India’s Draft Digital Personal Data Protection Rules, 2025: Paving the Way for Privacy and Accountability

India’s Draft Digital Personal Data Protection Rules, 2025: Paving the Way for Privacy​​ and Accountability

Shubhangi Singh, Associate¹

The Ministry of Electronics and Information Technology (MeitY) on January 3, 2025, unveiled the Draft Digital Personal Data Protection Rules (“DPDP Rules”), and is currently inviting feedback from stakeholders through the MyGov portal. With a submission deadline of February 18, 2025, the draft rules aim to operationalize the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and establish a robust framework for digital privacy compliance in India.

The DPDP Act is the culmination of years of legal and policy groundwork. ​​ Right to privacy was first time recognized as a fundamental right by the Supreme Court in the landmark 2017 judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India. Following extensive deliberations, MeitY drafted the DPDP Bill in 2022, which eventually became the DPDP Act but it is yet to be notified and requires the promulgation of rules, following which the Central Government will bring it into effect. Now, the Draft DPDP Rules add further clarity and precision to this legal framework.

Highlights of the Draft DPDP Rules

The Draft DPDP Rules addresses​​ key issues such as consent management,​​ rights of data principals, security measures while handling personal data of a child,​​ data security, and procedures for handling data breaches. These rules are designed to balance the rights of individuals (Data Principals) with the responsibilities of entities handling personal data (Data Fiduciaries).

Consent management lies at the heart of the DPDP framework. Data Fiduciaries must provide clear, transparent notices when requesting consent to process personal data. The rules emphasize simplicity and accessibility, ensuring that individuals can easily understand how their data will be used.​​ Additionally, withdrawing consent has been designed to be just as simple, mandating that Data Fiduciaries offer a hassle-free process for Data Principals to revoke their consent.

Security measures are another critical aspect of the draft rules. Data Fiduciaries must implement robust safeguards to prevent data breaches, including encryption, access controls, activity monitoring, and backup systems. Importantly, these obligations extend to Data Processors through enforceable contracts and organizational policies. Should a data breach occur, Data Fiduciaries are required to promptly notify affected individuals and the Data Protection Board, providing detailed reports and actionable steps within 72 hours.

The Draft DPDP Rules empower individuals by granting them greater control over their personal data. Data Principals have the right to access their data, request its erasure, and even withdraw consent if their data is no longer necessary for its intended purpose. Special provisions safeguard the data of children and individuals with disabilities, requiring verifiable parental or guardian consent before processing such data.

In recognition of the unique challenges posed by significant data fiduciaries, the rules introduce additional obligations for these entities. They must conduct annual Data Protection Impact Assessments and audits, submitting key findings to the Data Protection Board. Furthermore, measures are mandated to prevent unauthorized data transfers outside India.

Exemptions are provided in specific cases, allowing flexibility for certain categories of Data Fiduciaries. Additionally, the Union Government retains the authority to request personal data in matters concerning the sovereignty, integrity, and security of India.

Grievance Redressal and Accountability

A well-defined grievance redressal mechanism is central to the Draft DPDP Rules. Data Fiduciaries and consent managers are required to address complaints effectively, publishing clear timelines for resolution. This ensures transparency and builds trust between individuals and data-handling entities.

A Step Forward in Digital Privacy

The​​ draft DPDP Rules, 2025 mark a significant milestone in India’s journey toward a comprehensive data protection regime and bring forward an array of significant provisions designed to safeguard privacy and data protection in India. Nevertheless, the lack of clarity on the implementation timeline raises concerns, the government has yet to outline whether compliance requirements will be rolled out in phases.​​ As stakeholders prepare to share their​​ feedback, the potential for these rules to transform India’s data privacy landscape is undeniable. With the DPDP Act and its accompanying rules, India is poised to set new standards for digital privacy and data protection in the years to come.