In an era where data is considered the “new oil,” safeguarding digital personal data has become imperative. Recognizing this, the Government of India introduced the Digital Personal Data Protection Act, 2023 (DPDP Act) and, following it, proposed the Draft Digital Personal Data Protection Rules, 2025 to operationalize the Act. These draft rules aim to lay down detailed procedures and norms for the implementation, compliance, and enforcement of the Act’s provisions.
Background
The Supreme Court judgment in Justice K.S. Puttaswamy vs Union of India (2017) declared the Right to Privacy a Fundamental Right.
In 2023, the Digital Personal Data Protection Act was enacted to regulate personal data processing in India.
The Draft Rules, 2025 are subordinate legislation meant to flesh out the operational details.
Objective of the Rules
To specify procedures, obligations, and mechanisms under the DPDP Act, 2023.
To enable compliance by Data Fiduciaries and Data Processors.
To detail the functioning of the Data Protection Board of India (DPBI).
To provide rights enforcement mechanisms for Data Principals (individuals).
Scope and Applicability
| Aspect | Details |
|---|---|
| Jurisdiction | Applies to the processing of digital personal data in India and outside India if goods/services are offered to Indian residents. |
| Data Covered | All digital personal data, including that collected in non-digital form but digitized later. |
| Stakeholders | Data Principal, Data Fiduciary, Consent Manager, Data Processor, and the Board. |
Key Provisions in the Draft Rules
1. Notice and Consent Mechanism
Standardized format for privacy notices to Data Principals.
Consent must be free, informed, specific, unambiguous, and can be withdrawn at any time.
Multiple language options, ensuring accessibility.
2. Data Principal Rights
Right to access, correction, erasure, grievance redressal, and nomination.
Procedure for filing complaints with the Data Protection Board of India (DPBI).
3. Obligations of Data Fiduciaries
Data Minimization: Collect only necessary data.
Purpose Limitation: Use only for the stated purpose.
Security Safeguards: Encryption, access control, and breach response mechanism.
Maintain Data Processing Records.
4. Significant Data Fiduciary (SDF) Criteria
Turnover, volume of data processed, risk to sovereignty, etc.
Additional obligations for SDFs:
Data Protection Officer (DPO) appointment.
Data Protection Impact Assessment (DPIA).
Independent audits.
5. Cross-Border Data Transfer
Allowed unless specifically restricted by the Central Government.
6. Children’s Data
Special provisions for processing data of minors (<18 years).
Verifiable parental consent and no behavioral tracking/targeted advertising.
7. Grievance Redressal & Adjudication
Time-bound resolution (30 days) for grievances raised by Data Principals.
Escalation mechanism to the Data Protection Board if unresolved.
8. Data Breach Notification
Mandatory breach reporting to DPBI and affected users within 72 hours.
Clear format for notification: type of data, impact, remedial actions.
Role of the Data Protection Board of India (DPBI)
| Function | Description |
|---|---|
| Enforcement | Inquiry, investigation, and imposition of penalties. |
| Adjudication | Hear complaints from Data Principals. |
| Guidance | Issuance of guidelines and advisory opinions. |
| Appeals | Orders can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). |
The Data Protection Board of India (DPBI) is envisaged as the central regulatory authority responsible for the enforcement of the Digital Personal Data Protection Act, 2023 and the subsequent 2025 Rules.
As a quasi-judicial body, the Board plays a pivotal role in ensuring accountability among data fiduciaries and processors.
It is empowered to conduct inquiries into data breaches, investigate complaints lodged by Data Principals (individuals), and impose penalties on violators of the law.
The DPBI is also tasked with overseeing grievance redressal mechanisms and ensuring that rights of individuals related to their personal data—such as the right to access, correct, and erase data—are upheld.
Furthermore, the Board is expected to issue guidelines, recommend compliance standards, and adjudicate disputes where necessary.
It acts as a critical interface between the data economy and citizens, ensuring a transparent, fair, and secure data governance framework in the country.
Penalties under the Rules
| Violation | Penalty (Up to) |
|---|---|
| Data breach without safeguards | ₹250 crore |
| Failure to protect children’s data | ₹200 crore |
| Delay in breach notification | ₹50 crore |
| Unlawful processing or non-erasure | ₹150 crore |
Sectoral Implications
1. Startups and SMEs
Simplified compliance mechanisms and light-touch regulation for small entities.
Provision for Consent Managers to assist in digital consent handling.
2. Health and Financial Services
Must ensure robust encryption and anonymization techniques.
Advised to conduct regular Data Protection Impact Assessments (DPIAs) due to high sensitivity of data.
Global Comparison
| Feature | India (DPDP Rules 2025) | EU (GDPR) | USA (CPRA) |
|---|---|---|---|
| Jurisdiction | Global, if targeting Indians | Extra-territorial | Only for California residents |
| Consent | Mandatory & revocable | Mandatory, granular | Opt-out for sale/sharing |
| Children’s Data | Strict parental consent under 18 | Parental consent under 16 | Parental consent under 13 |
| Penalties | Up to ₹250 crore | €20 million or 4% global turnover | $7,500 per violation |
Benefits of the Rules
Legal Certainty: Brings clarity to businesses and startups.
Consumer Empowerment: Individuals gain more control over their data.
Ease of Compliance: Defined processes reduce legal ambiguities.
Boosts Digital Economy: Enhances trust in digital platforms.
Challenges & Concerns
| Issue | Description |
|---|---|
| Ambiguity in Definitions | Terms like “public interest” or “significant harm” are vague. |
| Government Exemptions | Section 17 of the Act allows wide exemptions to government entities. |
| Enforcement Capacity | The DPBI is still being operationalized. |
| Digital Divide | Low digital literacy could hinder consent understanding. |
| Cross-border Uncertainty | Lack of clarity on “blacklisted” countries for data transfers. |
Way Forward
Finalize rules post stakeholder consultation and public feedback.
Operationalize the Data Protection Board of India with adequate autonomy.
Launch mass awareness campaigns about digital rights.
Collaborate with industry for smoother implementation.
Conclusion
The Draft Digital Personal Data Protection Rules, 2025 represent a critical step in translating the DPDP Act, 2023 into action. By defining mechanisms, responsibilities, and penalties, these rules aim to ensure that India’s digital economy grows responsibly, respecting the rights and privacy of every individual.
As India strides forward in its digital journey, these rules will serve as the foundational framework for data governance, ensuring that innovation and privacy go hand-in-hand.