
Examining the Draft Digital Personal Data Protection Rules, 2025

On January 3, 2025, the Ministry of Electronics and Information Technology (“MeitY”) notified the draft Digital Personal Data Protection Rules, 2025 (the “Draft Rules”) under the Digital Personal Data Protection Act, 2023 (the “Act”). The Draft Rules aim to operationalize the Act by laying down the rules and standards necessary for its implementation. MeitY has invited public feedback on the Draft Rules until February 18, 2025, emphasising the Government’s commitment to a transparent and inclusive rule-making process. This article analyses the key provisions set forth under the Draft Rules and their potential implications.

Obligations of the Data Fiduciary

The Draft Rules require persons who determine the purpose and means of processing personal data (“Data Fiduciaries”) to give notice to, and seek informed consent from, the individuals to whom the personal data relates (“Data Principals”) prior to processing any of their personal data. The Draft Rules specify that such notice must be presented to the Data Principal in clear and simple language and must convey the information necessary for the Data Principal to give specific and informed consent to the processing of their personal data. To meet this requirement, the Data Fiduciary must provide, at a minimum, an itemized list of the personal data being requested and the specified purpose of such processing.

The Draft Rules further require the Data Fiduciary, through the same link used to provide the Data Principal with the notice specified hereinabove, to allow the Data Principal to: (i) withdraw consent for processing such personal data; (ii) exercise their rights under the Act; and (iii) make a complaint to the Data Protection Board (the “DPB”).

In addition to the above, if the Data Fiduciary is classified as a significant data fiduciary under Section 2(z) of the Act (“Significant Data Fiduciary”), it would be required to submit a data protection impact assessment (“DPIA”) every twelve months, along with an audit to ensure the effective observance of the provisions of the Act and the rules thereunder. The Significant Data Fiduciary would also be required to cause the person carrying out the DPIA to furnish a report to the DPB containing the significant observations made during the DPIA and the audit.

Consent Manager

The Draft Rules allow for the registration of consent managers (“Consent Managers”). A Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of Rupees Two Crore, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent, amongst other requirements set forth in Part A of the First Schedule of the Draft Rules. Consent Managers will be responsible for managing the consents given, or withdrawn, by Data Principals; allowing Data Principals to easily review and manage their consents; maintaining records of consents and data shared; ensuring that the notice requirements are met by Data Fiduciaries; and ensuring that reasonable security safeguards are in place to prevent a personal data breach, amongst other responsibilities. It is important to note that Consent Managers must maintain independence and have strict rules in place to prevent conflicts of interest. The Draft Rules further specify that Consent Managers are prohibited from subcontracting or assigning their responsibilities, and that any transfer of control of a Consent Manager by way of sale or merger requires the prior approval of the DPB.

Reasonable Security Safeguards

A Data Fiduciary is required to protect all personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor (as defined under Section 2(k) of the Act), by taking reasonable security safeguards to prevent a personal data breach, including at a minimum: (i) securing the personal data through appropriate security measures such as encryption, obfuscation, masking or similar processes; (ii) controlling access to the computer resources used by the Data Fiduciary or Data Processor; (iii) maintaining logs and monitoring them so that unauthorized access can be detected and investigated and its recurrence prevented; (iv) ensuring appropriate data backups; (v) retaining the logs and personal data for a period of one year unless otherwise required by any law in force; (vi) ensuring that reasonable provisions are included in the contract between the Data Fiduciary and the Data Processor to implement reasonable security safeguards; and (vii) ensuring that appropriate technical and organizational measures are in place to ensure effective observance of the security safeguards.

Intimation of Personal Data Breach

On becoming aware of any personal data breach, the Data Fiduciary is required to intimate (to the best of its knowledge) each affected Data Principal, without delay, of the nature and extent of the breach, including the timing and location of the occurrence, the consequences that are relevant to the Data Principal, the measures implemented by the Data Fiduciary to mitigate the risk, and the contact details of the person who would be able to respond, on behalf of the Data Fiduciary, to any queries of the Data Principal. The Data Fiduciary would also need to intimate the DPB of such breach without delay, and would be required, within seventy-two hours of becoming aware of the breach (or such longer time as the DPB may allow), to provide the DPB with updated and detailed information: the broad facts resulting in the breach, the measures implemented or proposed to mitigate risk, findings regarding the person causing such breach, the remedial measures taken to prevent recurrence, and a report regarding the intimations given to the Data Principals.

Erasure of Personal Data

If a Data Fiduciary is: (i) an e-commerce entity having not less than two crore registered users in India; (ii) an online gaming intermediary having not less than fifty lakh registered users in India; or (iii) a social media intermediary having not less than two crore registered users in India, and the Data Principal does not engage with the Data Fiduciary for the time period specified under the Third Schedule, the personal data must be erased unless it is required for legal compliance. Before erasing the personal data, the Data Fiduciary must notify the Data Principal at least forty-eight hours in advance that their personal data will be erased unless the Data Principal logs into their account, otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose, or exercises their rights in relation to the processing of the personal data.

Contact Information of the Data Protection Officer

Under the Draft Rules, every Data Fiduciary is required to prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of the Data Principal under the Act, the business contact information of the Data Protection Officer (as defined under Section 2(l) of the Act) or a person who is able to answer, on behalf of the Data Fiduciary, any questions relating to the processing of the personal data of the Data Principal.

Verifiable Consent for Processing Personal Data of a Minor or a Person with Disability

A Data Fiduciary is required to adopt appropriate technical and organizational measures to ensure that verifiable consent of a parent or guardian is obtained prior to processing the personal data of a minor or a person with disability. The Data Fiduciary would also be required to observe due diligence to check that the individual identifying themselves as the parent or guardian has the right to consent on behalf of the minor.

Rights of Data Principals

In order to enable the Data Principals to effectively exercise their rights under the Act, the Draft Rules require the Data Fiduciary to publish on its website and app: (i) the details and means through which the Data Principal may request the exercise of their rights; and (ii) the particulars of the Data Principal (including a username or other identifier) that would be required by the Data Principal to exercise their rights. The Data Principal shall have the right to access the personal information stored by the Data Fiduciary and request its erasure using the means furnished by the Data Fiduciary.

Processing of Personal Data Outside India

Under the Draft Rules, any Data Fiduciary transferring to any other country or territory outside India any personal data processed, (i) within India; or (ii) outside the territory of India but in connection with goods or services offered to Data Principals within the territory of India, would be subject to any requirements set forth by the Central Government in respect of making such personal data available to a foreign state.

Exemptions

The Draft Rules specify that the provisions of the Act shall not apply to the processing of personal data necessary for research, archiving, and statistical purposes, provided that the processing of the personal data is in accordance with the standards set out in the Second Schedule of the Draft Rules.

Conclusion

The Draft Rules represent a significant step towards strengthening data protection in India, aligning it with global standards while addressing unique national challenges. However, the use of vague terminology, including the phrase “reasonable security safeguards”, may lead to difficulties in determining the scope of the Draft Rules and in enforcing them. While the Draft Rules provide for the grievance redressal mechanisms to be published on the website, there is a lack of clarity as to the process through which such grievances are to be addressed by the Data Fiduciary. In addition, the compliance requirements for businesses, including the conducting of an annual DPIA and audit, could lead to significant challenges for businesses looking to grow in the Indian market. In order for the Draft Rules to fulfil their objective of creating a robust data protection system, it would be important to ensure that the standards set thereunder are operationally feasible for all businesses.