By Anuradha Gandhi and Rachita Thakur
Introduction
Sixteen months after the enactment of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “Act”), the Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”) introduced the draft subordinate legislation, the Digital Personal Data Protection Rules, 2025 (hereinafter referred to as the “Draft Rules”), on January 03, 2025 for public consultation and feedback.
In a notification accompanying the Draft Rules, MeitY has invited feedback/comments, to be submitted rule-wise by February 18, 2025, on the MyGov portal at the link below:
https://innovateindia.mygov.in/dpdp-rules-2025/
Key highlights of the Draft Rules
The Draft Rules detail various implementation aspects of the DPDP Act, such as the specifications of the notice to be given by Data Fiduciaries to individuals, the conditions for registration and the obligations of Consent Managers, the operation of exemptions for the State, the applicability of reasonable security safeguards, the processing of personal data of children, the Data Protection Board, the appointment of the Chairperson and members of the Board, and the procedure for appeal, among other provisions.
- Notice – The notice given by the Data Fiduciary (the entity determining the means and purpose of processing the personal data of individuals, i.e. Data Principals) shall:
  - Be a document independent of any other information given by the Data Fiduciary
  - Be in clear and plain language, enabling the Data Principal to give free and specific consent for the type and category of information sought
  - Contain an itemized description of the personal data sought and the specified purpose of processing it, along with an itemized description of the goods or services
  - Provide a communication link for accessing the website or the app, or both, and describe the rights of the Data Principal
- Intimation of Personal Data Breach – The Data Fiduciary shall have to intimate:
  - The affected Data Principal, in a concise, clear and plain manner and without delay, giving a description of the breach, the measures implemented by the Data Fiduciary, the safety measures the Data Principal may take, and the contact details of the point of contact acting on behalf of the Data Fiduciary;
  - The Board, giving a description of the breach, including its extent, nature, timing and location
- Reasonable security safeguards – To protect the personal data under its control or possession, the Data Fiduciary has to observe and undertake certain security measures, such as encryption and masking of personal data, appropriate measures to control access and to detect unauthorized access, and methods to ensure the confidentiality, integrity and availability of personal data.
- Consent Managers – Consent Managers have to fulfil the conditions specified in the First Schedule to be registered with the Board. A Consent Manager has to enable the Data Principals using its platform to give consent to a Data Fiduciary on-boarded on its platform, either directly or through another Data Fiduciary. Consent Managers have to act in a fiduciary capacity towards the Data Principals, maintaining records of the consent given and withdrawn, the notices accompanying previous requests for consent, and the sharing of personal data with the Data Fiduciary.
- Time period for retention of information – The Third Schedule to the Draft Rules specifies certain classes of Data Fiduciaries along with the period of retention, i.e. 3 years, after which they have to delete the personal data. These classes include (i) e-commerce entities with 2 crore (20 million) or more registered users in India, (ii) social media intermediaries with 2 crore (20 million) or more registered users in India, and (iii) online gaming intermediaries with 50 lakh (5 million) registered users in India.
- Verifiable consent for processing of children’s data – Data Fiduciaries must obtain verifiable consent from the parents of a child, i.e. a person under the age of 18 years, through appropriate technical and organizational measures. Data Fiduciaries are obligated to observe due diligence to ensure that the individual identifying themselves as the parent is an identifiable adult.
- Exemptions –
  - Education, healthcare and child services – Data Fiduciaries that are clinical establishments, mental health establishments, healthcare professionals, educational institutions, or child care or crèche service providers are exempted from restrictions under the Act and the Draft Rules.
  - Research and archiving purposes – The restrictions under the Act do not apply to the processing of personal data necessary for research, archiving and statistical purposes, along with the other legitimate interests mentioned in Section 17 of the Act.
- Additional obligations of Significant Data Fiduciaries – The Draft Rules further specify additional obligations for Significant Data Fiduciaries, such as conducting a Data Protection Impact Assessment (DPIA) once every 12 months along with a data audit, the reports of which are to be submitted to the Board, and observing due diligence to verify that the algorithmic software deployed by them does not pose any risk to the Data Principals.
- Rights of the Data Principals – To enable Data Principals to exercise their rights, Data Fiduciaries have to publish details about how Data Principals can exercise their rights in respect of the data processed by the respective Data Fiduciary.
- Data transfer outside India – The Government of India may, by notification, prescribe requirements that Data Fiduciaries will have to comply with for sharing or transferring personal data outside the territory of India, i.e. with foreign states, entities or their agencies. The Draft Rules propose setting up a committee to recommend the types of personal data to be localized in India.
The Information Technology Minister, Shri Ashwini Vaishnaw, said on January 5, 2025 that the move is intended to create a central body which works with other ministries and sectoral regulators to effectively implement local storage of data without causing any disruption to the industry. [1]
- Call for information – The Central Government has been vested with the power to call for information for the purposes specified in the Seventh Schedule and to require a Data Fiduciary to furnish such information within a specified time period, where such disclosure relates to the sovereignty and integrity of India or the security of the State.
- Data Protection Board of India – The Draft Rules lay down the terms and conditions for the appointment of the Chairperson and other members of the Board, including provisions regarding the functioning of the Board.
Stay tuned for a detailed analysis of the Draft Rules!