top of page
Writer's pictureAnushka Srivastava

India Releases and Invites Feedback on Draft Rules for Data Protection: Key Insights from the Digital Personal Data Protection Rules 2025

On 3rd January 2025, Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025, inviting public comment and feedback from the stakeholders until February 18, 2025. The release of the draft rules has sparked significant debate about the implications of the draft rules on data privacy rights and their role in furthering the objectives of the Digital Personal Data Protection (DPDP) Act, 2023. In this blog, we will discuss the key insights of the draft rules from the Digital Personal Data Protection Rules 2025. The draft rules outline critical provisions for how data fiduciaries should handle personal data, marking another milestone in India’s efforts to establish a robust data protection framework.

| India Releases and Invites Feedback on Draft Rules for Data Protection: Key Insights from the Digital Personal Data Protection Rules 2025 |
| India Releases and Invites Feedback on Draft Rules for Data Protection: Key Insights from the Digital Personal Data Protection Rules 2025 |

Key Highlights of the Draft Rules


  • Consent for Minor's Data:


Data fiduciaries must obtain verifiable consent from parents before processing children’s personal data. While this provision enhances protections for minors, it also places additional compliance burdens on companies to ensure proper verification processes.


"appropriate technical and organisational measures [shall be adopted] to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child" - the rule stated.


  • Consent Managers and Safeguards:


Consent managers must register and work with data fiduciaries to collect user consent under a specified format, ensuring transparency and compliance. Data fiduciaries are required to implement technical and operational safeguards to protect personal data and notify the Data Protection Board of India (DPBI) within 72 hours of a breach. Significant data fiduciaries must periodically conduct Data Protection Impact Assessments and audits to ensure adherence to the DPDP Act.


  • Data Protection Board (DPB) Structure:


The DPB is proposed to oversee complaints and appeals related to data processing practices. While the government claims this will balance regulation and innovation, stakeholders worry it might not adequately address the complexities of digital data management in a rapidly evolving landscape.


Context and Evolution of the DPDP Act


The journey of the DPDP Act has been marked by extensive deliberation and multiple iterations. Initially proposed as the Personal Data Protection Bill, the legislation underwent five revisions before its enactment on August 11, 2023. The Act aims to safeguard personal data while fostering innovation in India’s digital economy. To operationalize the Act, MeitY has been drafting detailed rules to guide its implementation. The current draft reflects the government’s efforts to address key issues raised during public consultations while balancing stakeholder interests.


Stakeholder Concerns and Opportunities


  • Challenges for Businesses:


Companies face significant challenges in implementing robust compliance measures, especially SMEs with limited resources. The lack of clear penalties might reduce incentives for organizations to prioritize data protection.


  • Advancing Individual Rights:


The draft rules aim to empower individuals by strengthening consent mechanisms and data protection rights. However, the absence of clarity in certain provisions could hinder effective enforcement.


  • Public Engagement:


Stakeholders are encouraged to participate actively in the consultation process to refine the rules. Rights advocates emphasize the need for robust feedback to ensure that the rules effectively balance individual rights and industry innovation.


The Road Ahead


The draft rules are expected to evolve based on public feedback, with final regulations anticipated later this year. As the consultation process unfolds, it is crucial for all stakeholders—citizens, businesses, and policymakers—to collaborate and contribute to shaping a framework that ensures robust data protection without stifling innovation. India’s journey toward comprehensive data privacy legislation underscores the importance of transparency, accountability, and adaptability in today’s digital age. The Digital Personal Data Protection Rules, 2025, represent a significant step forward, but their ultimate success will hinge on effective implementation and ongoing stakeholder engagement.


14 views0 comments

Recent Posts

See All

Comments


bottom of page