In August 2023, India enacted its first standalone data protection and privacy law in the form of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). In January 2025, the much-awaited subordinate rules under the DPDP Act, namely the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) were released in draft form by the Ministry of Electronics and Information Technology (“MeitY”) inviting comments and feedback from the public by 5th March 2025.
Key Features of the Draft Rules
Consent of Data Principals
- Standalone Consent Notices: Consent notices, for processing personal data (i.e. data about an individual who is identifiable by or in relation to such data (“Personal Data”)) of an individual to whom the Personal Data relates (“Data Principal”), should be given by persons who determine the purpose and means of processing of Personal Data (“Data Fiduciaries”) to Data Principals and should be separate from other agreements (such as terms and conditions) and in plain and clear language to ensure that individuals are made aware, inter alia, of the Personal Data to be collected and processed, the purpose for such processing and their rights under the DPDP Act.
- Explicit Consent Requirement: Data Fiduciaries must obtain clear and explicit consent from Data Principals before processing their Personal Data. This consent must be informed (an itemized list of the Personal Data being collected and a clear description of the purpose for processing, along with an itemized explanation of the goods, services, or uses enabled by such processing), specific, and freely given.
- Withdrawal of Consent: Data Principals should be informed by the Data Fiduciaries about their right to withdraw their consent at any time, and Data Fiduciaries must have mechanisms in place to facilitate this process.
Consent Managers
- An Indian company meeting the criteria specified in the Draft Rules can apply to the Data Protection Board (“DPB”) for registration as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform (“Consent Manager”). The DPDP Act allows every Data Principal to give, manage, review, or withdraw their consent to a Data Fiduciary through a Consent Manager as an intermediary.
- If a Consent Manager is used by a Data Fiduciary to manage the obtaining of consent, the Consent Manager is accountable to the Data Principal and acts on their behalf in accordance with the obligations prescribed under the DPDP Act. Consent Managers have been assigned a number of obligations. The DPB can issue warnings or suspend/cancel the registration of a Consent Manager.
- While the Draft Rules provide a practical framework for Consent Managers to operate, there are concerns regarding the enforcement mechanisms in the event of non-compliances. Currently, the DPB may only instruct Consent Managers to take corrective measures in the event of non-compliance, which may be insufficient given the potential impact on Data Principals’ rights. Considering the critical role Consent Managers play, more stringent measures, such as pecuniary fines or other penalties, are necessary.
Reasonable Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to protect Personal Data from breaches. This includes data encryption, access controls, monitoring through logs, data back-ups, and measures for detecting and addressing unauthorized access. They must retain logs and data for one year (unless required by law to retain for longer) and ensure contracts with the persons who process Personal Data on behalf of the Data Fiduciary (“Data Processors”) mandate similar security measures, supported by effective technical and organizational safeguards.
Rights of Data Principals
- Publication of Rights: Data Fiduciaries and Consent Managers must clearly publish details on their website or app about how Data Principals can exercise their rights, such as publishing, accessing or erasing their data, along with the means, such as a link, and required identifiers, such as a username, unique code or password, for making such requests.
- Access and Erasure Requests: Data Principals can request the Data Fiduciary to access or erase their Personal Data using the published methods. Nevertheless, a Data Fiduciary (of such class as notified under the Draft Rules) that is processing Personal Data for such corresponding purposes (as specified in the Draft Rules), shall erase such Personal Data within 3 (three) years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of their rights, such as accessing, amending or deleting of Personal Data, or the commencement of the Draft Rules, whichever is latest, unless its retention is necessary for compliance with any law.
- Grievance Redressal System: Data Fiduciaries and Consent Managers must publish their grievance redressal response time and implement measures to ensure timely responses.
- Nomination Rights: Data Principals can nominate individuals to exercise their rights under the DPDP Act on their behalf, in accordance with the Data Fiduciary’s terms and applicable laws, using the provided methods.
Restrictions on Processing of Personal Data Outside India
The transfer of Personal Data outside India by a Data Fiduciary, whether processed within or outside India, is subject to such restrictions as the Central Government may, by order, specify, in respect of making such Personal Data available to any foreign State, or to any person or entity under the control of such State or any agency of such a State. Since the Draft Rules have entrusted the Central Government with powers to restrict the processing of Personal Data outside India, the Central Government is likely to issue (and periodically review) a negative list of countries and/or the conditions for processing Personal Data outside India, in due course.
Data Breach Notification
- Notification to Affected Individuals: Data Fiduciaries must promptly inform affected Data Principals about a data breach, detailing its nature, consequences, mitigation steps, safety measures, and a contact for queries.
- Reporting to the Board: Data Fiduciaries must immediately notify the Data Protection Board about the breach and thereafter provide detailed updates, within 72 hours of becoming aware of the same, on the causes, mitigation steps, responsible parties and actions to prevent recurrence along with a report on the intimations given to affected Data Principals.
Significant Data Fiduciaries (“SDFs”)
- Data Protection Impact Assessment and Audit: SDFs comprise a Data Fiduciary or class of Data Fiduciaries that will be notified by the Central Government. The Central Government will determine this classification based on factors like data volume, data sensitivity, harm potential, and use of emerging technologies. While no list of SDFs has yet been released, given the criteria, SDFs will probably encompass companies in the fields of technology and social media such as Meta and Google; e-commerce companies like Amazon, Flipkart, Swiggy; banks and financial institutions like HDFC, ICICI, Paytm and large companies having a voluminous customer base in various other sectors such as telecommunication providers, online payment platforms, insurance and healthcare providers, streaming and edtech providers. These SDFs must conduct a data protection impact assessment and audit every 12 (twelve) months to ensure compliance with the DPDP Act and its subordinate legislation and submit a report of significant findings to the Board.
- Data Localization Measures: SDFs must ensure that Personal Data, as specified by the Central Government, is processed subject to the restriction that the Personal Data and the traffic data pertaining to its flow is not transferred outside the territory of India. However, further clarity is awaited from the Central Government regarding the specific categories of data that will fall under this restriction, the conditions under which these restrictions will apply, and the mechanisms for enforcement. These details will be crucial in evaluating the operational and business impact of such provisions, particularly on sectors that rely heavily on cross-border data processing and transfers.
Children’s Data Protection
- Verifiable Parental Consent for Children: Data Fiduciaries must implement technical and organizational measures to obtain verifiable consent from a child’s parent before processing the child’s Personal Data. They must verify the parent’s identity and age using reliable details already held or voluntarily provided, including virtual tokens or digital locker services.
- Verification of Guardians of Persons with Disabilities: When processing Personal Data of a person with a disability, Data Fiduciaries must verify that the individual claiming to be the lawful guardian is officially appointed by a court, designated authority, or local committee under applicable guardianship laws.
The requirement of these additional safeguards will only be exempted for the Data Fiduciaries or for such purposes as given in Draft Rules (for example: if the Data Fiduciary is a clinical establishment, mental health establishment or healthcare professional, then the processing is restricted to provision of health services to the child by such establishment or professional, to the extent necessary for the protection of their health).
Government Powers
- Exemptions for National Security: The government retains the authority to exempt itself from certain compliance obligations under specific circumstances, particularly concerning national security or public order.
- Information Request and Disclosure Restrictions: The Central Government may require Data Fiduciaries to provide information for purposes outlined in the DPDP Act. The government will specify the time period for submission, and if disclosure of such information to third parties may affect India’s sovereignty, integrity, or national security, the Data Fiduciary or intermediary must obtain prior written permission from the authorized person of the Government before disclosing the information. This provision forms part of the obligations under Section 36 of the DPDP Act.
Exemption for Research, Archiving, or Statistical Purposes
The DPDP Act exempts Personal Data processing for research, archiving, or statistical purposes, provided it complies with the standards set out in the Draft Rules, ensuring data use for academic and policy research while maintaining safeguards.
Key Takeaways
- The DPDP Act and Draft Rules will necessitate substantial changes in how organizations obtain and handle user consent, potentially leading to operational challenges, especially for smaller businesses.
- While the Draft Rules set out comprehensive security measures, their generic nature may lead to ambiguity regarding compliance standards. It was anticipated that the Draft Rules would offer a structured approach to facilitate the implementation of the DPDP Act. However, the Draft Rules provide a broad framework without detailed guidelines that would have enhanced ease of implementation.
- The public consultation process was initially open until 18th February 2025 and was then extended until 5th March 2025. This period will be crucial for gathering feedback from stakeholders and refining these rules further.
- While the DPDP Act and Draft Rules emphasize data protection and accountability, the specifics regarding the type and volume of data to be localized remain unclear. The Draft Rules place a strong emphasis on data localization, aiming at Personal Data of Data Principals within India to be processed domestically, with cross-border transfers subject to restrictions specified by the Central Government. This move aims to bolster data security and privacy, granting the government greater control over data flows and enforcement of regulations.
- Many global businesses rely on an international network of data centres, and mandating local data centres in India could lead to substantial operational costs. Managing multiple localized data systems could further complicate logistics and financial planning, particularly for businesses with a global user base. Additionally, conflicts between India’s data localization laws and international standards, such as the EU’s GDPR, could pose challenges for companies operating across multiple jurisdictions with stringent data protection regulations.
- As India moves forward, balancing national security and privacy with the operational and financial realities of global businesses will be critical. Companies must closely monitor developments and prepare for potential localization requirements to ensure compliance while managing the risks of logistical and operational disruptions.
- Overall, while the Draft Rules are a positive development in India’s journey towards effective data protection, careful implementation and ongoing dialogue will be essential to address potential challenges and ensure that the framework serves its intended purpose, making the DPDP Act truly effective in protecting individuals’ data rights.
- Michelle Solomon Le Page (Partner), Jones Vaidya (Senior Associate) and Manasvini (Associate), Solomon & Co.
About Solomon & Co.
Solomon & Co. (Advocates & Solicitors) was founded in 1909 and is amongst India’s oldest law firms. The Firm is a full-service firm that provides legal services to Indian and international companies and high-net-worth individuals on all aspects of Indian law.
Disclaimer
The information contained in this article is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. The application and impact of laws can vary widely based on the specific facts involved. As such, it should not be used as a substitute for consultation with a competent adviser. Before making any decision or taking any action, the reader should always consult a professional adviser relating to the relevant article posting.
Copyright © 2020 Solomon & Co., All rights reserved.