Introduction To The Digital Personal Data Protection Rules, 2025

Jan 09, 2025.

Authors:

Mr. Sagar Devgan- Partner

Mrs. Shreya Paharia- Principal Associate

Mr. Raghav Khanna- Associate


The Digital Personal Data Protection Rules, 2025, provide the regulatory framework for implementing the Digital Personal Data Protection Act, 2023. Enacted with the aim of safeguarding the privacy of individuals in a rapidly evolving digital landscape, these Rules detail the operational and compliance requirements for the processing of personal data by entities operating within India or offering goods and services to individuals in the country.

The Rules emphasize a digital-first approach: the Data Protection Board is to function as a digital office, and appeals to the Appellate Tribunal are to be filed and heard digitally, with the aim of streamlined governance and accountability. By balancing individual privacy with business needs, the Rules are a critical step toward making India a global leader in data protection while fostering trust in the digital economy.

Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Act, 2023 (the "Act") received the assent of the President on 11th August 2023, and the draft Digital Personal Data Protection Rules, 2025 have been released to define the framework for its implementation. These Rules aim to provide further details on how the provisions of the Act should be applied and adhered to, ensuring the protection of personal data and fostering transparency, security, and accountability in data processing.

Commencement and Short Title:

The Rules, known as the Digital Personal Data Protection Rules, 2025, will come into force on the date of their publication, except for Rules 3 to 15, 21 and 22, which take effect on a later date to be notified. This phased implementation gives Data Fiduciaries time to prepare for full compliance.

Definitions and Notice Requirements:

The draft Rules define the terms used in the Act and establish that the language used must be clear, simple, and understandable. Data Fiduciaries, who are responsible for processing personal data, must provide Data Principals (individuals whose data is being processed) with a clear and standalone notice regarding the personal data being collected, its purpose, and the process for withdrawing consent. This ensures that Data Principals can make informed decisions about their data.

Consent Management:

Consent Managers, entities responsible for managing data processing consents, must be registered with the Data Protection Board and meet specific criteria, including financial capacity and a transparent management structure. These managers must implement measures to help Data Principals easily give, manage, review, and withdraw consent for their data processing. Additionally, the Board has the power to audit Consent Managers' operations to ensure compliance and transparency.

State and Public Data Processing:

The State and its instrumentalities can process personal data to provide public services like subsidies, licenses, and benefits. The processing must follow strict standards outlined in Schedule II of the Rules to ensure data is used only for the specified purposes, remains accurate, and is kept secure.

Security Safeguards and Data Breaches:

Data Fiduciaries are required to implement reasonable security safeguards, such as encryption, masking, access control, logging and monitoring of access, and backups, to protect personal data from breaches. If a breach occurs, they must intimate affected Data Principals without delay, describing the nature, extent and timing of the breach, its likely consequences, the measures taken to mitigate the risk, and the safety measures the individual may take. The Board must also be informed without delay, and within 72 hours of becoming aware of the breach (or such longer period as the Board allows on a written request) the Data Fiduciary must furnish the Board with full details, including the facts and circumstances, the findings on who caused the breach, the remedial measures taken, and the intimations given to affected Data Principals.

Retention and Erasure of Data:

Personal data should be retained only for the period necessary to fulfil the specified purpose. Once that purpose is served, it must be erased, unless retention is required to comply with a law in force. Data Fiduciaries are obligated to inform Data Principals at least 48 hours before the erasure period ends, so that the individual has an opportunity to log in or otherwise contact the Data Fiduciary if she wishes the data to be retained.

Rights of Data Principals:

The Rules ensure that Data Principals can easily exercise their rights to access, correct, or delete their personal data. Data Fiduciaries and Consent Managers must outline the process for exercising these rights clearly on their websites or apps, with specific timelines for responses to grievances.

Exemptions for Research and Statistics:

The Rules provide exemptions from certain provisions for the processing of personal data for research, archiving, or statistical purposes, as long as the processing adheres to specific safeguards in Schedule II. This ensures that such data processing can occur while still maintaining essential privacy protections.

Processing of Children's Data:

Special provisions are laid out for the processing of children's personal data. Verifiable parental consent must be obtained before processing a child's data, and the Data Fiduciary must confirm, through reliable identity and age details or a virtual token mapped to such details, that the person giving consent is an identifiable adult. Certain exemptions apply to entities like healthcare providers and educational institutions, allowing them to process children's data for specific services essential for the child's welfare.

Certain Classes Of Data Fiduciaries Under The Digital Personal Data Protection Rules, 2025:

The Third Schedule of the Rules identifies three classes of Data Fiduciaries based on their operations and user base:

  1. E-commerce Entities: Platforms with at least 2 crore registered users in India.
  2. Online Gaming Intermediaries: Platforms with at least 50 lakh registered users in India.
  3. Social Media Intermediaries: Platforms with at least 2 crore registered users in India.

For all these classes, personal data processed for any purpose other than enabling the Data Principal to access her user account, or any virtual tokens issued by the Data Fiduciary, must be erased once three years have elapsed from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercised her rights, or from the commencement of the Rules, whichever is later.

The definitions for e-commerce, online gaming, and social media intermediaries, as well as the term "user," are provided, aligning with existing legal frameworks like the Consumer Protection Act, 2019, and the Information Technology Act, 2000.

The Fourth Schedule specifies the classes of Data Fiduciaries (Part A) and the purposes (Part B) that are exempt from the requirement of verifiable parental or guardian consent and from the restrictions on tracking, behavioural monitoring and targeted advertising directed at children under Sections 9(1) and 9(3) of the Act.

Part A of the Fourth Schedule: Classes of Data Fiduciaries

  1. Healthcare Providers (e.g., clinics, mental health establishments, professionals): Processing is limited to health services for the child’s protection.
  2. Allied Healthcare Professionals: Data can only be processed to support healthcare treatments or referrals for the child.
  3. Educational Institutions: Processing is for educational purposes or ensuring the safety of children.
  4. Childcare Providers (e.g., crèches, day-care centres): Processing is for tracking and monitoring the safety of children under their care.
  5. Transport Services Engaged by Educational/Childcare Institutions: Processing is limited to tracking children during transit for their safety.

Part B of the Fourth Schedule: Purposes

  1. Legal Obligations for the Child’s Welfare: Processing for functions, duties, or powers under child welfare laws.
  2. Government Benefits/Services: Processing to provide subsidies, benefits, services, or licenses for children under laws or policies.
  3. Email Communication Accounts: Processing data to create email accounts for communication only.
  4. Restricting Harmful Information: Ensuring children do not access content that could harm their well-being.
  5. Verifying Age and Compliance: Processing to confirm that the data subject is not a child and ensure compliance with due diligence rules.

Significant Data Fiduciaries' Obligations:

Significant Data Fiduciaries are subject to additional scrutiny: they must conduct a Data Protection Impact Assessment (DPIA) and an audit once every twelve months and report the significant observations to the Board. They must also verify that the technical measures they adopt, including any algorithmic software used to process personal data, are not likely to pose a risk to the rights of Data Principals, and they must observe the restrictions notified by the Central Government on transferring specified personal data and related traffic data outside India.

Data Processing Outside India:

Data Fiduciaries processing data of individuals in India or offering goods and services to Data Principals in India must comply with restrictions set by the Central Government to ensure that personal data remains protected under Indian law, even if the data is processed outside India.

Data Protection Board and Appeals:

The Data Protection Board will oversee compliance with the Act. Its Chairperson and Members will be appointed by the Central Government on the recommendation of a Search-cum-Selection Committee, and the Board will function as a digital office, receiving complaints and conducting proceedings through digital means. Appeals against the Board's orders lie to the Appellate Tribunal, which is to receive appeals digitally and may regulate its own procedure.

The Sixth Schedule outlines the terms and conditions for the appointment and service of officers and employees of the Board. Here's a summary:

  1. Appointment: Officers and employees may be appointed on deputation from government bodies, statutory entities, or public sector enterprises for a period of up to 5 years. Personnel may also be engaged through the National Institute for Smart Government at market-aligned salaries.
  2. Gratuity: Gratuity benefits are provided under the Payment of Gratuity Act, 1972.
  3. Travel Allowance: Officers and employees are entitled to travel allowances similar to Central Government employees.
  4. Medical Assistance: Medical coverage is provided through a Board-approved group health insurance scheme.
  5. Leave: Leave policies follow the Central Civil Services (Leave) Rules, 1972, including casual leave and earned leave encashment.
  6. Leave Travel Concession (LTC): LTC is granted as per the Central Civil Services (LTC) Rules, 1988.
  7. Other Terms:
  • Conduct rules follow the Central Civil Services (Conduct) Rules, 1964.
  • Disciplinary rules align with the Central Civil Services (Classification, Control and Appeal) Rules, 1965. 
  • Unspecified matters are decided by the Central Government, whose decision is final.

Transparency and Governance:

The Rules emphasize transparency by requiring Data Fiduciaries to prominently publish the business contact information of their Data Protection Officer or of a person able to answer questions about the processing of personal data, and to include the same in every response to a Data Principal's communication. They must also display on their website or app how individuals can exercise their rights under the Act, including the particulars needed to identify the Data Principal and the time period within which grievances will be addressed.

Government's Role in Information Collection:

The Central Government may require Data Fiduciaries and intermediaries to furnish information for the purposes set out in the Seventh Schedule of the Rules, such as the sovereignty and integrity of India, the security of the State, or the performance of functions under the Act. Where the Government states that disclosure of such a request is likely to prejudicially affect the sovereignty and integrity of India or the security of the State, the Data Fiduciary or intermediary must not disclose the request.

Conclusion:

The Digital Personal Data Protection Rules, 2025 mark a significant step in modernizing India’s approach to personal data privacy. The draft emphasizes empowering individuals (Data Principals) by ensuring their data is collected, processed, and stored transparently, with their explicit and informed consent. Provisions such as Consent Managers, clear breach notification protocols, and strict data retention rules aim to address concerns about data misuse and build trust between users and organizations.

At the same time, the Rules recognize the need for businesses, especially those in critical sectors like e-commerce and social media, to innovate while adhering to defined obligations. Measures like the classification of Significant Data Fiduciaries, requirements for impact assessments, and mandatory security safeguards reflect a careful balancing act between individual rights and business needs.

However, challenges remain in the Rules’ implementation. Ensuring the interoperability of Consent Managers, maintaining robust oversight by the Data Protection Board, and achieving compliance across a diverse digital ecosystem will require sustained effort. If executed effectively, this framework can make India a global leader in data protection, fostering both user trust and economic growth.