The Ministry of Electronics and Information Technology (“MeitY”), on 3 January 2025, released the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) for public consultation. The Rules will effectively act as the implementing regulations for the Digital Personal Data Protection Act, 2023 (“DPDP Act”), which was enacted on 11th August, 2023. The DPDP Rules have been made under the powers granted by Section 40(1) and (2) of the DPDP Act.
The Rules provide the necessary details and the implementation framework for the Act. The government has invited suggestions and objections from stakeholders through the MyGov portal until February 18, 2025.
Background
In India, there have been multiple endeavours to put in place comprehensive data privacy legislation, the latest being ‘The Digital Personal Data Protection Bill, 2023’ (“DPDP Bill”), which was passed by the Indian Parliament and notified in the official Gazette on the 11th of August 2023. The stated purpose of the law is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto. The DPDP Act thus aims to establish a comprehensive legal framework governing digital personal data protection in India, balancing the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.
Earlier, in 2012, a Group of Experts headed by Justice A P Shah had first submitted a Report on privacy legislation, which proposed a conceptual framework for a privacy statute and how Indian privacy law should take shape. Following the Supreme Court’s recommendation in 2016, two draft versions of the proposed law (2018 and 2019) were released for public consultation, in an effort to give effect to the “fundamental right to privacy” recognized by the Supreme Court of India in the Justice K.S. Puttaswamy judgment earlier in 2016, wherein the Court observed: “The Parliament needs to examine and put into place a robust regime for data protection in India.”
The report of the JPC (Joint Parliamentary Committee) was the culmination of a five-year exercise. In 2017, the Ministry of Electronics and Information Technology, vide its Notification No. 3(6)/2017-CLES (“Notification”), had first constituted a “Committee of Experts” under the Chairmanship of former Supreme Court Justice ‘Shri B N Srikrishna’ to examine issues relating to data protection in India and to draft a bill on data protection. The JPC, after two years of deliberations and five extensions, finally adopted the draft report on ‘The Personal Data Protection Bill, 2019’ by a majority on 22 November, 2021. However, after the JPC submitted its report on the draft Bill to be tabled for the consideration of Parliament, the Government abruptly withdrew the legislation in October 2022 before it could be taken up by Parliament. The Ministry of Electronics and Information Technology, after deliberating on various aspects of digital personal data and its protection, formulated the draft DPDP Bill in 2022. The DPDP Act has been formulated largely along the lines of its predecessors, after multiple consultation processes, considerable deliberation on various aspects of digital personal data and its protection, and the controversies and apprehensions raised over the past three versions.
Highlights of the DPDP Rules
The draft rules aim to provide detailed guidance on key aspects of the law, including the obligations of data fiduciaries to notify individuals, the registration and responsibilities of consent managers, and the handling of personal data belonging to children. Some notable aspects of the Rules include:
Rule 6 (Reasonable security safeguards) – This rule sets out what steps constitute “reasonable security safeguards” to be taken by data fiduciaries (i.e. controllers), such as encryption, access controls, contractual obligations with processors, and other technical and organisational measures.
Rule 7 (Intimation of personal data breach) – This rule essentially sets out the specifics for data breach notification to affected data subjects and the Data Protection Board.
Rule 10 (Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian) – This relatively long rule sets out measures that ensure that a parent’s verifiable consent is obtained before the processing of any personal data of a child.
Rule 12 (Additional obligations of Significant Data Fiduciary) – This rule sets out additional obligations of significant data fiduciaries, including annual DPIAs, and an obligation to verify that “algorithmic software deployed by it” will not likely pose a risk to the rights of Data Principals (i.e. an impact assessment).
Cross-border data transfers
The Rules obligate entities to adopt measures to ensure that personal data identified by the Central Government is processed in compliance with specific restrictions, ensuring that such data and any related traffic data are not transferred outside India. Additionally, with regard to the processing of personal data outside India, Data Fiduciaries processing data from outside India must comply with any requirements the Government sets in respect of making such personal data available to a foreign State or its entities.
Consent
Rule 10 of the DPDP Rules imposes an obligation to obtain verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities, and sets out the requirements for doing so. Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable.
The DPDP Rules also require that a ‘Consent Manager’ be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent. The entity must be registered with the Data Protection Board and must implement strong security measures to protect personal data, avoid conflicts of interest and ensure transparency. It must also comply with specific obligations: ensuring that Data Principals can easily give, manage, review and withdraw consent for data processing, maintaining records of consents and data sharing, and providing transparent access to such records. Consent Managers are further prohibited from subcontracting or assigning their responsibilities, and are obligated to regularly review their operations.
Processing of Personal Data
The DPDP Rules allow the State and its instrumentalities to process the personal data of Data Principals in order to provide or issue subsidies, benefits, services, certificates, licences or permits, whether defined under law or policy or funded from public funds, provided they adhere to the standards outlined in Schedule II, so as to ensure lawful, transparent and secure handling of personal data for such purposes.
Obligations of data fiduciaries
The Data Fiduciary is obligated to provide notice to the Data Principal. The notice must be clear, standalone, distinct and understandable, written in simple, plain language, and must fully satisfy the requirement of ‘informed consent’ for the processing of their personal data. Specifically, the notice should include an itemized list of the data collected and the purpose of processing, an itemized explanation of the goods, services or uses enabled by such processing, a link to the Data Fiduciary’s website or app, and a description of the methods for withdrawing consent, exercising rights and making complaints to the Board. In addition, Significant Data Fiduciaries are accountable for verifying that any algorithmic software they use for processing, hosting, storing and sharing personal data does not pose a risk to the rights of Data Principals.
Further, Data Fiduciaries are obligated under Rule 6 to implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorized access and data backups, so as to ensure the confidentiality, integrity and availability of data. These measures must include provisions for detecting and addressing breaches and for the maintenance of logs.
In the event of a data breach, Data Fiduciaries are obligated under Rule 7 to promptly provide clear and straightforward notification to all affected Data Principals explaining the nature, extent and timing of the breach and its potential consequences, the measures, if any, taken to mitigate the risks, safety recommendations, and the contact information of a responsible person for inquiries. Additionally, the Data Fiduciary must inform the Board about the breach without delay. Within 72 hours, or a longer period if permitted, the Data Fiduciary is obligated to provide detailed information, including the events that led to the breach, the actions taken to mitigate risks, and the identity of the individual responsible, if known.
The exact text and copy of the draft Rules can be accessed here.
Should you need any clarification or would like to discuss any query related to the said development or generally any aspect related to the Law, please feel free to contact:
Salman Waris,
Founder
Privacy Academy
Email: salman.waris@techlegis.com
Ph: +91-9891427685