In the last two columns, I had talked about the importance of personal data, privacy, leakage and penalties, and last week about the India’s Digital Personal Data Protection Act (DPDPA), 2023. This week, I am going to talk about the draft Digital Personal Data Protection Rules (DPDPR), 2025, released by the Government of India on January 3rd. In simple terms, an Act is basically a bill proposed by the Parliament and becomes a law from the day it gets the assent of the President and is published in the official Gazette. Act tells what the law is, and the Rules & Regulations and Directions talks about how to implement that law. These are draft rules, and the Ministry of Electronics and Information Technology (MeitY) has given the opportunity to the public to give their views and suggestions on it till February 18.
The DPDPR, set up by the Government of India, provides a legal framework for the collection, processing and management of personal data. These rules are a major step in implementing the DPDPA in India. The DPDP rules outline clear guidelines that organizations must follow to protect personal data and ensure privacy of individuals. They empower citizens to have greater control over their personal data and require organizations to be more transparent, accountable and responsible in their data processing, collection and management.
Highlights of the Draft Data Protection Rules (DPDPR), 2025 :-
- Data fiduciary obligations : Organizations must obtain informed consent from the data principal (owner of the data), ensure transparency in data processing and implement strong security measures. They must provide concise and clear information about the personal data being processed, the purpose and the procedure for withdrawing consent.
- Establishment of Data Protection Board (DPB) : The draft rules propose to set up a Data Protection Board, which will function digitally. This board will address grievances and enforce compliance with the DPDP Act. Its primary objective is to hold data fiduciaries accountable and effectively protect personal data.
- Exemptions from compliance : Judicial and regulatory functions, enforcement of legal rights and prevention of criminal activities do not require full compliance. Similarly startups, research institutions, clinical institutions, healthcare professionals, educational institutions, crèches and childcare facilities are exempted from certain restrictions under the DPDP Act in specific circumstances.
- Request for information : The draft rules empower the central government, through its authorised personnel, to request personal data from data fiduciaries or intermediaries in situations involving the sovereignty, integrity and security of India or to fulfil obligations under Indian law.
- Consent management : Data principals can easily provide, review and withdraw consent at any time. Consent managers are required to maintain transparent records of all consent activities and implement strong security measures to protect this information.
- Data breach notifications : In the event of a data breach, data fiduciaries will be required to notify affected data principals and the Data Protection Board, providing details of the nature, scope and impact of the breach, as well as the steps taken to mitigate the risks.
- Rights of Children and Persons with Disabilities: Any Data Fiduciary dealing with personal data of minors or persons with disabilities would require verifiable consent from their parents or guardians.
- Localization of Data: The Rules propose various restrictions on transfer of personal data and information outside of India, introducing requirements of approval by the Central Government for such transfer.
- Data Retention Policy : Data Fiduciaries are required to erase data, which is older than 03 years, if the individual has not interacted with them.
- Penalty provisions : The draft regulations introduce tough penalties for data breaches, underlining the importance of personal data protection. Organisations that fail to protect personal data or breach the rules could face fines and legal action for reputational damage.