All You Wanted to Know About the Draft Digital Personal Data Protection Rules, 2025
On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules (DPDP Rules). The government invited suggestions and objections from stakeholders via the MyGov portal, with a submission deadline of February 18, 2025. An explanatory note accompanied the draft Rules to provide further context.
The draft Rules, consisting of 22 provisions and seven Schedules, aim to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act). These Rules clarify crucial aspects, including consent management, security safeguards and procedures for handling personal data breaches.
The DPDP Act represents a significant shift in India’s approach to data privacy. It builds on years of recommendations and judicial decisions that have shaped personal data protection in the country.
In 2011, the Justice A.P. Shah Committee laid the foundation for this legislative framework by recommending privacy laws to safeguard individual data rights. This effort gained momentum after the Supreme Court’s landmark 2017 ruling in Justice K.S. Puttaswamy (Retd.) versus Union of India, which recognised the right to privacy as a fundamental constitutional right.
In 2017, MeitY formed a committee of experts led by former Supreme Court Justice B.N. Srikrishna to address data protection issues in India and draft a data protection Bill. Following extensive deliberations, the Joint Parliamentary Committee (JPC) adopted a draft report on The Personal Data Protection Bill, 2019, on November 22, 2021.
Despite this progress, the government abruptly withdrew the legislation in October 2022 before the Parliament could consider it. Subsequently, MeitY re-examined the issues surrounding digital personal data protection and drafted the DPDP Bill in 2022.
The DPDP Act attempts to establish a comprehensive legal framework for digital personal data protection in India. It balances the rights of individuals to safeguard their personal data with societal needs and the lawful purposes of data processing. The Act applies to processing digital personal data collected online or offline, provided it is eventually digitised.
The Act imposes specific obligations on data fiduciaries, that is, entities that determine the purpose and means of processing personal data. It requires these entities to obtain explicit consent from individuals (data principals) before processing their data. However, the Act allows for certain exceptions where consent is not required.
Key features of the draft DPDP Rules, 2025
The Draft DPDP Rules, 2025 aim to enhance digital privacy compliance across India. Here is an overview of their key features:
Implementation framework: The draft Rules provide a structured framework to enforce the DPDP Act. They outline the steps organisations must take to comply with the new data protection regulations.
Data fiduciary obligations: The Rules clearly establish the responsibilities of data fiduciaries. Organisations must obtain informed consent from data principals, ensure transparency in data processing and adopt robust security measures.
They are required to provide concise and clear information about the personal data being processed, its intended purpose and the procedure for withdrawing consent.
Establishment of the Data Protection Board (DPB): The draft Rules propose setting up the Data Protection Board, which will function digitally. This board will address grievances and enforce compliance with the DPDP Act. Its primary objective is to hold data fiduciaries accountable and safeguard personal data effectively.
Penalty provisions: The draft Rules introduce strict penalties for data breaches, emphasising the importance of personal data protection. Data fiduciaries who fail to fulfill their obligations may face significant fines, compelling organisations to prioritise data security and compliance.
Exemptions from compliance: The Rules specify several exemptions for data fiduciaries. Certain provisions related to judicial and regulatory functions, enforcement of legal rights and prevention of criminal activities may not require full compliance. Moreover, specific categories of data fiduciaries, such as startups and research organisations, might be exempted from some requirements.
Clinical establishments, healthcare professionals, educational institutions, crèches and childcare facilities are also exempt from restrictions under the DPDP Act in specific cases. For example, these entities may engage in behavioural monitoring or tracking of children to provide healthcare services, support educational activities, or ensure child safety.
Call for information: The draft Rules empower the Union government, through authorised personnel, to request personal data from data fiduciaries or intermediaries. This may occur in scenarios involving India’s sovereignty, integrity and security or to fulfill obligations under Indian law.
However, neither the DPDP Act nor the draft Rules outline specific safeguards, such as review or oversight mechanisms, for these requests. Nevertheless, any government processing of personal data must align with the constitutional safeguards prescribed by the Supreme Court in the landmark privacy ruling in Justice K. S. Puttaswamy and Anr. versus Union of India and Ors.
Consent manager framework: The Rules introduce a detailed framework for consent managers, specifying registration conditions, roles and responsibilities. Only India-incorporated companies that meet certain net worth requirements and possess certified interoperable platforms for managing consent can register as consent managers.
Consent managers must provide accessible and transparent platforms that allow data principals to give, manage, review and withdraw consent. They must ensure data fiduciaries can process personal data directly or through intermediaries onboarded on their platform.
To remain impartial, consent managers must operate as ‘data blind’, avoiding conflicts of interest with data fiduciaries. Their responsibilities include maintaining records of consent activities, offering web or mobile platforms for data principals and implementing audit mechanisms.
Public consultation and feedback mechanism: The Rules encourage active stakeholder participation by allowing public comments for 45 days. Individuals and organisations can submit feedback through the MyGov platform, ensuring diverse perspectives shape the final Rules.
Key principles of data protection
The DPDP Act sets forth clear principles to ensure organisations process personal data lawfully, transparently and securely. These principles closely mirror those of the General Data Protection Regulation (GDPR), reflecting a shared commitment to protecting individual privacy while allowing necessary data processing.
Lawful processing: Organisations must process personal data in compliance with relevant laws. The DPDP Act mandates that data processing occurs only for specific, lawful purposes.
Purpose-specific processing: Personal data can only be processed for legitimate purposes as outlined in the DPDP Act, particularly Sections 7(b) and 17(2)(b). This principle prevents misuse by limiting data processing to the purposes for which individuals have provided consent.
Data minimization: The Act requires organisations to collect and process only the minimum amount of personal data necessary to achieve specific goals. This principle reduces excessive data collection, enhancing security and minimising risks.
Accuracy: Organisations must take steps to ensure that personal data remains accurate and up-to-date. This safeguards individuals from harm caused by inaccuracies and upholds the integrity of data processing activities.
Retention: The DPDP Act mandates that organisations retain personal data only as long as necessary to fulfill the intended purposes or meet legal obligations. By limiting data retention, this principle reduces the risk of breaches or unauthorised access.
Transparency: The DPDP Act emphasises transparency in data processing. Organisations must inform individuals about how their data is processed, their rights and how to exercise them. This builds trust and empowers individuals to make informed decisions about their data.
Accountability: The Act holds organisations accountable for complying with data protection laws and principles. Data fiduciaries and consent managers must maintain records of processing activities, provide grievance redress mechanisms and ensure staff are trained on their data protection duties.
Security safeguards: Organisations must implement reasonable security measures, such as encryption, access controls and monitoring to protect personal data from breaches. These safeguards ensure the confidentiality, integrity and availability of data throughout its lifecycle.
Rights of data principals
The Draft DPDP Rules, 2025, empower individuals, known as data principals, by granting them comprehensive rights over their personal data. These Rules emphasise transparency, control and accountability, enabling individuals to actively manage their data while holding organisations responsible for its proper handling.
Key rights
Right to access and correction: Data principals can access their personal data held by data fiduciaries. They can verify the accuracy of their data and request corrections if they spot any inaccuracies. Data fiduciaries must clearly explain the process for exercising this right through their websites or applications.
Right to erasure: Data principals can request the erasure of their personal data under specific conditions, such as when the data is no longer necessary for its intended purpose or when they withdraw consent. Data fiduciaries must inform data principals about this right and the conditions under which they can exercise it.
Right to grievance redressal: Data principals can raise concerns or complaints regarding how their personal data is handled. The Rules require data fiduciaries to set up a grievance redressal mechanism and provide clear information about the process, including timelines for resolving complaints.
Informed consent and notices: The draft Rules mandate data fiduciaries to issue clear and detailed notices to data principals, explaining what personal data is collected and the purpose behind its collection. This transparency empowers data principals to make informed decisions about their data.
Right to nominate representatives: Data principals can appoint one or more representatives to exercise their rights on their behalf. This provision ensures that individuals, especially those with disabilities or other challenges, can effectively assert their data rights.
Notification of data breaches: Data fiduciaries must notify data principals of any data breaches that might impact their personal data within a specified timeframe. This transparency helps foster trust and enables data principals to take timely steps to protect their interests.
Obligations of data fiduciaries
The Draft DPDP Rules, 2025 establish key responsibilities for data fiduciaries to ensure the lawful, transparent and secure handling of personal data. These obligations aim to enhance accountability and protect the rights of individuals.
Key obligations
Ensure transparency and obtain consent: Data fiduciaries must issue clear and concise notices to data principals, explaining why personal data is collected and how it will be processed. These notices should be written in simple language and include an itemised list of the data being collected, the rights of data principals and the timelines for resolving grievances.
Comply with Union government restrictions: Data fiduciaries must process personal data according to any restrictions set by the Union government, such as prohibiting the transfer of sensitive data outside India. This ensures alignment with national policies and protects sensitive personal data.
Maintain accountability in data processing: Data fiduciaries must ensure their data processing activities, including using algorithmic software for hosting, storing and sharing data, do not violate the rights of data principals. They are fully accountable for these activities, reinforcing the importance of ethical and responsible data practices.
Notify data principals of personal data breaches: Data fiduciaries must immediately inform affected data principals about any personal data breach. They should provide clear details regarding the breach, including its nature, scope, timing and potential impact.
Fiduciaries must also describe the steps to mitigate risks and offer recommendations to protect the data principals’ interests. Additionally, they must share the contact information of a representative who can address any further questions.
Within 72 hours of becoming aware of a breach (or within a longer timeframe as permitted by the board), data fiduciaries must provide further information, such as:
- Facts related to the event, circumstances and reasons behind the breach.
- Risk assessments and mitigating measures taken.
- Findings regarding the person responsible for the breach.
- Remedial actions to prevent recurrence.
- A report on notifications given to affected data principals.
Implement reasonable security safeguards: Data fiduciaries must establish strong security measures to protect personal data, including encryption, access controls and continuous monitoring for unauthorised access.
They must maintain logs to detect and respond to breaches promptly, ensuring that data remains confidential, intact and accessible. Fiduciaries must also ensure that data processors comply with these security measures through contractual agreements, preventing breaches during processing activities.
Age-gating and verifiable parental consent: Data fiduciaries must obtain verifiable consent from a parent (or guardian, if applicable) before processing the personal data of a child (under 18 years old) or an individual with disabilities.
Fiduciaries must ensure the individual providing consent is an identifiable adult, using reliable identity and age verification methods.
Conduct annual data protection impact assessments: Significant data fiduciaries are required to conduct annual data protection impact assessments and comprehensive audits. They must report the results to the Data Protection Board, outlining their compliance with data protection requirements and identifying areas for improvement.
Compliance and enforcement: Key components
Grievance redressal mechanisms: Data fiduciaries and consent managers must establish efficient grievance redressal systems to handle complaints effectively. They are required to publish clear timelines for addressing grievances raised by data principals, fostering accountability and trust.
Monitoring and enforcing compliance: The Data Protection Board will monitor adherence to the DPDP Rules. In cases of non-compliance, the Data Protection Board can direct consent managers and data fiduciaries to implement corrective measures.
Addressing non-compliance with penalties: The draft Rules have drawn criticism for their lack of stringent penalties for non-compliance. Unlike the GDPR in the European Union, which imposes substantial fines, the DPDP Rules include weaker sanctions. Stronger consequences for violations would reinforce accountability and deter negligent practices.
Role of the Data Protection Board: The Data Protection Board will oversee the implementation and enforcement of the Rules. Its responsibilities include balancing the rights of data principals with the obligations of data fiduciaries. To execute its mandate effectively, the Data Protection Board requires sufficient authority and resources to monitor compliance and impose meaningful penalties. This oversight is essential for upholding the accountability principles embedded in the DPDP framework.
Stakeholder reactions
The Draft DPDP Rules, 2025 have drawn mixed reactions from the business community. Many businesses appreciate the framework's pragmatic approach, particularly its tiered system that scales responsibilities based on organisational size.
Startups and ‘micro, small and medium enterprises’ benefit from reduced compliance obligations, enabling them to transition smoothly, while larger organisations face more rigorous requirements to ensure robust data protection standards.
Despite these advantages, concerns persist about the compliance burden the Rules impose. Smaller companies, in particular, find it challenging to meet requirements such as appointing data protection officers and implementing stringent security measures.
These obligations could overwhelm small businesses, stifle innovation, and increase operational costs. Additionally, businesses anticipate complexities in updating privacy policies and introducing new consent mechanisms, further straining resources.
The Rules are also expected to intensify regulatory scrutiny, particularly in sectors such as healthcare and financial services. Non-compliance could lead to funding losses, increased oversight or additional costs from mandatory audits. Investigations into potential violations might disrupt operations and deplete resources.
While the Rules related to establishing the Data Protection Board have been praised, concerns remain about the board’s discretion in imposing penalties.
Comparative analysis
The Draft DPDP Rules, 2025 mark a pivotal step in establishing a robust data protection framework. Drawing parallels with the European Union's GDPR, both frameworks share a focus on compliance, accountability and safeguarding personal data, yet diverge in their approaches to enforcement, data localisation and procedural clarity.
Both the DPDP Rules and GDPR emphasise the importance of accountability for data controllers and processors. GDPR mandates the implementation of technical and organisational measures, requiring documented frameworks to demonstrate adherence to data protection principles.
Similarly, the DPDP Rules compel significant data fiduciaries to process personal data in accordance with government specifications. However, the frameworks differ in addressing non-compliance. While GDPR enforces stringent fines, up to 4 percent of global annual turnover for violations, the DPDP Rules appear less punitive, focusing on reinforcing compliance without imposing substantial penalties for repeated infringements.
Data localisation is another point of divergence. The DPDP Rules mandate that personal data remain within India unless exceptions are specified by the Union government, aligning with global trends emphasising national sovereignty over data.
Conversely, GDPR permits international data transfers but requires specific safeguards, such as adequacy decisions or standard contractual clauses, ensuring data protection beyond EU borders.
On procedural governance, GDPR offers more detailed guidelines for notifying individuals and authorities about data breaches, fostering consistency across EU member States. The DPDP Rules, while addressing compliance requirements, lack uniformity in breach notification processes.
However, the Indian framework's commitment to public consultations before finalisation mirrors the rigorous discussions that shaped GDPR, reflecting an acknowledgment of the complexities in effective implementation.
Anticipated operational challenges
The implementation of the Draft DPDP Rules, 2025 is expected to bring several operational challenges that could hinder their effectiveness if not addressed properly.
One key issue lies in the gaps within the draft Rules, particularly concerning the treatment of data breaches. The absence of thresholds for minor breaches and the lack of uniform guidance on notifications create room for varied interpretations and inconsistent industry practices.
In contrast, frameworks such as the GDPR provide clear protocols, making compliance more straightforward for organisations. Without such clarity, businesses may struggle to meet regulatory expectations uniformly.
Smaller enterprises and startups are likely to bear a disproportionate burden of compliance. With limited resources and infrastructure, these organisations may find implementing systems for consent management and data protection challenging. Many will need to rely on costly external consulting services to align with the Rules. Meanwhile, larger corporations, already accustomed to international data regulations, are better positioned to transition seamlessly, widening the compliance gap between small and large entities.
Balancing the need for innovation with regulatory oversight poses another significant challenge. The government aims to foster an environment conducive to growth while ensuring adequate data protection. However, overly stringent regulations could stifle innovation, particularly in data-driven sectors.
The compliance requirements outlined in the Rules, such as appointing data protection officers and implementing robust security measures, demand substantial investments in new frameworks. For many smaller organisations, these adjustments may prove financially unsustainable, creating an additional layer of complexity in achieving compliance.
Addressing these challenges necessitates a robust public consultation process. By gathering stakeholder feedback, the government can refine the Rules to ensure they are practical and effective. Such engagement will be critical in crafting a regulatory framework that balances the interests of businesses and consumers with the overarching goal of enhanced data protection.
Nota bene
The Draft DPDP Rules, 2025 bring several noteworthy provisions, many of which remain open to interpretation and practical challenges. One of the key aspects is the Data Protection Board, which is expected to be operationalised first, while other provisions may follow in a phased manner.
However, the timeline for implementation remains unclear, and the government has yet to specify whether compliance obligations will be staggered to allow data fiduciaries time to adapt. To ensure smooth execution, it would be prudent for the government to notify distinct dates for implementing substantive provisions and establish guardrails for the board's emergency powers to prevent arbitrariness.
The Rules allow flexibility in how data fiduciaries issue notices to data principals, refraining from mandating a rigid template. This approach provides organisations with the creative freedom to design their notices, provided they meet the specified requirements. Similarly, the standards for reasonable security safeguards strike a balanced tone, offering flexibility to implement measures as long as minimum prescribed thresholds are met. This balance is likely to garner acceptance within the industry.
Cross-border data transfers emerge as a critical area with the government’s powers expanded to impose additional compliance measures. The Rules suggest that such transfers may be allowed, subject to specific conditions, rather than blacklisting foreign States outright. However, ambiguity persists on whether these restrictions apply solely to physical transfers or extend to data shared with foreign-affiliated entities within India. Clarification in this regard would aid in eliminating uncertainty.
The introduction of a consent manager role represents a novel addition, but its practical implementation remains untested. Stakeholders will need to observe how this concept translates into real-world operations. Meanwhile, the absence of a materiality threshold for personal data breach notifications has raised concerns.
Mandating all breaches to be reported, regardless of severity, risks overwhelming both data principals and organisations, potentially desensitising them to critical breaches. The short timelines for breach reporting and the requirement to include detailed information in intimations pose additional compliance challenges.
Exemptions for research, archiving and statistical purposes also lack clarity, leaving stakeholders uncertain about the scope of permissible activities under this provision. While these Rules present opportunities for enhanced data protection, they require further refinement and clarity to address these operational and interpretational challenges effectively.
End note
The Draft Digital Personal Data Protection Rules, 2025 were long-awaited to bring clarity to the obligations under the DPDP Act. While they offer direction on several fronts, they leave some critical issues unresolved, creating uncertainties that could delay smooth implementation and compliance efforts.
One area of concern is the independent presentation and understanding of notices by data principals, the foundation of consent-based processing. This raises doubts about the continued relevance of existing privacy notices and consent flows. Similarly, ambiguities exist in provisions such as the verification of the identity and age of parents or lawful guardians, leaving room for varied interpretations.
Several essential details are yet to be addressed through specific notifications. These include the identification of significant data fiduciaries, restrictions on personal data transfers to certain countries, guidelines for government-maintained databases and additional cross-border data transfer conditions.
These gaps create a potential conflict of laws and raise questions about the State’s authority to demand information without safeguards similar to those in other laws. These uncertainties underscore the need for further clarity once the final Rules are published.
The novel introduction of consent managers requires data fiduciaries to integrate their systems with this platform, ensuring seamless compliance. Businesses will also need to revise their notices to include the additional information mandated by the draft Rules.
Furthermore, significant data fiduciaries engaged in cross-border data sharing may need to restructure their arrangements to accommodate potential data localisation requirements.
Businesses should assess their current data protection practices based on their sector, industry and the type of personal data they handle. This evaluation will help them upgrade their technological infrastructure and refine internal processes to align with the new requirements.
Engaging in the consultation process and advocating for publishing a detailed series of frequently asked questions can help resolve ambiguities, ensuring the final framework balances regulatory objectives with practical implementation.
Harsh Gour is studying law at NALSAR University of Law, Hyderabad.