On January 3, 2025, the Ministry of Electronics and Information Technology published the Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) under the Digital Personal Data Protection Act, 2023 (DPDP Act). Link to the Draft Digital Personal Data Protection Rules, 2025: https://www.meity.gov.in/writereaddata/files/259889.pdf
These rules aim to provide clarity on how personal data should be handled in India while balancing the rights of individuals and the legitimate interests of businesses and the state. Below is an analysis of the key provisions:
1. Rights of Data Principals
The draft rules emphasize the rights of individuals (Data Principals) over their personal data, including:
- Informed Consent: Data Fiduciaries must provide clear, itemized notices explaining the purpose and nature of data processing.
- Withdrawal of Consent: Individuals can withdraw consent as easily as they give it.
- Data Access and Erasure: Mechanisms are specified for Data Principals to access or erase their data.
2. Obligations of Data Fiduciaries
Data Fiduciaries, including businesses and organizations processing personal data, must:
- Implement reasonable security safeguards, such as encryption, masking, and data backups, to prevent breaches.
- Inform individuals of any data breaches promptly, detailing the nature and impact.
- Retain personal data only as long as necessary for the stated purpose and erase it after a specified period.
3. Consent Managers
The concept of Consent Managers is introduced, acting as intermediaries to manage individuals’ consent for data processing:
- They must be registered entities, adhere to transparency standards, and avoid conflicts of interest with Data Fiduciaries.
- Consent Managers cannot read the content of shared data, ensuring strict confidentiality.
4. Processing by the State
The State can process personal data for issuing subsidies, benefits, and public services, provided it complies with standards of necessity and proportionality. These provisions remain subject to oversight to safeguard individual privacy.
5. Protection for Minors and Persons with Disabilities
The draft rules impose specific requirements for processing children’s data:
- Verifiable parental consent must be obtained for children under 18.
- Data Fiduciaries are tasked with ensuring safety measures, such as preventing access to harmful content.
- For persons with disabilities, consent must be obtained from legally recognized guardians.
6. Significant Data Fiduciaries
Organizations designated as Significant Data Fiduciaries (handling large-scale sensitive data) have additional responsibilities, including:
- Conducting annual Data Protection Impact Assessments.
- Refraining from cross-border transfers of specified personal data without government approval.
7. Cross-Border Data Transfers
The transfer of personal data outside India is restricted. Data Fiduciaries must meet government-specified conditions before sharing data with foreign entities, in line with the aim of ensuring data sovereignty.
8. Data Breach Management
Data Fiduciaries are mandated to:
- Notify affected individuals and the regulatory Board within 72 hours of a breach.
- Provide detailed reports on the breach’s impact and remedial measures.
9. Grievance Redressal
Data Fiduciaries and Consent Managers must establish grievance mechanisms to address complaints within defined timelines, enhancing accountability and transparency.
10. Exemptions
Certain provisions of the DPDP Act may not apply when data is processed for:
- Archival, research, or statistical purposes, adhering to specified standards.
- Protecting children’s health or ensuring public safety in educational or healthcare settings.
11. Compliance and Enforcement
The Data Protection Board will oversee compliance, with the power to penalize violations. It is designed as a digital-first entity, reflecting the government’s focus on efficiency and accessibility.
12. Key Challenges and Recommendations
While the draft rules provide a robust framework for data protection, challenges remain:
- Operational Costs: Small businesses may face difficulties in meeting compliance standards.
- Ambiguity in Cross-Border Transfers: Clearer guidelines are needed for international businesses.
- Enforcement Mechanism: The Board’s effectiveness will depend on adequate staffing and resources.
To address these challenges, stakeholders must provide feedback to ensure the final rules balance innovation with privacy.
Conclusion
The Draft DPDP Rules, 2025, represent a significant step towards robust data protection in India, aligning with global standards such as the GDPR while being tailored to India’s particular needs. Advocates, businesses, and individuals alike must actively engage with the consultation process to refine these rules, ensuring they are practical, enforceable, and protective of individual rights.
Provision-Wise/Rule-Wise Breakdown of the Draft Digital Personal Data Protection Rules, 2025
1. Notice by Data Fiduciaries (Rule 3)
Data Fiduciaries must provide clear and concise notices to Data Principals about data processing activities. These notices should:
- Be presented independently of other information.
- Use plain language to enable informed consent.
- Include details such as the purpose, type of data being collected, and options for consent withdrawal.
2. Registration of Consent Managers (Rule 4)
Consent Managers, responsible for facilitating the exercise of Data Principals’ rights, must register with the Data Protection Board. Their obligations include:
- Maintaining secure, accessible platforms for managing consents.
- Avoiding conflicts of interest with data fiduciaries.
- Adhering to transparency norms, such as publishing details of key personnel and organizational ownership.
3. Data Security Safeguards (Rule 6)
Data Fiduciaries must adopt robust technical and organizational measures, including:
- Encryption, masking, and secure access controls.
- Maintenance of access logs to detect unauthorized access.
- Retaining logs and backup data for a minimum of one year.
4. Intimation of Data Breaches (Rule 7)
In case of a personal data breach:
- Affected Data Principals must be informed promptly with clear details of the breach and mitigation measures.
- The Data Protection Board must be notified within 72 hours, including detailed reports on the breach and remedial measures.
5. Erasure of Personal Data (Rule 8)
Data Fiduciaries must erase personal data if the specified purpose for its collection is no longer being served. Before erasure, a notice must be sent to the Data Principal 48 hours in advance.
6. Rights of Data Principals (Rule 13)
Data Principals are empowered to:
- Access and rectify their personal data.
- Seek erasure of data no longer necessary for its purpose.
- Nominate a representative to exercise these rights.
7. Cross-Border Data Transfers (Rule 14)
Transfer of personal data outside India is allowed but subject to:
- Specific requirements prescribed by the Central Government to ensure adequate protection.
8. Significant Data Fiduciaries (Rule 12)
These fiduciaries, identified based on data volume and impact, must:
- Conduct annual Data Protection Impact Assessments (DPIA) and audits.
- Verify that the algorithmic software they deploy complies with the Act.
- Restrict data flow outside India for specific categories of data.
9. Special Rules for Children and Persons with Disabilities (Rule 10)
- Verifiable parental consent is mandatory for processing children’s data.
- Due diligence is required to verify lawful guardianship for persons with disabilities.
10. Exemptions for Research and Archiving (Rule 15)
Data processing for research, archival, or statistical purposes is exempt from certain provisions, provided it adheres to specific standards.
11. Governance Framework for Data Protection Board (Rules 16–20)
- The Board is envisioned as a digital-first office with powers to summon individuals digitally.
- Members’ salaries and allowances are outlined in the Fifth Schedule.
- Governance and decision-making processes emphasize efficiency and fairness.
12. Appeals to Appellate Tribunal (Rule 21)
Appeals against the Board’s orders must be filed digitally. The Tribunal follows principles of natural justice while maintaining flexibility in procedures.
13. Data Fiduciary Obligations in Critical Scenarios (Rule 22)
The government can direct Data Fiduciaries to provide specific data under defined circumstances, especially in matters related to sovereignty, national security, or legal compliance.
Conclusion
The Draft Digital Personal Data Protection Rules, 2025, represent a comprehensive attempt to address the evolving challenges of data protection in a digital economy. While the rules aim to protect Data Principals’ rights, they also provide a structured framework for Data Fiduciaries and Consent Managers to operate. Stakeholders must evaluate these rules critically, suggesting amendments where necessary, to strike a balance between innovation and data privacy.