Draft Digital Personal Data Protection Rules 2025

What’s in today’s article?

• Why in News?
• Major Provisions of the Draft Rules
• Industry and Expert Reactions
• Penalties and Enforcement
• Conclusion

Why in News?

• The Government of India released the draft Digital Personal Data Protection Rules, 2025, under the Digital Data Protection Act, 2023, outlining provisions for data privacy, compliance, and processing mechanisms.

‹ ›

 Major Provisions of the Draft Rules:

• Parental consent for children’s data:
  • Verification required: Social media and online platforms must obtain verifiable parental consent before children create accounts.
  • Identity validation: Parents’ age and identity must be validated through government-issued identity proof.
  • Exception: Health, mental health establishments, education institutions, and daycare centers are exempt from this requirement.
• Role and responsibilities of data fiduciaries:
  • Definition of data fiduciaries:
    • Entities collecting and processing personal data are categorised as “Data Fiduciaries.”
    • Significant Data Fiduciaries (SDFs) are those processing high volumes or sensitive data, impacting national sovereignty, security, or public order.
  • Data retention: Data can only be retained for the duration of consent and must be deleted afterward.
  • Security measures: Fiduciaries must ensure encryption, access control, and monitoring for unauthorised access.
• Consent management:
  • Consent managers: Entities entrusted to manage consent records must comply with robust verification processes.
  • Grievance redressal: Data fiduciaries must establish mechanisms to address grievances and allow withdrawal of consent.
• Data localisation:
  • Reintroduction: Localisation mandates restrict transferring certain personal and traffic data outside India.
  • Oversight: A government-formed committee will determine the categories of data restricted from cross-border transfer.
• Data breach reporting:
  • Intimation obligations: In case of a breach, fiduciaries must inform affected users and the Data Protection Board promptly, detailing its nature, timing, and mitigation measures.
  • Uniform treatment of breaches: No differentiation between minor and major breaches; all require reporting.
• Safeguards for government data processing:
  • Lawful processing: Government agencies must process citizen data lawfully, with specific safeguards outlined to address concerns over exemptions for national security and public order.

Industry and Expert Reactions:

• Compliance challenges:
  • Complex consent management: Maintaining consent records and ensuring opt-out mechanisms may require redesigning existing platforms and systems.
  • Infrastructure investments: Organisations need to overhaul data collection, storage, and lifecycle practices to comply with the rules.
• Ambiguity in security standards: Experts have raised concerns about the lack of detailed guidance on security practices, potentially leading to varied interpretations.
• Data localisation controversy: Global tech giants like Meta and Google have expressed concerns over the implications of data localisation on service delivery.

Penalties and Enforcement:

• Fines: Non-compliance with safeguards or failure to prevent data breaches can attract penalties of up to Rs 250 crore.
• Consent manager violations: Repeat violations by consent managers may lead to suspension or cancellation of their registration.

Conclusion:

• The draft Digital Personal Data Protection Rules, 2025, aim to strengthen India’s data privacy framework while addressing challenges for businesses and individuals.
• The reintroduction of data localisation and emphasis on consent management mark significant developments, but clarity on implementation and compliance mechanisms remains crucial.

Q.1. What is the Digital Data Protection (DPDP) Act, 2023?

The DPDP Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.

Q.2. What is right to privacy in India?

The right to privacy in India is a fundamental right that protects a person’s ability to make personal choices without unwarranted interference. It is guaranteed by Article 21 of the Constitution of India, which also protects the right to life and personal liberty.

Source: NIE | IE