The MeITY (Ministry of Electronics & Information Technology), Government of India, has published draft Rules, viz. the Draft Digital Personal Data Protection Rules, 2025 (“the Rules”), under the already notified Digital Personal Data Protection Act, 2023 (“the Act”), for public objections & suggestions till 18th February, 2025. Some of the key features of these draft Rules are as follows:
1. There are a total of 22 Rules and seven Schedules in the draft Rules (corresponding to the provisions of the Act, which contains 44 Sections & the Schedule). Not all the Rules shall come into effect at once. Out of the 22 Rules, Rules 3 to 15, predominantly dealing with the data protection provisions enumerated in the Act, and Rules 21 & 22 shall come into force on a specified future date once the Rules are promulgated. The rest of the Rules (which mainly deal with operationalisation of the Act) shall come into effect as and when these Rules are published in the Gazette.
2. Details of the notice to be given by the Data Fiduciary to the Data Principal (Section 5 of the Act) have been spelt out in Rule 3 of the draft Rules.
3. Corresponding to Section 6(8) of the Act, the eligibility criteria for a person to be registered as a ‘Consent Manager’ with the Data Protection Board of India (“the Board”) have been specified in Rule 4 read with Part A of the First Schedule to the Rules, whereas Part B of the Schedule lists the obligations of the Consent Manager.
- Rule 5 read with the Second Schedule to the Rules specifies standards for processing of data by the State instrumentalities for provision/issue of subsidy, benefit, service, certificate, license or permit.
- Rule 6 specifies the minimum data security measures to be taken by the Data Fiduciary, which include technical & organisational measures.
- Rule 7 specifies the manner in which the Data Principal and the Board are to be informed by the Data Fiduciary of any data breach. Even though there is no specific time limit within which the Data Fiduciary is required to inform them of the breach, there is a 72-hour window (extendable by request) available to the Data Fiduciary to share details of the breach & its mitigation measures with the Board.
- Rule 8 specifies the objective & periods for which personal data of Data Principals is to be retained by various classes of Data Fiduciaries. The Rule gives a 48-hour ‘warning window’ to the Data Principal to inform the Data Fiduciary w.r.t. processing of the data, before completion of the retention period as specified in the Third Schedule. So now, even the Data Principal needs to be vigilant to avoid data erasure not intended by her.
- Rule 9 mandates the Data Fiduciary to publish details of grievance redressal or the Data Protection Officer, in communications and in the public domain.
- Rule 10 can be termed the highlight of these Rules. The Rules require the guardian of a child opening an account with a Data Fiduciary, e.g. Facebook or Instagram, to verify themselves to be the legal guardian and to furnish age proof. The concept of ‘parental control’ seems to be brought in by these Rules. As per this Rule, parents’ identity and age will have to be validated and verified through voluntarily provided identity proof “issued by an entity entrusted by law or the Government”.
- Rule 11 read with Third Schedule also specifies exemptions from obtaining such consent for processing data of children & disabled persons by certain Data Fiduciaries and in specific conditions, which predominantly include clinical & educational establishments and healthcare professionals. It also covers certain child welfare purposes for which such data processing would not require consent.
- Rule 12 has, inter alia, mandated a yearly Data Protection Impact Assessment & Audit of a Significant Data Fiduciary.
- Rule 13 specifies the rights of the Data Principal earlier detailed in Sections 11 to 14 of the Act.
- Rule 14 deals with processing personal data outside India, predominantly covering Data Fiduciaries who maintain servers outside India.
- Rules 15 to 22 deal with operational aspects of the functioning of the Board for implementing the Act & Rules. The highlight of Rule 19 is that it facilitates operations of the Board through a digital office, dispensing with the requirement of physical presence, as already specified in Section 28 of the Act.
The table below maps all 22 Rules to the corresponding Sections of the Act:

| Section of DPDP Act, 2023 | Rules of draft DPDP Rules, 2025 |
| --- | --- |
| 5 | 3 |
| 6(8) | 4 read with First Schedule |
| 7(b) | 5 read with Second Schedule |
| 8(4) | 6 |
| 8(6) | 7 |
| 8(7) | 8 read with Third Schedule |
| 8(9) | 9 |
| 9(1) | 10 |
| 9(1) & (3) | 11 read with Fourth Schedule |
| 10 | 12 |
| 11 to 14 | 13 |
| 16 | 14 |
| 17(2) | 15 |
| 18 | 16 |
| 20 | 17 read with Fifth Schedule |
| 23 | 18 |
| 28(1) | 19 |
| 24 | 20 read with Sixth Schedule |
| 29 | 21 |
| 36 | 22 read with Seventh Schedule |