Update
DATA | REGULATORY | TECHNOLOGY, MEDIA AND TELECOMMUNICATIONS JANUARY 10, 2025
Draft Digital Personal Data Protection Rules, 2025
A long-anticipated draft of the Digital Personal Data Protection Rules, 2025 (“Draft
Rules”) was released by the Central Government (“Government”) on January 3, 2025
for public consultation and comments, along with an explanatory note on the contents
of the Draft Rules. Once brought into effect, these rules will enable implementation of
the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or the “Act”), which
was published in the Official Gazette on August 11, 2023, although not yet in force.
The consultation process on the Draft Rules will continue until February 18, 2025. The
rules under the DPDP Act are proposed to be implemented in a staggered manner.
To recap, the DPDP Act lays down the law for processing of digital personal data (any
data in digital form about an individual who is identifiable by or in relation to such data)
in a manner that recognizes both the rights of individuals to protect their personal data
and the need to process such data for lawful purposes and for connected or incidental
matters. For an overview of the provisions of the DPDP Act, please see our notes here
and here.
Certain key aspects introduced or further clarified under the Draft Rules are discussed
below:
CONSENT NOTICE
The Act requires a consent notice to be given by a data fiduciary (i.e., a person who
determines the purpose and means of processing personal data, including in
conjunction with other persons) to a data principal (i.e., the individual to whom the
personal data relates or the parent/ guardian of such individual, if applicable) along
with, or prior to, a request for consent for the purpose of processing the latter’s
personal data.
Additional requirements relating to the contents/ nature of such notice have been
specified in the Draft Rules, including a mandate that such notice should:
1. be understandable, independent of any other information which has been, is, or
may be, made available by a data fiduciary;
2. provide a fair account of the details necessary to enable the data principal to give
specific and informed consent for the processing of their personal data, in clear and
plain language, including at the very least:
a. an itemized description of such personal data; and
b. a description of the specific purposes of processing, along with an itemized
description of the goods/services to be provided, or uses to be enabled, by such
processing.
3. contain the particular communication link for accessing the website or app, or both,
of such data fiduciary, and a description of other means, if any, using which a data
principal may:
a. exercise their rights under the Act (including the right to withdraw consent); and
b. make a complaint to the Data Protection Board of India (“DPBI”).
The requirement of providing an itemized description of personal data and a
description of specific purposes along with an itemized description of goods/services
to be provided or uses to be enabled by the data fiduciary may be a cumbersome task
and would likely require organizations processing personal data to relook at their
consent/privacy notice. Similarly, the requirement for a consent notice “independent”
of any other information may require organizations to ensure that all necessary details
to facilitate “informed consent” are set out in the consent notice itself (rather than
through links to another document or privacy policy). The Draft Rules do not clarify whether
the prescribed notice-related requirements also apply to the notice that the Act requires
to be issued where a data principal gave consent for processing of personal data before
the Act comes into effect.
REASONABLE SECURITY SAFEGUARDS
Under the Act, a data fiduciary is required to protect personal data in its possession or
under its control, including in respect of any processing undertaken by it or on its behalf
by a data processor, by taking reasonable security safeguards to prevent personal
data breach. Importantly, a breach of this obligation may involve a penalty which may
extend to INR 2.5 billion.
The Draft Rules specify certain minimum reasonable security safeguards which should
be implemented by a data fiduciary (and in turn by its data processors). The specifications
in the Draft Rules appear, for the most part, to be generic requirements rather than specific
ones (unlike the current rules on sensitive personal data, which prescribe/recommend specific
security and certification standards). This introduces some subjectivity in determining
the adequacy of the security safeguards implemented by a data fiduciary. Further, it is
proposed that the prescribed security safeguards (including access controls,
maintenance of logs, and incident detection, investigation and remediation) would apply to
all categories of data fiduciaries (irrespective of the nature of their business and/or the
volume and sensitivity of personal data being processed by them). Implementation of
these requirements may therefore be onerous for smaller businesses.
TIME PERIOD RESTRICTIONS FOR STORAGE OF DATA
The Draft Rules prescribe retention periods for different classes of data fiduciaries
which include e-commerce entities, social media intermediaries and online gaming
intermediaries with specified number of registered users in India.
As per the Draft Rules, the personal data processed by these specified data fiduciaries
must be erased, unless required for legal compliance, if (a) the processing is being
undertaken for a purpose other than enabling the data principal to access their
account or to access a virtual token that is issued by or on behalf of the data fiduciary
and can be redeemed for money, goods or services, and (b) the data principal does
not engage with the data fiduciary within the prescribed timelines.
Such prescribed timelines will be calculated from the date on which the data principal
“last approached the data fiduciary for performance of the specified purpose” or
commencement of the DPDP Act, whichever is later. The determination of when each
user “last approached the data fiduciary” may be ambiguous and also require certain
processes and tools, such as timestamping.
Further, the data fiduciary must inform the data principal at least 48 hours before
completion of the time period for erasure of personal data. Organizations may find this
to be a cumbersome process and would need to build in adequate technical tools to
comply with this requirement.
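The following is an added illustration, not part of the original update, of the retention logic the two paragraphs above describe: the period runs from the later of the data principal's last approach and the commencement of the Act, exempt purposes and legally mandated retention are carved out, and the data principal must be informed at least 48 hours before erasure. The retention period and the commencement date are not stated on this page and are hypothetical placeholders in the code; the record format and the purpose labels are likewise assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed parameters. This page does not state the retention period or the
# commencement date of the Act; both values are hypothetical placeholders
# to be replaced with the figures in the notified rules.
ACT_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)  # hypothetical
RETENTION_PERIOD = timedelta(days=3 * 365)                     # hypothetical
NOTICE_LEAD = timedelta(hours=48)  # 48-hour advance notice described above

# Purposes the Draft Rules carve out of the erasure requirement (labels assumed).
EXEMPT_PURPOSES = {"account_access", "virtual_token_access"}


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp; all clock values must be aware."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def retention_clock_start(last_approached, commencement=ACT_COMMENCEMENT):
    """The period runs from the later of the last approach and commencement of the Act."""
    return max(last_approached, commencement)


def erasure_deadline(last_approached, period=RETENTION_PERIOD, commencement=ACT_COMMENCEMENT):
    """Moment at which the record must be erased if the principal has not engaged."""
    return retention_clock_start(last_approached, commencement) + period


def notice_due(last_approached, period=RETENTION_PERIOD, commencement=ACT_COMMENCEMENT):
    """Latest moment by which the data principal must have been informed."""
    return erasure_deadline(last_approached, period, commencement) - NOTICE_LEAD


def retention_action(record, now, period=RETENTION_PERIOD, commencement=ACT_COMMENCEMENT):
    """Return 'retain', 'notify' or 'erase' for one record of personal data."""
    if record.get("legally_required"):
        return "retain"  # retention required for legal compliance overrides erasure
    if record["purpose"] in EXEMPT_PURPOSES:
        return "retain"  # account-access / virtual-token processing is carved out
    deadline = erasure_deadline(record["last_approached"], period, commencement)
    if now >= deadline:
        return "erase"
    if now >= deadline - NOTICE_LEAD and not record.get("notified"):
        return "notify"  # inside the 48-hour window and principal not yet informed
    return "retain"


# Constructed sample records (not real data). u1 last approached before the
# Act commenced, so its clock starts at ACT_COMMENCEMENT, not at the approach.
SAMPLE_RECORDS = [
    {"id": "u1", "purpose": "marketing", "last_approached": utc(2024, 6, 1)},
    {"id": "u2", "purpose": "marketing", "last_approached": utc(2025, 6, 15)},
    {"id": "u3", "purpose": "account_access", "last_approached": utc(2024, 6, 1)},
    {"id": "u4", "purpose": "marketing", "last_approached": utc(2024, 6, 1),
     "legally_required": True},
]


def classify_all(now, records=SAMPLE_RECORDS):
    """Decide the action for every record as of `now`."""
    return {r["id"]: retention_action(r, now) for r in records}


if __name__ == "__main__":
    for when in (utc(2027, 12, 31), utc(2028, 1, 2)):
        print(when.date(), classify_all(when))
```

The "whichever is later" rule is the part most easily got wrong: a user whose last interaction predates commencement of the Act would otherwise be scheduled for erasure (and notice) before the rules even apply. Recording a timestamp for each qualifying interaction, rather than only for login, is what makes `last_approached` determinable at all.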
REPORTING OF PERSONAL DATA BREACHES
The Act requires a data fiduciary, upon occurrence of any personal data breach, to notify
the DPBI and each affected data principal in the manner prescribed under the rules. The
Draft Rules do not prescribe any specific timeline for the initial breach notification and
state that it should be made without delay. This leaves room for some ambiguity, although
a strict interpretation of this provision would mean that data principals need to be
notified of a data breach almost immediately, which may be a practical challenge. An
additional update is required to be provided to the DPBI within 72 hours of the breach.
A breach of these obligations may attract a penalty of up to INR 2 billion.
Additional requirements relating to the details to be provided in the breach notice to
the data principal and the DPBI have been prescribed in the Draft Rules, including with
respect to: description of the breach (nature, extent and timing); consequences of the
breach; and the risk mitigation measures implemented. The additional update to the
DPBI is required to include findings regarding the person who may have caused the
breach, remedial measures taken to prevent recurrence, and a report regarding
notices provided to the affected data principals.
At present the above notification obligations are applicable to all categories of data
breaches (irrespective of the nature, gravity or materiality of the breach), i.e., it
arguably extends to even an isolated instance of unauthorized processing or
accidental disclosure of personal data. Further, the mode of reporting to the DPBI is
not specified – presumably, the DPBI would enable an online reporting mechanism for
this provision.
SIGNIFICANT DATA FIDUCIARIES
The Act introduces the concept of “significant data fiduciaries” to whom additional
obligations are applicable (including conducting periodic Data Protection Impact
Assessments (“DPIA”)). Such entities are expected to be notified by the Government
based on the factors outlined in the Act.
The Draft Rules specify the obligations applicable to significant data fiduciaries, which
include: (a) ensuring submission of the results of the DPIA to the DPBI once in every
period of 12 months; (b) verifying by way of due diligence, that any algorithmic software
deployed by it inter alia for storage, hosting, uploading, transfer or modification of the
personal data being processed “is not likely to” pose a risk to the rights of data
principals; and (c) ensuring certain types of personal data remains in India and
implementing measures to adhere to any specific cross border transfer restrictions
prescribed by the Government.
The Draft Rules impose significantly higher compliance requirements on significant
data fiduciaries. Compliance with the restriction on cross border transfer of certain
categories of personal data may result in an operational and administrative issue with
significant cost implications for data giants that currently process data outside India.
Recent statements made by the Union Minister for Electronics & Information
Technology (“MeitY Minister”) suggest that the Government is likely to engage
external experts to draw up a list of “prohibited sectors” and hold consultations with
the IT industry prior to imposing such restrictions on cross border transfers.
CROSS-BORDER DATA TRANSFERS
The Act already made clear that the Government is considering imposing
restrictions on the transfer of personal data to certain jurisdictions. The Draft Rules
provide additional clarity in this regard, including by specifying that the Government
may introduce restrictions (by way of a general or special order) which would apply to
transferring/ disclosing personal data to a foreign state or any entity controlled by such
foreign state.
VERIFIABLE CONSENT
The Act requires a data fiduciary to obtain verifiable consent of the parent or lawful
guardian of a child and/or a person with disability who has a lawful guardian, prior to
processing any personal data relating to such data principals, in a manner prescribed
under the rules. The Draft Rules prescribe the following requirements in this regard:
Children
A data fiduciary is required to adopt appropriate technical and organizational measures
to ensure that a verifiable parental consent is obtained before processing a child’s
personal data. They are also required to undertake due diligence to check that an
individual identifying themselves as the parent of a child is an adult who is identifiable
with reference to (a) "reliable" details of identity and age already available with the data
fiduciary; (b) voluntarily provided details of identity and age; or (c) a virtual token issued
by an appropriate authority, such as those made available by an authorized digital locker
service provider.
The Draft Rules provide exceptions to the above requirement to obtain verifiable
parental consent, as well as on the prohibition on tracking, behavioral monitoring and
targeted advertising with respect to children. Currently, there is insufficient clarity on
the implications/ responsibilities of the data fiduciary in a situation where an individual
under 18 years does not identify herself as a child.
In addition, statements made to the media by the MeitY Minister indicate that the
existing digital architecture created by the Government (including use of virtual tokens)
should assist with the implementation of this requirement and that the Government
may further update the Draft Rules to employ technological measures to safeguard
children’s data.
Persons with disability
While obtaining verifiable consent from a lawful guardian prior to processing personal
data relating to a person with disability (where applicable), the data fiduciary is required
to observe due diligence to confirm that the individual(s) identifying themselves as the
lawful guardian have been appointed by a court of law or the designated authority in
accordance with the applicable guardianship law.
CONSENT MANAGERS
The Act defines ‘Consent Managers’ as persons registered with the DPBI who act as
single points of contact to enable data principals to give, manage, review and withdraw
their consent through an accessible, transparent and interoperable platform, and
further provides that Consent Managers will be subject to such obligations and
technical, operational, financial and other conditions, as prescribed under the rules.
The Draft Rules accordingly deal with such conditions for the registration and
obligations of Consent Managers.
Eligibility conditions for registration as a Consent Manager inter alia include a minimum
net worth of INR 20 million and fulfillment of specified independent certification
requirements relating to its interoperable platform and technical and organizational
measures. Further, the charter documents of the Consent Manager must contain
provisions to avoid conflicts of interest with data fiduciaries, including in respect of their
promoters and key managerial personnel. Certain eligibility conditions prescribed in
the Draft Rules appear to be subjective and may need additional clarity.
CONCLUSION
While further clarity is required on various aspects of the DPDP Act (such as thresholds
for notification as a significant data fiduciary, cross border transfer restrictions), the
Draft Rules are indicative of the approach organizations can take to ensure compliance
with the Act on various other aspects. Overall, the Draft Rules are a step in the right
direction and with a transparent consultation process, the Draft Rules will hopefully be
refined further so that India can finally have a robust data protection framework in
place.
In the meantime, businesses in India should use the Draft Rules as a starting point to
evaluate and improve upon their IT and cybersecurity systems so that they are ready
to comply with the requirements of the DPDP Act and its rules as and when they come
into effect.
This update has been authored by Radhika Iyer (Partner), Dr. Deborshi Barat (Counsel), Reshma (Vaidya) Gupte
(Counsel) and Prakriti Anand (Associate). They can be reached on riyer@snrlaw.in, dbarat@snrlaw.in,
rgupte@snrlaw.in and panand@snrlaw.in, respectively, for any questions. This is intended only as a general discussion
of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or
business decision should be based on its content.
© 2025 S&R Associates
NEW DELHI: Max House, Tower C, 4th Floor, Okhla Industrial Estate Phase III, New Delhi 110 020. Tel: +91 11 4069 8000
MUMBAI: One World Center, 1403 Tower 2 B, 841 Senapati Bapat Marg, Lower Parel, Mumbai 400 013. Tel: +91 22 4302 8000