MeitY issues Draft Digital Personal Data Protection Rules
Implementing the Digital Personal Data Protection Act, 2023
The draft Digital Personal Data Protection Rules, 2025, introduced by MeitY, provide the much-needed framework for implementing the Digital Personal Data Protection Act, 2023. Sixteen months after the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “Act”), the Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”) introduced the draft subordinate legislation, the Digital Personal Data Protection Rules, 2025 (hereinafter referred to as the “Draft Rules”), on January 03, 2025 for public consultation and feedback.
In a notification associated with the Draft Rules, MeitY has invited rule-wise feedback/comments, to be submitted by February 18, 2025 on the MyGov portal at the link pasted below: https://innovateindia.mygov.
Key Provisions of the Draft Digital Personal Data Protection Rules, 2025
1. Notice Requirements
- Independence: Notices by Data Fiduciaries must be separate from other information provided.
- Clarity: Plain language is required to ensure Data Principals understand the purpose and nature of data processing.
- Transparency: Itemized descriptions of data categories, purposes, and associated services must be included.
- Rights & Access: Links to rights and access options should be communicated clearly.
2. Personal Data Breach Notifications
- To Data Principals: Clear, concise communication regarding the breach and safety measures taken.
- To the Data Protection Board: Detailed breach reports, including the nature, timing, and extent of the breach.
3. Reasonable Security Safeguards
- Measures include encryption, masking, and access controls to ensure data confidentiality, integrity, and availability.
4. Consent Managers
- Consent Managers must register with the Board and act in a fiduciary capacity to maintain data integrity and ensure proper tracking of consent and data-sharing activities.
5. Data Retention Periods
- E-commerce, social media, and online gaming entities with significant user bases must delete personal data after three years.
6. Processing of Children’s Data
- Verifiable parental consent is required, ensuring that the parent is a recognized adult. Stringent due diligence obligations are imposed.
7. Exemptions
- Healthcare, Education, and Child Services: Exempt from some restrictions for public benefit.
- Research and Archiving: Processing for legitimate interests such as statistical purposes is exempt.
8. Obligations for Significant Data Fiduciaries
- Conduct annual DPIAs and data audits.
- Ensure deployed algorithms do not harm Data Principals.
- Submit audit reports to the Board.
9. Rights of Data Principals
- Data Fiduciaries must clearly outline the process for Data Principals to exercise their rights regarding their personal data.
10. Cross-Border Data Transfer
- Rules for data transfer outside India will be notified by the Government. A committee is proposed to recommend which data must be localized.
11. Data Protection Board of India
- Appointment and functioning rules for the Board, including its Chairperson and members, are specified.
12. Call for Information
- The Central Government is empowered to call for specific information from Data Fiduciaries for national security or sovereignty purposes.
Key Takeaways from Digital Personal Data Protection Rules, 2025
- Balancing Industry and Privacy: The draft rules aim to balance privacy rights with industry requirements by introducing exemptions for specific sectors while emphasizing accountability for significant data fiduciaries.
- Localized Storage Concerns: The proposal to localize certain data could pose challenges for global businesses. However, the government’s assurance of minimizing industry disruption is notable.
- Children’s Data Protections: The stringent requirements for children’s data reflect a robust approach to safeguarding vulnerable groups.
- Public Feedback Opportunity: The structured consultation process ensures stakeholder participation, enabling businesses and individuals to voice their opinions.
Critical Implications of the Digital Personal Data Protection Rules, 2025
The annual DPIA requirement may increase compliance costs for significant data fiduciaries. Data localization rules might affect cross-border operations and necessitate adjustments in business models. Exemptions for healthcare, education, and research sectors promote public welfare while reducing unnecessary compliance burdens.
We would also be submitting our feedback/comments on the Draft Rules to the Government shortly.