Understanding the Draft Digital Personal Data Protection Rules, 2025

On January 3, 2025, the Union Government released the draft Digital Personal Data Protection Rules, 2025[1] (“Draft Rules”). Formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Draft Rules have been published for public consultation, with objections and suggestions to be submitted to the Ministry of Electronics and Information Technology by February 18, 2025. Intended to further safeguard citizens’ right to protect their personal data, the Draft Rules seek to operationalize the DPDP Act, furthering India’s commitment to creating a robust framework for the protection of digital personal data.

In this blog, we break down the key provisions of the Draft Rules having regard to their background in the DPDP Act, and highlight certain challenges found in the draft legislation. 

Background: the DPDP Act, 2023

The DPDP Act was a revolutionary step towards India’s adoption of a robust data protection regime. This legislation is the first comprehensive law dedicated to the protection of personal data and received presidential assent on August 11, 2023. However, the Act itself is yet to be notified for enforcement, and implementation is expected to proceed in a phased manner. To understand the impact of the Draft Rules[2], it is crucial to first understand the key terms and legal framework introduced by the DPDP Act.

A. Key Terms:

    • Board: the Data Protection Board of India established by the Central Government. 
    • Consent Manager: a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent and interoperable platform.
    • Data Fiduciary: any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.
    • Data Principal: the individual to whom the personal data relates. The ambit of this definition is expanded where the Data Principal is: (i) a child, to include their parents and/or lawful guardian; and (ii) a person with disability, to include their lawful guardian.
    • Data Processor: person processing personal data on behalf of a Data Fiduciary.
    • Personal Data: any data about an individual who can be identified by or in relation to such data.
    • Processing: (in relation to personal data) wholly or partly automated operation(s) performed on digital personal data. Includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.  

B. Legal Framework:

    • Scope and Applicability: Applies to the processing of personal data within India and to entities outside India offering goods or services to individuals in India. Covers personal data collected in digital form or digitized after collection, and excludes personal data processed for a personal or domestic purpose and data made publicly available by the Data Principal.
    • Data Processing: Statutory requirement for clear, informed and unambiguous consent from Data Principals, including a notice of their rights. Certain scenarios (such as compliance with legal obligations or emergencies) allow data processing without explicit consent, i.e., for a legitimate purpose[3].
    • Data Principals: Given rights that include access to information, correction and erasure of data, grievance redressal, and the ability to nominate representatives to exercise these rights in case of incapacity or death.
    • Data Fiduciaries: Obligated to implement data protection measures, establish grievance redressal mechanisms, and ensure data security. Significant Data Fiduciaries[4] are additionally required to conduct Data Protection Impact Assessments (DPIAs), appoint a Data Protection Officer, and appoint an independent data auditor to evaluate compliance with the DPDP Act.
    • Cross-Border Data Transfer: In a departure from the earlier regime requiring data localisation, the DPDP Act permits cross-border transfer of data unless explicitly restricted by the Indian government.
    • Organisational Impact: Organisations must assess and enhance their data protection frameworks to comply with the DPDP Act. Key steps include appointing Data Protection Officers (for Significant Data Fiduciaries), implementing robust security measures, establishing clear data processing agreements, and ensuring mechanisms for Data Principals to exercise their rights.
    • Penalties: Monetary penalties can be imposed by the Board based on the circumstances of the breach and the resultant impact (including whether any gain or loss has been realised or avoided by a person).

Enabling Mechanisms: the DPDP Rules, 2025

Under Section 40 of the DPDP Act, the Central Government is empowered to formulate rules to enable the implementation of the Act. Pursuant to this, the Draft Rules seek to provide guidance on compliance, operational aspects, administration and enforcement of the DPDP Act. The Draft Rules are to come into force upon publication; however, certain critical provisions will only become effective at a later date[5].

Key Provisions:

    • Notice Requirements for Data Fiduciaries: The notice for consent provided to the Data Principal should be clear, standalone, simple and understandable. Most crucially, the Draft Rules specify that the notice should include an itemized list of the personal data being collected and a clear description of the goods, services or uses enabled by such processing. The Data Principal should also be informed of the manner in which they can withdraw consent, exercise their rights and file complaints. Data Fiduciaries should provide a communication link and describe the applicable methods by which the Data Principal can withdraw consent or file complaints with the Board.
    • Consent Managers: Strict eligibility criteria have been prescribed for persons who can be appointed as Consent Managers: the Consent Manager must be an India-incorporated company with sound financial and operational capacity, a minimum net worth of INR 2,00,00,000, a reputation for fairness and integrity, and a certified interoperable platform enabling Data Principals to manage their consent. Consent Managers must uphold high standards of transparency, security and fiduciary responsibility, are additionally required to be registered with the Board, and act as a single point of contact for Data Principals. Any transfer of control of such an entity requires the prior approval of the Board.
    • Data Processing by the State: The government can process personal data to provide subsidies, benefits, certificates, services, licenses or permits. However, such processing must comply with the standards prescribed in the Draft Rules[6] and ensure that the handling of personal data is lawful, transparent and secure.
    • Reasonable Security Safeguards: The Draft Rules call for the implementation of ‘reasonable security measures’ by Data Fiduciaries to protect personal data. These include encryption of data, access control, monitoring of access (particularly for unauthorised access), backup of data, etc. The safeguards should also include provisions to detect and address breaches of data, maintenance of logs, and appropriate safety measures built into any contracts with Data Processors.
    • Data Breach Notification: Data Fiduciaries are required to promptly notify all affected Data Principals in the event of a breach. This notification must include a clear explanation of the breach: its nature, extent, timing and potential consequences, the mitigation measures taken, and safety recommendations to safeguard the data. The Board must also be informed of the breach (including a description of its nature, extent, timing, location and likely impact) within 72 hours of the Data Fiduciary becoming aware of it. Longer intimation timelines may be permitted upon request.
    • Accountability and Compliance: Grievance redressal mechanisms must be published on the Data Fiduciary’s platforms, and the Data Fiduciary bears the obligation to ensure lawful processing of personal data. Processing must be limited to ‘necessary purposes’ and data may only be retained for ‘as long as needed’.
    • Data Retention by E-Commerce Entities and Online Gaming and Social Media Intermediaries: The Draft Rules require the deletion of user data after 3 years[7] by: (i) e-commerce entities having at least 2,00,00,000 registered users in India; (ii) online gaming intermediaries having at least 50,00,000 registered users in India; and (iii) social media intermediaries having at least 2,00,00,000 registered users in India.
    • Consent for Children and Persons with Disabilities: The DPDP Act and Draft Rules envisage greater protection of the personal data of children and persons with disabilities. Verifiable consent must be obtained from parents or legal guardians in accordance with the requirements set out in the Draft Rules. Critically, a Data Fiduciary is required to implement measures to ensure that the person providing consent on behalf of a child or person with a disability is in fact that child’s or person’s parent or legal guardian, and is identifiable. The Data Fiduciary is further required to verify that the parent is an adult by using reliable identity details or virtual tokens mapped to such details.
    • Impact Assessment: Predominantly an obligation on Significant Data Fiduciaries, the Draft Rules impose a mandate to conduct yearly DPIAs to evaluate the risks associated with data processing activities. This requires due diligence to verify algorithmic software[8] so as to ensure there is no risk to the rights of Data Principals.
    • Data Transfer Outside India: Discretion is left to the Central Government to set requirements in respect of making personal data available to a foreign state or its entities. Data Fiduciaries processing data within India, or in connection with goods or services offered to Data Principals from outside India, must comply with these requirements as prescribed from time to time.
    • Exemptions: The Draft Rules prescribe exemptions from the applicability of the DPDP Act for processing of personal data carried out: (i) for research, archival or statistical purposes, subject to compliance with the standards set out in Schedule II of the Draft Rules[9]; and (ii) by healthcare professionals, educational institutions, creche or day care facilities and their transporters, subject to compliance with the conditions set out in Schedule IV of the Draft Rules.
    • Enforcement: The Draft Rules prescribe the mechanism for enforcement of the DPDP Act, including the establishment of the regulatory authority (i.e., the Board), the appointment of its chairperson and members, the appellate framework for decisions of the Board, the redressal of grievances, and any consequent penalties imposed for contraventions of the law.

Implications of the Draft Rules

While the Draft Rules have been long awaited, there is still no clarity on the implementation timeline. Further, while the Ministry of Electronics & Information Technology has requested public comments on the Draft Rules, it is unlikely that these comments will be released to the public. At the outset, it is apparent that the Draft Rules will require organisations to make significant investments in compliance measures to meet the requirements outlined. These include robust consent management systems, enhanced security protocols and transparent communication mechanisms with users, all of which will increase the overall compliance costs borne by businesses, particularly affecting smaller entities. Some of the key issues with this framework are set out below:

    • Operational Costs: Businesses may be required to restructure their platforms at the design and architecture level of their applications, leading to increased costs. The added compliance burdens will also increase the costs of conducting regular audits and verifying algorithmic software (particularly for Significant Data Fiduciaries), which can stifle innovation and limit market entry for new businesses.
    • Vagueness: Terms such as “reasonable safeguards”, “appropriate measures” and “necessary purposes” are used liberally in the Draft Rules; however, they have not been adequately defined in the law, leaving a lack of clarity on what constitutes “reasonable”, “appropriate” or “necessary” standards. Further, phrasing such as “likely to pose a risk to the rights of data principals” does not clarify what satisfies the due diligence obligation, which can lead to subjective enforcement.
    • Significant reliance on discretionary authority: The Union Government has been given significant authority in determining exemptions, processing standards, data transfer and government functions involving data processing. Consequently, the Government holds broad power to determine the limits of the law, and no clear criteria are provided for an objective assessment, raising questions of fairness and transparency. The Draft Rules also do not appear to adhere to the directions of the Supreme Court in the landmark judgment of K.S. Puttaswamy v Union of India[10], which explicitly states that: “the matter shall be dealt with appropriately by the Union Government, with due regard to what has been set out in this judgment” (emphasis supplied). Further, large parts of the implementation and enforcement will be administered at the discretion of the competent government ministry, leaving a lack of clarity in the foundational framework.
    • Potential for mandatory universal registration: Verifiable parental consent requirements for children’s data can be used to require every online user to verify their age through governmental credentials, while seemingly relying on self-verification. Consequently, parents or legal guardians would be required to provide government-issued identity documents to verify their credentials. This mechanism not only violates the principles of data minimization and retention limitation but also risks over-collection, prolonged storage and potential mass surveillance[11].
    • Lack of clarity in the law: In addition to the absence of a guiding framework for the mode of delivery of notices[12], the Draft Rules create further ambiguity in relation to legislation such as the Rights of Persons with Disabilities Act, 2016, the Guardians and Wards Act, 1890, the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, and the Mental Health Act, 2017 with respect to consent notices issued to persons with disabilities and children. The DPDP Act also does not address the regulation of non-personal data (such as traffic data), and defined procedures for processes such as the appointment of nominees or the appeal timeline for orders of the Board are not clearly outlined in the Draft Rules. The Draft Rules also need to be harmonized with existing legislation such as the Information Technology Act, 2000 and the CERT-In directions issued thereunder, under which cyber incidents must be reported within 6 hours.

Concluding Thoughts

The Draft Digital Personal Data Protection Rules, 2025, represent a significant step toward operationalizing India’s ambitious DPDP Act, 2023, and businesses can use the Draft Rules as guidelines to determine the extent of revision of their existing data protection framework that may be required. While the Draft Rules aim to create a robust framework for safeguarding personal data, their implementation will require businesses to overhaul their data protection systems, leading to increased compliance costs and operational challenges. However, despite progressive provisions like Consent Managers and enhanced security measures, the Draft Rules leave room for ambiguity, particularly with undefined terms and broad discretionary powers. As stakeholders await further clarity and finalization, it is evident that achieving a balance between privacy rights, operational feasibility, and fostering innovation will be crucial for the success of this legislation.

India’s journey toward a comprehensive data protection regime has begun, but a clear roadmap for implementation, harmonization with existing laws, and addressing key gaps will be pivotal in building trust and driving compliance across sectors. For businesses, the time to prepare is now—building compliant frameworks will not just ensure legal adherence but also enhance user confidence in the digital ecosystem.

Stay tuned for more #TreelifeInsights as the Draft Rules evolve into actionable mandates.

References

[1] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
[2] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
[3] This marks a change from the earlier regime, which included a concept of “deemed consent”. The DPDP Act creates a category of permitted use that does not require explicit consent. See Section 7 of the DPDP Act.
[4] Data Fiduciaries notified by the Central Government under Section 10 of the DPDP Act, on the basis of factors such as: (i) volume and sensitivity of personal data processed; (ii) risk to the rights of the Data Principal; (iii) potential impact on the sovereignty and integrity of India; (iv) risk to electoral democracy; (v) security of the state; and (vi) public order. Significant Data Fiduciaries have additional obligations under the DPDP Act.
[5] Rules 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 21 and 22. See: Explanatory Note to Digital Personal Data Protection Rules, 2025, published by the Ministry of Electronics & Information Technology on January 3, 2025: https://www.meity.gov.in/writereaddata/files/Explanatory-Note-DPDP-Rules-2025.pdf
[6] See Schedule II of the Draft Rules.
[7] Subject to users actively maintaining their accounts.
[8] The verification exercise focuses on software deployed for hosting, display, uploading, modification, publishing, transmission, storage, updation or sharing of personal data processed by the Data Fiduciary.
[9] This exemption is granted to ensure that necessary data processing for academic and policy research can occur while maintaining safeguards and standards to protect such data.
[10] (2018) 8 S.C.R. 1, where the principles of “proportionality” and “necessity” were held to be essential safeguards of any data protection regime.
[11] https://internetfreedom.in/statement-on-the-draft-dpdp-rules-2025/
[12] https://www.fortuneindia.com/macro/draft-dpdp-rules-2025-a-closer-look-at-the-hits-and-misses/119825

About the Author
Treelife

Treelife provides legal and financial support to startups, small businesses, companies and entrepreneurs with access to a team of professionals.
