
The Draft Digital Personal Data Protection Rules, 2025 – Operationalising India’s Data Protection Law

The recently released draft Digital Personal Data Protection Rules, 2025 aim to facilitate the implementation of the Digital Personal Data Protection Act, 2023. While the rules provide some clarity, they also raise several questions and potential challenges to effective compliance. This update discusses the key highlights of the rules and their implications for businesses.

Partners: Rahul Matthan, Nikhil Narendran, Jyotsna Jayaram, and Jaideep Reddy, Counsels: Karishma Sundara and Aparna Gaur, Senior Associate: Prabal De, Associates: Sindhu A., Muskaan Wadhwa, Pranay Jalan, and Radhika Sikri

Introduction

On 3 January 2025, the Central Government released the draft Digital Personal Data Protection Rules, 2025 (Rules) for public consultation, accompanied by an explanatory note that provides further context to the Rules. The Rules are to be issued under the Digital Personal Data Protection Act, 2023 (DPDPA), which was enacted in August 2023, and is yet to come into effect. The DPDPA left the prescription of various implementation details, such as the manner of seeking verifiable consent and reporting personal data breaches, to the Central Government. The Rules largely seek to provide for these matters and to introduce certain additional requirements.

Consultation process: Any person interested in submitting feedback on the Rules may do so through the MyGov portal by 18 February 2025. Unlike previous consultations held on the DPDPA, these submissions will not be published and will be kept confidential by the Central Government.

Commencement and implementation: The Rules will be implemented in a staggered manner. Rules concerning the Data Protection Board (e.g., the appointment of members, their terms of service, and allied techno-legal measures) will come into force upon being published in the Official Gazette. However, compliance-related rules, such as how notice is to be provided or how a personal data breach should be reported, will only come into effect subsequently, on dates that the Central Government will specify.

Highlights: The Rules provide anticipated clarity on how data fiduciaries should comply with certain requirements under the DPDPA, e.g., publication of contact information, grievance redressal mechanisms, and personal data retention periods for certain data fiduciaries. They also, however, introduce certain unexpected provisions, such as a list of security safeguards that data fiduciaries must observe at a minimum. Key issues that businesses can focus on include: (1) broad data breach reporting requirements, which could lead to over-reporting; (2) potentially cumbersome cross-border transfer restrictions, including a data localisation provision for significant data fiduciaries (SDF); (3) parental consent mechanisms, which, for most consumer internet businesses, will require re-engineering; and (4) the requirement for a standalone notice for consent-based processing.

The key aspects of the Rules and their implications for businesses are discussed below.

A. Notice for consent-based processing

The Rules specify how data fiduciaries must provide notices to data principals for (past and fresh) consent-based processing and explain what these notices must contain.

Manner: The Rules, amongst other things, require every notice to be presented, and to be understandable, independently of any other information provided by the data fiduciary. This suggests that the existing practice of relying on hyperlinked documents in privacy notices (e.g., FAQs explaining some data practices) for easier readability may no longer be viable. Data fiduciaries will need to revisit their notice-consent flows and privacy notices to assess whether they meet these preconditions.

Content: The Rules require the notice to provide a ‘fair account’ of the processing activities, which at minimum must include (amongst other things) an itemised description of the goods and services or uses enabled through the specified processing activities. This suggests that data fiduciaries will need to tie each processing activity (the type of personal data and purpose) to a resultant use case. When revisiting their privacy notices and consent flows to ensure that they enable specific and informed consent, data fiduciaries will also have to consider how notice can be effectively provided for prospective and exploratory use-cases.

B. Reasonable security safeguards

The proposal of certain minimum reasonable security safeguards that all data fiduciaries must adopt is unexpected. As the DPDPA does not expressly provide for the prescription of such standards, it was understood that data fiduciaries (and, by extension, data processors) could decide what would be reasonable or appropriate for the personal data that they handle. That said, some flexibility has been retained even in the prescribed list of standards. For instance, most of the safeguards listed, such as the implementation of data security measures, measures to ensure continued processing (e.g., data backups), and access controls, have been qualified by the terms ‘appropriate’ or ‘reasonable’.

Another notable minimum safeguard specified under the Rules is the retention of certain logs for a period of one year (unless otherwise required under law), to enable the detection, investigation, and remediation of any compromise of personal data. The Rules do not, however, clarify the types of logs that must be maintained.

Data fiduciaries will now have to build in the prescribed list of minimum safeguards for existing data processor agreements, as well as new arrangements.

C. Intimation of personal data breaches

The Rules specify when and how data fiduciaries must report personal data breaches to affected data principals and the content of such notifications. They also clarify the timing and content of similar notifications to the Data Protection Board.

Informing affected data principals: Data fiduciaries must, upon becoming aware of a personal data breach, and to the best of their knowledge, notify all affected data principals without delay. These notifications (which can be sent to the data principals’ user accounts or through the means by which they access the data fiduciary’s services) must contain certain information (e.g., a description of the breach, including its nature, extent, timing, and location of occurrence). The phrases ‘upon becoming aware’ and ‘without delay’ suggest that such notifications must be immediate, without prescribing a timeline. The urgency of such notifications is, however, tempered by the data fiduciary having to provide the intimation only to the best of its knowledge at the relevant time.

Informing the Data Protection Board: The Rules are silent on the exact mode that data fiduciaries must use to notify the Data Protection Board of personal data breaches. They prescribe a tiered notification process differentiated by timing and content. The initial notification to the Data Protection Board containing basic information (e.g., description, nature, timing, location of breach) must be made without delay upon the data fiduciary becoming aware of a breach. On the other hand, the detailed notification (containing information such as the broad facts relating to the events, circumstances and reasons leading to the breach; and proposed or implemented mitigation measures) must be made within 72 hours of the data fiduciary becoming aware of a breach. Data fiduciaries can request the Data Protection Board to extend the 72-hour timeline.

Data fiduciaries will accordingly need to design processes to comply with these requirements in parallel with similar reporting requirements under other regimes (e.g., cybersecurity reporting obligations to the Indian Computer Emergency Response Team or to sectoral regulators).

D. Processing personal data of children

Verifiable parental consent: The Rules task data fiduciaries with adopting appropriate technical and organisational measures to verify the identity and age of a parent or lawful guardian before processing any child’s personal data.

Data fiduciaries can confirm the age and identity of a parent or lawful guardian by using (1) reliable details available with them; or (2) voluntarily provided identity and age details, or a virtual token mapped to these details. Such tokens must be issued by authorised entities, such as a digital locker service provider designated under the Information Technology Act, 2000 (IT Act). The illustrations provided in the Rules suggest that what constitutes reliable details will be case-specific. For instance, if the parent is a registered user of a service for which the child wishes to register, the data fiduciary can use the age and identity details that it possesses about the parent to confirm their adulthood. If no such pre-existing relationship exists, the data fiduciary will have to rely on voluntarily provided identity and age details or officially issued virtual tokens mapped to these details.

Exemptions from verifiable parental consent and certain processing restrictions: The Rules specify certain classes of data fiduciaries and purposes for which (1) no verifiable parental consent is required; and (2) tracking, behavioural monitoring of, or targeting advertisements at children is permitted. For instance, clinical establishments and mental health establishments (both, defined terms under the Rules) are exempted when processing personal data of a child to provide healthcare services. Processing to confirm if a data principal is a child or creating a child’s user account for limited email communication, amongst other things, has been similarly exempted.

E. Verifying lawful guardianship of persons with a disability

Data fiduciaries must observe due diligence measures to ensure that a person identifying themself as the lawful guardian is duly appointed under applicable guardianship laws. The Rules do not clarify what due diligence measures must be adopted (unlike in the case of a child). Absent prescription on this front, data fiduciaries will likely have to implement measures to verify guardianship documentation (as specified under the guardianship laws referenced in the Rules) before processing such data principals’ personal data.

F. Personal data retention periods for e-commerce entities, online gaming intermediaries, and social media intermediaries

The Rules prescribe data retention periods for certain data fiduciaries, i.e., (1) e-commerce entities with at least 2 crore registered users in India; (2) online gaming intermediaries with at least 50 lakh registered users in India; and (3) social media intermediaries with at least 2 crore registered users in India (collectively, Identified Data Fiduciaries).

The Rules do not prescribe retention periods for any other classes of data fiduciaries. This suggests that such data fiduciaries may make a case-to-case determination of the retention period, based on their assessment of whether a specified purpose has elapsed.

With certain exceptions, Identified Data Fiduciaries can retain personal data for three years from (1) when the data principal last approached them for the performance of the specified purpose or exercise of any rights related to the processing of their personal data; or (2) the commencement of the Rules, whichever is later. All Identified Data Fiduciaries must erase personal data in their possession once this period ends. Identified Data Fiduciaries must notify data principals of such erasure 48 hours before the prescribed period elapses to allow them to take actions to preserve such data (e.g., by logging into their user account).
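One way to operationalise this retention clock in code, as an added illustration that is not part of the update or of the Rules: the commencement date, the record layout and the function names are assumptions, and ‘three years’ is taken as three calendar years.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp (keeps the examples below short)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

# Assumed commencement date of the Rules: the draft fixes none, so this is a placeholder.
RULES_COMMENCEMENT = utc(2025, 7, 1)
NOTICE_LEAD = timedelta(hours=48)   # erasure notice goes out 48 hours before expiry

@dataclass
class PrincipalRecord:
    principal_id: str
    last_approach: datetime   # last time the principal used the service or exercised a right
    notice_sent: bool = False
    erased: bool = False

def add_years(when, years):
    """Add calendar years; 29 February rolls back to 28 February in a non-leap target year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)

def retention_expiry(record):
    """The three-year clock starts at the later of the last approach and the Rules' commencement."""
    start = max(record.last_approach, RULES_COMMENCEMENT)
    return add_years(start, 3)

def due_actions(record, now):
    """Return the compliance actions due at `now`: 'notify' and/or 'erase' (empty if none)."""
    if record.erased:
        return []
    expiry = retention_expiry(record)
    actions = []
    if not record.notice_sent and now >= expiry - NOTICE_LEAD:
        actions.append("notify")
    if now >= expiry:
        actions.append("erase")
    return actions

def record_approach(record, when):
    """A fresh approach (e.g. the principal logs in after the notice) restarts the clock."""
    record.last_approach = when
    record.notice_sent = False

if __name__ == "__main__":
    # Constructed sample: a principal last seen before the Rules commence, and one seen after.
    dormant = PrincipalRecord("p1", utc(2024, 1, 1))
    active = PrincipalRecord("p2", utc(2026, 3, 10))
    print("p1 expires", retention_expiry(dormant))       # clock runs from commencement
    print("p2 expires", retention_expiry(active))        # clock runs from last approach
    print("p2 due on 2029-03-08 12:00:", due_actions(active, utc(2029, 3, 8, 12)))
    record_approach(active, utc(2029, 3, 9))             # principal logs in after the notice
    print("p2 expires after reset", retention_expiry(active))
```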

G. Exemption for processing personal data for research, archival or statistical purposes

Data fiduciaries that process personal data for research, archival, or statistical purposes are exempt from complying with the DPDPA provided (1) the personal data is not used to take any decisions specific to a data principal; and (2) they comply with the standards prescribed under the Rules. However, several of the standards prescribed under the Rules are similar to the obligations that would otherwise apply to processing within the ambit of the DPDPA. For example, the Rules require data fiduciaries to ensure purpose limitation, make reasonable efforts to ensure accuracy, adopt reasonable security safeguards, and be accountable for the observance of such standards.

H. Additional obligations of SDFs

Certain data fiduciaries are to be notified as SDFs by the Central Government based on factors such as the volume and nature of the personal data they process. The Rules do not clarify which entities will be classified as SDFs; this is expected to be notified concurrently with the DPDPA coming into force.

The Rules, however, detail certain obligations of SDFs under the DPDPA. For example, they specify an annual timeline for carrying out audits and Data Protection Impact Assessments (DPIA). The Rules also introduce two additional obligations.

The first requires SDFs to observe due diligence measures to verify that the algorithmic software that they use to process personal data is unlikely to pose a risk to the rights of data principals. This is unsurprising given that DPIAs themselves require an assessment and management of the risks to the rights of data principals. Having said that, the Rules do not specify what due diligence measures an SDF must take to comply with this requirement. Businesses will need to make this determination on a case-to-case basis.

The second is a new and unexpected data localisation obligation that SDFs may be subject to, which is discussed below.

I. Cross-border transfer restrictions

Under the DPDPA, the Central Government has the power to blacklist territories to which personal data cannot be transferred. The Rules now introduce additional restrictions. Specifically:

Restrictions on access by foreign States: The Central Government may specify conditions concerning any foreign State’s access to personal data that is transferred outside India. These transfer restrictions apply to any outbound transfers of personal data from India by either Indian or foreign data fiduciaries. Depending on the conditions to be specified, this could potentially result in a conflict with foreign laws enabling foreign States’ access to personal data.

Data localisation for SDFs: SDFs may now be subjected to a data localisation obligation for certain classes of personal data and related traffic data. A Central Government committee is expected to specify the applicable classes of personal data. This data localisation provision has a questionable basis, as the scheme of the DPDPA does not contemplate localisation; it only allows for restrictions on cross-border transfers to blacklisted geographies. The constitution of the proposed committee and the criteria it is to follow are also not specified. The lack of clarity around which entities will ultimately be classified as SDFs compounds the uncertainty.

J. Calls for information

The DPDPA empowers the Central Government to call for information from the Data Protection Board, intermediaries (as defined under the IT Act), and data fiduciaries for the purposes of the DPDPA. The Rules appear to clarify the scope of these purposes, which include, amongst others, the State’s use of personal data in the interest of sovereignty, integrity, or security of India. The Central Government can also require the recipient to keep the access request confidential.

Notably, neither the DPDPA nor the Rules specify safeguards (such as review and oversight mechanisms that exist under other laws like the Telecommunications Act, 2023 and the IT Act) for the issuance of these information requests. That said, any processing of information by the Central Government will need to satisfy the constitutional safeguards prescribed by the Supreme Court in the landmark privacy decision in Justice K. S. Puttaswamy and Anr. v Union of India and Ors.

K. Consent manager framework

The Rules set out the registration conditions, roles, and obligations of consent managers.

Registration conditions: Only Indian-incorporated companies that meet certain net worth requirements and are equipped with certified interoperable platforms enabling consent management can seek registration as consent managers.

Role of a consent manager: They must provide an accessible, transparent, and interoperable platform for data principals to give, manage, review, and withdraw their consent. This should extend to processing of a data principal’s personal data either directly by a data fiduciary, or indirectly by another data fiduciary onboarded on the platform. Consent managers must remain data blind, and their platform may, potentially, be used to enable portability of personal data.

Obligations: Consent managers must act in a fiduciary capacity with respect to data principals and avoid any conflicts of interest with data fiduciaries. They must also maintain records of consent given, denied, or withdrawn by data principals, develop a website or app (or both) for use by data principals, and establish audit mechanisms.

Notably, the Rules do not clarify if data fiduciaries must mandatorily integrate with consent manager platforms. However, for the framework to function effectively, consent managers are likely to strive for wide participation from data fiduciaries.

L. Miscellaneous

The Rules also include provisions to operationalise other aspects of the DPDPA. Notably: (1) data fiduciaries’ prominent publication of contact information to enable grievance redressal within timelines that they can determine; (2) the standards to be followed by the State when processing personal data to issue benefits or subsidies; and (3) the operational framework of the Data Protection Board and the Appellate Tribunal.

Conclusion: Are we there yet?

The long-awaited Rules were expected to usher in clarity on how certain obligations under the DPDPA were to be implemented. While the Rules do this in part, they also leave a few questions open to interpretation and discussion, stalling implementation and compliance-building in the interim.

For instance, notice (the bedrock of consent-based processing) must be independently presented and understood by data principals. This raises questions about the continued viability of existing privacy notices and consent flows. Similar ambiguities percolate through other key provisions, such as the method of verifying the identity and age of a parent or lawful guardian. The major showstoppers come in the form of unexpected cross-border transfer restrictions. The foundation and execution of the data localisation provision, though restricted to SDFs, remain unclear. The additional restrictions pertaining to foreign States’ access to personal data transferred outside India may result in a potential conflict of laws. The State’s power to call for information under the DPDPA, absent safeguards similar to those under other existing laws, also provides food for thought.

Given the far-reaching impact of the Rules, stakeholders should proactively participate in the consultation process with a view to address these issues.

If you require any further information about the material contained in this newsletter, please get in touch with your Trilegal relationship partner or send an email to alerts@trilegal.com. The contents of this newsletter are intended for informational purposes only and are not in the nature of a legal opinion. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein.
