| Reference Date | Version | April 14, 2025 | 1.0 |
| Keywords | Personal Data, Data Principal, Data Protection, Data Processing, Data Breach, Data Privacy |
| Legislation(s)/Policies |
(i) Data Protection Act, 2023 (ii) Draft Digital Personal Data Protection Rules, 2025 |
| Jurisdiction | India |
The draft Digital Personal Data Protection Rules, 2025, signifies a crucial advancement in India’s data protection landscape, establishing essential frameworks for safeguarding personal data under the Digital Personal Data Protection Act, 2023.
It is crucial not only to understand the obligations of each player involved in the data handling chain but also to appreciate the often far-reaching consequences of any act of omission or commission by any player within that chain.
Introduction
The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) for public consultation on January 3, 2025.
Key provisions include enhanced notice requirements for Data Fiduciaries, governance mechanisms for Consent Managers, and strengthened security safeguards to mitigate risks of data breaches.
This article examines the Draft DPDP Rules, identifies key areas that necessitate scrutiny and offers constructive suggestions to enhance clarity, enforceability, and alignment with the spirit of the DPDP Act.
Meanings
The meanings as given under the DPDP Act and used in the Draft DPDP Rules are reproduced below for ease.
- Personal data: any data about an individual who is identifiable by or in relation to such data.
- Data Principal: the individual to whom the personal data relates.
- Data Fiduciary: any person who determines the purpose and means of processing personal data.
- Data Processor: any person who processes personal data on behalf of a Data Fiduciary.
- Consent Manager: a person registered with the Data Protection Board of India.
The Draft DPDP Rules – Observations
1. Notice Requirements for Data Fiduciaries
This rule outlines the obligations of a Data Fiduciary to provide notice to the Data Principal at the time of obtaining consent.
- Dual Format Notice: The provision should mandate notice in both digital and non-digital formats.
- Enhanced Content Requirements: Data Fiduciaries should provide clear and concise notice details.
- Clarifying Data Principal Rights: This rule should specify the rights to access, correct, erase, and withdraw consent.
- Addressing Subsequent Digitization: Personal data digitized subsequently should comply with all notice requirements.
2. Consent Managers: Strengthening Governance and Accountability
This rule outlines the process for registration of Consent Managers and their obligations.
- Integrity of Leadership: Senior management should possess integrity and a clean record.
- Data Processing Location: Processing of records should occur within India.
- Enhancing Security Safeguards: Consent Managers should implement comprehensive security measures.
- Managing Conflicts of Interest: Systems should exist to avoid conflicts with Data Fiduciaries.
3. Reasonable Security Safeguards
This rule requires Data Fiduciaries to implement reasonable security safeguards.
- Comprehensive Data Security Measures: Appropriate data protection mechanisms including encryption and masking should be used.
- Enhanced Access Visibility: Real-time monitoring and logging should be implemented.
- Contractual Security Obligations: Data Processors must follow security obligations under agreements.
- Periodic Security Assessments: Vulnerability assessments and audits should be conducted regularly.
4. Data Retention: Balancing Purpose and Privacy
This rule requires Data Fiduciaries to erase personal data once the purpose is fulfilled.
- Publicly Available Retention Period: Retention periods should be defined and publicly disclosed.
- Pre-Erasure Notification: Data Principals should receive prior notice before data erasure.
Viewpoint
The Draft DPDP Rules represent a significant milestone in establishing a robust data protection framework in India.
The implications of the DPDP Rules extend to both individuals and businesses, promoting a culture of responsible data handling.
The DPDP Rules are a crucial stride toward a more secure and equitable digital ecosystem in India.
Legal Support in the domain of Data Protection and Privacy Laws
If you are interested in related topics like privacy and data protection, reach out for information or support to our legal firm in Gurgaon .
Founded in 2003 by Divjyot Singh and Suniti Kaur, Alaya Legal takes pride in its boutique practice, which encompasses Litigation and Arbitration, Corporate and Commercial, Energy and Sustainability , as well as Information Technology and Artificial Intelligence.
Riddhi Rahi (Ms), Mr. Tushar Todi and Rachit Singh (Mr)
Associate at Alaya Legal
Associate at Alaya Legal
-
Rachit Singh (Mr)
-
Rachit Singh (Mr)
-
Rachit Singh (Mr)
-
Rachit Singh (Mr)
-
Rachit Singh (Mr)
-
Rachit Singh (Mr)



