DPDP Rules to be notified by April

March 26, 2025

By Anuradha Gandhi and Rachita Thakur

Introduction

The central government is set to notify the final Digital Personal Data Protection Rules (hereinafter referred to as “DPDP Rules”) in April, following an extensive feedback process[1]. Earlier this year, the Ministry of Electronics and Information Technology (MeitY) had published the Draft DPDP Rules on its websites to invite anonymous feedback or comments from various sectors such as technology, consulting MSMEs, banking, and finance, and representatives from industry, legal and policymaking circles. The aim was to gather a broad spectrum of inputs to strike a balance between fostering innovation and ensuring robust regulation of personal data.[2]

The final rules are expected to provide detailed guidelines on data localization, cross-border data transfers, and obligations of Significant Data Fiduciaries.

What do the Rules say?

The DPDP Rules establish a comprehensive framework for the protection of personal data by providing[3]:

  1. Notice by Data Fiduciary: The Data Fiduciary is required to provide a standalone notice to the Data Principal, which shall include an itemized list of the personal data being collected and a clear description of the purpose for processing, along with an itemized explanation of the goods, services, or uses enabled by such processing.
  2. Obligations of a Consent Manager: A registered consent manager, inter alia, has specific obligations with respect to the rights of Data Principals, maintaining records of consents and data sharing, and implementing strong security measures to protect personal data.
  3. Intimation of Personal Data Breach: The DPDP Rules require that, on becoming aware of a personal data breach, the Data Fiduciary shall promptly notify the affected Data Principal of the breach specifics and notify the Data Protection Board within 72 hours.
  4. Data Retention Periods: The DPDP Rules have set data retention periods for certain classes of Data Fiduciaries such as e-commerce entities, online gaming intermediaries, and social media platforms. Such platforms may retain personal data for up to three years from the last interaction or the coming into effect of the Rules, whichever is later, except when the data is needed for the principal to access their account or virtual tokens. However, the Data Principal shall be notified 48 hours before such erasure.
  5. Special Provisions for Children: Processing of children’s data requires verifiable parental consent and additional safeguards.
  6. Cross-Border Transactions: Personal Data can be transferred outside India only under government-approved conditions.
  7. Additional obligations for Significant Data Fiduciaries: SDFs are assigned additional obligations, such as conducting a Data Protection Impact Assessment and audits once every year, with the results to be intimated to the Board, and verifying algorithmic processing of personal data.

What Lies Ahead

Finalizing the DPDP Rules will provide much-needed clarity on key issues such as data localization, cross-border data transfers and the obligations of Significant Data Fiduciaries. This move is expected to eliminate ambiguities, offering precise guidelines that will help businesses and regulators navigate the data protection landscape more effectively.

Rishabh Gupta, Junior Associate Advocate at S.S. Rana & Co., has assisted in the research of this article.

[1] https://economictimes.indiatimes.com/tech/technology/meity-aims-to-notify-data-protection-rules-in-april-industry-bodies-raise-concerns-over-data-localisation-verifiable-parental-consent/articleshow/119432689.cms?from=mdr

[2] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2092928

[3] Explanatory note to DPDP Rules, available at: https://innovateindia.mygov.in/dpdp-rules-2025/
