The document presents comments and suggestions on the Draft Digital Personal Data Protection Rules 2025, prepared by the Centre for Cyber Laws at NLU Delhi. It outlines the evolution of data protection law in India, culminating in the Digital Personal Data Protection Act 2023, and emphasizes the need for effective implementation of the new rules. The report includes specific recommendations on various provisions such as consent, breach notification, and data erasure to enhance clarity and accessibility for data principals.


Comments & Suggestions on
Draft Digital Personal Data Protection Rules 2025

Submitted by
Centre for Cyber Laws, NLU Delhi
This Report has been prepared & presented by Centre for Cyber Laws, National Law
University Delhi.

Efforts and contributions have been made by the following student members of the Centre for
Cyber Laws at NLU Delhi:

• Ira Srivastava, Student Fellow
• Aniya Damithia, Student Associate
• Manya Gupta, Student Associate
• Sanskruti Yukta Nayak, Student Associate

We would like to thank the immense support lent to this Project by Hon’ble Vice-Chancellor
Prof. (Dr.) G.S. Bajpai Sir, Respected Registrar Prof. (Dr.) Ruhi Paul Ma’am and Dr.
Aparajita Bhatt, Director Centre for Cyber Laws. We thank them for the continuous
institutional support given to this Project & team at various stages.
Table of Contents

About this Report
About NLUD
About the Centre
LIST of ABBREVIATIONS
TABLE of SUGGESTIONS
  Notice for obtaining Consent
  Notice of breach
  Erasure of personal data
  Consent Manager
  Verifiable Personal Consent (in the context of children)
  Rights of Data Principals
  Data Processing
  Data Protection Officer
  Data Protection Board
  Significant Data Fiduciary
Concluding Remarks


About this Report

Data protection law in India has undergone an interesting journey. What started as the Personal
Data Protection Bill in 2018, underwent a series of consultations and engagement with civil
society and a variety of stakeholders to emerge as the Digital Personal Data Protection Act
2023.

Briefly, the journey started with the Supreme Court laying down fundamental tenets of the
Right to Privacy, with special emphasis on the situation in the digital context in 2017, in the
case of Justice K.S. Puttaswamy v. Union of India. Thereafter, the Central Government
constituted a committee of experts under the Chairmanship of Retd. Justice B.N. Srikrishna,
which came out with a Report in 2018, in order to understand the practical aspects of data
protection & privacy of individuals. Soon after that, the Personal Data Protection Bill was
introduced in 2018, which was replaced by the Personal Data Protection Bill 2019. This 2019
version was referred to a Joint Parliamentary Committee, which submitted its feedback on the
Bill via its Report in December 2021. Based on the Committee’s recommendations & industry
input, the Digital Personal Data Protection Bill 2022 was introduced. Finally, another version
in the form of the Digital Personal Data Protection Bill 2023 was passed to culminate into the
Digital Personal Data Protection Act of 2023. Thus, we see that the Act has continuously evolved
and comes at the end of a long-drawn-out process of consultation, dialogue and engagement.

In pursuance of operationalizing the Act, the Ministry of Electronics and Information
Technology (MeITY) released the much-awaited Draft Digital Personal Data Protection Rules
on January 3, 2025.

This Report by the Centre for Cyber Laws, NLU Delhi is a humble contribution to the
national (and global) engagement & discourse on the DPDP Rules in order to ensure that
the final version of the Rules effectively implements the principles of the Act.
About NLUD

The primary objective of the University is to evolve and impart comprehensive and
interdisciplinary legal education that is socially relevant. Through this education, we aim to
promote legal and ethical values and foster the rule of law and the objectives enshrined in the
Constitution of India. Furthermore, the University works toward the dissemination of legal
knowledge and its role in national development, so that the ability to analyze and present
contemporary issues of public concern and their legal implications for the benefit of the public
is improved. These processes strive to promote legal awareness in the community and to
achieve political, social, and economic justice.

Many believe that the path of liberalization we embarked upon in the early 90s unleashed
India’s potential. Undoubtedly the country has undergone vast changes in all spheres and we
see a more confident India asserting itself on the global stage. However, this progress has come
with very significant challenges to the country. India’s various social classes are yet to be
assimilated; their participation in the process of governance remains fractured. Cumulative
progress needs to be fair and equitable. And integral to that is a legal system that empowers the
marginalized, is just and fair in letter and spirit, and most importantly, does not use the law as
a tool of oppression.

Our sincere endeavour is to make legal education and justice education an instrument of social,
political, and economic change. Each individual who is part of this institution must be
remembered for the promotion of social justice. Our students will not only be shaped as change
agents as the country achieves its social and developmental goals, but will also be equipped to
address the imperatives of the new millennium and uphold the Constitution of India.
About the Centre

The Centre for Cyber Laws has been established to understand the socio-legal issues related to
ever-evolving cyberspace. Cyberspace is infinite and has the potential to grow and evolve
infinitely. The issues related to cyberspace are also evolving with the advancement of
information technology. The global IT revolution and the emergence of new technologies such
as artificial intelligence, the Internet of Things, the e-commerce industry, new forms of virtual
currency, issues pertaining to the governance of cyberspace and, more particularly, the post-pandemic
new world order have made it necessary to focus legal research on new kinds of cybercrimes,
on issues related to cyber security, data protection and online privacy laws and, above all, on the
newly evolving cyberspace trends and patterns which shall shape the future of human civilisation
and the legal issues pertaining to it.

Vision & Objective

The vision of the Centre for Cyber Laws is to create a research-oriented space through which
further research, discussions and deliberations on issues related to cyberspace and cyber laws
can be done. The objective of the Centre is to bring professionals, academicians, cyber law
experts, technology experts, law enforcement agencies, researchers and students together to
have focused deliberations, discussions and debates related to issues of cyberspace and cyber
laws. The Centre also aims to spread awareness of various issues related to cyber laws,
such as cybercrimes, contraventions and cyber security issues.
LIST of ABBREVIATIONS

Abbreviation: Expanded form

Aadhar Act: The Aadhar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 [1]
CCPA: California Consumer Privacy Act of 2018 [2]
CM: Consent Manager
DF: Data Fiduciary
DP: Data Principal
DPA: Data Protection Authority
DPB: Data Protection Board of India
DPDP Act; the Act: Digital Personal Data Protection Act 2023 [3]
DPIA: Data Protection Impact Assessment
DPO: Data Protection Officer
GDPR: General Data Protection Regulation of the European Union [4]
Puttaswamy: Hon’ble Supreme Court in the case of Justice K.S. Puttaswamy v. Union of India, decided in 2017 [5]
SDF: Significant Data Fiduciary
Srikrishna Committee Report: Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy, released in 2018 [6]

[1] accessible at Aadhaar_Act_2016_as_amended.pdf
[2] accessible at Codes Display Text
[3] accessible at Digital Personal Data Protection Act 2023.pdf
[4] accessible at General Data Protection Regulation (GDPR) – Legal Text
[5] accessible at justice k s putiaswamy (retd.),_union of india and ors._1700550294.pdf
[6] accessible at https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
TABLE of SUGGESTIONS

Each entry below is set out under the headings Rule, Provision, Gap, Suggestion and Jurisprudence/Basis.

NOTICE FOR OBTAINING CONSENT

Rule 3(a)
Provision: Notice given by Data Fiduciary to Data Principal. Must be presented independently of any other information given by DF.
Gap: Lack of accessibility in the form of language barriers. While multiple aspects of the Act & Rules make it possible to ensure ease of data protection rights, the very medium also needs to convey the same.
Suggestion: Add provision to give the notice in vernacular languages as well, i.e., the Eighth Schedule of the Indian Constitution (22 languages).
Jurisprudence/Basis:
● Requiring notice in multiple languages “where necessary and practicable” was provided under clause 7(2) of the 2019 Bill and clause 8(2) of the 2018 Bill.
● No comments in the JPC Report on clause 7 (deemed approval).[7]
● Srikrishna Committee Report acknowledges that it may be necessary for information (in the notice) to be conveyed in multiple languages.[8]
● Under the principles of GDPR, the Dutch DPA fined TikTok €750,000 for violating the privacy of young children by providing the notice (during installation & otherwise) only in English – which was not always understandable.[9]

Rule 3(b)
Provision: Notice given by Data Fiduciary to Data Principal. Inclusion of certain coordinates.
Gap: Minimum requirement is inadequate. Additional disclosures are required for the meaningful dissemination of consent, educating data principals about their rights and providing a truly empowered opportunity to give consent.
Suggestion: Should include the rights of the data principal to withdraw her consent, and the procedure for such withdrawal, if personal data is intended to be processed on the basis of consent; the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on lawful grounds; the source of such collection, if the personal data is not collected from the data principal; the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; the period for which the personal data shall be retained; the existence of and procedure for the exercise of rights of the DP.
Jurisprudence/Basis:
● Suggested additions taken from 7(1) of the 2019 Bill and 8(1) of the 2018 Bill.
● No comments in the JPC Report.
● Consistent with S. 5, DPDP Act 2023 and the principles of the Act & Rules.

[7] Joint Parliamentary Committee Report on the 2019 Bill, accessible at 17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf
[8] Srikrishna Committee Report on A Free and Fair Digital Economy, Page 58, accessible at Data_Protection_Committee_Report.pdf
[9] Dutch DPA: TikTok fined for violating children’s privacy | European Data Protection Board

NOTICE OF BREACH

Rule 7
Provision: Intimation of personal data breach.
Gap: The current requirements for giving notice are inadequate, even compared to the current requirements of consent.
Suggestion: Notice to follow the same standards as that of notice for consent (plain language etc.).
Jurisprudence/Basis:
● Principles of Act & Rules (accessibility by data principals).

Rule 7(1)
Provision: Intimation of personal data breach.
Gap: Lack of timeline for notification.
Suggestion: Specify a reasonable timeline for the notification of breach to each DP by the DF.
Jurisprudence/Basis:
● R. 7(2) gives the timeline of notification to the Board as within 72 hours or an extension obtained in writing from the Board. Here too, this clause of timeline can be added in order to provide certainty to the DP and maintain the principles of transparency.
ERASURE OF PERSONAL DATA

Rule 8(1)
Provision: Time period for specified purpose to be deemed as no longer being served.
Gap: Applicability of time period after which purpose of collection of personal data is deemed to be served should be widespread & applicable to all. Basis on which entities are classified to which thresholds are applicable needs to be more comprehensive.
Suggestion: Firstly, requirements should be applicable to all, not specified DFs.[10] Secondly, even if numerical thresholds apply, they should be on the basis of number of active users & not registered users, as registered users do not give an idea of the real use & impact of a platform.
Jurisprudence/Basis:
● For the specified purposes, the following are required to erase personal data except as necessary for compliance with any law: (i) e-commerce DP 2cr+ (ii) online gaming intermediary DF 50L+ (iii) social media intermediary 2 cr+. All figures based on registered users.[11]

Rule 8
Provision: Time period for specified purpose to be deemed as no longer being served.
Gap: Ambiguity in defining “specified time period” across various contexts. Potential data retention conflicts with other legal obligations.
Suggestion: Establish industry-specific timelines for data retention. Clarify exceptions where legal compliance necessitates prolonged retention.
Jurisprudence/Basis:
● Based on the GDPR’s “data minimization”[12] and “storage limitation”[13] principles. Supreme Court guidelines on data retention in PUCL v. Union of India.

[10] Third Schedule classifies by volume (no. of registered users) depending on the type of DF.
[11] Third Schedule of the Draft DPDP Rules 2025.
[12] Article 5(1)(c), GDPR
[13] Article 5(1)(e), GDPR
CONSENT MANAGER

Rule 4(4)
Provision: Registration and obligations of Consent Manager.
Gap: Potentially burdensome obligations. The Consent Manager (CM) faces cancellation of registration and penalties in case of non-adherence to conditions & obligations laid down. This has the potential to disincentivise companies from registering as CMs. Further, the DPB may on its satisfaction revoke the license of the CM, which makes the DPB too powerful.
Suggestion: The Central Government must formulate and notify a detailed framework on the functioning of CMs. This would include CMs being a body corporate with defined roles, powers, functions and so on. Monitoring of CMs must also be well-defined. This is important given that the volume of data being dealt with is unmatched and personal data is not sector-specific, thus having wide-ranging impact.
Jurisprudence/Basis:
● SEBI regulates market intermediaries (like stock brokers, stock exchanges, Investment Advisers, Research Analysts, etc.).
● TRAI, RBI and other sectoral regulators release information and guidelines for the operation of intermediaries (by whatever name so called) in their respective sectors.

VERIFIABLE PERSONAL CONSENT (IN THE CONTEXT OF CHILDREN)

Rule 10(1)
Provision: Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.
Gap: Data collected by the mechanism to verify consent is not specifically protected.
Suggestion: Verification through entities trusted by the Government – add: such verification data including virtual token to be treated as “sensitive personal data” and to be subject to the SPDI Rules.[14]
Jurisprudence/Basis:
● R. 3(vii) & 3(viii) of the SPDI Rules to be invoked.
● The recent amendment[15] to the Aadhar Act allows private entities to use the Aadhar for authentication, including age. This needs to be handled with utmost care in order to abide by the principles of the DPDP Act and protect individual data principals.
● Although the current framework, via amended rules, provides for certain safeguards like submitting a proposal & justification statement before the use of Aadhar, anonymous verification is a better option in the interest of DPs given the enormous volume of data that will be dealt with (through all websites).

Rule 10(1)(b)
Provision: Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.
Gap: No reason to invest in anonymous mechanisms of age verification over the use of Aadhar.
Suggestion: Rule to include provision incentivising investment in anonymisation mechanisms. This can be in-house by a DF or as a service availed by DFs, which would be deemed related parties. Such verification can happen by mapping virtual tokens.
Jurisprudence/Basis:
● One such mechanism could be Aadhar verification by OTP wherein a child’s Aadhar phone / contact number is linked to their parent, without accessing data of Aadhar itself.
● Examples of services (anonymous verification / virtual tokens) provided in other comparative jurisdictions include Yoti in the UK[16] and YOid in Spain.[17]
● An incentive to invest in such virtual mapping could be providing points towards positive credit rating, or a similar / equivalent framework for personal data protection.

Rule 10(2)
Provision: Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.
Gap: No obligation to ensure consent being provided for children is by their parents / guardians only; the Rule merely requires to ensure that the person giving consent is an adult.
Suggestion: Add due diligence requirements for the identification of a parent, similar to the requirements for guardian(s).
Jurisprudence/Basis:
● The idea is to link the claimant parent to the child in order to provide lawful consent. Misuse is possible in case of the requirement of any adult providing consent. Therefore, it becomes important to impose a duty on the DF to verify this link.

Rule 10, Explanation
Provision: Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.
Gap: Current provisions provide age-gating content for all sites and for all children up to the age of 18. The age limit is too high & must be brought down.
Suggestion: First, restrictions should apply only for specific notified sites like, for instance, gambling, etc. Second, even if restrictions apply to all kinds of content, it should only be for beyond a certain age and, to this end, the definition of child under this Rule should be amended to mean a person below the age of 16 years.
Jurisprudence/Basis:
● The GDPR stipulates a child to be a person under the age of 16 years, with Member States having an option to bring this down to 13 years.
● The US stipulates parental consent for certain sites for persons under the age of 13 years.[18]

[14] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, [Part II, Section 3(i)] Gazette of India: Extraordinary 7.
[15] Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2025.
[16] Age verification tools for online customers and custom-built apps · Yoti
[17] Verify your legal age without losing your anonymity - YOiD
[18] Children's Online Privacy Protection Rule ("COPPA") | Federal Trade Commission

RIGHTS OF DATA PRINCIPALS

Rule 13
Provision: Rights of Data Principals, including access, erasure, grievance redressal, and nomination rights.
Gap:
1. Absence of clear timelines for grievance redressal response by Data Fiduciaries.
2. No standardized method for identity verification when a Data Principal exercises rights.
3. Lack of procedural clarity on how nomination rights can be practically exercised.
4. Insufficient mechanisms for ensuring transparency in cross-platform grievance resolution.
Suggestion:
1. Include a mandatory timeline (such as 15-30 days) for grievance redressal responses.
2. Provide standardized methods for Data Fiduciaries to verify the identity of Data Principals, such as multi-factor authentication.
3. Lay down procedural guidelines for nomination rights, including documentation and notification protocols.
4. Establish interoperability standards for grievance redressal systems across Data Fiduciaries and Consent Managers.
Jurisprudence/Basis:
● Justice K.S. Puttaswamy v. Union of India (2017) emphasized the protection of individual privacy rights, which includes timely redressal and clear procedural safeguards for exercising data rights.
● The General Data Protection Regulation (GDPR), under Art. 12 and 15, mandates response to data access and erasure requests within one month, serving as a global benchmark.
● The California Consumer Privacy Act (CCPA), under Sec. 1798.130(a), explicitly mandates response timelines and identity verification measures.
● The Srikrishna Committee Report (2018) stressed the need for strong grievance redressal systems to protect data rights.
● The International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T) Recommendations on Digital Identity[19] advocate for multi-layered identity verification in digital environments.

[19] accessible at https://www.itu.int/rec/T-REC-X.1251-200909-I

DATA PROCESSING

Rule 5
Provision: Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.
Gap: Lack of explicit guidelines on accountability for misuse or data breaches when public data is processed by the State.
Suggestion: Incorporate specific legal remedies and penalties for misuse of personal data by State entities. Ensure regular audits of data processing practices.
Jurisprudence/Basis:
● Jurisprudence surrounding “Right to Privacy” as held in Puttaswamy mandates accountability and security in processing personal data.

Rule 14
Provision: Data transfers outside India are subject to conditions imposed by the Central Government.
Gap: Absence of clear criteria for determining permissible jurisdictions for data transfers.
Suggestion: Publish a comprehensive whitelist of jurisdictions with adequate data protection frameworks.
Jurisprudence/Basis:
● Jurisprudence from the Schrems II decision[20] in the EU invalidating Privacy Shield emphasizes the need for robust data protection in cross-border transfers.

Second Schedule
Provision: Establishes standards for lawful processing, accuracy, retention, security safeguards, accountability, and transparency.
Gap: Lack of detailed accountability measures for State actors processing sensitive data.
Suggestion: Mandate independent data protection audits and specify penalties for violations.
Jurisprudence/Basis:
● Basis from OECD Privacy Guidelines[21] and global standards for lawful processing.

[20] Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, accessible at https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155
[21] Guidelines Governing The Protection Of Privacy And Transborder Flows Of Personal Data, Guideline No. 7, accessible at https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188#mainText

DATA PROTECTION OFFICER

Rule 9
Provision: Contact information of person to answer questions about processing.
Gap: No clear definition of qualifications or expertise required for DPOs.
Suggestion: Set qualifications and training requirements for DPOs to ensure effective handling of data processing issues.
Jurisprudence/Basis:
● Derived from global practices such as the contact information of person to answer questions about processing requirements for DPOs (Article 37).

Rule 9
Provision: Contact information of person to answer questions about processing.
Gap: Absence of explanation of modalities on the operation of such a person, including who they will be.
Suggestion: In order to promote efficiency, the said person (under R. 9) can be from the office of the CM.
Jurisprudence/Basis:
● There is an overlap in the role of this functionary (not explicitly mentioned in the Act) and the Consent Manager (who is expected to fulfil the role of grievance redressal for the DP and act in the interest of the DP).
● In the interest of efficiency, since both the person under R. 9 & the CM have a duty towards the DP, the person referred to under R. 9 can be from the office of the Consent Manager.

DATA PROTECTION BOARD

Rule 18
Provision: Procedure for meetings of Board and authentication of its orders, directions and instruments.
Gap:
1. Absence of detailed protocols for emergency decision-making criteria, beyond recording reasons.
2. No explicit guidelines on transparency requirements for agenda-setting by the Chairperson.
3. Limited procedural safeguards for disclosing conflicts of interest and procedural mechanisms to resolve disputes regarding the same.
4. Insufficient mention of digital authentication security standards.
Suggestion:
1. Introduce more detailed guidelines for defining emergent situations requiring immediate Board decisions.
2. Require public disclosure (at least internally) of the agenda-setting criteria for Board meetings to ensure transparency.
3. Implement clear procedural mechanisms for handling conflicts of interest, including a formal process for Members to disclose potential conflicts in writing.
4. Include requirements for secure digital authentication standards to protect Board decisions and records.
Jurisprudence/Basis:
● The prohibition against Members voting where a conflict of interest exists follows the principle of nemo judex in causa sua (no one should be a judge in their own case).
● Similar procedures for decision-making and quorum requirements can be seen in entities like SEBI and TRAI.
● Courts have often emphasized transparent and participative decision-making in administrative bodies (Refer: Maneka Gandhi v. Union of India (1978) and Centre for PIL v. Union of India (2011)).

Rule 19
Provision: Board functions as a digital office and may adopt techno-legal measures.
Gap: No standards specified for the adoption of digital technologies.
Suggestion: Develop a comprehensive digital strategy guideline, including cybersecurity measures and remote hearing protocols.
Jurisprudence/Basis:
● Inspiration must be drawn from the Supreme Court’s E-Committee Guidelines[22] and the Government’s eCourts Integrated Mission Mode Project.[23]

Rule 20
Provision: Terms and conditions of appointment and service of officers and employees of Board.
Gap:
1. Absence of detailed recruitment criteria or transparent procedures for selection.
2. No explicit mention of performance evaluation mechanisms or professional development opportunities for employees.
3. Ambiguity regarding autonomy in appointment decisions vis-à-vis the Central Government’s overarching control.
Suggestion:
1. Develop comprehensive recruitment and selection guidelines to ensure a transparent and merit-based hiring process.
2. Include performance evaluation mechanisms and professional development frameworks to enhance employee efficiency and satisfaction.
3. Clarify the extent of autonomy granted to the Board in appointment decisions while maintaining the Central Government's oversight.
Jurisprudence/Basis:
● Ensuring transparency in public appointments aligns with constitutional values (Refer: Centre for Public Interest Litigation v. Union of India (2011)).
● Courts have underscored the importance of clear and transparent service conditions for public employees (Refer: State of Haryana v. Piara Singh (1992)).

[22] accessible at https://ecommitteesci.gov.in/document-category/policy-action-plan-documents-en/
[23] accessible at https://ecommitteesci.gov.in/project/brief-overview-of-e-courts-project/

Rule 22
Provision: Calling for information from Data Fiduciary or intermediary.
Gap: Bypassing consent undermines privacy protections and Supreme Court safeguards against state surveillance.
Suggestion: Any call for information shall be made via a formal written request by the authorities to the data fiduciary. Clear safeguards must be in place, including oversight by a review committee and a requirement for requests to specify the intended use of the information. Companies must inform individuals when their data is requested by the state, ensuring that such requests comply with established guidelines and the three-part test of legality, necessity, and proportionality from Puttaswamy. Additionally, an appeal process and an independent oversight mechanism should be implemented to uphold transparency and accountability.
Jurisprudence/Basis:
● The government has the authority to demand data from data fiduciaries and can exercise broad discretion without the consent of the data principal for reasons listed under the 7th Schedule. The agents requesting data are appointed by the government.
● Intercepting communications violates the constitutional right to life and personal liberty unless done through legally established safeguards. Specific safeguards for such interceptions were mandated in PUCL v. Union of India.[24] Any demand for data must be reasonable, necessary, and proportionate.
● Additionally, any government action affecting a citizen’s right to privacy must comply with the Puttaswamy standards. These standards require:
  ● Legality: A valid law must justify the action.
  ● Legitimate State Aim: The action must serve a valid government purpose, such as national security, crime prevention, or social welfare.
  ● Proportionality: The action must be reasonable and not excessive in relation to its purpose.
● These principles ensure that government actions are lawful, fair, and do not disproportionately infringe upon an individual’s right to privacy.

[24] (1978) 1 SCC 248

SIGNIFICANT DATA FIDUCIARY

Rules 12(1) & 12(2)
Provision: Additional obligations of Significant Data Fiduciary.
Gap: The DPDP mandates annual, organization-wide DPIAs and audits, regardless of data processing changes, with submissions to the DPB, creating unnecessary burdens and inefficiencies for SDFs.
Suggestion: The requirement to conduct DPIAs and audits on an annual, whole-organization basis should be reconsidered. DPIAs must not only be an annual requirement. Instead, DPIAs should also be triggered by significant changes in data processing or risk profiles, and audit submissions should be more aligned with global best practices.
Jurisprudence/Basis:
● The DPDP requires SDFs to conduct annual DPIAs and audits on a whole-organization basis, rather than when there are changes in data processing activities or risk profiles. DPIAs should not be limited to an annual requirement. Instead, they must also be conducted whenever there are significant changes in data processing or risk profiles. Additionally, audit submissions should be better aligned with global best practices.
● While DPIAs and audits promote data protection, the absence of clear guidelines on their scope may result in inadequate assessments. Reporting to the DPB could become a mere formality without effective external oversight.

Rule 12(3)
Provision: Additional obligations of Significant Data Fiduciary.
Gap: Lack of clear guidelines on due diligence measures for SDFs to assess algorithmic risks to data principals' rights. Lack of a strict standard for compliance.
Suggestion: The government shall provide clear guidelines on the scope, extent and nature of the due diligence. The risk assessment criteria, methodologies, documentation, transparency standards, and independent oversight for algorithmic due diligence, preferably in a standard format, must be provided to ensure consistent implementation. Furthermore, the current due diligence standard requires that the algorithmic software be “not likely” to pose a risk. This language imposes a lower threshold for fulfilling the SDF’s obligation, as it only requires a minimal likelihood of risk. The standard should be revised to impose an absolute duty on the SDF to ensure that no risks to data principals exist by omitting the ambiguous term “not likely.”
Jurisprudence/Basis:
● The rules require SDFs to verify that their algorithmic software does not pose risks to DPs’ rights but fail to specify the exact due diligence measures to be followed. This lack of clarity creates uncertainty, forcing businesses to interpret and implement compliance on an individual basis, which may lead to inconsistent or inadequate safeguards.
● The current due diligence standard, requiring that algorithmic software be “unlikely” to pose a risk, imposes a weak obligation on SDFs. This revision is required to ensure stronger, clearer accountability and protection for data principals. The term “not likely” sets a low threshold, potentially allowing risks to persist. An absolute obligation would compel SDFs to proactively eliminate any risks, ensuring more robust safeguards for personal data and aligning with the higher legal standards for privacy protection.

Rule 12(4)
Provision: Additional obligations of Significant Data Fiduciary.
Gap: The lack of clear criteria for data transfer restrictions creates uncertainty and potential arbitrary limitations.
Suggestion: The DPDP Rules should clearly define the scope of data transfer restrictions, specifying whether they apply to certain data categories or specific organizations, to provide greater clarity and reduce operational uncertainty for SDFs.
Jurisprudence/Basis:
● The DPDP Rules allow the Central Government to impose data transfer restrictions, but it is unclear whether these apply to specific data categories or organizations, potentially creating uncertainty and operational challenges for SDFs.
● Clear definitions are necessary to ensure SDFs can comply effectively and avoid operational disruptions. Data fiduciaries must not face unreasonable and arbitrary restrictions imposed at the discretion of the government without any rationale. Clear, objective criteria must be defined to prevent arbitrary restrictions, ensuring that data transfers are only limited when absolutely necessary for legitimate reasons. This will facilitate smoother operations, help businesses adhere to regulations, and prevent unnecessary compliance burdens while safeguarding privacy and data protection rights.
● Further, the requirement to localize data for Significant Data Fiduciaries raises concerns about cross-border data transfers and could have a significant impact on international trade in services.
Concluding Remarks

The Centre for Cyber Laws has submitted these comments to the Ministry of Electronics &
Information Technology.

The Centre appreciates the collaborative efforts undertaken by MeITY.

We strongly believe that the modifications, as proposed above, will enhance data protection
of individuals, and hence recommend that these be introduced and implemented at the earliest
in line with principles of the Digital Personal Data Protection Act 2023.

Dated: 22nd February 2025
