The Digital Personal Data Protection Act, 2023 (the Act), which sets out provisions for the processing of personal data, represents a significant leap forward in ensuring the protection of personal data in India. The Act, which came into force on August 11, 2023, seeks to balance individuals' right to protect their personal data with the need to process such data for lawful purposes and related or incidental matters. To facilitate the implementation of the Act, the Ministry of Electronics and Information Technology (MeitY) has released the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules). Additionally, MeitY has published an explanatory note[i] on the Draft Rules. The government has invited feedback/comments from stakeholders, with the last date for submission being March 5, 2025.
Salient Features of the Draft Rules
The Draft Rules introduce several key provisions aimed at strengthening data privacy and safeguarding individuals' personal information. These include the responsibilities of data fiduciaries, rights of data principals, additional obligations of significant data fiduciaries and the role of the new Consent Manager, among others.
Obligations of Data Fiduciaries
Data fiduciaries play a pivotal role in ensuring that personal data is processed responsibly and that data principals are informed of their rights regarding their personal data. The Draft Rules impose several obligations on them:
- Informed Consent and Transparency: The rules require data fiduciaries to obtain specific and informed consent from data principals for the processing of their personal data. Transparency in data collection and processing is of utmost importance. Data fiduciaries are required to notify an itemised list of personal data being collected, the purpose for collection of such data, and a clear mechanism for withdrawing consent at any time.
- Protection of Personal Data: Data fiduciaries must implement reasonable security safeguards to protect personal data, such as encryption, access control, monitoring for unauthorized access, and data backups. These safeguards must enable breach detection, investigation, remediation and the maintenance of logs. Contracts with data processors should also include provisions for reasonable security safeguards.
- Intimation of Data Breaches: Upon becoming aware of a personal data breach, a data fiduciary must promptly notify affected data principals, providing clear details on the breach, its potential impact, and measures taken to mitigate risks. The data fiduciary must also inform the Board without delay.
- Erasure of Data: If a data principal does not engage with a data fiduciary within a specified period, their personal data must be erased unless required for legal compliance. The fiduciary must notify the data principal at least 48 hours before erasure, giving them an opportunity to preserve their data by taking action.
- Publish contact information: Data fiduciaries are required to publish the contact details of the Data Protection Officer or any other designated person capable of addressing questions regarding the processing of personal data.
- Personal Data of Children and Persons with Disabilities: Data fiduciaries are required to obtain verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities.
- Furnishing information to central government: The Central Government may require any Data Fiduciary or intermediary to provide specified information within a set time frame, for purposes outlined in the Seventh Schedule. If disclosure is likely to prejudicially affect India's sovereignty, integrity, or national security, the Data Fiduciary or intermediary must obtain prior written consent from the authorized person before any disclosure is made.
Additional Obligations of Significant Data Fiduciaries
The obligations imposed on significant data fiduciaries under the Draft Rules go a step further. These entities are required to conduct an annual Data Protection Impact Assessment and a comprehensive audit, the results of which have to be reported to the Board. They also have to ensure that algorithmic software they use for processing personal data does not pose risks to Data Principals' rights.
Rights of Data Principals
Data principals are granted specific rights under the Draft Rules:
- They can request access to their personal data or demand its erasure.
- Data principals also have the right to nominate individuals to exercise their data rights on their behalf.
The Role of the Consent Manager
“Consent Manager” has been defined in the Act as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform[ii]. The Draft Rules clarify the specific obligations of the Consent Manager, which must be a company incorporated in India, with a certified interoperable platform enabling Data Principals to manage their consent.
The responsibilities of the Consent Manager include:
- Ensuring that Data Principals can easily provide, manage, review, and withdraw consent for data processing.
- Maintaining records of consents and data sharing.
- Providing transparent access to these records.
- Implementing robust security measures to protect personal data.
- Ensuring transparency and preventing conflicts of interest.
Data Processing by the State
The Draft Rules permit the State and its entities to process personal data to provide subsidies, benefits, services, or permits, provided they adhere to specific standards. The processing must be lawful, transparent, secure, and limited to the data necessary for the stated purposes. The data should be retained only for the necessary duration. The Draft Rules also require that data principals be informed about the processing of their data and the means to access their rights.
Conclusion
The release of the Draft Rules marks a significant step in implementing India’s data protection laws. The Draft Rules aim to establish a comprehensive framework for processing digital personal data for lawful purposes while safeguarding individual privacy rights. They outline clear obligations for data fiduciaries, including obtaining informed and specific consent, implementing reasonable security safeguards to protect personal data, and providing timely breach notifications. Additionally, the rules introduce provisions for special categories of data, such as that of children and persons with disabilities, and impose additional obligations on significant data fiduciaries. The introduction of specific obligations for the Consent Manager and guidelines for the processing of data by the State further enhance transparency and security in data processing.
As the reliance on digital platforms grows and the volume of personal data being processed increases tremendously, these rules will play a vital role in ensuring that data privacy is protected in India. Once finalized, the rules will likely become a cornerstone of India’s data governance framework, benefiting both individuals and organizations alike.
[i] https://www.meity.gov.in/writereaddata/files/Explanatory-Note-DPDP-Rules-2025.pdf
[ii] Section 2(g), Data Protection Act, 2023. Available at: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf