{"id":8367,"date":"2025-01-07T04:39:30","date_gmt":"2025-01-07T04:39:30","guid":{"rendered":"https:\/\/www.caindelhiindia.com\/blog\/?p=8367"},"modified":"2025-01-07T04:39:30","modified_gmt":"2025-01-07T04:39:30","slug":"meity-issues-draft-digital-personal-data-protection-rules","status":"publish","type":"post","link":"https:\/\/www.caindelhiindia.com\/blog\/meity-issues-draft-digital-personal-data-protection-rules\/","title":{"rendered":"MeitY issues Draft Digital Personal Data Protection Rules"},"content":{"rendered":"<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-8368\" src=\"https:\/\/www.caindelhiindia.com\/blog\/wp-content\/uploads\/2025\/01\/Digital-Personal-Data-Protection-Act-2023.jpeg\" alt=\"Digital Personal Data Protection Act, 2023\" width=\"701\" height=\"329\" srcset=\"https:\/\/www.caindelhiindia.com\/blog\/wp-content\/uploads\/2025\/01\/Digital-Personal-Data-Protection-Act-2023.jpeg 328w, https:\/\/www.caindelhiindia.com\/blog\/wp-content\/uploads\/2025\/01\/Digital-Personal-Data-Protection-Act-2023-300x141.jpeg 300w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><\/h2>\n<h2><span class=\"ez-toc-section\" id=\"Implementing_the_Digital_Personal_Data_Protection_Act_2023\"><\/span><span style=\"color: #000080;\"><strong>Implementing the Digital Personal Data Protection Act, 2023<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The draft Digital Personal Data Protection Rules, 2025, introduced by MeitY, provide the much-needed framework for implementing the Digital Personal Data Protection Act, 2023. 
Sixteen months after the new Digital Personal Data Protection Act, 2023 (hereinafter referred to as the \u201cAct\u201d), the Ministry of Electronics and Information Technology (hereinafter referred to as \u201cMeitY\u201d) has introduced the draft subordinate legislation in the form of the Digital Personal Data Protection Rules, 2025 (hereinafter referred to as the \u201cDraft Rules\u201d) on January 03, 2025 for public consultation and feedback.<\/p>\n<p>In a notification associated with the Draft Rules, MeitY has invited feedback\/comments in a rule-wise manner, to be submitted by February 18, 2025 on the MyGov portal at the link below:\u00a0<a href=\"http:\/\/ssranamailer.com\/sendy\/l\/RyayFTSo8u763b7PcrN3oY892A\/p7AQAPJyYkIlSMEiC8FNaQ\/mNLCUuBwE8XSNPU57639m6fA\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https:\/\/www.google.com\/url?q=http:\/\/ssranamailer.com\/sendy\/l\/RyayFTSo8u763b7PcrN3oY892A\/p7AQAPJyYkIlSMEiC8FNaQ\/mNLCUuBwE8XSNPU57639m6fA&amp;source=gmail&amp;ust=1736310509798000&amp;usg=AOvVaw0xsaG5wdOk-8hlKpzJvWcy\">https:\/\/innovateindia.mygov.<wbr \/>in\/dpdp-rules-2025\/<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Key_Provisions_of_the_Draft_Rules_of_Digital_Personal_Data_Protection_Rules_2025\"><\/span><strong>Key Provisions of the Draft Rules of Digital Personal Data Protection Rules, 2025<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><span class=\"ez-toc-section\" id=\"1_Notice_Requirements\"><\/span><strong>1. 
Notice Requirements<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Independence: Notices by Data Fiduciaries must be separate from other information provided.<\/li>\n<li>Clarity: Plain language is required to ensure Data Principals understand the purpose and nature of data processing.<\/li>\n<li>Transparency: Itemized descriptions of data categories, purposes, and associated services must be included.<\/li>\n<li>Rights &amp; Access: Links to rights and access options should be communicated clearly.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"2_Personal_Data_Breach_Notifications\"><\/span><strong>2. Personal Data Breach Notifications<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>To Data Principals: Clear, concise communication regarding the breach and safety measures taken.<\/li>\n<li>To the Data Protection Board: Detailed breach reports, including the nature, timing, and extent of the breach.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"3_Reasonable_Security_Safeguards\"><\/span><strong>3. Reasonable Security Safeguards<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Measures include encryption, masking, and access controls to ensure data confidentiality, integrity, and availability.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"4_Consent_Managers\"><\/span><strong>4. Consent Managers<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Consent Managers must register with the Board and act in a fiduciary capacity to maintain data integrity and ensure proper tracking of consent and data-sharing activities.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"5_Data_Retention_Periods\"><\/span><strong>5. 
Data Retention Periods<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>E-commerce, social media, and online gaming entities with significant user bases must delete personal data after three years.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"6_Processing_of_Childrens_Data\"><\/span><strong>6. Processing of Children&#8217;s Data<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Verifiable parental consent is required, ensuring that the parent is a recognized adult. Stringent due diligence obligations are imposed.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"7_Exemptions\"><\/span><strong>7. Exemptions<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Healthcare, Education, and Child Services: Exempt from some restrictions for public benefit.<\/li>\n<li>Research and Archiving: Processing for legitimate interests such as statistical purposes is exempt.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"8_Obligations_for_Significant_Data_Fiduciaries\"><\/span><strong>8. Obligations for Significant Data Fiduciaries<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Conduct annual DPIAs and data audits.<\/li>\n<li>Ensure deployed algorithms do not harm Data Principals.<\/li>\n<li>Submit audit reports to the Board.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"9_Rights_of_Data_Principals\"><\/span><strong>9. Rights of Data Principals<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Data Fiduciaries must clearly outline the process for Data Principals to exercise their rights regarding their personal data.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"10_Cross-Border_Data_Transfer\"><\/span><strong>10. Cross-Border Data Transfer<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Rules for data transfer outside India will be notified by the Government. 
A committee is proposed to recommend which data must be localized.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"11_Data_Protection_Board_of_India\"><\/span><strong>11. Data Protection Board of India<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>Appointment and functioning rules for the Board, including its Chairperson and members, are specified.<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"12_Call_for_Information\"><\/span><strong>12. Call for Information<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<ul>\n<li>The Central Government is empowered to call for specific information from Data Fiduciaries for national security or sovereignty purposes.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Key_Takeaways_from_Digital_Personal_Data_Protection_Rules_2025\"><\/span><strong>Key Takeaways from Digital Personal Data Protection Rules, 2025<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Balancing Industry and Privacy: The draft rules aim to balance privacy rights with industry requirements by introducing exemptions for specific sectors while emphasizing accountability for significant data fiduciaries.<\/li>\n<li>Localized Storage Concerns: The proposal to localize certain data could pose challenges for global businesses. 
However, the government\u2019s assurance of minimizing industry disruption is notable.<\/li>\n<li>Children\u2019s Data Protections: The stringent requirements for children\u2019s data reflect a robust approach to safeguarding vulnerable groups.<\/li>\n<li>Public Feedback Opportunity: The structured consultation process ensures stakeholder participation, enabling businesses and individuals to voice their opinions.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Critical_Implications_on_Digital_Personal_Data_Protection_Rules_2025\"><\/span><strong>Critical Implications on Digital Personal Data Protection Rules, 2025<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The annual DPIA requirement may increase compliance costs for significant data fiduciaries.\u00a0Data localization rules might affect cross-border operations and necessitate adjustments in business models.\u00a0Exemptions for healthcare, education, and research sectors promote public welfare while reducing unnecessary compliance burdens.<\/p>\n<p>We would also be submitting our feedback\/comments to Draft Rules to the Government shortly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Implementing the Digital Personal Data Protection Act, 2023 The draft Digital Personal Data Protection Rules, 2025, introduced by MeitY, provide the much-needed framework for implementing the Digital Personal Data Protection Act, 2023. 
Sixteen months after the new Digital Personal Data Protection Act, 2023 (hereinafter referred to as the \u201cAct\u201d), the Ministry of Electronics and Information &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[642],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/posts\/8367"}],"collection":[{"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/comments?post=8367"}],"version-history":[{"count":2,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/posts\/8367\/revisions"}],"predecessor-version":[{"id":8370,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/posts\/8367\/revisions\/8370"}],"wp:attachment":[{"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/media?parent=8367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/categories?post=8367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.caindelhiindia.com\/blog\/wp-json\/wp\/v2\/tags?post=8367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}