Digital Personal Data Protection Rules, 2025

Shubhankar Bhatt

Published on: May 1, 2025

Sourabh Jain

Updated on: May 2, 2025


INTRODUCTION

After years of anticipation, the Ministry of Electronics and Information Technology (MeitY) officially unveiled the draft Digital Personal Data Protection Rules, 2025 on January 3, 2025. This marks a significant step towards the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). By introducing these rules, MeitY seeks to provide detailed guidelines for the operationalization of the DPDP Act, outlining the responsibilities of data fiduciaries, the rights of individuals, and the mechanisms for enforcement and compliance.

By outlining specific compliance requirements, these rules aim to address growing concerns over data privacy and security by regulating the collection, processing, and storage of personal data by businesses, organizations, and other entities. The release of these draft rules is a key development in the Government’s ongoing efforts to establish a robust framework for safeguarding digital personal data in an increasingly digital world.

Applicability

These rules are designed to govern the processing of personal data and will apply to:

  1. Organizations operating within India,
  2. Organizations outside India that offer goods or services to individuals in India.

These rules are applicable to:

  1. Data Fiduciaries, who determine the purpose and means of processing personal data.
  2. Data Processors, who process data on behalf of Data Fiduciaries.
  3. Significant Data Fiduciaries designated by the Central Government based on the volume and sensitivity of data handled, risks to individuals, and potential impact on national interests.

KEY PROVISIONS OF DRAFT DPDP RULES, 2025:

(Rule 3) – Notice Requirements for Data Fiduciaries: Data fiduciaries must provide clear and easily understandable notices to data principals when collecting their personal data. These notices should include:

  1. A detailed list of the data being collected.
  2. The purpose of processing, and the goods, services, or benefits enabled by such processing.
  3. Instructions for withdrawing consent, exercising rights, and lodging complaints.
  4. The notice must also offer easily accessible communication links to the fiduciary’s platform and outline straightforward methods for withdrawing consent or submitting grievances, ensuring transparency and simplicity.

(Rule 4) – Registration and Obligations of Consent Managers: Consent managers, third-party entities or platforms that assist data principals in managing their consent, must apply to the Board for registration. Once registered, they have several obligations under the DPDP Rules:

  1. Enable Data Principals to give, deny, or withdraw consent for data processing by Data Fiduciaries on the platform.
  2. Maintain a record of consents, notices, and data sharing activities and provide Data Principals access to these records in machine-readable form, and retain them for at least 7 years.
  3. Provide a website or app as the primary means for Data Principals to access services and manage their consent.
  4. Must not sub-contract or assign their obligations under the Act and rules.
  5. Implement reasonable security safeguards to prevent personal data breaches.
  6. Act in a fiduciary capacity towards Data Principals and avoid conflicts of interest with Data Fiduciaries, including in its leadership.
  7. Publish information about its leadership, significant shareholders, and related parties on its website/app for transparency.
  8. Establish an effective audit mechanism to monitor compliance with technical safeguards, conditions of registration, and legal obligations.
  9. Obtain prior Board approval for any transfer of control through sale, merger, or other means.

(Rule 6) – Reasonable Security Safeguards: Data fiduciaries must implement appropriate security measures to protect personal data. The contract between the Data Fiduciary and the Data Processor shall include appropriate provisions requiring the implementation of reasonable security safeguards.

(Rule 7) – Intimation of Data Breach: In the event of a data breach, Data Fiduciaries must:

  1. Notify affected individuals promptly, providing details of the breach, its impact, and the mitigation steps taken.
  2. Inform the Data Protection Board within 72 hours of detection (or longer if approved), offering a detailed report of the incident.

(Rule 8) – Accountability, Compliance, and Data Retention Policies:

  1. Data fiduciaries must process personal data lawfully and only for necessary, specified purposes.
  2. They must also provide grievance redressal mechanisms on their platforms.
  3. For entities such as e-commerce platforms, online gaming intermediaries, and social media platforms with large user bases, data retention policies mandate the deletion of user data after three (3) years unless the user actively maintains their account.
  4. Users must be notified at least 48 hours before data deletion, allowing them to retain their data by logging in or contacting the fiduciary.

(Rule 10) – Consent for Processing Personal Data of Children and Persons with Disabilities:

  1. Data Fiduciaries must implement appropriate technical and organizational measures to obtain verifiable consent from a child’s parent before processing the child’s personal data.
  2. Data Fiduciaries must ensure that the individual providing consent is an identifiable adult.
  3. Similarly, when obtaining consent from the lawful guardian of a person with a disability, Data Fiduciaries must verify that the guardian has been legally appointed by a court, a designated authority, or a local-level committee in accordance with applicable laws.

(Rule 12) – Obligations of Significant Data Fiduciaries:

  1. Significant Data Fiduciaries must conduct annual DPIAs to identify and mitigate risks associated with their data processing activities.
  2. They must also ensure that any algorithmic systems they use for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data do not violate the rights of Data Principals.
  3. They must adopt measures to ensure that personal data identified by the Central Government is processed in compliance with the specific restrictions imposed, ensuring that such data and any related traffic data are not transferred outside India.

(Rule 14) – Processing of Personal Data Outside India: Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must adhere to any requirements set by the central government regarding the sharing of personal data with foreign states or their entities.

(Rule 15) – Exemptions for Research and Statistics: The draft Rules provide an exemption for personal data processing for research, archiving, or statistical purposes, as long as it complies with the safeguards specified in Schedule II (Standards for processing of personal data by State and its instrumentalities). This allows for necessary data usage in academic and policy research while ensuring the protection of data.

(Section 33) – Penal Provisions:

Breach of provisions of this Act or rules made thereunder                        | Penalty
-------------------------------------------------------------------------------- | ---------------
Failure by a Data Fiduciary to implement reasonable security safeguards          | Rs. 250 crores
Failure to notify the Board or affected Data Principals of a personal data breach | Rs. 200 crores
Failure to comply with additional obligations related to children                | Rs. 200 crores
Breach of any other provision of this Act or the rules made thereunder           | Rs. 50 crores

Challenges faced by Organisations

Cross-Border Data Transfers

Navigating international data transfer laws is complex and can delay global operations due to varying legal requirements and safeguards.

Legal and Financial Risks

Failing to comply with privacy laws can result in heavy fines, legal action, and reputational damage, especially in case of data breaches.

High Costs of Data Governance & Compliance

Meeting regulatory standards requires major investments in software, training, and audits, posing a greater burden on small and medium businesses.

Managing User Consent

The rules stress clear, transparent, and verifiable consent. Businesses must build systems to track and manage consent throughout the data lifecycle, adding complexity to user interactions and requiring regular compliance checks.

CONCLUSION:

The Draft Digital Personal Data Protection Rules, 2025 represent a pivotal moment in India’s data privacy landscape. These rules are set to reshape how organizations manage personal data, placing stronger emphasis on accountability, transparency, and user rights.

Businesses will be expected to adopt more structured data governance practices, ensure secure processing, and comply with principles like data minimization and purpose limitation. Additionally, they must empower individuals with greater control over their personal information, including rights to access, correction, and erasure.

While adapting to these new requirements may be challenging, they present an opportunity for companies to strengthen consumer trust and show a commitment to responsible handling of personal data. In a world where digital trust is becoming increasingly important, early and effective compliance will serve as a competitive advantage.

Disclaimer

The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.
