The Draft Digital Personal Data Protection Rules 2025

Context:

The Draft Digital Personal Data Protection (DPDP) Rules, 2025, will take forward the Digital Personal Data Protection Act of 2023.

The Draft Digital Personal Data Protection (DPDP) Rules, 2025

It comes with the objective of improving the legal framework for digital personal data by giving the required intricacies and balancing between the right to privacy of an individual and the requirement to process that personal data lawfully for carrying out those purposes.

• Right to Privacy – Article 21
  • Supreme Court of India has Stated that under the Article 21, the right to privacy is a fundamental right too. 
  • Article 21 of the Indian Constitution speaks about
    • Right to life
    • Right to personal liberty

Key Findings:

• Based on the Digital Personal Data Protection Act of 2023
• Status
  • Open for public consultation until 18 February
• Main Provisions
  • Informed Consent:
    • Fiduciaries have to provide clear notices to users about the data collected
  • Exemptions:
    • Data collected for subsidy and benefits purposes is exempt from certain provisions.
  • Data Security:
    • Data fiduciaries shall have reasonable security safeguards in place.
  • Data Deletion:
    • The data fiduciary will delete the user data within two days of giving notice and may stop the process based on user action during such notice period.
  • Parental Consent:
    • For personal data related to children.
  • Role and Responsibilities of Data Fiduciaries
    • Entities collecting and processing personal data are called “Data Fiduciaries”.
    • Data retention is only for the period of consent and must be deleted thereafter.
    • Security measures include encryption, access control, and monitoring for unauthorized access.
  • Consent Management
    • The entities managing the consent records have to adhere to stringent verification processes.
    • Grievances redressal mechanisms have to be put in place.
  • Data Localisation
    • Reintroduction of localisation mandates restricting certain personal and traffic data transfer outside India.
    • A government-formed committee will determine data restricted from cross-border transfer.
  • Data Breach Reporting
    • Fiduciaries must inform affected users and the Data Protection Board promptly of a breach.
    • All breaches must be reported.
    • Government agencies must process citizen data lawfully, with specific safeguards outlined to address concerns over exemptions for national security and public order.