The Government of India, through the Ministry of Electronic & Information Technology (MeitY), has circulated the much-awaited Digital Personal Data Protection Rules, 2025 (the “Rules”) under the Digital Personal Data Protection Act, 2023 (DPDPA). The Rules were published on January 3, 2025, and are available for the stakeholders’ feedback/comments, which can be submitted on the website of MyGov (https://mygov.in) by February 18, 2025.
Some of the key features of the Rules are as follows:
- Notice by Data Fiduciary to Data Principal
To further detail Section 5 of the DPDPA, the notice has been defined as clear, standalone, understandable, and distinct from any other information shared by the Data Fiduciary. It has to be in simple, plain language with a full and transparent account of the information necessary for giving informed consent to process personal data.
It needs to include, at a minimum, an itemised list of the personal data being collected and a clear description of the purpose for processing, along with an itemised explanation of the goods, services, or uses enabled by such processing. It must provide a communication link to the Data Fiduciary’s website or app and describe methods for the Data Principal to withdraw consent with ease, exercise their rights and complain to the Board.
- Registration and Obligations of Consent Manager
A very important section concerns the Consent Manager, which is defined in Sections 2(e) and 6 of the DPDPA. The Rules set out the registration requirements and obligations of the Consent Manager. As per the Rules, a Consent Manager under the Act must be a company incorporated in India with sound financial and operational capacity and a minimum net worth of two crore rupees. The company must have a reputation for fairness and integrity in its management and a certified interoperable platform enabling Data Principals to manage their consent.
The registration and cancellation of the Consent Manager is prescribed through the Board constituted under the DPDP Act, 2023.
- Reasonable Security Safeguards
The DPDPA in Section 8(5) talks of Reasonable Security Safeguards; the minimum standards for Data Fiduciaries are set out in the draft rules and include: encryption, obfuscation or masking or the use of virtual tokens; access control measures; log monitoring for detection, investigation and remediation; measures to maintain confidentiality, integrity and availability (the CIA triad) in the event of destruction of, or loss of access to, personal data; retention of logs for one year unless compliance with applicable laws requires otherwise; an appropriate contract with the Data Processor requiring it to take reasonable security safeguards; and appropriate technical and organisational measures (TOMs) to ensure effective observance of the security safeguards.
- Intimation of Personal Data Breach
The Data Fiduciary has to promptly notify all affected Data Principals on becoming aware of a personal data breach. This is in line with Section 8 (6) of the DPDPA.
This notification must be clear and straightforward, explaining the breach’s nature, extent and timing, the potential consequences for the affected individuals, any measures taken to mitigate the risks, and safety recommendations for protecting their data; the business contact information of a person responsible for answering inquiries must also be included.
The Data Fiduciary must also inform the Board about the breach without delay, with a description of its nature, extent, timing, location of occurrence and likely impact.
Within 72 hours, or a longer period if permitted, the Data Fiduciary is obligated to provide updated and detailed information, including the events that led to the breach, the actions implemented or proposed for risk mitigation, the identity of the individual responsible (if known), a report on the remedial steps taken to prevent future breaches, and details of the notifications sent to affected Data Principals.
- Time Period for Specified Purpose to be Deemed as No Longer Being Served
“Purpose no longer served” is the phrase used in Section 8(8) of the DPDPA. The draft rule elaborates on it and states that where a Data Principal does not engage with the Data Fiduciary within a specified period, her personal data must be erased unless it is required for legal compliance.
A class of companies (in Schedule III), namely E-commerce, Gaming and Social Media intermediaries, shall erase such personal data if the Data Principal neither approaches the Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
They may retain personal data for up to three years from the last interaction or from the coming into effect of the Rules, whichever is later, except where the data is needed for the Data Principal to access her account or virtual tokens.
One important point is that at least forty-eight hours before the end of the time period for erasure under this rule, the Data Fiduciary shall inform the Data Principal that such personal data will be erased upon completion of that period, unless she logs into the account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
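The retention clock described above is the kind of logic a Data Fiduciary's retention job has to get right. The following is an added illustration, not code from the original post or from any regulator: it computes the erasure deadline as three years from the later of the last interaction and the Rules taking effect, resets the clock on any login, contact or rights request, and flags the forty-eight-hour notice window. The Rules' commencement date is not fixed in the draft, so the date used here is a labelled placeholder, and the event records are constructed sample data.

```python
from datetime import datetime, timedelta

# Placeholder: the draft does not fix a commencement date for the Rules (assumption).
RULES_EFFECTIVE = datetime(2025, 1, 3)
RETENTION_YEARS = 3
NOTICE_WINDOW = timedelta(hours=48)
# Any of these resets the retention clock under the draft rule.
CLOCK_RESETTING_EVENTS = {"login", "contact", "rights_request"}


def add_years(d: datetime, years: int) -> datetime:
    """Add calendar years; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def erasure_deadline(last_interaction: datetime) -> datetime:
    """Three years from the later of the last interaction and the Rules' commencement."""
    return add_years(max(last_interaction, RULES_EFFECTIVE), RETENTION_YEARS)


def retention_action(last_interaction: datetime, now: datetime,
                     needed_for_account_access: bool = False) -> str:
    """Return 'retain', 'notify' or 'erase' for one Data Principal at time `now`.

    The account-access / virtual-token exception keeps the data regardless of the clock;
    otherwise the 48-hour notice precedes erasure at the deadline.
    """
    if needed_for_account_access:
        return "retain"
    deadline = erasure_deadline(last_interaction)
    if now >= deadline:
        return "erase"
    if now >= deadline - NOTICE_WINDOW:
        return "notify"
    return "retain"


def evaluate(events: list[tuple[str, datetime, str]], now: datetime) -> dict[str, str]:
    """Reduce an event log (principal_id, timestamp, kind) to one action per principal."""
    last_seen: dict[str, datetime] = {}
    for principal, ts, kind in events:
        if kind in CLOCK_RESETTING_EVENTS:
            last_seen[principal] = max(ts, last_seen.get(principal, ts))
    return {p: retention_action(ts, now) for p, ts in last_seen.items()}


# Constructed sample log: u1 reset the clock in 2026, u2 has been silent since March 2025.
SAMPLE_EVENTS = [
    ("u1", datetime(2025, 2, 1), "login"),
    ("u2", datetime(2025, 3, 15), "login"),
    ("u1", datetime(2026, 5, 20), "rights_request"),
    ("u2", datetime(2026, 1, 9), "marketing_email"),  # outbound, does not reset the clock
]
```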
- Contact Information
The business contact information of the Data Protection Officer, if applicable, or of a person able to answer on behalf of the Data Fiduciary the Data Principal’s questions about the processing of her personal data, must be prominently published on the website or app.
- Verifiable Consent for Processing of Personal Data of Child or Person with Disability Who Has Lawful Guardian
One of the clauses of Section 9 of the DPDPA most often called into question, because it was unclear, was “Verifiable Consent”; the Rules now detail it. Data Fiduciaries must implement measures to ensure:
- that the person providing consent for a child’s data processing is the child’s parent or legal guardian,
- and that the parent or guardian is identifiable.
For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details. This verification process is critical to ensure that consent is being given by a responsible adult in compliance with relevant laws.
- Exemptions From Certain Obligations Applicable to Processing of Personal Data of Child
In continuance of Section 9(4) of the DPDPA, specific classes of companies – healthcare professionals, educational institutions, and childcare providers (Schedule IV) are exempt from the provisions of sections relating to the processing of personal data of a child for defined purposes. The processing of children’s personal data by these entities is permitted, with restriction of processing activities like health services, educational activities, safety monitoring, and transportation tracking necessary for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope.
- Additional Obligations of Significant Data Fiduciary
In line with Section 10 of the DPDPA, the additional obligations have been detailed: this class of Data Fiduciary must conduct a Data Protection Impact Assessment (DPIA) and an audit once every 12 months, and the party conducting them must report significant observations. They must also carry out due diligence to verify that the algorithmic software they use is not likely to pose a risk to the rights of Data Principals. Further, they must undertake measures to ensure that personal data specified by the Central Government, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow are not transferred outside the territory of India.
- Rights of Data Principals
In further explanation of Chapter III of the DPDPA, the Data Fiduciary or Consent Manager must publish on its website or app the means of making such a request and any particulars required, including identifying details such as usernames, to facilitate identification.
In all cases, the rule states that a request, whether for access, erasure or nomination, must be made by the means published and provided by the Data Fiduciary. The grievance redressal mechanism must be published, and appropriate TOMs must be implemented.
- Processing of Personal Data Outside India
In sync with Section 16(1) of the DPDPA, the transfer of personal data to a foreign country will be subject to the restrictions set by the Central Government.
This has some localisation implications, though its implementation will need to be seen.
- Rules 16-21 cover the Board and its constitution:
- Appointment of Chairperson and other Members (Section 19 of the DPDPA)
- Salary, allowances and other terms and conditions of service of Chairperson and other Members (Section 20 of the DPDPA)
- Procedure for meetings of the Board and authentication of its orders, directions and instruments (Section 23 of the DPDPA)
- Functioning of the Board as a digital office (Section 28 of the DPDPA)
- Terms and conditions of appointment and service of officers and employees of the Board (Section 24 of the DPDPA)
- Appeal to Appellate Tribunal
In sync with Section 29(1) of the DPDPA, a person dissatisfied with an order of the Board may file an appeal to the Appellate Tribunal following the prescribed procedure. The Tribunal will function as a digital office.
- Calling for Information from a Data Fiduciary or Intermediary
The Central Government may require any Data Fiduciary or intermediary to furnish such information as may be called for, for the purposes mentioned in the Seventh Schedule. This is in line with Section 36 of the DPDPA.
Author: Srinjoy Banerjee
First published by: Lexology