The Central Government has published the draft Digital Personal Data Protection Rules, 2025 under the Digital Personal Data Protection Act, 2023 (DPDP Act). These rules aim to create a robust legal framework for personal data processing in India, ensuring compliance with privacy principles and protection mechanisms.
Key Features of the Draft Rules
1. Notice and Consent Framework
- Rule 3:
  - Data Fiduciaries must provide clear, accessible, and plain-language notices.
  - Notices must include:
    - Details of personal data being processed.
    - Purpose and description of processing.
    - Methods to withdraw consent.
2. Obligations of Consent Managers
- Rule 4:
  - Consent Managers must register with the Data Protection Board (DPB).
  - Key obligations:
    - Ensure interoperable platforms for granting, managing, and withdrawing consent.
    - Maintain consent records for at least seven years.
    - Avoid conflicts of interest with Data Fiduciaries.
3. Data Fiduciaries’ Responsibilities
- Rule 6:
  - Data Fiduciaries must implement reasonable security safeguards, such as:
    - Encryption and access controls.
    - Logging and monitoring access to personal data.
    - Retain logs for at least one year to ensure accountability.
4. Rights of Data Principals
- Rule 13:
  - Empowering individuals with:
    - Right to Information: Access details of their personal data.
    - Right to Correction: Rectify inaccurate or incomplete data.
    - Right to Erasure: Request deletion of irrelevant data.
5. Processing of Data by Government Entities
- Rule 5:
  - Public authorities may process data for issuing benefits, subsidies, or certificates.
  - Such processing must adhere to standards listed in the Second Schedule.
6. Safeguards for Children’s Data
- Rule 10:
  - Data Fiduciaries must ensure verifiable parental consent for processing children’s data.
  - Use reliable age-verification mechanisms, such as digital tokens.
7. Special Obligations of Significant Data Fiduciaries
- Rule 12:
  - Conduct annual Data Protection Impact Assessments (DPIAs) and audits.
  - Ensure that algorithmic processing does not harm Data Principals’ rights.
8. Cross-Border Data Transfers
- Rule 14:
  - Transfer of personal data outside India requires government approval.
  - Sensitive and critical data must remain localized in India.
9. Personal Data Breach Notifications
- Rule 7:
  - Notify affected Data Principals and the DPB promptly upon discovering a data breach.
  - Reports must include:
    - Nature and extent of the breach.
    - Measures to mitigate risks.
Timeline for Implementation of Draft Rules
Milestone | Deadline |
---|---|
Draft Rules Published | January 3, 2025 |
Public Feedback Deadline | February 18, 2025 |