The Aakhya Weekly #129 | Special Edition- Draft Digital Personal Data Protection Rules, 2025
In Focus: Key Insights from the Draft DPDP Rules, 2025
Aakhya India Policy Team
In August 2023, the Digital Personal Data Protection Act (DPDP Act) was enacted to regulate the processing of personal data while safeguarding individuals’ right to privacy. Building on this, the Central Government released the draft Digital Personal Data Protection Rules, 2025 on January 3, 2025, for public consultation. Stakeholders are invited to submit their suggestions and feedback via the MyGov portal (https://mygov.in) by February 18, 2025.
The provisions related to the Data Protection Board (Rules 16-20) will come into effect upon their notification in the official gazette. In contrast, key operational requirements outlined in Rules 3-15, 21, and 22 will be implemented later, though no specific timeline has been provided for their enforcement.
For clarity, we have revisited the following definitions from the DPDP Act 2023 to simplify understanding:
Consent Manager (CM): means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform;
Data: means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means;
Data Fiduciary (DF): means any person who alone or in conjunction with other persons determines the purpose and means of processing personal data;
Data Principal (DP): means the individual to whom the personal data relates;
Data Processor (DPr): means any person who processes personal data on behalf of a Data Fiduciary.
What are the Rules Exactly?
Notice to give Consent (Rule 3): DFs should provide clear and detailed notice to DPs when requesting consent for personal data processing. According to the rules, this notice must include an itemised description of the personal data being collected, the specific purposes for its processing, and the goods or services enabled by such processing. The notice must be separate from other documents like contracts or terms and conditions and include a communication link to the DF's website or app. It must also offer easy options for the DP to withdraw consent, exercise their rights under the Act, or file a complaint with the Board.
Registration and Obligations of Consent Manager (Rule 4): A CM is an entity registered with the Data Protection Board of India, tasked with helping individuals manage, review, and withdraw consent for data use through a user-friendly platform. To qualify, the entity must be an Indian-incorporated company with a net worth of at least ₹2 crores, sufficient technical, operational, and financial capacity, and sound business prospects. It must prioritise the interests of DPs, operate a certified interoperable platform meeting data protection standards, and ensure strong security measures. The CM must maintain transparency, secure data, and avoid conflicts of interest with DFs while complying with regular audits and data protection laws. Failure to meet these obligations may lead to corrective actions, suspension, or cancellation of registration by the Board to protect DPs' rights.
The Processing of Personal Data by the State (Rule 5): The government and its instrumentalities can process individuals' data (DPs) for issuing subsidies, benefits, services, certificates, licenses, or permits as outlined by law, government policies, or public funds. This processing must comply with the standards set in the Second Schedule, ensuring the data is processed lawfully, accurately, and only for specified purposes. It mandates that data be used strictly for its intended purpose, retained only for as long as necessary, and protected by reasonable security safeguards. Additionally, the government must inform DPs about the processing, provide clear contact information for inquiries, and offer mechanisms for DPs to exercise their rights under the Act.
Reasonable Security Safeguards (Rule 6): A DF must safeguard the personal data it holds or controls, including data processed by a DPr on its behalf, by implementing reasonable security measures to prevent breaches. These measures include encryption, obfuscation, masking, or virtual tokenisation of data, controlling access to computer resources, and maintaining visibility on data access through logs, monitoring, and reviews to detect and prevent unauthorised access. Additionally, the DF must ensure data processing continues even during breaches or outages through backups. It must retain logs and personal data for one year unless legally required otherwise. Security measures must also be included in contracts with DPr. Furthermore, the DF must adopt appropriate technical and organisational measures for efficient security safeguards.
Intimation of Personal Data Breach (Rule 7): In the event of a personal data breach, a DF must inform the Data Protection Board and each affected DP in a prescribed manner. According to Rule 7, the breach notification must be clear, easy to understand, and sent via the DP's registered communication method, such as their user account. The DF must provide key details, including a description of the breach, its potential impact on the DP, actions taken by the DF to mitigate risks, advice on how the DP can protect themselves, and contact information for inquiries. Additionally, the DF must report the breach to the Board within 72 hours, providing an initial description of the breach, its potential effects, and later updates, including reasons behind the breach, steps taken to mitigate risks, identification of responsible parties, and measures to prevent future occurrences. However, there is no mention of a reporting timeline to DPs.
Time-bound Data Retention (Rule 8): A DF is required to erase a DP's personal data either upon withdrawal of consent or when the purpose for which the data was collected is no longer served, whichever occurs first. Schedule 3 of the rules outlines the retention periods for different categories of Data Fiduciaries. For instance, e-commerce entities with at least 2 crore registered users in India must retain data for up to 3 years from the last user activity or the commencement of the DPDP Rules 2025, whichever is later. Similarly, online gaming and social media intermediaries with a significant user base have defined retention periods. Furthermore, at least forty-eight hours before the data is erased, the DF must notify the DP, informing them that their data will be erased unless they log into their account, contact the DF for a specific purpose, or exercise their rights regarding data processing.
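To make the Rule 8 timeline concrete, here is an added example (not part of the draft rules or of Aakhya's newsletter) that computes the erasure deadline and the 48-hour notice window for the e-commerce class described above. The commencement date, the 3-year window, and the ISO-8601 timestamps are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed assumptions (not values from the draft text itself): the
# e-commerce class of the Third Schedule uses a 3-year window counted from the
# later of last user activity and commencement of the Rules; the commencement
# date is a placeholder because the draft gives no enforcement timeline.
RULES_COMMENCEMENT = "2025-01-03T00:00:00+00:00"  # placeholder
ECOMMERCE_RETENTION = timedelta(days=3 * 365)
NOTICE_LEAD = timedelta(hours=48)  # Rule 8: notify the DP 48 h before erasure

def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def retention_ceiling(last_activity: str) -> str:
    """Schedule 3 clock: 3 years from the later of last activity and commencement."""
    start = max(_ts(last_activity), _ts(RULES_COMMENCEMENT))
    return (start + ECOMMERCE_RETENTION).isoformat()

def erasure_deadline(last_activity: str, consent_withdrawn: Optional[str] = None,
                     purpose_ended: Optional[str] = None) -> str:
    """Rule 8: erase at the earliest of consent withdrawal, end of the purpose,
    or the Schedule 3 ceiling for the DF's class, whichever comes first."""
    candidates = [_ts(retention_ceiling(last_activity))]
    candidates += [_ts(t) for t in (consent_withdrawn, purpose_ended) if t]
    return min(candidates).isoformat()

def notice_due(erase_at: str) -> str:
    """Latest moment at which the pre-erasure notice may still be sent."""
    return (_ts(erase_at) - NOTICE_LEAD).isoformat()

def may_erase(erase_at: str, notice_sent_at: Optional[str], now: str,
              dp_reengaged_since_notice: bool = False) -> bool:
    """Erasure is allowed only once the deadline has passed, the DP was notified
    at least 48 h earlier, and the DP did not log in, contact the DF, or
    exercise a right after the notice (any of which keeps the data alive)."""
    if dp_reengaged_since_notice or notice_sent_at is None:
        return False
    if _ts(notice_sent_at) > _ts(notice_due(erase_at)):
        return False  # notice sent too late: fewer than 48 h of warning
    return _ts(now) >= _ts(erase_at)
```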
Obligation to Provide Contact Information for Data Processing Queries (Rule 9): A DF is obligated to publish the business contact details of a Data Protection Officer or another designated person who can address any questions from the DP regarding the processing of their data. This provision ensures that DPs have a clear and accessible channel for raising concerns or inquiries about their data. Rule 9 further mandates that the DF must prominently display the contact information of the Data Protection Officer or the designated contact person on its website or app. Additionally, the DF must include this contact information in all responses to communications where the DP exercises its rights under the Act.
Children’s Personal Data (Rule 10): A DF must obtain verifiable consent from a child's parent or lawful guardian before processing the child's personal data. The DF is prohibited from processing personal data in ways that could harm the child's well-being, including tracking or monitoring children's behaviour or engaging in targeted advertising aimed at them. The DPDP rules specify that when a child informs the DF of their status, the DF must ensure that the parent verifies their identity before processing the child's personal data. The DF must confirm reliable identity and age details if the parent is a registered user. If the parent is not registered, the DF must verify their identity using government-issued identity and age details or a virtual token, which can be provided via a Digital Locker service. This verification applies whenever a child's personal data is processed to create an account. However, tech giants have also raised alarms, saying that behavioural tracking is essential for ensuring the effectiveness of safety features designed to protect young users.
Exemptions for Processing Children's Personal Data (Rule 11): The Rules outline exceptions for processing children’s data without parental consent or restrictions on tracking and behavioural monitoring. These exceptions apply to DF in specific cases, such as clinical, mental health or healthcare professionals processing data for health services to safeguard a child’s well-being, educational institutions monitoring data for learning purposes or child safety, and individuals or establishments responsible for children’s care, such as crèches or daycare centres, processing data for safety. DFs involved in transporting children may also process data for tracking their location for safety purposes. Additionally, processing is allowed without parental consent for legal purposes in the child’s best interest, such as fulfilling duties under Indian law, providing public funds-related services, or creating user accounts for email communication. It is also permissible to process data to block harmful content or verify that a DP is not a child.
Additional Obligation for Significant Data Fiduciary (Rule 12): A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the government based on factors such as the volume and sensitivity of personal data processed, risks to individuals' rights, and threats to national security and public order. As per the rules, an SDF must conduct a Data Protection Impact Assessment and an audit every 12 months after being notified as such or included in the class of DF. The findings must be reported to the Data Protection Board (DPB). The SDF is also required to ensure that any algorithmic software used for processing personal data does not pose risks to the rights of individuals. Furthermore, the SDF must implement measures to prevent certain personal and traffic data, as specified by the Central Government based on committee recommendations, from being transferred outside India. This provision may raise data localisation concerns for SDFs, potentially creating conflicts with international data transfer obligations, especially where foreign laws mandate the disclosure or transfer of data to government agencies outside India.
Rights of Data Principals (Rule 13): DPs have specific rights under the DPDP Act, and it is the duty of the DF and, where applicable, the CM, to provide clear instructions on how these rights can be exercised. The DF and CM must publish on their website or app the methods available for DPs to request access to or erasure of their personal data. They must also specify the identifiers (e.g., usernames or customer IDs) required to verify the DP's identity for these requests. DPs can make requests to the DF to which they previously gave consent, using the published methods and identifiers. Furthermore, the DF and CM must disclose their grievance redressal process, including the response time for addressing complaints, and implement measures to ensure timely resolution. DPs also have the right to nominate individuals to exercise their rights on their behalf.
Processing of personal data outside India (Rule 14): The transfer of personal data by DFs outside India is restricted and must follow conditions set by the Central Government, as and when they are notified. If data is processed in India, it cannot be transferred abroad without meeting these conditions. The same rules apply if data is processed outside India for offering goods or services to individuals in India. The Central Government may issue orders regulating data transfers to foreign countries or sharing with foreign-controlled entities.
Exemption from Act (Rule 15): Processing personal data for research, archiving, or statistical purposes is exempt from the Act’s provisions, provided that the data is not used to make decisions affecting a specific DP. Such processing must adhere to the standards outlined in the Second Schedule.
Data Protection Board (Rule 16-20): The DPB is governed by a Search-cum-Selection Committee, led by the Cabinet Secretary, to recommend the Chairperson and Members, with appointments made by the government. Their salary and service conditions are outlined in the Fifth Schedule. The Chairperson organises meetings, and decisions require a quorum and majority vote, with a casting vote in case of ties. The Board operates digitally, retaining the power to summon individuals under oath. It can appoint officers with Central Government approval, as specified in the Sixth Schedule.
Appeal to Appellate Tribunal (Rule 21): Individuals dissatisfied with a decision by the Data Protection Board can appeal to the Appellate Tribunal. Rule 21 mandates digital submission of appeals, with a fee comparable to that under the Telecom Regulatory Authority of India Act, 1997, unless waived by the Chairperson. Payments must be made via UPI or other RBI-approved systems. The Tribunal is not bound by the Code of Civil Procedure; it follows natural justice principles and its own internal procedures, with minimal in-person appearances, while retaining the authority to summon individuals under oath.
Requesting Information from Data Fiduciaries (Rule 22): The Central Government can request DFs or intermediaries to provide information for specific purposes, such as ensuring India’s security or meeting legal requirements. If the information concerns national security, the DF or intermediary must obtain written consent from an authorised person before sharing it. The government may also assign officers to identify Significant Data Fiduciaries (SDFs), based on factors like the volume and sensitivity of the data they handle.
Top Stories of the Week
IndiaAI and Microsoft Partner for Digital Transformation
IndiaAI, under the Digital India Corporation, has partnered with Microsoft to boost the adoption of artificial intelligence across India. This strategic collaboration aims to skill 500,000 individuals by 2026, including students, educators, government officials, and women entrepreneurs. The initiative focuses on establishing AI Centers of Excellence, termed 'AI Catalysts', helping promote rural AI innovation in tier 2 and 3 cities. Additionally, AI Productivity Labs will be set up in 20 National Skill Training Institutes to empower local educators and students with foundational AI training.
The collaboration emphasises responsible AI development, assuring ethical practices through frameworks and standards, and creating AI-enabled solutions for critical sectors such as healthcare and education. Microsoft will also support 1,000 AI startups via its Founders Hub program, offering resources, mentorship, and technical guidance. This partnership is positioned as a step towards making India a leader in AI applications, facilitating inclusive growth and economic transformation across the country.
A Few Good Reads
Rishi Gupta examines the reasoning behind US NSA Jake Sullivan's visit to India and spotlights why India is becoming an increasingly important strategic partner for the USA.
Ajay Shah discusses the volatility of currency markets, highlighting the need for consistent price fluctuations instead of government-controlled rates to foster stronger, more capable firms.
Vivek Katju notes, "Despite a large Indian diaspora in Canada, bilateral ties have not been a priority for India," discussing the implications of Justin Trudeau's resignation on India-Canada relations.
T.C.A. Anant emphasizes that transparent methodologies and regular household surveys can improve CPI's usefulness in policymaking.
Ian Bremmer opines Xi Jinping's government will be less accommodating of the ‘Tariff Man’s’ demands this time around.