India gears up for enhanced data protection framework with draft Digital Personal Data Protection Rules, 2025

Last updated on 14 January 2025 | reading time approx. 4 minutes


Since the long-awaited Digital Personal Data Protection Act, 2023 (the “DPDP Act”) received presidential assent on 11 August 2023, corporate India has been actively preparing to implement the new data protection framework. Although the DPDP Act was enacted over a year ago, its provisions have not been brought into force because the operational rules had not yet been framed. In a significant development, the Ministry of Electronics and Information Technology (MeitY), Government of India, released the draft Digital Personal Data Protection Rules, 2025 on 3 January 2025 (the “Draft Rules”). The Draft Rules are open for public consultation until 18 February 2025, marking another milestone in India’s journey toward robust data privacy governance.


Privacy Notice

The Draft Rules clarify that the privacy notice given by a data controller to the data subject at the time personal data is obtained must contain an itemised breakdown of the personal data collected, together with the purpose for which each item is collected, essentially to avoid any function creep. Further, such a notice must be given standalone and not clubbed with the details or policies of other services offered by the data controller, so that the notice is concise, transparent and easily understandable. The Draft Rules also require data controllers to provide a link in the privacy notice through which data subjects can withdraw their consent hassle-free at any time. Given these specific requirements, foreign entities operating in India must review their centralised consent management platforms at group level to incorporate consent forms and privacy notices aligned with Indian regulations.

Deemed Withdrawal of Consent

The Draft Rules require e-commerce, social media and online gaming platforms to delete their users’ personal data after three years of inactivity, if they have over 20 million users (e-commerce/social media) or 0.5 million users (online gaming). Before doing so, the data controller will be required to notify the data subject at least 48 hours before erasing their data. The time period for other entities, especially medium and small enterprises or B2B entities, is yet to be clarified. It is pertinent for foreign subsidiaries in India to ensure that their centralised data repository platforms and third-party data processors have systems in place for such automatic deletion of the data of Indian data subjects.
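As an added illustration (not code from the article or from MeitY), the inactivity-based erasure workflow described above can be modelled as a small decision function: the user thresholds, the three-year period and the 48-hour notice come from the text, while counting three years as 3×365 days, treating "over" as strictly greater, and the record layout are assumptions made here. The function also handles the case the text implies but does not spell out: a notice sent late pushes erasure back until 48 hours have elapsed, and any fresh activity resets the clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Figures as described in the Draft Rules summary above. Counting "three
# years" as 3 * 365 days is an assumption made for this example.
USER_THRESHOLDS = {
    "e-commerce": 20_000_000,
    "social media": 20_000_000,
    "online gaming": 500_000,
}
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_LEAD = timedelta(hours=48)


def rule_applies(platform_type: str, user_count: int) -> bool:
    """True when the platform class and size fall under the deemed-withdrawal rule.
    'Over N users' is read here as strictly greater than N (assumption)."""
    threshold = USER_THRESHOLDS.get(platform_type)
    return threshold is not None and user_count > threshold


@dataclass
class UserRecord:
    last_activity: datetime                 # last interaction with the platform (UTC)
    notified_at: Optional[datetime] = None  # when the pre-erasure notice was sent, if ever


def erasure_action(rec: UserRecord, now: datetime) -> str:
    """Decide the next step for one record: 'keep', 'notify', 'wait' or 'erase'.

    last_activity is the only clock, so any new activity moves the deadline
    and the record drops back to 'keep'. Erasure needs both the three-year
    deadline to have passed and a full 48 hours since the notice was sent,
    so a notice sent late delays erasure rather than skipping the lead time.
    """
    deadline = rec.last_activity + INACTIVITY_PERIOD
    if now < deadline - NOTICE_LEAD:
        return "keep"                   # still inside the inactivity window
    if rec.notified_at is None:
        return "notify"                 # 48 h lead starts once the notice goes out
    if now < deadline or now - rec.notified_at < NOTICE_LEAD:
        return "wait"                   # notice sent, lead time not yet elapsed
    return "erase"


def sweep(records: list[UserRecord], now: datetime) -> dict[str, int]:
    """Count the actions a scheduled job would take over a batch of records."""
    counts = {"keep": 0, "notify": 0, "wait": 0, "erase": 0}
    for rec in records:
        counts[erasure_action(rec, now)] += 1
    return counts
```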

Reasonable Security Safeguards

Unlike the previous data privacy regime, which recognised IS/ISO/IEC 27001 as a standard for reasonable security practices, the Draft Rules do not prescribe any specific code of best practices. As a result, foreign entities operating in India, particularly European companies adhering to the EU’s General Data Protection Regulation (GDPR) standards and implementing the relevant codes of conduct and certification regimes, would be considered to have reasonable security safeguards under the DPDP Act.

Publication of Data Protection Officer’s Contact Information

The Draft Rules prioritise easier access to a data controller’s grievance redressal officer, ensuring effective resolution of data subjects’ concerns regarding their personal data. The Draft Rules mandate the data controller to publish the officer’s contact details on its website as well as in all communications with data subjects regarding their personal data. The Draft Rules do not require the grievance redressal officer to be an employee of the data controller. In the case of a multinational group with more than one subsidiary in India, the data protection officer at group level could serve this role for all Indian subsidiaries, provided they are familiar with Indian data privacy laws and capable of addressing data subjects’ queries effectively.

Rights of Data Subjects

The Draft Rules require the data controller to publish on its website the simplified steps by which a data subject can exercise their rights under the DPDP Act. Acknowledging individuals’ right to time-bound redressal of their grievances, the Central Government has cast an obligation on data controllers to specify, in their grievance redressal system, clear timelines for responding to data subjects’ grievances.

Cross-Border Data Transfer

While the Draft Rules do not impose a blanket restriction on cross-border data transfers, they grant the Central Government wide powers to enforce reasonable limitations on transfers to specific countries or to entities controlled by such nations. These restrictions could pose challenges for businesses, especially social media and e-commerce entities that rely on multiple data processors for operating online platforms or cloud infrastructure. Data controllers will need to ensure that none of their data processors are located in restricted jurisdictions. Furthermore, the government is authorised to determine the categories of data which cannot be stored anywhere outside India. This could raise concerns over operational complexity. However, similar restrictions already exist in the financial services sector, where payment aggregators are required to store payment-related data on servers within India. Given the government’s balanced approach in the financial sector, it is likely that ease of doing business will remain a guiding principle when implementing any such restrictions.

Significant Data Controller’s Obligations

The government has not yet determined the criteria for designating an entity as a significant data controller. However, the Third Schedule of the Draft Rules suggests that this classification will be based on the nature of the business activities undertaken and the volume of personal data an entity handles. The Draft Rules cast an obligation on significant data controllers to undertake a data protection impact assessment and an audit annually. This provision is akin to Article 35 of the GDPR, with the key difference that the Draft Rules require such assessments to be undertaken annually, irrespective of whether an organisation is undertaking a new project involving high risks to individuals’ rights, as is the case under the GDPR.

Intimation of Data Breach

In the event of a data breach, the Draft Rules require the data controller to notify the data subject in a clear and straightforward manner about the incident and about the precautionary measures the data subject could adopt to minimise its impact. Adopting a similar approach to the GDPR, the Draft Rules require the data controller to inform the data protection authority (yet to be constituted) within 72 hours of becoming aware of the incident, followed by a detailed report covering the effect of the incident and the remedial action taken.