This Article examines the Draft Digital Personal Data Protection (DPDP) Rules, 2025, which implement the DPDP Act, 2023, to enhance digital privacy in India. It highlights key features such as informed consent, data erasure rights, digital nominees, and a virtual Data Protection Board for grievance redressal. The framework balances innovation and regulation, easing compliance for startups while imposing stricter obligations on major data fiduciaries. The Article also analyzes provisions on consent, data security, and cross-border transfers. A major concern is the requirement for guardian consent for persons with disabilities (PwDs), which critics argue limits autonomy. Other challenges include unclear compliance thresholds and retroactive consent issues. While the rules strengthen data protection, their effectiveness depends on proper implementation and balancing regulatory oversight with digital growth.
INTRODUCTION
The goal of the proposed Digital Personal Data Protection Rules (hereinafter, the DPDP Rules) is to defend citizens’ rights to personal data protection. In keeping with India’s pledge to provide a strong framework for safeguarding digital personal data, these regulations aim to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act). The proposed Digital Personal Data Protection Rules, 2025 (the ‘Draft DPDP Rules’) were released by the Ministry of Electronics and Information Technology, which is a part of the Government of India, on January 3, 2025. The public was given time until February 18, 2025, to provide feedback and ideas. The Digital Personal Data Protection Act, 2023 (hereinafter, the DPDP Act), which received presidential assent on August 9, 2024, is meant to be supplemented by the Draft DPDP Rules. The regulations, which are straightforward and easy to understand, are intended to empower citizens in the quickly expanding digital economy. In line with the DPDP Act, they aim to uphold the rights of citizens while striking the ideal balance between innovation and regulation, ensuring that everyone may profit from India’s expanding innovation ecosystem and digital economy. They also deal with particular issues including unauthorized commercial data use, digital harms, and breaches of personal data.[1]
General Data Protection Regulation (GDPR) & DPDP ACT
The DPDP Act is a statutory manifestation of the fundamental right to privacy, which was recognized by the Supreme Court in 2017,[2] whereas the GDPR was based on the EU’s Charter of Fundamental Rights and the preceding Data Protection Directive. The Data Protection Board is a new data protection regulatory body created by the DPDP Act. Nonetheless, the Data Protection Board’s purview is centered on resolving complaints and penalizing data breaches. The European (and UK) national supervisory authorities, on the other hand, have a wide range of regulatory responsibilities, including rule-making and other administrative duties. The Indian government, which has expressed a strong preference for simplicity and business friendliness, has complete rule-making authority under the DPDP Act. This will probably result in a more straightforward, principles-based, and less detailed system in India, which could leave more room for interpretation and even uncertainty.
KEY FEATURES OF THE DRAFT RULES
The rules put citizens at the center of the framework for data protection. To enable informed consent, data fiduciaries must make information about the processing of personal data easily understandable and available. The rights of citizens include the ability to designate digital nominees, request data erasure, and access easy-to-use tools for data management. By granting citizens more control over their data, the rules empower them. Trust in digital platforms is increased by provisions for informed consent, the right to erasure, and grievance remedies. Parents and guardians have the authority to make sure their children are secure online.
1) Innovation and regulation in balance: India’s approach finds a special balance between encouraging innovation and enforcing laws to safeguard personal information. These regulations prioritize the well-being of citizens while promoting economic growth, in contrast to more restrictive global frameworks. This is seen by stakeholders as a new worldwide data governance blueprint. The framework anticipates that startups and smaller enterprises will have a lighter compliance burden. To ensure that everyone is involved, from small businesses to huge corporations, these rules give all of them a path to migrate successfully to compliance with the new law.
2) Digital-first strategy: The guidelines adopt the ‘digital by design’ tenet. To guarantee ease of living and ease of doing business, consent procedures, grievance resolution, and the operations of the Data Protection Board are all envisioned as being ‘born digital.’ With a digital platform and app, the Board will operate as a virtual office, allowing residents to contact it online and have their grievances resolved without needing to be there in person. Workflows are optimized to guarantee speed and transparency in everything from handling complaints to communicating with Data Fiduciaries. This fosters trust between citizens and Data Fiduciaries and represents India’s forward-thinking approach to governance.
3) Resolving the concerns of stakeholders: Companies gain from a practical structure. Significant Data Fiduciaries have greater responsibilities, while startups and MSMEs have less of a compliance burden due to graded responsibilities. The fundamental framework for protecting personal data established by the Act and its regulations can be enhanced by sector-specific data protection measures. The digital office strategy of the Data Protection Board would guarantee prompt and open complaint resolution. When enforcing fines for defaults, the Board must take into account many considerations, including the type and severity of the default, the steps taken to reduce its impact, etc. Additionally, at any point during the proceedings, Data Fiduciaries may voluntarily make commitments that, if approved by the Board, would lead to the termination of those proceedings. This strikes a compromise between the necessity to uphold individuals’ rights and giving those handling personal data a just adjudication framework. Effective procedures to achieve compliance are ensured by provisions for Significant Data Fiduciaries’ yearly data protection impact assessments and audits.
4) Fiduciary operational guidelines: Implementing strict procedures, such as sending notices with the information necessary to facilitate the exercise of Data Principal rights, is the responsibility of data fiduciaries. Other duties that Significant Data Fiduciaries must perform include yearly audits, Data Protection Impact Assessments (DPIAs), algorithmic fairness compliance, and cross-border data transfer protocols. These steps reduce the risks involved with handling sensitive data and guarantee an organized approach to data governance.
5) An inclusive strategy: The draft regulations are the result of extensive research into international best practices and feedback from a wide range of stakeholders.
6) Awareness-raising campaigns: The government organizes a thorough awareness campaign because it understands how important citizen participation is. These programs will promote a culture of data responsibility by educating the public about their rights and obligations under the new framework. India shows leadership in creating a fair digital future with these regulations.
ANALYSIS OF THE PROVISIONS OF THE RULES
Notice for processing of data: In accordance with section 5 of the DPDP Act, the person who determines the purpose and method of processing personal data, known as the data fiduciary, must obtain the Data Principal’s consent by sending them a notification before processing their personal data.[3] Such consent must be given freely and must be explicit, unequivocal, and detailed in order to comply with the requirements outlined in section 6 and other DPDP Act provisions.[4] By requiring the Data Fiduciary to make sure the notification requesting consent is submitted to the DP and is clear, regardless of other information provided to the DP, the Draft DPDP Rules aim to further clarify the provisions regulating the necessity to obtain such consent. The notice must offer a ‘fair account of details necessary to enable the Data Principal to give specific and informed consent for the processing of their personal data,’ according to the specifications.[5] The aforementioned provision in the proposed Draft DPDP Rules mandates that the notice must, at the very least, include an in-depth description of the nature and purpose of the data processing, along with a unique and required link that will allow the Data Principal to withdraw their consent, exercise any rights, and file a complaint with the Data Protection Board of India, which was established in accordance with the DPDP Act. This will help to minimize any shortcomings regarding the implementation of section 6 of the DPDP Act.
Protection of Personal Data: Rule 6 of the Draft DPDP Rules requires the Data Fiduciary to implement adequate security measures to guarantee the protection of the personal data in its control, at a time when data breaches are becoming dangerously frequent.[6] Among other recommended efforts, these protections should at the very least involve encryption, access restrictions, and record keeping. The Data Protection Board of India and the affected Data Principal must receive prompt, clear, and unambiguous notification in the event of a breach of personal data, according to Draft Rule 7[7], read with Section 8(6) of the Draft DPDP Rules.[8] The Data Fiduciary is required to notify the Data Protection Board of India of the data breach within 72 hours of its discovery, or within any longer period that may be allowed, even though there is no time restriction for such disclosure with regard to the Data Principal.
One noteworthy aspect of the Draft DPDP Rules is how the erasure of data is emphasized. The DPDP Act only allows for the erasure of personal data after a request from the Data Principal or within a ‘reasonable time,’ but the Draft DPDP Rules stipulate that this erasure must take place within a given time frame. According to Rule 8, the data will be deleted following a 48-hour notice to the Data Principal if the Data Principal fails to contact the Data Fiduciary to fulfill the specified purpose or to exercise their right of erasure within the time frame given in the third schedule of the Draft DPDP Rules.[9] The aforementioned clause in the Draft DPDP Rules emphasizes a crucial component of an individual’s right to privacy, which is the ability to request that their data be taken down from public sources if they so desire.
Personal Data of Minors: According to section 9 of the DPDP Act, the Data Fiduciary must obtain verifiable consent from the parent or guardian of the child in question before processing the child’s personal data. The Data Fiduciary must also make sure that the child’s data isn’t processed for any harmful purpose or in relation to targeted advertising. In order to strengthen these provisions, rule 10 of the Draft DPDP Rules mandates that the Data Fiduciary further confirm that the individual from whom such verifiable consent is obtained is, in fact, identifiable as the child’s parent or guardian. To do this, the required due diligence may entail confirming the identity, age, and other details of the child’s parent or guardian.[10] In light of the Supreme Court of India’s ruling in Justice KS Puttaswamy (Retd) & Anr v. Union of India & Ors,[11] the provision permitting a Data Principal to revoke their consent underscores the significance of personal information and the right to privacy, which that ruling added to the list of fundamental rights of individuals. It is also crucial to remember that the Data Principal may withdraw their consent ‘at any time’ in accordance with section 6(4) of the DPDP Act, and that they must be able to do so easily and in the manner specified at the time of consent.[12]
Extraterritorial transfer of data: When it comes to limiting the extraterritorial transfer of personal data processed domestically or related to an activity involving the offering of goods and services within India, DPDP Rule 14 would be an effective tool.[13] This rule aims to give effect to section 16 of the DPDP Act, which grants the central government the authority to publish a notice limiting a Data Fiduciary’s ability to transfer personal information to countries outside of India.[14] This significant clause is comparable to the pertinent provisions of the General Data Protection Regulation (GDPR) of the European Union, which was enacted in April 2016 and serves as the standard for data protection in the field of international law and privacy.
OTHER PROVISIONS AT A GLANCE
According to Rule 9, the company’s website or application must include the Data Protection Officer’s contact information.[15] Rule 12 outlines the specific conditions that a Significant Data Fiduciary must meet. It declares that an annual audit and data protection impact assessment will be conducted to make sure the DPDP Act’s provisions are being applied correctly.[16] According to Rule 13, the Data Fiduciary must provide the means for a Data Principal to exercise his or her rights on its website or application. Additionally, it outlines a grievance redressal system that the consent manager and the data fiduciary should implement, including timelines for redressal, among other things.[17]
CONCERNS OVER DRAFT DPDP RULES, 2025
Disability rights advocates are attempting to have a crucial section of the Digital Personal Data Protection Act, 2023 changed or removed, arguing that it infantilizes Persons with Disabilities (hereinafter, PwDs), disregards their capacity for decision-making, and stems from a misunderstanding of how guardianship functions for PwDs. Disability rights activists have raised concerns about Section 9(1) of the Act, which mandates guardian consent for processing the personal data of PwDs with lawful guardians.[18] Critics argue this provision undermines the autonomy of PwDs by presuming their incapacity and failing to distinguish between full and limited guardianship. It also overlooks intersectional issues, such as gender and disability, potentially restricting the decision-making rights of PwDs capable of independent consent. Additionally, the draft rules broadly define PwDs requiring guardian consent as those with long-term impairments affecting societal participation or specific conditions like autism and cerebral palsy. This categorization risks unnecessary restrictions on individuals who can make their own decisions. While the DPDP Act aims to protect personal data, these provisions have sparked debate, with activists advocating for revisions to ensure the law respects the autonomy and dignity of PwDs, aligning with principles of inclusivity.[19] Notwithstanding its strong structure, stakeholders face difficulties due to certain ambiguities, and preparing for compliance involves the following steps:
a) Data privacy assessment: Compare the current documentation, working procedures, and data privacy posture to the requirements of the DPDP Act and Rules.
b) Finding and mapping data: Determine the points of contact for personal data and carry out data mapping and discovery tasks.
c) Data flow diagram and RoPA: Record the processing of personal data and how it moves across different systems, applications, processes, and third parties.
d) Management of notice and consent: Create consent forms, privacy notifications, cookie banners, and cookie policies to be used at all points of contact where personal information is gathered.
e) Impact assessment on privacy: Determine the risks associated with data privacy by conducting privacy impact assessments for processing operations and defining the controls that should be put in place to mitigate those risks.
f) Third-party risk management: Make sure technological and organizational security measures are put in place for third parties handling personal data by incorporating them into contracts and implementing sound governance procedures.
g) Technical protections: Determine and put into place the necessary technical protections to guarantee that personal information is protected against data breaches.
h) Setting up a data protection office: Establish a data protection office by choosing the appropriate group to be in charge of maintaining compliance inside the company.
i) Automation and implementation: Put in place the controls necessary to ensure compliance and look for ways to automate compliance management to increase efficiency.
j) Monitoring and maintenance: Establish a regular monitoring program to evaluate compliance at different points in time.
Undefined thresholds for exemptions present operational issues, especially for startups. Furthermore, it is unclear if consent responsibilities apply retroactively, which casts doubt on the legality of earlier consents.[20]
CONCLUSION
One significant step in the nation’s regulation of digital personal data is the Draft DPDP Rules, 2025. It establishes the foundation for a strong and secure digital environment. The entire framework will protect citizens’ rights, safeguard digital personal data, and increase data principals’ trust in the entire digital data ecosystem. Businesses will have to pay more for compliance, impact assessments, and audits, but these expenses are inevitable. “Although there are always costs associated with security, the investment is ultimately rewarded.” The honest application of the Rules by the Data Fiduciaries while upholding the spirit of the law will be essential to the DPDP Act, 2023’s success. Nevertheless, there will be challenges in putting these regulations into effect. Consent managers and data fiduciaries will have to handle the challenges of guaranteeing trustworthy grievance redressal procedures, and companies, especially multinational ones, may find the extensive reporting requirements and data localization requirements onerous.
KEYWORDS: Digital Data, Data Fiduciary, Data Principal, Privacy, Personal Data
[1] Ministry of Electronics & IT, Gov’t of India, Press Release, (2025-26), https://pib.gov.in/PressReleasePage.aspx?PRID=2090271.
[2] Justice K.S. Puttaswamy (Retd.), and Anr. v. Union of India and Ors., [2017] 10 S.C.R. 569.
[3] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 5 (Ind.).
[4] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 6 (Ind.).
[5] The Draft Digital Personal Data Protection Rules, 2025, R. 3(b) (Ind.).
[6] The Draft Digital Personal Data Protection Rules, 2025, R. 6 (Ind.).
[7] The Draft Digital Personal Data Protection Rules, 2025, R. 6 (Ind.).
[8] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 8(6) (Ind.).
[9] The Draft Digital Personal Data Protection Rules, 2025, R. 8 (Ind.).
[10] The Draft Digital Personal Data Protection Rules, 2025, R. 10 (Ind.).
[11] Justice K.S. Puttaswamy (Retd.), and Anr. v. Union of India and Ors., [2017] 10 S.C.R. 569.
[12] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 6(4) (Ind.).
[13] The Draft Digital Personal Data Protection Rules, 2025, R. 14 (Ind.).
[14] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 16 (Ind.).
[15] The Draft Digital Personal Data Protection Rules, 2025, R. 9 (Ind.).
[16] The Draft Digital Personal Data Protection Rules, 2025, R. 12 (Ind.).
[17] The Draft Digital Personal Data Protection Rules, 2025, R. 13 (Ind.).
[18] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, S. 9(1) (Ind.).
[19] Abhinay Lakshman, “Why are PwDs worried about DPDP rules? | Explained”, The Hindu (February 28, 2025), available at: https://www.thehindu.com/news/national/why-are-pwds-worried-about-dpdp-rules-explained/article69266425.ece.
[20] Sujay Maskara et al., “Transforming data privacy: DPDP Rules, 2025”, Ernst & Young (January 28, 2025), available at: https://www.ey.com/en_in/insights/cybersecurity/transforming-data-privacy-digital-personal-data-protection-rules-2025#:~:text=India’s%20DPDP%20Rules%2C%202025%2C%20aim,third%2Dparty%20risks%20need%20addressing.&text=Data%20principles%20gain%20the%20ability.