From Principles to Practice: A Deep Dive into India’s Draft DPDP Rules
On 11 August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), establishing a
framework for the collection, use, and governance of personal data. The Act builds on principles such as fairness,
lawful processing, and accountability, which set the foundation for defining the rights and obligations of data
fiduciaries, processors, and principals. The government has now taken an important step towards
operationalizing the Act by releasing the draft DPDP Rules (Draft Rules) for public consultation. Comments can be
submitted before 18 February. The Draft Rules serve as a preview of the regulatory expectations
organizations may need to align with. Below we analyse and summarize the Draft Rules and unpack their implications.
Breaking down the draft rules
1.  When will the Rules come into effect? There is a phased timeline for implementation. Provisions
    relating to the Data Protection Board (Rules 16-20) will take effect upon notification in the official
    gazette, while the key operational requirements (Rules 3-15, 21, and 22) will be implemented later, without
    a specific timeline. This approach should give businesses and organizations time to align their
    operations, though clarity on specific timelines will be crucial for effective preparation.
2.  How should businesses provide a notice for consent? Businesses must provide clear, standalone
    notices to users about how their personal data will be handled (Rule 3). These must specify what
    personal data will be processed, its intended purpose, and the exact goods, services, or outcomes it
    enables. They must also include a link to the company's website or app, explain how users can withdraw
    consent as easily as they gave it, and outline how users can exercise their rights under the Act or lodge
    complaints with the Data Protection Board (DPB). Businesses will have to consider how to balance
    transparency with practicality, especially as processing activities evolve.
3.  Who are Consent Managers (CM)? Consent Managers (CM) enable users to give, manage, review, and
    withdraw their consent for the processing of their personal data by Data Fiduciaries (DF) (Rule 4 and First
    Schedule). To become a CM, a company must register with the DPB, meet certain conditions, and
    adhere to certain obligations. CMs must operate independently and avoid any conflict of interest with
    DFs.
4.  How can government organizations process personal data? Government organizations can process
    personal data to deliver subsidies, benefits, services, licenses, or permits. There are guidelines:
    processing must be lawful and necessary, data retention should be limited, and robust security
    safeguards are a must. Government organizations must also ensure that data is accurate and inform
    individuals about how their data is being used. Individuals must have consented to receive the benefit,
    or it must be provided under law, policy, or public funding (Rule 5 and Second Schedule).
5.  What security safeguards should be adopted? DFs must implement security safeguards such as
    encryption, obfuscation, virtual token mapping, and strict access controls. These measures must also be
    contractually reinforced between DFs and data processors (DPs). Operationalizing this requirement will require a
    review of existing contracts to clearly define the roles and responsibilities of DFs and DPs.
6.  How should organizations report a data breach? DFs must alert affected data principals and the Board
    as soon as they learn of a data breach (Rule 7). Then, within a 72-hour deadline, they must provide
    further details, including the date, time, extent, potential impact, and containment measures. As drafted, all
    breaches are treated the same, no matter how minor or severe. There is also the open question of reporting
    to multiple authorities, such as CERT-In, the DPB, and sectoral regulators.
7.  How long can you retain data? Specific classes of DF (online gaming, social media, e-commerce) crossing
    user thresholds must erase personal data after three years, with exceptions for user account access and
    token-based services. They must notify data principals 48 hours before erasure, and may retain data only
    for legal compliance (Rule 8 and Third Schedule). DFs not covered by the thresholds (including those in
    e-commerce, social media, and online gaming) will need to determine individually when data
    can be considered to no longer serve its specified purpose, and implement a retention timeline accordingly.
8.  How should DFs process children's data? To obtain parental consent, DFs must implement reliable
    parent/guardian verification systems but can choose how to do so: either through information
    already available to them or through government-authorized digital tokens. While this gives businesses
    flexibility in verifying parental consent, concerns over broad-based age verification remain. Further,
    healthcare providers, educational institutions (with a definition broad enough to potentially include
    edtech), and essential service providers are exempt from both the requirement to obtain parental consent
    and the restrictions on tracking and behavioural monitoring of children. This may not act as a blanket exemption:
    businesses must consider implementing a risk-based approach to age verification, tracking, and
    behavioural monitoring to avoid harms (Rules 10, 11 and Fourth Schedule).
9.  What are the obligations for Significant Data Fiduciaries (SDF)? SDFs are required to carry out a Data
    Protection Impact Assessment (DPIA) and an audit every twelve months, and to furnish a report to the Board
    containing their observations. Additionally, they are required to verify that any algorithmic software
    they deploy for processing personal data does not pose risks to data principals' rights. The requirement for
    annual audits and DPIAs may be challenging to adhere to, and it is unclear how SDFs are expected to verify
    algorithmic software.
10. Can data be transferred outside India? A Central Government committee (yet to be defined) holds the
    power to dictate which personal data and associated traffic data held by SDFs must be kept within India
    (Rule 12(4)). Moreover, DFs will need to meet specific requirements, to be prescribed by the
    Central Government, for making personal data available to foreign states or entities (Rule 14). This may
    re-open the door to data localization, and contrasts with the Act, which allows cross-border data
    transfers except to countries restricted by the government.
11. How should data principals exercise their rights? Data principals can exercise their rights through clear,
    published mechanisms that set out request procedures, identification requirements, and grievance
    redressal processes. They can access and erase their personal data and nominate representatives, with
    DFs and consent managers obligated to provide transparent and accessible means of exercising these rights
    (Rule 13).
12. What about the DPB? The Central Government will constitute separate search and selection
    committees for the Chairperson and the other Members, comprising high-ranking government officials and
    domain experts. Appointees must possess specialized knowledge in fields such as data governance, law,
    technology, or regulatory frameworks, ensuring a comprehensive and qualified Board (Rules 16-20).
13. What is the process for appeal? Aggrieved parties can file digital appeals to the Appellate Tribunal
    against Board orders, with fees payable through digital payment systems and discretionary fee waivers.
    The Tribunal operates as a digital office, guided by the principles of natural justice, and has the flexibility to
    regulate its own procedures while retaining the power to summon and examine individuals (Rule 21).
14. What are the government's powers to call for 'information'? The government has expansive powers to
    call for information, enabling it to requisition information from DFs and intermediaries for specified
    purposes (Seventh Schedule), subject to safeguards.
15. Are there other exemptions? Processing of personal data for research, archiving, or statistical purposes
    is exempt, subject to adherence to standards that ensure the data is used lawfully, without making
    decisions specific to an individual, and with responsible data governance practices maintained (Rule 15).
The path ahead
While the Draft Rules may provide clarity on implementation and compliance, certain areas, such as breach reporting,
the processing of children's data, DPIAs and audits, and cross-border transfers, require closer attention. Businesses should
both engage with the consultation process to help refine the final framework and begin the work of implementing
the rules in their operations.
If you have any questions or need further clarification on how the draft DPDP Rules might impact your
organization, please do not hesitate to reach out.