
India’s Draft Digital Personal Data Protection Rules
If you have questions or would like additional information on the material covered herein, please contact:
Seema Jhingan, Partner
sjhingan@lexcounsel.in
Tanmay Mohanty, Senior Associate
tmohanty@lexcounsel.in
Ashish Kumar, Associate
akumar@lexcounsel.in

Introduction

The Government of India understands that data is the new currency and that control over this data is power. India has therefore enacted the Digital Personal Data Protection Act 2023 (“Act”) to create robust data privacy laws and has now released the draft Digital Personal Data Protection Rules 2025 (“Draft Rules”) for public consultation. The Draft Rules provide a framework for the implementation of the Act. For our analysis of key aspects of the Act, please refer to our earlier newsletter (https://www.mondaq.com/india/privacy-protection/1399356/data-privacy-in-india-digital-personal-data-protection-act-2023). In this write-up, we highlight key provisions of the Draft Rules and their impact:

1. Notice by ‘Data Fiduciary’[1] to ‘Data Principal’[2]

The Draft Rules elaborate on the obligation of a Data Fiduciary to seek the informed consent of the Data Principal before processing her personal data. By requiring clear and detailed notice, the Draft Rules ensure that the Data Principal is adequately informed about data collection and processing.

2. Reasonable security safeguards

The Draft Rules require security safeguards to be implemented by Data Fiduciaries and Data Processors[3], including data security measures (such as securing personal data through encryption, obfuscation, masking, etc.), controls on access to the computer resources of the Data Fiduciary/Data Processor, measures for detection of unauthorized access, etc. These measures need to be implemented without any distinction between small and large Data Fiduciaries; implementation of these safeguards would therefore increase the financial and operational burden on small and mid-sized entities.

3. Intimation of personal data breach

Emphasizing the requirement of reporting in case of a personal data breach, the Draft Rules require a Data Fiduciary to promptly notify the affected Data Principal and the Data Protection Board of India (“Board”) without any delay. The notification must include:
i. Nature, extent, timing and location of the breach.
ii. Potential consequences for the affected Data Principal.
iii. Risk mitigation measures taken or proposed.
iv. Recommended safety actions for the Data Principal.
v. Contact details for further inquiries.

Further, the Data Fiduciary is required to provide the Board with detailed reports within 72 hours, outlining the breach’s cause, impact, responsible entities, and remedial measures. This requirement of intimation reinforces the principles of transparency, accountability and responsibility in the event of a personal data breach and ensures that both the Data Principal and the Board are duly informed, including of the remedial steps taken to strengthen data protection measures. However, the Draft Rules lack a mechanism to categorize breaches based on their extent and severity. The General Data Protection Regulation, 2016 (“GDPR”) provides an exemption from intimation for breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons”. A similar exemption could have been included in the Draft Rules to prevent unnecessary compliance burdens on the Data Fiduciary in cases of minor data breaches.

4. Erasure of Data

The Draft Rules require Data Fiduciaries in specific sectors with a specified number of registered users (e-commerce, online gaming, and social media) to erase personal data after a defined retention period if the Data Principal neither engages with the Data Fiduciary for the specified purpose nor exercises her rights. The retention period is set at 3 (three) years from the last interaction or the commencement of the Draft Rules, whichever is later, as specified in the Third Schedule[4]. Additionally, the Draft Rules allow the Data Principal to request information about her personal data and its erasure by contacting the Data Fiduciary. This framework balances data retention with privacy protection.

5. Consent of the Parent/Guardian

The Draft Rules mandate that Data Fiduciaries implement technical and organizational measures to obtain verifiable parental consent before processing a child’s personal data. This includes due diligence to confirm that the individual claiming to be a parent is an identifiable adult under applicable laws. For this purpose, the following verification mechanisms have been introduced:
i. Reliable details of identity or government-issued tokens.
ii. Existing identity details if the parent is already registered.
iii. Cross-verification with government-maintained records.

Similarly, for individuals with disabilities, lawful guardianship must be verified through court orders, designated authorities, or local-level committees. The Draft Rules lay emphasis on protecting children against abuse in the digital era. The illustrations cited in the Draft Rules regarding verifiable consent of the parent/lawful guardian pertain to instances where the child or the parent voluntarily informs the Data Fiduciary that the Data Principal is not an adult; several implementation challenges therefore arise:
i. Potential age falsification by users, and the technical and organisational measures the Data Fiduciary will need to adopt to assess whether a Data Principal is an adult.
ii. Compliance burden on the Data Fiduciary for verifying parental identity.
iii. Increased costs to secure age verification systems and data storage.
iv. Lack of clarity on handling false parental claims or unavailable verification documents.
v. Digital literacy gap among parents, which will affect the verification procedures.
vi. Complex and costly verification of guardianship for persons with disabilities, requiring legal confirmation from courts or authorities.

While no system is perfect, a more nuanced framework is necessary to balance child data protection with operational feasibility for Data Fiduciaries.

6. Data Localization

Data localization is one of the key features of the Act, and the Draft Rules provide that the transfer of personal data processed by a Data Fiduciary to any country or territory outside India will be subject to restrictions imposed by the Central Government. This applies to data processed within India as well as data processed outside India in connection with offering goods or services to individuals within India. The Data Fiduciary must comply with the requirements specified by the Central Government, whether through general or special orders, before making such personal data available to any foreign state, its agencies, or entities under its control. Considering that the Government’s ability to access data stored outside India, especially in cases of fraud and terror, has proven challenging, the Draft Rules grant the Central Government significant control over data transfers. The Government is of the view that implementation of data localization will enhance data protection and facilitate the collection of data for law enforcement agencies. The delicate balance between Government control over data and the individual’s right to data privacy will be keenly assessed going forward.

7. Power of the Central Government

The Central Government is empowered to mandate any Data Fiduciary and intermediaries to furnish information for purposes under the Act, with a set compliance deadline. Data Fiduciaries are prohibited from informing users or the public of such disclosures without prior Government approval if the disclosures affect sovereignty, integrity, or national security. Though the Rule is essential for the protection of the sovereignty, integrity and national security of the country, the following concerns are being raised:
i. Wide discretionary powers without clear procedural safeguards raise risks of misuse, mass surveillance, and political targeting.
ii. Lack of a definition for “security of the State” leaves room for arbitrary enforcement.
iii. Data disclosure creates accountability concerns, placing businesses in a dilemma between user privacy commitments and legal compliance.

A structured oversight mechanism with transparent procedural safeguards is essential to prevent potential abuse while ensuring national security interests.

Data privacy is a complex issue with conflicting interests which need to be carefully balanced. While the Draft Rules provide a comprehensive regulatory framework for implementing the Act, the stringent requirements on notice, consent, verification, data breach reporting, and localization may pose operational and financial challenges, especially for small and mid-sized entities. The extensive powers granted to the Central Government necessitate additional safeguards and possibly greater clarity of use to prevent potential misuse.

Endnotes
1 Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
2 An individual to whom the personal data relates and where such individual is: (i) a child, includes the parents or lawful guardian of such child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
3 Any person who processes personal data on behalf of a Data Fiduciary.
4 Classes of Data Fiduciary provided in the Third Schedule are: a) an e-commerce entity having not less than 2,00,00,000 registered users in India; b) an online gaming intermediary having not less than 50,00,000 registered users in India; c) a social media intermediary having not less than 2,00,00,000 registered users in India.
Disclaimer: LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.