The Ministry of Electronics and Information Technology (MeitY) has unveiled the draft Digital Personal Data Protection (DPDP) Rules, 2025, under the Digital Personal Data Protection Act, 2023, marking a pivotal step for India’s privacy landscape. The draft rules detail obligations for data fiduciaries, consent manager roles, and handling children’s personal data.
Additionally, the draft rules outline the establishment of the Data Protection Board, including the process for appointing the chairperson and other members, along with their terms and conditions of service, marking a key step in implementing the Digital Personal Data Protection Act to safeguard personal data and ensure accountability. The said draft rules shall be taken into consideration after 18th February, 2025.
- Significant Data Fiduciary definition seems to be missing
- Silent on DPO, need this clarity
Here’s our analysis of the unique and impactful aspects of these draft rules:
Consent Managers: India introduces a framework to streamline consent management, empowering users with standardized tools to review, manage, and withdraw consent.
Localized Data Retention: Mandates data deletion after three years of inactivity, ensuring precise retention timelines.
Algorithmic Accountability: SDFs must conduct annual DPIAs and algorithm audits, addressing AI risks beyond GDPR standards.
Child Data Protections: Requires verifiable parental consent for children’s data, leveraging Digital Locker for authenticity.
Data Localization: Restricts cross-border transfers of critical data, emphasizing sovereignty and economic growth.
Government Accountability: Sets transparency standards for government data use in public services and benefits.
Data Breach Notifications: Mandates 72-hour breach reporting to Data Principals and the Data Protection Board, enhancing clarity and mitigation.
Integrating Consent Managers with Data Fiduciaries while ensuring robust data security is a key concern, especially with breaches occurring every 39 seconds. Effective safeguards are critical to building trust and compliance. Despite initial challenges, the rules position India as a trusted data economy, balancing global standards with local needs.
