
The Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) on January 3, 2025. The Draft Rules, introduced to supplement the implementation of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), mark a significant step forward in regulating and safeguarding the use of personal data. The Draft Rules, which are open for public comment until February 18, 2025, aim to refine the data protection framework laid down by the DPDP Act and to set out the procedures that data fiduciaries (“Data Fiduciaries”) must follow when storing and processing the data collected from a data principal (“Data Principal”). A notable feature of the Draft Rules is the emphasis placed on the Data Principal’s consent, aligning it with global privacy norms. This article compares the consent requirements for the processing of personal data under the Draft Rules with the corresponding provisions of the General Data Protection Regulation (“GDPR”) as applicable in the European Union.
The Draft Rules introduce clear guidelines on how Data Fiduciaries must obtain consent from the Data Principal. Rule 3 of the Draft Rules supplements Section 5 of the DPDP Act, stipulating that the notice provided by a Data Fiduciary to the Data Principal must be understandable and easily accessible. The notice must include an itemized description of the personal data being processed, a detailed explanation of the specific purpose for which the collected personal data is processed, and a description of the goods or services that the processing will enable. Additionally, the notice must contain a direct communication link to the Data Fiduciary’s website or app, with specific provisions on how the Data Principal can withdraw consent (with the same ease with which the personal data was initially provided) or exercise their rights under the DPDP Act. The Draft Rules emphasize that the notice must be presented in clear, plain language, enabling the Data Principal to give specific and informed consent. This provision reflects the emphasis on a transparent process being followed by the Data Fiduciary.
In comparison, Article 4(11) of the GDPR also requires that consent be ‘freely given, specific, informed, and unambiguous’. It sets forth that consent must be provided through a statement or a clear affirmative action. Similar to the requirements under the DPDP Act, a request for consent under the GDPR must be intelligible, easily accessible, and formulated in clear and plain language, in line with the essence captured by Rule 3 of the Draft Rules. Furthermore, Article 7(2) of the GDPR states that any part of a consent declaration that contravenes any of the GDPR’s requirements will not be considered valid. This concept is mirrored in Section 6(10) of the DPDP Act, under which the Data Fiduciary is obliged to prove (where a dispute arises with respect to the personal data processed by the Data Fiduciary) that the notice given to the Data Principal, and the consent subsequently given by that Data Principal to the Data Fiduciary, are in accordance with the provisions of the DPDP Act.
One of the most important rights granted to individuals under both regimes is the right to withdraw consent at any time. Article 7(3) of the GDPR specifies that individuals must be able to withdraw their consent as easily as they gave it, without facing any detriment. Likewise, Rule 3(c)(i) of the Draft Rules provides the same right of withdrawal to the Data Principal. However, Section 6(5) of the DPDP Act attaches a significant qualification to the exercise of this right: the Data Principal must bear the consequences of withdrawal. This creates ambiguity, since it suggests that the consequences of such withdrawal will be the responsibility of the Data Principal, while the scope of this qualification remains unclear. The provision could have significant implications for how Data Principals understand and exercise their right to withdraw consent.
In addition to these consent requirements, the Draft Rules also emphasize additional verification procedures for the collection and processing of data from children or persons with disabilities. Rule 10 of the Draft Rules mandates that Data Fiduciaries obtain verifiable consent from a child’s parent or legal guardian before processing the child’s personal data. To establish the identity of the parent or guardian, Data Fiduciaries must use reliable identification methods, which may include data linked to government-issued documents or a digital token verified by a Digital Locker service provider. Similarly, Article 6(1) of the GDPR provides that the processing of a child’s data is lawful only when the child is at least 16 (sixteen) years old, while allowing member states to set a lower age limit of not less than 13 (thirteen) years. The GDPR also requires data controllers to take reasonable steps to verify that consent is given by the holder of parental responsibility over the child. This age-based approach allows for some flexibility while still ensuring that children’s data is protected. Additionally, the GDPR acknowledges that there may be technological challenges in verifying such parental consent, and the language of the Article provides flexibility to accommodate variation in the technological capabilities of data controllers. The Draft Rules afford no such flexibility on the age threshold for parental consent or on the method by which the Data Fiduciary must obtain that consent. The approach under the Draft Rules is technologically intensive, emphasizing secure verification mechanisms to protect the privacy of children and their guardians.
While the Draft Rules provide a robust framework for obtaining consent, there are significant challenges in their implementation, particularly in terms of the technological barriers faced by Data Fiduciaries. The Draft Rules require Data Fiduciaries to employ reliable mechanisms for age verification and parental consent, which may prove to be a costly and technologically demanding process, especially for smaller platforms. This concern is similar to that raised by the GDPR’s provisions, but it is compounded in India by the digital divide and varying levels of technological infrastructure. Moreover, the Draft Rules do not provide detailed guidance on how consent notices should be delivered, whereas under the GDPR specific formats and methods of delivery are mandated to ensure accessibility and clarity. Without clear guidance on delivery, enforcing these provisions could become challenging, particularly when dealing with global technology platforms that operate in multiple jurisdictions.
The Draft Rules and the GDPR align in principle on the protection that should be afforded to a Data Principal. Both regimes emphasize transparency, informed consent, and the protection of individual privacy rights. While they share many similarities, the Draft Rules introduce certain nuances that require further clarity, such as the consent withdrawal provisions and the specific requirements for verifiable parental consent. The implementation of the Draft Rules may face significant challenges, particularly in terms of technological infrastructure and enforcement. As India moves forward in finalizing and implementing these rules, it will be crucial to address these challenges and to ensure that data protection is not only a legal obligation but a practical reality for all users in India.