
Civil Law

Draft Digital Personal Data Protection (DPDP) Rules, 2025

13-Jan-2025

Source: The Hindu 

Introduction 

The Ministry of Electronics and Information Technology (MeitY) has finally released the draft rules for implementing India's first comprehensive data privacy law, the Digital Personal Data Protection Act 2023, after a 16-month wait. These rules, open for public feedback until mid-February, are crucial as they provide the framework for implementing data protection measures, user rights, and establishing the Data Protection Board of India. 

The Digital Personal Data Protection (DPDP) Act 2023 

  • It establishes rules for processing digital personal data in India, focusing on protecting individuals' privacy while enabling lawful data processing by organizations. 
  • The Act introduces a consent-based framework where organizations must obtain explicit consent before collecting and processing personal data, with certain exemptions for state functions and emergencies. 
  • It creates a Data Protection Board of India to enforce compliance and handle grievances, with powers to impose significant penalties (up to Rs 250 crore) for violations. 
  • The law requires companies to implement reasonable security safeguards to prevent data breaches and mandates that they notify users and authorities about any data breaches. 

DPDP Act, 2023  

  • Section 4 (Grounds for processing personal data): Personal data can only be processed with the Data Principal's consent or for certain legitimate uses and must be for a lawful purpose that is not expressly forbidden by law. 
  • Section 8 (General obligations of Data Fiduciary): Data Fiduciaries must protect personal data through reasonable security safeguards, report breaches, and erase data when retention is no longer necessary. 
  • Section 9 (Processing of personal data of children): Verifiable parental consent is required before processing children's data, and tracking/behavioral monitoring of children is prohibited. 
  • Section 10 (Additional obligations of Significant Data Fiduciary): Significant Data Fiduciaries must appoint Data Protection Officers, conduct audits, and undertake Data Protection Impact Assessments. 
  • Section 11 (Right to access information about personal data): Data Principals have the right to obtain summaries of their processed personal data and know which entities their data has been shared with. 
  • Section 13 (Right of grievance redressal): Data Principals have the right to grievance redressal from Data Fiduciaries and Consent Managers regarding their personal data. 
  • Section 16 (Processing of personal data outside India): The Central Government can restrict transfer of personal data to certain countries/territories outside India through notification. 
  • Section 18 (Establishment of Board): Establishes the Data Protection Board of India as a corporate body with powers to acquire/hold property and enter into contracts. 

Draft DPDP Rules, 2025 

  • Released on 3rd January, 2025 by MeitY, the Draft DPDP Rules mark a significant step in India's digital personal data regulation journey, following the DPDP Act of 2023. 
  • The rules take a principles-based, less prescriptive approach compared to the earlier Personal Data Protection Bill, which was considered too restrictive and hostile to industry interests. 
  • Unlike the EU's GDPR, India's rules provide simplicity and clarity in notice and consent mechanisms, helping reduce "consent fatigue" experienced by users. 
  • The rules respect business autonomy by avoiding strict dictates on how entities should enable user rights like correction, erasure, and consent withdrawal. 
  • Special exemptions are provided for educational institutions, healthcare providers, and childcare centers regarding parental consent requirements for tracking and monitoring children's data. 
  • A significant concern is the rules' approach to cross-border data flows, particularly for Significant Data Fiduciaries (SDFs), which may face stricter localization mandates. 
  • The draft rules lack clarity on how businesses can verify legitimate user information requests and handle excessive or unfounded information requests. 
  • According to IBM, data breaches cost Indian businesses an average of ₹19.5 crore ($2.35 million) in 2024, which underscores the importance of data protection. 
  • The framework states the need to move beyond traditional notice-and-consent mechanisms, particularly in contexts where obtaining consent is impractical, such as malls, airports, and beaches. 

What are the Criticisms of the DPDP Rules 2025 Draft? 

  • The DPDP Act 2023 is India's first comprehensive data privacy law covering all commerce and industry sectors, establishing user rights and creating the Data Protection Board of India. 
  • The draft rules aim to provide guidance on critical mechanisms like notice, consent, data breach notifications, parental consent for children's data, and data localization. 
  • Civil society criticized the DPDP Act for not having a specialized regulator and lacking standard protections against government data access. 
  • Regarding user rights, the draft rules fail to provide clear mechanisms for how users can exercise their rights to access, correct, complete, update, and erase their data. 
  • The rules don't clarify specific scenarios like whether users can ask search engines to remove certain links, or how to handle third-party objections to data erasure requests. 
  • For children's data protection, the rules require parental consent for users under 18 but lack detailed procedures for verifying parental relationships and age verification. 
  • The rules don't address practical implementation challenges like shared device usage in Indian families or methods to verify children's age claims. 
  • Despite having 16 months for preparation, critics consider the draft rules vague, incomplete, and rushed compared to typical detailed guidelines. 
  • The government needs to seek expert advice, conduct wider consultations, and establish clear implementation timelines before finalizing the rules. 

What are the Key Features and Concerns of the DPDP Rules 2025? 

  • Principles-based Approach: 
    • Less prescriptive compared to previous attempts 
    • Focuses on outcomes rather than detailed processes 
  • Key Provisions: 
    • Simplified framework for notice and consent 
    • Flexible approach to user interface design 
    • Special provisions for children's data protection 
    • Exemptions for specific industries like educational institutions and healthcare providers regarding parental consent requirements 
  • Notable Concerns: 
    • Cross-border data flow restrictions 
    • Different rules for Significant Data Fiduciaries (SDFs) vs smaller entities 
    • Potential data localization mandates for larger enterprises 
    • Gaps in addressing business verification of user information requests 
  • Implementation Framework: 
    • Provides necessary details for implementing the DPDP Act 2023 
    • Available on MeitY's website for public review 
    • Open for feedback/comments from stakeholders 
    • Feedback will be held in fiduciary capacity and not disclosed 
  • Public Consultation Process: 
    • MeitY is actively seeking stakeholder feedback 
    • Submissions will be kept confidential 
    • A consolidated summary of feedback will be published after rules are finalized 
    • Individual submissions will not be publicly disclosed 

What are the Major Gaps and Implementation Challenges in the DPDP Rules 2025 Draft? 

  • The draft rules lack detailed guidelines despite providing basic operative guidance for critical mechanisms like notice, consent, data breaches, and parental consent collection. 
  • Regarding user rights, the DPDP Act grants users the right to access, correct, complete, update, and erase their data, but the draft rules fail to clarify how users can exercise these rights. 
  • The rules simply restate the Act by saying users can make requests to data processors by following business-published steps, without providing specific implementation guidance. 
  • A critical gap exists in the right to erasure, as the rules don't clarify whether users can request search engines to remove specific website links, despite Indian courts frequently ordering Google to "de-list" certain links. 
  • The draft rules fail to address how third parties' online speech rights might be affected by erasure requests and don't provide clear objection mechanisms for data processors. 
  • For child protection, the rules mandate parental consent for users under 18 but lack specific mechanisms for identifying children and verifying parental consent. 
  • The rules only broadly require data processors to adopt "appropriate technical and organizational measures" for parental consent, without detailing the actual verification process. 
  • Critical implementation questions remain unanswered, such as verifying genuine parental relationships, dealing with age falsification, and handling shared device usage in Indian families. 
  • Despite having 16 months for preparation, the rules are considered vague and incomplete, lacking the detailed guidelines typically needed for effective consumer privacy protection and business operations. 

Conclusion  

Despite having 16 months to draft these rules, the government has produced a vague and incomplete document that falls short of providing clear operational guidance for businesses and adequate protection for users' privacy. Before finalizing these rules, which will form the foundation of India's first data privacy law, the government needs to seek expert advice, conduct broader consultations, and establish clear implementation timelines.