: For persons with disabilities, Data Fiduciaries must verify the lawful appointment of guardians before processing their personal data, ensuring compliance with guardianship laws.

Government Exemptions and Powers

  1. National Security Exemptions: The Central Government may exempt itself from certain compliance obligations for national security or public order purposes.
  2. Information Requests: Data Fiduciaries may be required to provide information to the government for purposes outlined in the DPDP Act, with restrictions on third-party disclosures that could affect India’s sovereignty or security.

Research Exemptions

Personal data processing for research, archiving, or statistical purposes is exempt, provided it adheres to the standards outlined in the Draft Rules, balancing academic needs with data protection.

Key Implications for Businesses

  1. Operational Challenges: The stringent consent and localization requirements may pose challenges, particularly for smaller businesses with limited resources. Compliance with these rules will require significant operational adjustments.
  2. Ambiguity in Standards: While the Draft Rules provide a broad framework, their generic nature may lead to uncertainty in compliance standards. Detailed guidelines are needed to facilitate effective implementation.
  3. Global Business Impact: Data localization mandates could increase operational costs for businesses relying on international data centers. Conflicts with international regulations, such as the EU’s GDPR, may further complicate compliance for multinational companies.
  4. Public Consultation: The ongoing public consultation, extended to March 5, 2025, provides an opportunity for stakeholders to refine the Draft Rules, ensuring they balance privacy, security, and business needs.

How Intervenor Legal Solutions Can Help

At Intervenor Legal Solutions, we understand the complexities of navigating India’s evolving data protection landscape. As one of the best law firms in Delhi, with expertise in the Supreme Court, High Court, and District Court, we offer tailored legal strategies to ensure compliance with the DPDP Act and Draft Rules. Our team of seasoned attorneys provides:

  • Compliance Audits: Comprehensive assessments to align your data practices with the DPDP Act and Draft Rules.
  • Consent Management Solutions: Guidance on implementing robust consent mechanisms and managing Consent Manager obligations.
  • Data Breach Response: Strategic support for breach notifications and compliance with DPB reporting requirements.
  • Cross-Border Data Strategy: Expert advice on navigating data localization and international transfer restrictions.
  • Litigation Support: Robust representation in case of disputes or non-compliance issues, leveraging our deep expertise in the Delhi High Court.

With over 5,000 cases resolved and a client-centric approach, Intervenor Legal Solutions is your trusted partner in achieving compliance while safeguarding your business interests.

Conclusion

The Draft Digital Personal Data Protection Rules, 2025, represent a critical step toward strengthening India’s data protection framework. However, their implementation will require careful planning to address operational challenges, ensure compliance, and balance national security with global business realities. At Intervenor Legal Solutions, we are committed to guiding our clients through this transformative legal landscape with unparalleled expertise and dedication.