January 7, 2025
India’s New Data Protection Regime, One Step Closer: Draft Compliance Rules Issued
-
Draft Digital Personal Data Protection Rules, 2025, issued by the Ministry of Electronics and Information Technology, operationalise various provisions of, and clarify the compliance expected under, the Digital Personal Data Protection Act, 2023.
-
The Digital Personal Data Protection Act, 2023, is India’s first standalone data protection legislation which once brought into force, will govern the processing of personal data in digital form.
-
Stakeholders are invited to submit objections and suggestions on the Draft Rules by February 18, 2025.
EXECUTIVE SUMMARY
The new data law, i.e. the Digital Personal Data Protection Act, 2023 (“DPDPA”), is a standalone data privacy law enacted by the Indian Government in August 2023. Its provisions are yet to be notified for enforcement. The Draft Digital Personal Data Protection Rules, 2025 provide guidance on the implementation of several key provisions of the new data law. The rules are expected to come into effect in the coming months, after the conclusion of the public consultation period.
Applicability of New Data Law: The DPDPA is applicable to processing personal data within the territory of India and outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to individuals (i.e. data principals) within India.
Consent and Notice: Data fiduciaries (akin to data controllers) are required to seek consent from data principals for the collection and processing of their personal data. Along with obtaining consent, a notice (accessible in English or any language specified in the Eighth Schedule to the Indian Constitution) should be provided detailing the specific types of personal data collected, the purposes for processing such personal data, and the rights of the data principal, among other aspects.
Consent Manager: A novel mechanism of consent managers has been introduced; entities meeting certain requirements may be registered with the Data Protection Board of India as “consent managers” that offer data principals a platform to give, manage, review, and withdraw the consent provided to data fiduciaries. The consent manager is responsible for managing the data principals’ consents and for implementing the technical and organisational controls, systems, procedures and safeguards that protect the consents and data in its possession.
Security of Personal Data: Data fiduciaries are free to adopt their chosen security standards and practices for safeguarding personal data collected and processed by them subject to certain bare minimum guardrails. These include ensuring appropriate data security measures, access control measures, maintenance of logs and periodic monitoring, detection of unauthorized access etc.
Children and Persons with Disabilities: In relation to processing of personal data of children and persons with disabilities, there are additional requirements for obtaining verifiable consent from the parent or legal guardian. The mode of seeking verifiable consent is left to the discretion of the data fiduciary.
Cross-Border Transfer: Cross-border transfer of personal data from India is permitted unless (i) the recipient jurisdiction has been notified as a restricted territory by the Indian Government and/or (ii) the specific personal dataset intended to be transferred outside India is prohibited or restricted from being transferred. Separately, the Indian Government may also prescribe additional compliances for undertaking cross-border transfers of personal data to certain jurisdictions.
Data Breach Intimation: Data fiduciaries are required to intimate affected data principals and the Data Protection Board of India of a personal data breach without delay upon becoming aware of it. Additionally, within 72 hours of becoming aware (or a longer timeframe approved by the Board), the data fiduciary should submit an updated, detailed description of the breach to the Board.
DETAILED ANALYSIS
CONTENTS
-
Verifiable consent for processing data of children and persons with disabilities
-
Exemptions From Certain Obligations for Processing of Children’s Personal Data
-
Processing of Personal Data by State (and its instrumentalities)
-
Calling for Information from Data Fiduciary and Intermediary
Introduction
The Digital Personal Data Protection Act, 2023 ("DPDPA"), India’s first standalone personal data protection legislation, was enacted in August 2023. The law aims to strike a balance between the protection of individuals’ right to privacy and personal data, and the lawful processing of such data by data fiduciaries (akin to data controllers)1. The DPDPA prescribes several compliances for data fiduciaries processing personal data and imposes penalties for non-compliance. Our detailed analysis of the DPDPA is available here.
While the DPDPA was enacted in August 2023, it is not yet in force. Detailed rules were awaited for its implementation. The Ministry of Electronics and Information Technology (“MeitY”), the nodal ministry for implementation of the DPDPA, has on January 3, 2025, released the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) for public consultation. Stakeholders are invited to submit objections and suggestions on the Draft Rules by February 18, 2025. MeitY will not publicly disclose comments submitted to it but will release a consolidated summary without attributing comments to any specific stakeholder.2
The MeitY has also issued an explanatory note (“Explanatory Note”) providing an overview of the contents of the Draft Rules in an easy to understand language.3
Ideally, the MeitY should also release FAQs clarifying certain aspects, as we have pointed out in this newsletter.
The Draft Rules aim to provide guidance on compliance, operational aspects, administration as well as enforcement under the DPDPA. The Draft Rules include provisions on notice requirements, registration and functions of consent managers, security compliances, data breach notification procedures, parental consent for children’s data, redressal procedures, and the appointment and working of the Data Protection Board of India (“Board”). In this newsletter, we provide our comments on the provisions prescribed under the Draft Rules.
I. Operationalizing provisions
The Draft Rules specify that the provisions relating to the Board will be operationalised upon the publication of the rules in the official gazette.4 These include provisions on the appointment of Chairperson and other Members of the Board, salary allowances and terms and conditions of service of the Board and other procedural aspects of the functioning of the Board. All other substantive rules will come into force on a date to be specified in the final version of the rules.5
Analysis: It is likely that the provisions related to the Board will come into force first. Other provisions are likely to come into effect at a later date. However, there is no clarity on the implementation time period and whether or not the substantive provisions on compliance may be introduced in a phased manner, giving data fiduciaries windows to comply. The Government should ideally notify separate dates for operationalizing the substantive provisions of the rules, for ease of compliance.
II. Notice to Data Principal
The DPDPA requires data fiduciaries to provide data principals6 with notice prior to, or at the time of obtaining consent for processing their personal data.7
The Draft Rules read with the Explanatory Note specify that the notice must be clear, standalone, and understandable, distinct from any other information shared by the data fiduciary.8 The language of the notice must be clear and plain9 and is required to include, at the minimum: (i) the specific purpose for processing,10 (ii) an itemised description of personal data being processed11 and (iii) an itemised description of goods and services to be provided or uses to be enabled by such processing.12
Analysis: The Draft Rules do not prescribe a rigid template or format for the notice, allowing data fiduciaries flexibility in designing their notices so long as the other requirements are satisfied. However, the notice cannot be clubbed with other documentation such as an End-User License Agreement, General Terms of Service etc. The requirement for the notice to be standalone will prevent data fiduciaries from burying this essential information among unrelated contractual terms.
As per the DPDPA, a data principal can consent to the processing of her personal data for the specified purpose and such consent will be limited to such personal data as is necessary for the specified purpose.13 If the notice exhaustively lists the items of personal data and specific purposes for each item, there may not be a requirement to separately categorize each purpose against each item of data for the purpose of consent.
Notice Requirements for Existing Datasets
In respect of consent for processing personal data obtained before the commencement of the DPDPA, data fiduciaries are required to provide the notice to data principals as soon as it is reasonably practicable.14 The DPDPA also specifically empowers the Indian Government to issue rules on the manner of providing notice in relation to such processing, independently from the manner of providing notice for consent obtained after commencement of the DPDPA.15
Analysis: The Draft Rules do not specifically prescribe the notice requirements for such datasets. Also, the timeline for providing notice for processing of personal data for which consent was provided prior to the DPDPA is still unclear. Ideally, in some cases, public notice or notice on websites or apps could have been held sufficient.
Language Requirements
The DPDPA also requires that the notice be accessible in English, or any language specified in the Eighth Schedule to the Indian Constitution.16 The Draft Rules do not address or alter this requirement.
Analysis: It would be helpful if the FAQs clarified that the notice is only required to be accessible in the languages supported by the platform of the data fiduciary, to prevent unnecessarily onerous translation requirements.
Withdrawal of Consent, Exercise of Rights and Complaint Process
The Draft Rules require the notice to provide a communication link of the platform of the data fiduciary and description of how the data principal may (i) withdraw her consent; (ii) exercise her rights under the DPDPA; and (iii) make a complaint to the Board.17
Analysis: The Draft Rules do not explicitly prescribe the manner of providing for the withdrawal of consent, or exercise of the data principal’s rights (including grievance redressal right), allowing flexibility to data fiduciaries in implementing their own practices as per their operational and business needs.
III. Verifiable consent for processing data of children and persons with disabilities
The Draft Rules require a data fiduciary to adopt appropriate technical and organizational measures to obtain verifiable consent of a parent for processing personal data of a child18. This can be undertaken through: (i) reliable details of identity and age of the parent, already available with the data fiduciary19 or (ii) voluntary provision of such details or (iii) a virtual token mapped to such details, issued by an entity entrusted by law or the Government with the maintenance of such details, or a person appointed or permitted by such entity, including a Digital Locker20 service provider.21 Data fiduciaries are also required to observe due diligence to ensure that a person identifying themselves as the lawful guardian of a person with disability22 has been duly appointed under applicable law.23
Analysis: In cases where details of the age and identity of the parent are already available with the data fiduciary, in order to constitute a “reliable” method of identification, such details may need to resemble documentation similar to a government-issued identification. A simple check-the-box criterion is unlikely to satisfy the requirement of reliable details of identity or age.
Neither the DPDPA nor the Draft Rules require the data fiduciary to investigate the ages of their users to ascertain if they are in fact not children or the relationship between child and purported parent. The DPDPA/Draft Rules appear to rely upon self-identification by a user as a child, or by a parent, for compliances to trigger. However, it does not address a situation where there is no proactive identification by a child. Arguably, if a data fiduciary obtains actual knowledge about the age of a child either through alerts from a parent, other users or through other technical means, data fiduciaries may then take necessary steps for processing personal data of children as per the DPDPA. The Draft Rules do not prescribe a specific manner of obtaining verifiable parental consent and simply refer to reliable details of age or identity, providing flexibility to data fiduciaries in adopting their own standards.
There is also no clarity on the scope of the due diligence obligation under the said rule. For example, the Rights of Persons with Disabilities Act, 2016 (“RPWD Act”)24 empowers district courts or designated authorities notified by the State Government to appoint limited guardians for persons with disabilities. It is unclear if data fiduciaries will be required to collect and/or verify such court orders granting guardianship, or other such directions under the relevant statutes such as the Guardians and Wards Act, 1890, the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, or the Mental Healthcare Act, 2017, in order to fulfil the due diligence obligation.
IV. Exemptions from certain obligations for processing of Children’s personal data
Processing of personal data by certain classes of data fiduciaries, or for certain purposes, is exempt from the verifiable parental consent obligation under Section 9(1) of the DPDPA and from the prohibition on tracking or behavioural monitoring of children or targeted advertising directed at children under Section 9(3) of the DPDPA.25 Part A of the Fourth Schedule sets out the classes of data fiduciaries, and the conditions of processing, which are exempt from the said obligations. Part B of the Fourth Schedule sets out the purposes of processing, and the conditions in relation to such processing, which are exempt from the said obligations.
Analysis: We have analysed some of the exemptions. In relation to Part A, which sets out the classes of exempt data fiduciaries, we have taken the example of educational institutions. The exemption for educational institutions is only in relation to the prohibition on tracking and behavioural monitoring: (i) for the educational activities of such institutions; or (ii) in the interests of safety of children enrolled with such institutions.26 It may not extend to permitting targeted advertisements directed towards such children. Thus, while the exemption is stated to generally apply to Sections 9(1) and 9(3) of the DPDPA, technically the exemption applies only to purposes specified in the Conditions column in Part A of the Fourth Schedule.
In relation to the purposes exempted in Part B of the Fourth Schedule, we have taken the example of processing children’s personal data for the creation of a user account by a data principal for communication by email. Processing personal data for this purpose will only be exempt from the verifiable consent obligation and is unlikely to be exempt from the prohibition on tracking, behavioural monitoring and targeted advertisement.27
Part B of the Fourth Schedule also provides an exemption for processing of personal data, for confirmation by the data fiduciary that the data principal is not a child and observance of due diligence under Rule 10.28 If such processing is restricted to the extent necessary for such confirmation or observance, the data fiduciary is not prohibited from tracking or behavioural monitoring.
Analysis: While the Draft Rules do not obligate data fiduciaries to identify whether a user is a child, this provision appears to exempt data fiduciaries from the prohibition on tracking or behavioural monitoring where those methods are used to ascertain whether a user is in fact a child. This may include, for example, quizzes or logic-based questions, usage patterns, language, preferences or interactions with specific features. Since the exemption is confined to processing necessary for that confirmation, signals collected for age assurance should not be repurposed for profiling or advertising.
V. Reasonable Security Safeguards
The DPDPA requires data fiduciaries to protect personal data in their possession or under their control, including in respect of any processing undertaken by them or on their behalf by a data processor,29 by taking reasonable security safeguards to prevent a personal data breach.30 The Draft Rules reiterate this requirement.31
A breach of the obligation to maintain reasonable security safeguards is subject to a penalty that may extend to INR 250 Crores (approximately USD 29 Million).32
The Draft Rules prescribe minimum security standards. These safeguards, amongst others, include: (i) implementing data security measures including encryption, obfuscation, masking or use of virtual tokens,33 (ii) retention of logs and personal data for one year to detect unauthorized access,34 and (iii) inclusion of “appropriate” contractual provisions in the contract between the data fiduciary and the data processor to adopt reasonable security safeguards.35
Analysis: The language used in the Draft Rules suggest that all of the listed reasonable security safeguards are required to be adopted at a minimum, to demonstrate compliance. Data fiduciaries appear to have flexibility in implementing security standards, as long as they meet the minimum requirements prescribed. Overall, these standards are reasonably balanced and are likely to gain acceptance within the industry.
VI. Processing Personal Data outside India
The Draft Rules specify that any entity processing personal data within India, or outside India in connection with offering goods or services to data principals in India, may transfer personal data to a foreign state or persons/entities under its control, only if it complies with restrictions imposed by the Indian Government on transferring such data.36
Analysis: The cross-border transfer provisions of the DPDPA empower the Indian Government to restrict transfers of personal data to specified countries or territories.37 Under the Draft Rules, the powers of the Indian Government appear to have been expanded to issuing orders that impose additional compliance measures on data fiduciaries undertaking cross-border transfers of personal data to foreign states and to persons/entities under their control. The intent behind this provision could be that cross-border transfer of personal data is permitted subject to compliance with the prescribed conditions (instead of blacklisting certain foreign states). However, it could also empower the Central Government to impose conditions for countries which would otherwise not have been subject to any restrictions.38
It remains unclear whether such restrictions will apply solely when personal data is physically transferred outside India's territory, or if they will also extend to data shared with individuals and entities within India that are affiliated with or controlled by a foreign state (For example, diplomats, sovereign wealth funds, private companies funded by foreign government etc.). Further, it may also lead to potential conflict with foreign laws that require access to such personal data pursuant to their domestic laws (for instance, anti-corruption laws). It may potentially restrict entities in India/doing business in India from transferring the requested personal data to such foreign government body.
VII. Obligations of Significant Data Fiduciaries
The Draft Rules reiterate the obligations on Significant Data Fiduciaries (“SDF”) (i.e. data fiduciaries which will be notified under the DPDPA basis factors such as volume and sensitivity of personal data processed) to undertake annual data protection impact assessment (“DPIA”) and audit.39 There is no further clarity provided regarding the manner of conducting such assessments. The Draft Rules also introduce a new provision requiring SDFs to undertake due diligence to verify that algorithmic software deployed by it (if any) are not likely to pose a risk to the rights of data principals.40
Additionally, the Draft Rules propose new data localization obligations restricting SDFs from transferring certain categories of personal data identified by a “committee” which will be constituted by the Indian Government.41
Analysis: The DPIAs and periodic audits are independent obligations under the DPDPA42; however, the Draft Rules do not distinguish between DPIAs and audits, and they appear to be overlapping. Further, in terms of the due diligence obligations, there is vagueness regarding what is “likely to pose a risk to the rights of data principals”43 and may lead to subjective enforcement. Notably, the DPDPA does not propose the establishment of any committee to impose restrictions on the cross-border data transfers for categories of personal data, particularly for SDFs. It may be noted that the DPDPA itself does not include provisions for regulating non-personal data, such as traffic data.
Furthermore, SDFs who are foreign entities or global group companies may not only be required to localise the notified personal dataset, but also the logs and traffic data which are ancillary to such primary personal data set.
VIII. Consent Manager
Eligibility
The DPDPA contemplates establishment of “consent managers”44 that offer data principals a platform to give, manage, review, and withdraw their consent provided to data fiduciaries. These consent managers are held accountable to the data principals for ensuring proper management of their consent.45
Consent managers are also required to register with the Board46 and the eligibility conditions for such registration have been prescribed in Part A of the First Schedule to the Draft Rules. These conditions include the following:
-
It is a company incorporated under Indian law47 with minimum net worth of INR 2 Crores (approximately USD 240,000).48
-
It has financial, technical and operational capability,49 including adequate volume of business, capital and earning prospects.50
-
Its financial condition and general character of management are sound.51
-
Its directors, senior management and other key personnel are persons of fairness and integrity.52
-
Its governing documents (such as memorandum of association and articles of association) contain sufficient conflict of interest provisions.53
-
Independent certification that (i) the consent manager’s platform is in accordance with standards prescribed by the Board,54 and (ii) appropriate technical and organisational measures to comply with such standards,55 and (iii) adherence to obligations on disclosure of information regarding key personnel, including shareholding information.56
Conflict of Interest and Transparency
Consent managers are required to act in a fiduciary capacity57 and avoid conflicts of interest with data fiduciaries. Such a conflict may arise on account of promoters, key managerial personnel,58 directors,59 and senior management60 (i) holding a directorship, financial interest, employment or beneficial interest with data fiduciaries and/or (ii) a material pecuniary relationship between such persons and data fiduciaries.61 To this end, consent managers are also required to transparently disclose (i) details of their promoters, directors, senior management and key managerial personnel holding more than 2% of the shares in any body corporate and (ii) details of every person that holds more than 2% of the shares in the consent management company.62 Further, a transfer of control in the consent manager is not permitted unless authorised by the Board.63
In addition to this, the consent manager must obtain independent certification confirming that its interoperable platform enables data principals to give, manage, review, and withdraw their consent in compliance with data protection standards and assurance frameworks issued by the Board.64 Independent certification is also required to confirm that appropriate technical and organizational measures have been implemented to ensure adherence to the Board's standards and frameworks, and that the publication of information about the company’s employees and shareholding on its website, application, or both has been done.65
Obligations
Consent managers are obligated to maintain records of: (i) consents, (ii) notices and (iii) data-sharing transactions related to their platform.66 These records must be stored for a period of seven years or longer as may be agreed or as required by law.67 Consent managers shall conduct periodic audits and share records with the Board pertaining to its compliances and technical, and organisational controls, systems, procedures and safeguards.68 Further, the consent manager must not sub-contract or assign its obligations under the DPDPA and the Draft Rules to another person.69 The consent manager is also required to respond and address data principal’s requests and grievances70 (discussed further below in Data Principal Rights).
Failure to adhere to the obligations may result in the suspension or cancellation of registration granted by the Board71 and/or could lead to monetary penalties under the DPDPA.72
Analysis: The broad restrictions with respect to conflict of interest may prohibit data fiduciaries and their group entities from acting as consent managers for datasets processed within the same group. It should be clarified that the conflict of interest is only in relation to data fiduciaries being onboarded by the consent manager.
Further, one of the key takeaways regarding the operational aspects of the consent manager is that both the data principal and the data fiduciary should be onboarded on the consent manager platform in order to enable the data principal to provide and manage their consents.73 It may also be noted that it is not mandatory for data fiduciaries to integrate with consent managers; the data fiduciary may continue to independently manage its data principal’s consents and grievances. Additionally, while the consent manager represents the data principal, the revenue model of the consent manager is still unclear.
Considering that the position of a consent manager is a novel concept under the DPDPA, and its operational functionality is not tested under other data protection laws, one would have to wait and see how the practical nuances and implementation challenges play out.
IX. Data Principal Rights
The DPDPA prescribes data principals’ rights, including the right to access information about their personal data74; correction, completion, updating and erasure75; the right to appoint a nominee76; and grievance redressal77. The Draft Rules further elaborate that data fiduciaries and/or consent managers (where applicable) should publish on their application and/or website: (i) the procedure for data principals to make a request for the exercise of their rights78 and (ii) the details required to identify the data principal (such as a user name or other identifier) as per the terms of service of the data fiduciary/consent manager79. Accordingly, data fiduciaries and consent managers are required to implement technical and organizational measures to respond to data principal requests and grievances.80 Data fiduciaries and consent managers are allowed to establish their own timelines for addressing grievances.81 The data principal may make a request to exercise her rights in accordance with the procedure published by the data fiduciary/consent manager.82
Analysis: From a compliance perspective, the absence of prescriptive and coded grievance redressal/data principal request procedures is beneficial for data fiduciaries. It provides flexibility to entities to adopt procedures suitable to their business model.
Right to Nominate
Under the DPDPA, the data principal may nominate one or more individuals to exercise their rights.83 The Draft Rules clarify that the nomination must be carried out using the methods and providing the details of the nominee in accordance with the terms of service of the data fiduciary and applicable laws.84
Analysis: It is advantageous that there are no defined procedures for appointing a nominee and data fiduciaries have the flexibility to establish their own terms and conditions for such nominations. However, there are currently no specific laws governing the appointment of nominees under the DPDPA. This provision seems intentionally open-ended, allowing the Indian Government to introduce specific requirements in the future.
X. Retention Period for Personal Data
The DPDPA requires erasure of personal data as soon as it is reasonable to assume that the specified purpose is no longer being served.85 The Draft Rules prescribe specific time periods to ascertain the same, in the Third Schedule, for e-commerce entities, online gaming intermediaries and social media intermediaries (that satisfy certain thresholds of users) processing personal data for specific purposes.86 It sets out a three-year time period from the data principal last approaching the data fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is later.87 The time period is generally applicable to all purposes by such classes of data fiduciaries, except for the purposes of accessing the user account or enabling access to a virtual token issued by the data fiduciary used to get money, goods or services.
Data fiduciaries are also required to notify data principals at least 48 hours prior to erasure that her personal data will be erased if she does not log in to her user account, approach the data fiduciary for performance of the specified purpose or exercise her rights.88
Analysis: While the Draft Rules set out explicit time periods to determine when the specified purpose is no longer being served for certain identified data fiduciaries in the Third Schedule, there is no clarity or guidance on the manner of ascertaining when the specified purpose is no longer being served for other data fiduciaries. In the absence of a specific timeline, data fiduciaries will have varying standards to determine erasure of personal data.
Further, there is no clarity on why a timeline has only been prescribed for the said three classes, as opposed to other data fiduciaries, such as those in possession of large volumes of personal data.
Data fiduciaries will also be required to build automated processes that track the activity of each data principal, determine when the 48-hour intimation prior to erasure falls due, send it, and then erase the personal data.
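As an added illustration (not part of the original newsletter or of the Draft Rules), the following Python sketch shows the bookkeeping such an automated process needs: the three-year clock runs from the later of the data principal's last activity and the commencement of the Rules; exempt purposes never expire; the 48-hour notice is issued before the due date; erasure waits for the full notice window even if the notice went out late; and any fresh activity voids a pending notice and restarts the clock. The commencement date, the purpose identifiers and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods taken from the Third Schedule as summarised above.
RETENTION_YEARS = 3
NOTICE_WINDOW = timedelta(hours=48)

# Assumption: the Draft Rules do not yet fix a commencement date; this one is hypothetical.
RULES_COMMENCEMENT = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Purposes carved out of the three-year period (access to the user account, and access to a
# virtual token used to obtain money, goods or services). The identifiers are assumed.
EXEMPT_PURPOSES = {"user_account_access", "virtual_token_access"}


@dataclass
class UserRecord:
    user_id: str
    purpose: str
    last_activity: datetime            # last login, request for the purpose, or exercise of rights
    notified_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def erasure_due(rec: UserRecord) -> Optional[datetime]:
    """Date on which the specified purpose is deemed no longer served, or None if exempt."""
    if rec.purpose in EXEMPT_PURPOSES:
        return None
    start = max(rec.last_activity, RULES_COMMENCEMENT)   # "whichever is later"
    return add_years(start, RETENTION_YEARS)


def next_action(rec: UserRecord, now: datetime) -> str:
    """One of 'exempt', 'erased', 'keep', 'notify', 'erase'."""
    due = erasure_due(rec)
    if due is None:
        return "exempt"
    if rec.erased_at is not None:
        return "erased"
    if rec.notified_at is None:
        # The notice must precede erasure by 48 hours, so it falls due at due - 48h.
        return "notify" if now >= due - NOTICE_WINDOW else "keep"
    # Erase only once both the retention period and the full 48-hour window have run.
    if now >= max(due, rec.notified_at + NOTICE_WINDOW):
        return "erase"
    return "keep"


def record_activity(rec: UserRecord, when: datetime) -> None:
    """A login, purpose request or rights request restarts the clock and voids a pending notice."""
    rec.last_activity = when
    rec.notified_at = None


def sweep(records, now: datetime) -> dict:
    """Apply the due action to each record in place; returns {user_id: action}."""
    actions = {}
    for rec in records:
        action = next_action(rec, now)
        if action == "notify":
            rec.notified_at = now    # real system: send via user account or registered channel
        elif action == "erase":
            rec.erased_at = now      # real system: delete the data and log the erasure
        actions[rec.user_id] = action
    return actions


def demo():
    """Constructed sample records (not real data) run through three sweeps."""
    u = timezone.utc
    records = [
        UserRecord("u1", "order_history", datetime(2022, 1, 1, tzinfo=u)),        # pre-commencement
        UserRecord("u2", "user_account_access", datetime(2022, 1, 1, tzinfo=u)),  # exempt purpose
        UserRecord("u3", "order_history", datetime(2026, 3, 15, tzinfo=u)),       # post-commencement
    ]
    t1 = datetime(2028, 6, 29, 10, tzinfo=u)           # inside u1's 48-hour notice window
    first = sweep(records, t1)
    second = sweep(records, t1 + timedelta(hours=47))  # notice window not yet elapsed
    third = sweep(records, t1 + timedelta(hours=48))   # due date and window both passed
    return first, second, third


def reset_demo():
    """A user who returns after the notice: the notice is voided and the clock restarts."""
    u = timezone.utc
    rec = UserRecord("u4", "order_history", datetime(2022, 1, 1, tzinfo=u))
    before = erasure_due(rec)
    sweep([rec], datetime(2028, 6, 29, 12, tzinfo=u))       # notice goes out
    record_activity(rec, datetime(2028, 6, 30, tzinfo=u))   # user logs in the next day
    return before.isoformat(), rec.notified_at, erasure_due(rec).isoformat()


if __name__ == "__main__":
    for step in demo():
        print(step)
    print(reset_demo())
```

The sweep is idempotent across runs, so it can be scheduled hourly; the erasure step in a real deployment would also cover the logs and traffic data retained under the security safeguards rule once their own one-year period has run.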
XI. Intimation of Personal Data Breach
Under the DPDPA, in the event of a personal data breach,89 the data fiduciary shall notify the Board and each affected data principal in the below manner.90
Analysis: The DPDPA lacks a “materiality threshold” for breach notifications, requiring all breaches, regardless of severity, to be reported. This could overwhelm data principals and organizations, leading to desensitization and reducing responsiveness to critical breaches. While the industry was hoping for some relaxation in this regard, the Draft Rules do not provide any leeway.
Intimation to Data Principals
Upon “becoming aware” of a personal data breach, the data fiduciary must “without delay” notify the affected data principals. The intimation must be made through the data principal’s user account or any registered mode of communication with the data fiduciary.91 The notification to the data principal must include details such as a description of the breach, its potential consequences for the data principal and the safety measures that the data principal may adopt to protect her interests, among other particulars.92
Intimation to the Board
The data fiduciary, upon “becoming aware” of a personal data breach, must notify the Board in two phases:
-
Without delay, a description of the breach, including its nature, extent, timing, and impact must be provided to the Board.93
-
Within 72 hours of awareness, or a longer period if permitted by the Board, the data fiduciary must submit an updated and detailed description of the breach.94
Analysis: The timelines appear very difficult to comply with. Collating and sharing such information within a short timeline, particularly for intimations to affected data principals which require the inclusion of multiple details, may pose significant compliance challenges.
The Draft Rules also do not specify what the intimations must say about measures taken following a personal data breach. It may be clarified what risk-mitigation or safety measures data fiduciaries, and affected data principals, are expected to adopt after a personal data breach.
Existing reporting requirements under the Information Technology Act, 2000, directed to the Indian Computer Emergency Response Team (CERT-In),95 as well as cyber security and reporting obligations under other sectoral laws (such as those governing the banking, insurance and financial sectors), may need to be harmonized with the reporting obligations prescribed under the Draft Rules, so that there is no undue burden on data fiduciaries. To ensure compliance, organizations may implement internal monitoring mechanisms and have dedicated IT personnel in place to detect, escalate and report incidents in alignment with the differing timelines and content requirements of the applicable laws.
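The multi-regulator tracking recommended above reduces to an obligation checklist keyed to the moment of awareness. The following is an added example, not the article’s code or that of any regulator. It assumes an incident record with an awareness timestamp and a list of affected data principals; the required particulars follow the summary on this page rather than the full text of Rule 7, and the six-hour CERT-In window reflects CERT-In’s April 2022 directions, which the page cites only generally, so it is exposed as a parameter to confirm against the directions in force:

```python
"""Breach-notification obligation tracker for the two-phase regime set out above.

Added example; not code from the article, the Draft Rules or any regulator.
It tracks four obligations from the moment the fiduciary became aware of a
breach: the immediate description to the Board, the notice to each affected
data principal through her user account or a registered channel, the detailed
report to the Board within 72 hours (or a Board-extended period) and, in
parallel, the CERT-In report under the IT Act. The six-hour CERT-In window is
taken from CERT-In's April 2022 directions and is an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

BOARD_DETAILED_WINDOW = timedelta(hours=72)  # Rule 7(2)(b): detailed report within 72 hours of awareness
CERT_IN_WINDOW = timedelta(hours=6)          # CERT-In directions (2022); verify before relying on it

# Particulars each notice must carry, as summarised on this page.
PRINCIPAL_FIELDS = ("description", "consequences", "safety_measures")
BOARD_FIELDS = ("nature", "extent", "timing", "impact")


@dataclass
class Notice:
    recipient: str
    channel: str
    sent_at: datetime
    particulars: Dict[str, str]


@dataclass
class BreachIncident:
    incident_id: str
    aware_at: datetime
    affected: List[str]  # ids of affected data principals
    board_initial: Optional[Notice] = None
    board_detailed: Optional[Notice] = None
    cert_in: Optional[Notice] = None
    principal_notices: Dict[str, Notice] = field(default_factory=dict)
    board_extension: Optional[datetime] = None  # longer period, if the Board permits one

    def detailed_deadline(self) -> datetime:
        base = self.aware_at + BOARD_DETAILED_WINDOW
        return max(base, self.board_extension) if self.board_extension else base


def _require(particulars: Dict[str, str], required: Iterable[str]) -> None:
    """Refuse to record a notice that lacks any of the mandatory particulars."""
    missing = [f for f in required if not particulars.get(f)]
    if missing:
        raise ValueError(f"notice is missing required particulars: {missing}")


def notify_board_initial(inc: BreachIncident, when: datetime, particulars: Dict[str, str]) -> None:
    _require(particulars, BOARD_FIELDS)
    inc.board_initial = Notice("Board", "board-portal", when, dict(particulars))


def notify_board_detailed(inc: BreachIncident, when: datetime, particulars: Dict[str, str]) -> None:
    _require(particulars, BOARD_FIELDS)
    inc.board_detailed = Notice("Board", "board-portal", when, dict(particulars))


def notify_cert_in(inc: BreachIncident, when: datetime, particulars: Dict[str, str]) -> None:
    inc.cert_in = Notice("CERT-In", "incident-form", when, dict(particulars))


def notify_principal(inc: BreachIncident, principal_id: str, channel: str,
                     when: datetime, particulars: Dict[str, str]) -> None:
    """Channel should be the principal's user account or a registered mode of communication (Rule 7(1))."""
    if principal_id not in inc.affected:
        raise ValueError(f"{principal_id} is not recorded as affected by {inc.incident_id}")
    _require(particulars, PRINCIPAL_FIELDS)
    inc.principal_notices[principal_id] = Notice(principal_id, channel, when, dict(particulars))


def outstanding(inc: BreachIncident, now: datetime) -> List[str]:
    """Obligations not yet discharged at `now`, marked OVERDUE where a fixed window has lapsed."""
    items = []
    if inc.board_initial is None:
        items.append("board_initial (without delay)")
    if inc.cert_in is None:
        items.append("cert_in" + (" OVERDUE" if now > inc.aware_at + CERT_IN_WINDOW else ""))
    pending = [p for p in inc.affected if p not in inc.principal_notices]
    if pending:
        items.append(f"principal_notices pending for {len(pending)} of {len(inc.affected)}")
    if inc.board_detailed is None:
        items.append("board_detailed" + (" OVERDUE" if now > inc.detailed_deadline() else ""))
    return items


def demo():
    """Constructed scenario: partial compliance reviewed 80 hours after awareness."""
    t0 = datetime(2025, 1, 7, 9, 0, tzinfo=timezone.utc)
    inc = BreachIncident("INC-0001", t0, ["dp-1", "dp-2", "dp-3"])
    notify_board_initial(inc, t0 + timedelta(hours=1), {
        "nature": "credential-stuffing logins to customer portal",
        "extent": "3 accounts accessed", "timing": "02:00 to 03:10 UTC",
        "impact": "contact details and order history viewed"})
    notice = {"description": "unauthorised access to your account",
              "consequences": "targeted phishing using your order history",
              "safety_measures": "reset your password and enable 2FA"}
    notify_principal(inc, "dp-1", "user-account", t0 + timedelta(hours=2), notice)
    notify_principal(inc, "dp-2", "registered-email", t0 + timedelta(hours=2), notice)
    return inc, t0 + timedelta(hours=80)


if __name__ == "__main__":
    incident, later = demo()
    for item in outstanding(incident, later):
        print(item)
```

Two design points carry the compliance logic: the field check runs before a notice is recorded, so an incomplete intimation cannot silently count as discharged, and the 72-hour deadline is computed from `aware_at` with any Board extension applied as a floor, so an extension can never shorten the statutory window.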
XII. Contact Information of Data Protection Officer
The DPDPA requires data fiduciaries to publish the business contact information of the Data Protection Officer or person capable of answering the data principal’s questions about processing of her personal data.96 The Draft Rules require that such information is “prominently published” on the data fiduciaries’ website or app and mention the same in every response to a data principal’s communication regarding exercise of her rights.97
Analysis:
Meaning of ‘Prominently Publish’
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”) define the term “prominently publish” to mean publishing in a clearly visible manner on the homepage of the website or the home screen of the mobile based application, or both, as the case may be, or on a web page or an app screen directly accessible from the home page or home screen.98 Guidance may be taken from such definitions to understand the requirement under the Draft Rules.
Publishing Officer Information
As per the DPDPA, SDFs are required to appoint individuals as Data Protection Officers.99 Other data fiduciaries may instead designate a person, which may include an artificial person, to answer questions on the exercise of rights of data principals. However, there appears to be a trend in which Indian courts are increasingly requiring individual officers’ information to be published by platforms, to enable greater accessibility for users and responsiveness by platforms.
XIII. Exemptions for Research, Archiving and Statistical Purposes
The processing of personal data necessary for research, archiving or statistical purposes is exempt from most provisions of the DPDPA if the personal data is not to be used for making any decision specific to a data principal, and such processing is carried on in accordance with prescribed standards.100 The Draft Rules propose standards for processing personal data under the said exemption: processing in a lawful manner; processing is limited to only necessary personal data; accuracy of data; adoption of reasonable security safeguards to prevent personal data breaches etc.101
Analysis: There is no further clarity regarding what purposes fall within the ambit of “research, archiving or statistical purposes”. Further, it is unclear whether the reasonable security safeguards that data fiduciaries are required to implement under this provision align with the general requirements for reasonable security safeguards prescribed for all personal data under Rule 15 of the Draft Rules.
XIV. Processing of Personal Data by State (and its instrumentalities)
One of the grounds for the State and its instrumentalities to process personal data is “legitimate use”102 (i.e., without issuing notice to the data principal and obtaining consent) for providing or issuing subsidies, benefits, services, certificates, licenses, or permits (“State Services”)103 in two scenarios: (i) when the data principal has previously provided consent for the processing of personal data for any State Service, or (ii) when such personal data is already available with the State in a database notified by the Indian Government. Further, such processing is required to comply with standards provided under the Second Schedule to the Draft Rules.104 Such standards include providing the data principal with (i) an intimation, (ii) contact information of a representative of the data fiduciary to respond to queries, and (iii) access to a communication link to exercise her rights under the DPDPA.105
Analysis: As per the Draft Rules, if a data principal has previously consented to any State Service, the State or its instrumentalities may subsequently process such personal data for any other unrelated State Service. This raises significant concerns about the expansive scope of the Government’s power and potential for overreach. The provision should have been drafted to explicitly require that subsequent processing by the State should be associated or closely linked to the original State Service to which the data principal had provided consent.
Nevertheless, the standards set out in the Second Schedule require that the data principal be intimated of such processing. They also require lawful processing, purpose limitation, data minimisation, accuracy of personal data, reasonable security safeguards, accountability etc., so that some safeguards apply to such processing.
XV. Calling for Information from Data Fiduciary and Intermediary
The DPDPA empowers the Central Government to require data fiduciaries or intermediaries to furnish specific information.106 The Draft Rules notify the government authorities authorised to make such requests and elaborate the purposes for making such requests in the interest of sovereignty, integrity and security of the state:
-
The use of a data principal's personal data by the State or its instrumentalities107 in the interest of India's sovereignty, integrity, or state security.108
-
The use of personal data by the State or its instrumentalities for: performing any function mandated by laws currently in force in India; or disclosing information to fulfil obligations under such laws.109
-
Conducting assessments for designating any data fiduciary or category of data fiduciaries as SDFs.110
At the time of making the information request, the requesting State/its instrumentality should specify the time period within which the requested information should be provided. The Draft Rules prohibit disclosures by the data fiduciary that could endanger the sovereignty, integrity, or security of the state, unless written permission is provided by the authorised person.
Analysis: This prohibition could extend to preventing disclosures of the information request itself and information shared pursuant to the same, by the data fiduciaries to other entities, including its group companies.
XVI. Data Protection Board
Lastly, the Draft Rules prescribe the constitution and functions of the Board. The Central Government will form the Board with a chairperson and other members.111 The Draft Rules do not specify any qualification and candidature requirements for the appointments.
The functions of the Board include dealing with intimations of personal data breaches and complaints from data principals, and enforcing compliance with obligations under the DPDPA.112 In cases of non-compliance, the Board is authorised to issue directives, suspend operations, or revoke registrations (of consent managers).113 Persons aggrieved by the Board’s decisions will be able to file appeals before the appellate tribunal (i.e. the Telecom Disputes Settlement and Appellate Tribunal).114 The Draft Rules prescribe guidance regarding payment of fees for filing an appeal.115 In emergencies which warrant immediate action by the Board and where it is not feasible to call a meeting of the Board, the chairperson may take the necessary action (recording in writing the reasons why immediate action is necessary), which shall be communicated within seven days to all members and subsequently ratified by the Board at its next meeting.116
The Draft Rules reiterate that the Board shall function as a digital office and hence, may adopt techno-legal measures to conduct its proceedings.117
Analysis: The Draft Rules do not get into specific details regarding the conduct of business of the Board leaving room for further standard operating procedures to be adopted by the Board for its functions. However, to avoid arbitrariness, certain guardrails must be included for the exercise of emergency powers by the Chairperson of the Board.
Conclusion
The industry should actively provide feedback on the Draft Rules and seek publication of FAQs on issues in the DPDPA that remain unclear. Given that general direction is now available, businesses should evaluate their existing data protection practices, based on the industry, sector and nature of personal data in their possession. Accordingly, businesses will need to update their technological infrastructure, internal processes and documentation to include these requirements. Given that the Draft Rules introduce the novel concept of a consent manager, data fiduciaries will need to consider onboarding onto consent manager platforms and integrating their data protection processes with such platforms. They will also need to revisit their notices to include the information required by the Draft Rules. SDFs that share personal data with entities situated abroad may be affected by the potential data localization requirements enabled by the Draft Rules, which may require changes to data-sharing arrangements within corporate groups. The Draft Rules have largely avoided prescriptive standards, giving data fiduciaries considerable flexibility in achieving compliance. Some aspects are yet to be prescribed through specific notifications, such as the notification of SDFs, the countries or territories to which personal data may not be transferred, the databases of personal data maintained by the Indian government for processing personal data for State Services, and the categories of personal data that may be subject to additional cross-border transfer restrictions. These matters are expected to be clarified upon notification of the final rules.
You can direct your queries or comments to dataprotection.nda@nishithdesai.com.
1As per Section 2(i) of the DPDPA, “data fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
2Notice on Feedback/Comments on the Draft Rules, available here.
3Explanatory Note to the Draft Rules, available here.
4Rule 1(2), Draft Rules.
5Rule 1(3), Draft Rules.
6As per Section 2(j) of the DPDPA, “data principal” means the individual to whom the personal data relates and where such individual is: (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
7Section 5, DPDPA.
8Rule 3(a), Draft Rules.
9Rule 3(b), Draft Rules.
10Rule 3(b)(ii), Draft Rules.
11Rule 3(b)(i), Draft Rules.
12Rule 3(b)(ii), Draft Rules.
13Section 6(1), DPDPA.
14Section 5(2)(a), DPDPA.
15Section 40(2)(b), DPDPA.
16Section 5(3), DPDPA.
17Rule 3(c), Draft Rules.
18As per Section 2(f), DPDPA, “child” means an individual who has not completed the age of eighteen years.
19Rule 10(1)(a), Draft Rules.
20Digital Locker is a state-owned cloud service which enables individuals to upload and verify state-issued certificates and ID documents.
21Rule 10(1)(b), Draft Rules.
22Rule 10(3)(f), Draft Rules. As per Rule 10(3)(f) of the Draft Rules, “person with disability” shall mean and include—(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and (ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability.
23Rule 10(2), Draft Rules.
24Section 16, RPWD Act.
25Section 9(4) DPDPA read with Rule 11, Draft Rules.
26Part A, Row 3, Fourth Schedule, Draft Rules.
27Part B, Row 3, Fourth Schedule, Draft Rules.
28Part B, Row 5, Fourth Schedule, Draft Rules.
29As per Section 2(k) of the DPDPA, “data processor” means any person who processes personal data on behalf of a data fiduciary. Please note that there are no specific compliance requirements for data processors prescribed under the DPDPA and Draft Rules.
30Section 8(5), DPDPA.
31Rule 6(1), Draft Rules.
32Serial No. 1, The Schedule, DPDPA.
33Rule 6(1)(a), Draft Rules.
34Rule 6(1)(e), Draft Rules.
35Rule 6(1)(f), Draft Rules.
36Rule 14, Draft Rules.
37Section 16(1), DPDPA.
38Under Section 16 of DPDPA, the Central Government is authorised to notify specific countries or territories to which transfers of personal data may be restricted.
39Rule 12(2), Draft Rules.
40Rule 12(3), Draft Rules.
41Rule 12(4), Draft Rules.
42Section 10(2)(c), DPDPA.
43Rule 12(3) of the Draft Rules prescribes an obligation on SDF to observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of data principals.
44As per Section 2(g) of the DPDPA, “consent manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform
45Sections 6(7), 6(8) and 6(9), DPDPA.
46Part A, First Schedule read with Rule 4, Draft Rules.
47Paragraph 1, Part A, First Schedule, Draft Rules.
48Paragraph 4, Part A, First Schedule, Draft Rules.
49Paragraph 2, Part A, First Schedule, Draft Rules.
50Paragraph 5, Part A, First Schedule, Draft Rules.
51Paragraph 3, Part A, First Schedule, Draft Rules.
52Paragraph 6, Part A, First Schedule, Draft Rules.
53Paragraph 7, Part A, First Schedule, Draft Rules.
54Paragraph 9(a), Part A, First Schedule, Draft Rules.
55Paragraph 9(b), Part A, First Schedule, Draft Rules.
56Paragraph 9(b), Part A, First Schedule, Draft Rules.
57Paragraph 8, Part B, First Schedule, Draft Rules.
58Paragraph 8, Part B, First Schedule, Draft Rules.
59Paragraph 9, Part B, First Schedule, Draft Rules.
60Paragraph 9, Part B, First Schedule, Draft Rules.
61Paragraph 9, Part B, First Schedule, Draft Rules.
62Paragraph 11, Part B, First Schedule, Draft Rules.
63Paragraph 13, Part B, First Schedule, Draft Rules.
64Paragraph 9(a), Part A, First Schedule, Draft Rules.
65Paragraph 9(b), Part A, First Schedule, Draft Rules.
66Paragraph 3, Part B, First Schedule, Draft Rules.
67Paragraph 4(c), Part B, First Schedule, Draft Rules.
68Paragraph 12, Part A, First Schedule, Draft Rules.
69Paragraph 6, Part B, First Schedule, Draft Rules.
70Rule 13(3), Draft Rules.
71Rule 4(5), Draft Rules.
72Section 27(c), DPDPA. Under the DPDPA, penalties for different types of breaches range from INR 50 crore (approximately USD 6 million) to INR 250 crore (approximately USD 30 million).
73Illustrations, First Schedule.
74Section 11, DPDPA.
75Section 12(1), DPDPA.
76Section 14(1), DPDPA.
77Section 13(1), DPDPA.
78Rule 13(1)(a), Draft Rules.
79Rule 13(1)(b), Draft Rules.
80Rule 13(3), Draft Rules.
81Rule 13(3), Draft Rules.
82Rule 13(2), Draft Rules.
83Section 14(1), DPDPA.
84Rule 13(4), Draft Rules.
85Section 8(7)(a), DPDPA.
86Rule 8(1), Draft Rules.
87Third Schedule, Draft Rules.
88Rule 8(2), Draft Rules.
89As per Section 2(u) of the DPDPA, “personal data breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
90Section 8(6), DPDPA.
91Rule 7(1), Draft Rules. As per Rule 7(3), Draft Rules, the term “user account” means an online account that may be registered by the data principal with the data fiduciary, such as a profile, page, handle, email address, mobile number or other similar presence through which the data principal can access the services offered by the data fiduciary.
92Rule 7(1), Draft Rules.
93Rule 7(2)(a), Draft Rules.
94Rule 7(2)(b), Draft Rules.
95Section 70-B, Information Technology Act, 2000; Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
96Section 8(9), DPDPA.
97Rule 9, Draft Rules.
98Rule 3(2), IT Rules.
99Section 2(l), DPDPA.
100Section 17(2)(b), DPDPA.
101Rule 15, Draft Rules.
102Section 7(b), DPDPA.
103Rule 5(1), Draft Rules.
104Second Schedule, Draft Rules.
105Paragraph (g), Second Schedule, Draft Rules.
106Section 36, DPDPA.
107Specifically, such requests may be made by officers and instrumentalities which are notified under Section 17(2) of the DPDPA.
108S. No. 1, Seventh Schedule, Draft Rules.
109S. No. 2, Seventh Schedule, Draft Rules.
110S. No. 3, Seventh Schedule, Draft Rules.
111Rule 16, Draft Rules.
112Section 27(1), DPDPA.
113Section 27(3), DPDPA read with Rule 4(5), Draft Rules.
114Rule 21(1), Draft Rules.
115Rule 21(2), Draft Rules.
116Rule 18(6), Draft Rules.
117Rule 19, Draft Rules.