On 3 January 2025, the Indian Ministry of Electronics and Information Technology (MeitY) released draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) for public consultation.
These draft implementing rules take a number of distinctive approaches to data privacy compliance topics and are designed specifically for the collection and processing of personal data in the digital realm. India’s Digital Personal Data Protection Act (DPDP) of 2023 is already distinct in being confined in its application to personal data held in digital form (including personal data that has been digitised after collection offline). The explanatory note for the legislation stated that the law had been designed to regulate the challenges posed by intensive data usage in internet and other digital services, and this underpinning philosophy has been carried into the draft rules.
Consent managers: consent is the primary basis for processing personal data under the DPDP Act, with only limited exceptions.
Uniquely among primary data protection laws, the DPDP gives statutory recognition to and regulates third party consent management platforms. These are platforms that automate the presentation of privacy notices and the management of consent/opt-out privacy preferences.
The DPDP allows individual consent to be given either directly to the data controller (a ‘data fiduciary’ in the terminology of the DPDP) or through a consent manager. Consent managers can also be given responsibility for managing the exercise of data subject rights and the redress of grievances.
Consent managers will be required to register with the new Data Protection Board (DPB) once this is set up and will be subject to its rules and supervision. Consent management platforms will also need to be certified by the DPB.
The DPDP Rules lay down specific obligations on consent managers regarding record keeping (of privacy notices, consents given, and the personal data that has been collected - which must be made accessible to the consenting individual for at least seven years), and as to the management, review and withdrawal of consents, and the implementation of technical and organisational safeguards (each to also be certified by the DPB), as well as audit and reporting obligations.
Consent managers must be ‘data blind’, such that they will not themselves have access to any of the personal data provided through their consent management platforms.
Withdrawal of consent and exercise of data subject rights: as well as regulating the use of third party consent management platforms, the DPDP Rules appear to require data controllers/ fiduciaries to provide automated mechanisms for individuals to withdraw their consent and exercise data subject rights. Notably, the draft rules mandate that the means to withdraw consent must be made as easy as those for providing consent.
Data retention limits: the DPDP Rules impose a maximum data retention period of three years for certain digital service providers, running from the date on which the data subject last accesses the service or last exercises their data subject rights:
- E-commerce providers with 20 million or more registered users in India.
- Social media providers with 20 million or more registered users in India.
- Online gaming providers with five million or more registered users in India.
Data can only be retained after this period to the extent necessary to comply with other laws.
Typically, privacy laws require personal data to be deleted once it is no longer necessary to retain it for the purpose for which it was collected rather than for a statutorily mandated period.
Notice of the deletion will have to be given no later than 48 hours in advance, and users of online accounts must be directed to log into their accounts in order to prevent their data from being deleted.
Given the low user-count thresholds, this mandatory deletion requirement is highly burdensome and will have widespread and far-reaching impact. It is also notable that the DPDP has extra-territorial effect in connection with any activity related to the offering of goods or services to individuals within India.
Online child safety: the draft rules introduce stringent verification requirements on data controllers/ fiduciaries before processing the personal data of anyone under the age of 18. Data controllers/ fiduciaries will be required to implement reliable measures to ensure that persons giving consent are adults and, where consent is given on behalf of a child, that the person purporting to give the consent is the child’s parent or guardian.
The emphasis on parental verification will present operational challenges for digital platforms catering to large and diverse user bases. The DPDP Rules facilitate the use of virtual tokens and ‘digital locker’ services as a means of age verification, which will be regulated by the government. The IT Minister Ashwini Vaishnaw has said that the government’s Digital India program will support the creation of a system for adoption of such virtual tokens.
The DPDP also bans targeted advertising directed at children and tracking or behavioural monitoring of children (with limited exceptions).
Minimum security standards: the DPDP Rules are also unusual in laying down detailed minimum security safeguards for protecting personal data, including encryption or tokenisation and pseudonymisation of personal data and access controls, logging, monitoring and systems for detecting unauthorised access. Typically, security standards are issued in separate guidance/ rules rather than as baseline standards directly in the statutory framework itself.
Cross-border data transfers: the DPDP Rules appear to empower the Central Government to restrict data controllers/ fiduciaries from providing to any foreign government agency personal data that is held offshore in connection with the provision of goods or services to Indian residents (for example, in response to official data access requests or during regulatory investigations).
The explanatory note indicates that such restrictions could be imposed on any offshore service provider. However, further clarification from MeitY will be needed, since the wording of the relevant rule, read literally, would only appear to allow restrictions to be placed when data that is already offshore is transferred to another overseas location, or when data is transferred out of India for the first time, and not when the data is first collected outside of India, for example by an offshore platform. Either way, the imposition of such a rule could lead to significant conflict of law challenges.
Data breach notifications: the draft rules mandate unusually short timelines for reporting personal data breaches. Data controllers/ fiduciaries must notify the DPB immediately upon becoming aware of a breach. A detailed report will then have to be provided within 72 hours (also counted from first awareness), failing which an extension will need to be requested from the DPB. The detailed report should set out mitigation measures, threat actor information (if available), and notifications to affected individuals, who must also be informed without undue delay.
In addition, individuals will have to be notified of a breach as soon as the organisation becomes aware of it. The notification should include, among other things, an explanation of the consequences for the particular individual, the mitigation measures being taken by the organisation and measures the individual can take to protect their interests. The communication should be made either through an online account or any other mode of communication registered with the organisation.
These timelines will pose a significant compliance challenge.
Significant Data Fiduciaries: the DPDP empowers the Central Government to notify certain data controllers/ fiduciaries (individually or by class of data controllers) as “Significant Data Fiduciaries” (SDFs) based on certain criteria such as the volume or sensitivity of data processed and the risks to individual rights. The DPDP Rules do not elaborate on the grounds for designation, but do elaborate on some of the additional obligations to which SDFs will be subject, and also lay down further obligations on SDFs.
- Annual Data Protection Impact Assessments (DPIAs): the DPDP provides that SDFs will need to carry out periodic DPIAs. The Rules set the period as annual. Distinct from DPIA requirements in most other jurisdictions, the requirement to conduct DPIAs under the DPDP Rules is not triggered by changes in data processing activities or the risk profile of processing, but is instead to be met on a whole-organisation basis. Unusually, SDFs will also have to submit their annual DPIAs to the DPB.
- Audits: similarly, the DPDP Rules set the period for conducting audits as annual. Audit reports will likewise have to be submitted to the DPB.
- Algorithmic software: SDFs are made accountable for verifying that any algorithmic software they use to process personal data does not pose a risk to the rights of data subjects.
- Potential additional data transfer restrictions: the DPDP Rules lastly provide a basis for the Central Government to restrict SDFs from transferring personal data (and related metadata) out of India. It is unclear whether those restrictions are to be imposed on certain categories of personal data or on specific organisations; potentially, therefore, they could be imposed on both.
The focus on e-commerce, social media and online gaming providers in the data retention provisions possibly provides some indication of the kinds of digital service providers that may be more likely to be designated as an SDF.