India seeks views on Draft Digital Personal Data Protection Rules

The Ministry of Electronics and Information Technology (“MEIT”) has released a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) under the Digital Personal Data Protection Act, 2023 (“Act”). The MEIT is currently seeking public feedback and comments on the Draft Rules by 18 February 2025 (“Consultation”).

We summarise the key Draft Rules below.

A. Key Definitions

Rule 2 of the Draft Rules states that unless otherwise required by the context, the definitions within the Act apply to the Draft Rules. This includes the following key definitions:

  • Board: The Data Protection Board of India established by the Central Government under section 18 of the Act.
  • Child: An individual who has not completed the age of eighteen years.
  • Consent Manager: A person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw his/her consent through an accessible, transparent and interoperable platform. 
  • Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. This is akin to a data controller under the data protection laws of other jurisdictions.
  • Data Principal: The individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardian of such a child; or (ii) a person with disability, includes her lawful guardian, acting on her behalf. This is akin to a data subject under the data protection laws of other jurisdictions.
  • Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.

B. Key Rules

Key rules under the Draft Rules include the following:

  • Notice from Data Fiduciary to Data Principal to Obtain Consent: The method and minimum content of such notices are prescribed, such as the inclusion of a communication link to the Data Fiduciary’s website and/or app, and the provision by Data Fiduciaries of the means for Data Principals to withdraw consent, exercise rights under the Act and make complaints with the Board.
  • Consent Manager Registration and Obligations: Consent Managers will be registered, and the Board may register or reject applications based on prescribed conditions.
  • Reasonable Security Safeguards: Data Fiduciaries must protect personal data using various measures, including data security measures (e.g. encryption); control measures (e.g. controlled access to computer resources); access monitoring (e.g. through computer logs); business continuity measures (e.g. backups); unauthorised access detection; agreed contractual measures between the Data Fiduciary and Data Processor; and appropriate technical and organisational measures.
  • Data Breach Reporting: Data Fiduciaries who are aware of a personal data breach must notify affected Data Principals and the Board without delay, and Data Fiduciaries must provide detailed and specified information to the Board within 72 hours (or a longer period if allowed via a written request to the Board).
  • Retention of Personal Data and Requirement to Erase: Certain classes of Data Fiduciaries (including social media intermediaries, online gaming intermediaries, and e-commerce entities) who process personal data for corresponding purposes must erase personal data unless retention is necessary for compliance with the law. Importantly, such Data Fiduciaries must inform the Data Principal, at least 48 hours before the erasure is carried out, that such personal data will be erased unless certain actions are taken.
  • Publication of the Data Protection Officer’s Contact Information: A Data Protection Officer’s contact information must be published prominently on the Data Fiduciary’s website or app to allow Data Principals to raise questions regarding the processing of their personal data.
  • Verifiable Consent of the parent or lawful guardian of children or persons with disability, respectively, should be obtained using appropriate technical and organisational measures prior to processing the personal data of such individuals.
  • Exemptions from Obligations applicable to Processing Child Personal Data: Certain classes of Data Fiduciaries (including clinical establishments, mental health establishments, educational institutions and transportation companies engaged by educational institutions, nurseries or child care centres to transport children) are exempted from sections 9(1) and (3) of the Act, which require Data Fiduciaries to obtain verifiable consent from a child’s parent and not to undertake tracking or behavioural monitoring of children, in relation to specific activities and purposes.
  • Additional Obligations for Significant Data Fiduciaries, which include an annual undertaking and reporting of the results of Data Protection Impact Assessments and audits, and ensuring that algorithmic software does not pose risks to Data Principals’ rights.
  • Publication of Details regarding how Data Principals can Exercise their Rights and related information on the Data Fiduciary’s website and/or app.
  • Transfers of Personal Data out of India are subject to restrictions specified by the Central Government through general or special orders.
  • Exemption for Research, Archiving or Statistical Purposes where the Act does not apply to the processing of personal data necessary for research, archiving or statistical purposes if done according to specified standards.
  • Calling for Information from Data Fiduciary or Intermediary where the Central Government may, for specified purposes, require any Data Fiduciary or intermediary to furnish certain information within a specified period.

C. Conclusion

Anyone who wishes to participate in the Consultation on the Draft Rules may provide comments or feedback through a link provided by the MEIT to the MyGov Portal.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Act, Draft Rules and Consultation; the information, content and materials stipulated above are based on our reading of the amendments and are for general informational purposes only.