The Authors are Nusrat Hassan, Managing Partner, Dentons Link Legal, Ambuj Sonal, Partner, Dentons Link Legal , Meghna Punjabi, Senior Associate, Dentons Link Legal, Shivangi Gupta, Associate, Dentons Link Legal

Close to seventeen months since the enactment of the Digital Personal Data Protection Act, 2023 (Act), the Ministry of Electronics and Information Technology has released the much-awaited draft Digital Personal Data Protection Rules, 2025 (Draft Rules) for stakeholder comments[1].

The Act, which received the nod from the Parliament of India in August 2023, is yet to be implemented. In line with the objectives of the Act, the Draft Rules appear to be an attempt to introduce a robust framework for the protection, management, collection, storage, retention and handling, in any manner, of the digital personal data of individuals. It is expected that with the release of the Draft Rules, the Act, along with the rules, will soon be brought into effect (in a phased manner) once the consultation process is completed.

The key aspects of the Draft Rules, inter alia, provide for the following:

  1. Notice requirements

Seeking consent from data principals (equivalent to data subjects under the EU GDPR) requires a data fiduciary (equivalent to a controller under the EU GDPR) to give a mandatory notice to the data principal. The Draft Rules propose a broad structure for such notice.

To begin with, the notice must be standalone and understandable, and distinct from any other information shared by the data fiduciary. This suggests that privacy notices/consent forms that often make references to terms of use and other policies will need to be tweaked so that a notice can be read, and a data fiduciary’s processing activities understood, without the need to click through multiple hyperlinks. Also, as opposed to the standard practice in India, the notice/consent form can no longer be part of a privacy policy or terms of use.

Insofar as the content of the notice is concerned, the Draft Rules take a flexible approach requiring the notice to provide a fair account of the details to enable a data principal to give consent which, at the minimum, must include:

  • an itemized description of personal data sought to be collected from the data principal; and
  • the specified purpose of, and an itemized description of the goods or services to be provided or uses to be enabled by, such processing.

This is likely to get support from industry stakeholders as the Draft Rules refrain from setting out stringent content requirements.

  2. Reasonable security safeguards

The Act mandates that data fiduciaries protect personal data by taking reasonable security safeguards. The Draft Rules propose certain minimum safeguards that must be put in place by all data fiduciaries. Such safeguards and security measures should be ‘appropriate’ and ‘reasonable’, bearing in mind the baseline requirements. This gives data fiduciaries and data processors the option to adopt the data security safeguards that are best suited to their business and requirements, provided the baseline is met.

In line with the EU GDPR, the Draft Rules take the approach that there is no ‘one size fits all’ solution to information security, an approach likely to gain acceptance from multinational corporations.

  3. Data breach intimation requirement

The Act and the Draft Rules mandate intimation of a personal data breach to both the affected data principals and the Data Protection Board of India (Board).

The obligation to intimate the affected data principals arises only when the data fiduciary becomes ‘aware of any personal data breach’. However, the timeline for such intimation is vague, requiring only that it be given ‘without delay’. Further, the content of the intimation is qualified by the ‘best of knowledge’ of the data fiduciary.

Interestingly, the data fiduciary has been mandated to intimate the affected data principals about a breach of ‘any’ personal data, with no materiality threshold. This appears to be a higher compliance requirement when compared to the EU GDPR, which requires only those breaches that are likely to result in a high risk to the rights and freedoms of natural persons to be communicated to data subjects.

Intimation requirement to the Board is two-fold:

  • firstly, at the time of becoming aware of the breach, for which the intimation is required to be provided ‘without delay’; and
  • secondly, intimation must also be given within 72 hours of becoming aware of the breach, with detailed information such as findings regarding the person who caused the breach, the measures implemented to mitigate risk, etc.

Providing information on such aspects within 72 hours may pose practical difficulties, as such details, more particularly the cause of the breach and the mitigation steps, can often only be ascertained after conclusion of a detailed investigation.

  4. Retention Period

The Act advocates the right to be forgotten and mandates erasure of personal data as soon as it is reasonable to assume that the specified purpose is no longer being served. Interestingly, the Draft Rules prescribe data retention periods for only a specific class of data fiduciaries, that is:

  • e-commerce entities with at least 20 million registered users in India;
  • online gaming intermediaries with at least 5 million registered users in India; and
  • social media intermediaries with at least 20 million registered users in India.

The Draft Rules do not prescribe retention periods for any other class of data fiduciaries, giving the impression that such other data fiduciaries may have the leeway to determine retention periods on a case-to-case basis.

For the specified class of data fiduciaries, the Draft Rules propose a three-year period running from the data principal last approaching the data fiduciary for the performance of the specified purpose or the exercise of her rights, or from the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later. Such data fiduciaries are also required to notify the data principal at least 48 hours prior to erasure that her personal data will be erased if she does not log in to her user account, approach the data fiduciary for performance of the specified purpose or exercise her rights. These data fiduciaries will need to revisit their data retention policies and IT systems to bring them in line with these requirements of the Draft Rules, which may result in a higher cost of compliance.
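As an illustration of what such an IT-system change involves, the following is an added example written for this article and not taken from the Draft Rules or from any data fiduciary's system. It computes the erasure deadline and the 48-hour notice window for the specified class of data fiduciaries under stated assumptions: the commencement date of the Rules is a placeholder (the Rules are not yet in force), all timestamps are in UTC, and any interaction by the data principal after a notice has been sent is treated as restarting the three-year period. The user thresholds are those quoted above.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: placeholder commencement date; the Rules have not yet been notified.
RULES_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)
RETENTION_YEARS = 3
NOTICE_LEAD = timedelta(hours=48)

# Registered-user thresholds for the specified class, as quoted in the article.
THRESHOLDS = {
    "e-commerce": 20_000_000,
    "online-gaming": 5_000_000,
    "social-media": 20_000_000,
}


def in_specified_class(category: str, registered_users_in_india: int) -> bool:
    """True if the fiduciary falls within the class that gets a prescribed retention period."""
    return registered_users_in_india >= THRESHOLDS.get(category, float("inf"))


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def erasure_deadline(last_interaction: datetime,
                     commencement: datetime = RULES_COMMENCEMENT) -> datetime:
    """Three years from the later of the last interaction and the commencement of the Rules."""
    return add_years(max(last_interaction, commencement), RETENTION_YEARS)


def retention_action(last_interaction: datetime, now: datetime,
                     notice_sent_at: Optional[datetime] = None,
                     commencement: datetime = RULES_COMMENCEMENT) -> str:
    """Return 'retain', 'notify' or 'erase' for one user account.

    - 'notify': the 48-hour notice window has opened and no notice has been sent yet.
    - 'erase': the deadline has passed and at least 48 hours have elapsed since the notice.
    - 'retain': otherwise (including when the user interacted after the notice went out).
    """
    deadline = erasure_deadline(last_interaction, commencement)
    if notice_sent_at is None:
        # Erasure may not proceed without the 48-hour notice, even past the deadline.
        return "notify" if now >= deadline - NOTICE_LEAD else "retain"
    if last_interaction > notice_sent_at:
        # Assumption: activity after the notice restarts the clock; caller clears the notice.
        return "retain"
    if now >= max(deadline, notice_sent_at + NOTICE_LEAD):
        return "erase"
    return "retain"


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed scenario: a user last active before commencement, so the clock runs from commencement.
    last = datetime(2022, 6, 15, tzinfo=utc)
    print("deadline:", erasure_deadline(last).isoformat())
    print("30 Dec 2027:", retention_action(last, datetime(2027, 12, 30, tzinfo=utc)))
    print("1 Jan 2028 after notice:", retention_action(
        last, datetime(2028, 1, 1, tzinfo=utc),
        notice_sent_at=datetime(2027, 12, 30, tzinfo=utc)))
```

The two points a retention job must not get wrong are both visible here: the period runs from the later of the last interaction and commencement, so users dormant before the Rules commence are not erased on day one, and erasure is gated on the notice having been sent at least 48 hours earlier, so a late notice pushes erasure back rather than being skipped.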

  5. Cross border transfer of personal data

The Act introduced the concept of a negative list for cross border transfer of personal data, barring transfer of personal data to specific jurisdictions. The Draft Rules now aim to introduce additional obligations in relation to cross border transfer of personal data and empower the Indian Government to impose restrictions by a general or a special order. The Act read along with the Draft Rules is likely to draw the attention of multinational companies, for which the free movement of data across borders is a sensitive topic.

Further, there is no clarity on how personal data already present in the restricted jurisdictions will be dealt with.

  6. Consent Manager

The Act introduced the novel concept of ‘consent managers’, and the Draft Rules prescribe the registration conditions, roles and obligations of consent managers. Only companies incorporated in India that have a minimum net worth of INR 20 million can seek registration as consent managers.

They must provide an accessible, transparent, and interoperable platform for data principals to give, manage, review, and withdraw their consent. This should extend to processing of a data principal’s personal data either directly by a data fiduciary, or indirectly by another data fiduciary onboarded on the platform.

Consent managers must act in a fiduciary capacity with respect to data principals and avoid any conflict of interest with data fiduciaries. They must also maintain records of consent given, denied or withdrawn by data principals, develop a website or app (or both) for use by data principals, and establish audit mechanisms. While the appointment of a consent manager by a data fiduciary does not appear to be mandatory, it will assist data fiduciaries in smoother compliance relating to consent management, although at an additional cost.

  7. Exemptions for Research, Archiving and Statistical Purposes

The Act exempts processing of personal data necessary for research, archiving or statistical purposes if the personal data is not to be used for making any decision specific to a data principal, and such processing is carried on in accordance with prescribed standards. The Draft Rules propose standards for such processing, covering, among others:

  • processing of personal data under the said exemption;
  • lawful processing;
  • limiting the processing to only the personal data that is necessary;
  • accuracy of the personal data; and
  • adoption of reasonable security safeguards to prevent personal data breaches.

The Draft Rules use vague terms such as “research, archiving or statistical purposes” without defining the same.

  8. Obligations of Significant Data Fiduciaries

The Draft Rules reiterate the obligations of Significant Data Fiduciaries (SDFs) (i.e. data fiduciaries that will be notified under the Act on the basis of factors such as the volume and sensitivity of personal data processed) to undertake an annual data protection impact assessment (DPIA) and audit. No further clarity is provided regarding the manner of conducting the DPIA. The Draft Rules also introduce a new provision requiring SDFs to undertake due diligence to verify that any algorithmic software deployed by them is not likely to pose a risk to the rights of data principals.

Additionally, the Draft Rules propose new data localization obligations restricting SDFs from transferring certain categories of personal data identified by a “committee” which will be constituted by the Indian Government.

Our Comment

The release of the Draft Rules marks a significant step by the Indian Government towards a robust and secure environment in India that can ensure the protection and privacy of personal data. With India having the second largest number of internet users worldwide and the push towards 'Digital India', a strong framework for the protection of digital personal data is pertinent. The Draft Rules provide for multiple requirements that are new to India Inc. and may result in additional compliance costs. From the perspective of data principals, the procedure and requirements for providing consent will now be more stringent, and it will be necessary to raise awareness amongst data principals of their rights as well as their obligations. Overall, the Draft Rules should be welcomed by stakeholders and, more importantly, given the shift from the earlier law, the Government must offer the required guidance and adequate timelines for preparation and adherence to the new rules as and when they are made effective.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


[1] Comments on the Draft Rules may be submitted to the Ministry of Electronics and Information Technology by the 18th of February 2025.
