DPDP Rules: End of a long wait or yet another failed attempt?

After a wait of almost 16 months since the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) on 11 August 2023, the much-awaited draft of the Digital Personal Data Protection Rules (“Draft Rules”) was released by the Ministry of Electronics and Information Technology (“MEITY”) on 03 January 2025. The DPDP Act seeks to regulate the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes. Pursuant to this objective, the DPDP Act places various obligations on a ‘Data Fiduciary’, which is expressly defined to mean any person (natural or juristic) who determines the purpose and means of processing of personal data (“Data Fiduciary”). These obligations include ensuring lawful processing of personal data, obtaining consent from Data Principals, implementing security safeguards, and complying with data retention and grievance redressal requirements. An individual to whom such personal data relates is referred to as a ‘Data Principal’ under the DPDP Act (“Data Principal”). Further, the DPDP Act defines a ‘Data Processor’ as a person who processes personal data on behalf of a Data Fiduciary.
The Draft Rules provide clarity on the procedural framework outlined in the various provisions of the DPDP Act, to support the actual implementation of the Act. The Draft Rules were open for comments until 05 March 2025, and the date on which the final Rules will be published remains unclear. In this update, we discuss the key provisions of the DPDP Act and the Draft Rules, and share our thoughts on them.
We have listed below some of the key features of the DPDP Act and the corresponding Draft Rules:
Consent and Notice Requirement:
Any request for consent to process a Data Principal’s personal data must be preceded or accompanied by a notice from the Data Fiduciary, ensuring transparency in the data processing request. Section 5 of the DPDP Act requires a Data Fiduciary to issue such notice in the manner prescribed under the DPDP Rules.
In this regard, Rule 3 of the Draft Rules prescribes the requirements for such notice. The notice must:
- Be conveyed in clear and plain language to ensure comprehensibility;
- Contain all necessary information to enable the Data Principal to provide specific and informed consent for the processing of their personal data;
- Include a detailed description of the personal data being processed, its intended purpose, and a list of goods and services that will utilize the data; and
- Provide the Data Principal with an easily accessible link to the Data Fiduciary’s website and/or mobile application, along with a mechanism to withdraw consent and exercise their rights under the DPDP Act.
However, it remains to be seen how entities involved in processing personal data will implement all of these requirements in a single notice, particularly for persons who may not be digitally literate and who do not understand the implications of such a notice. Such entities may view this mandate as an additional step that can affect the overall user experience. Further, if a Data Principal withdraws consent for the purpose specified in the Data Fiduciary’s notice, the processing of personal data for that purpose has to be stopped. This can hamper businesses that require continued consent for upgrading their services or goods.
Consent Management:
Section 6 of the DPDP Act defines ‘Consent’ as consent that is free, specific, informed, unconditional and unambiguous, given with a clear affirmative action. The DPDP Act has also introduced the concept of a ‘Consent Manager’, whose role is to assist the Data Fiduciary in managing the consent provided for processing of data. As per Section 2(g) of the DPDP Act, a ‘Consent Manager’ is a person who is registered with the Data Protection Board of India (“DPBI”) to act as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
In this regard, Rule 4 of the Draft Rules outlines the requirements to qualify as a ‘Consent Manager’. The Consent Manager:
- Must be a company incorporated in India with sound financial and operational capacity;
- Must have a minimum net worth of INR 2,00,00,000;
- Must have a reputation for fairness and integrity in its management; and
- Must have a certified interoperable platform.
Hence, a company that fulfils the aforementioned requirements can make an application to the DPBI. After registration as a ‘Consent Manager’, the entity must follow specific compliances, such as maintaining records of consents, preventing conflicts of interest between its senior management and Data Fiduciaries, and seeking prior approval of the DPBI in case of a transfer of control.
Such a provision provides a unique opportunity for entities to venture into the business of acting as a ‘Consent Manager’, as a plethora of industries depend on processing personal data and will require the assistance of a Consent Manager.
Safeguards to ensure data protection and prevent breaches:
Under Section 8(5) of the DPDP Act, a Data Fiduciary is required to implement reasonable security safeguards to protect personal data in its possession or control and to prevent data breaches.
In this regard, Rule 6 of the Draft Rules is pertinent as it further elaborates on these security safeguards, mandating that Data Fiduciaries must, at a minimum:
- Implement suitable data security measures, such as encryption, obfuscation, masking, and virtual tokens;
- Establish access control protocols to regulate data access;
- Maintain data backups to prevent data loss or destruction;
- Incorporate contractual provisions ensuring that these security safeguards are extended to Data Processors engaged by the Data Fiduciary; and
These measures are designed to strengthen data protection frameworks, minimise security risks, and ensure accountability in data processing activities. Notably, the Draft Rules list the categories of safeguards but do not prescribe specific technical standards, leaving Data Fiduciaries to determine what is reasonable for their context.
Additional Compliances for Significant Data Fiduciaries:
Section 10 of the DPDP Act empowers the Union government to designate a Data Fiduciary or a class of Data Fiduciaries as a Significant Data Fiduciary (“SDF”) based on factors such as the volume and sensitivity of the personal data they process.
In this regard, Rule 12 of the Draft Rules imposes additional obligations on SDFs, which include:
- Conducting a Data Protection Impact Assessment (DPIA) and an annual audit;
- Reporting the findings to the DPBI to demonstrate compliance with data protection regulations;
- Ensuring that any software used for processing personal data, including for storage, hosting, and sharing, does not infringe upon individuals’ rights; and
- Adhering to specific regulations governing the processing of certain categories of personal data, ensuring that such data remains within India.
Additionally, the government retains the authority to restrict the transfer of certain types of personal data outside the country when necessary. Considering the obligations of SDFs under the DPDP Act and the Draft Rules, an entity designated as an SDF will face increased costs, as additional mechanisms will have to be put in place to meet these obligations.
Processing of Data by Government and its authorities:
Under Section 7(b) of the DPDP Act, the State and its agencies are permitted to process personal data for providing subsidies, benefits, and services, subject to the following conditions:
- The Data Principal has consented to the processing;
- The personal data is already available in state records.
In this regard, Rule 5 of the Draft Rules allows state agencies to process personal data without requiring fresh consent, provided they inform users about such processing. Additionally, Rule 6 of the Draft Rules (discussed above) expands on the requirement for reasonable security safeguards, mandating that Data Fiduciaries must:
- Implement data security measures such as encryption, obfuscation (deliberately making data unintelligible to unauthorized users), masking, and virtual tokens;
- Establish access control protocols to regulate data access;
- Maintain data backups to prevent loss or destruction of personal data; and
- Ensure that contracts between Data Fiduciaries and Data Processors include provisions to transfer and uphold these security safeguards.
These provisions aim to enhance data security, protect individual rights, and ensure responsible handling of personal data by both state agencies and private entities.
Exemptions prescribed under the Draft Rules:
Exemptions to processing of personal data of children
Section 9 of the Act provides for exemptions from the standard requirements for processing the personal data of children. This exemption is limited to the conditions laid down under Part A and Part B of Schedule IV of the Draft Rules. Under Part A, certain kinds of Data Fiduciaries, such as healthcare professionals, educational institutions and childcare providers, are exempted from the standard processing requirements. The exemption is tied to the processing being necessary for activities that the Data Fiduciary undertakes for the well-being and safety of the child. Part B further lays down the specific purposes for which the exemption will apply, such as processing for legal duties, issuing subsidies or benefits to children, creating user accounts for communication purposes, or ensuring that the child does not have access to harmful information. Therefore, Rule 11 read with Schedule IV of the Draft Rules limits this exemption for processing children’s personal data to certain purposes and certain Data Fiduciaries only.
Exemption to processing of personal data for research, archiving or statistical purposes
As per Section 17(2), the provisions of the Act do not apply to the processing of personal data if the data is used for research, archiving or statistical purposes and is not used by the Data Fiduciary to take any decision specific to a Data Principal. In this regard, Rule 15 of the Draft Rules lays down the standards, set out in Schedule II, that must be complied with during such processing.
Processing of personal data outside India:
Section 16 of the Act provides that the Central Government can, by issuing a notification to that effect, restrict the transfer of personal data by a Data Fiduciary for processing in any territory outside India. In this regard, Rule 14 of the Draft Rules further clarifies that the Central Government can, by a general or a special order, specify requirements for making personal data available to any foreign State, or to a person or entity under the control of a foreign State.
Our Thoughts:
The impact of the Draft Rules on various market players is already visible from their reaction to the probable provisions. One such instance is Instagram’s recent launch of the teen accounts feature in India, whereby additional protective measures have been introduced to align with requirements under the Draft Rules, such as the prohibition on processing data of users under 18 years of age without verifiable parental consent.[1] Further, the telecom sector is also reacting to the foreseeable compliances under the new law, as can be seen from the request of private telecom operators seeking a two-year extension to comply with the DPDP Act. The reason behind such a request is that the sector will face a significant compliance burden, as telecom operators process large volumes of personal data and are likely to be classified as SDFs under the DPDP Act. This extension would allow them to update customer application forms and enhance their technological systems to manage user consent for data usage and processing.[2]
The Draft Rules can also impact international transactions, particularly mergers and acquisitions, as these typically involve transferring large volumes of data. If such data includes personal data of individuals, then the provisions on consent requirements and transfer of personal data outside India could apply, potentially complicating and delaying such deals.[3] Moreover, an additional layer of consent requirements will likely increase compliance costs for businesses, which may ultimately be passed on to consumers. This could lead to higher prices for digital services, impacting affordability and accessibility, particularly in sectors heavily reliant on personal data processing.
The steps undertaken by MEITY to implement the DPDP Act appear to be in the right direction. However, several gaps in the Draft Rules as dealt with above need to be addressed. The DPDP Act has been structured to align with global data protection laws, and its effective implementation through these Rules could position India among nations committed to safeguarding digital privacy.
The information contained in this document is not legal advice or legal opinion. The contents recorded in the said document are for informational purposes only and should not be used for commercial purposes. Acuity Law LLP disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident, or any other cause.
- [1] India Today, 13 February 2025, “Instagram announces teen accounts with parental controls in India: What does it mean for users?”, available at: https://www.indiatoday.in/technology/news/story/instagram-announces-teen-accounts-with-parental-controls-in-india-what-does-it-mean-for-users-2679174-2025-02-13#:~:text=Meta%2Downed%20Instagram%20has%20introduced,more%20age%2Dappropriate%20online%20experience
- [2] Business Standard, 27 January 2025, “Telecom firms request 2 year extension for compliance with the DPDP Act rules”, available at: https://www.business-standard.com/industry/news/dpdp-act-telecom-compliance-extension-india-125012700874_1.html
- [3] Business Today, 05 February 2025, “How the DPDP Rules, 2025 impact M&A transactions: Compliances, risks, and penalties”, available at: https://www.businesstoday.in/opinion/story/how-the-dpdp-rules-2025-impact-ma-transactions-compliance-risks-and-penalties-463598-2025-02-05