The following article, authored by Adv. Neelanshu Srivastava, delves into the Draft Digital Personal Data Protection Act (DPDPA) Rules, 2025, a landmark regulatory initiative shaping the future of data privacy in India.
Introduction
The Digital Personal Data Protection Act (DPDPA) Rules, 2025, represent a pivotal regulatory framework aimed at safeguarding personal data in an increasingly digitized world. Enacted under the Digital Personal Data Protection Act, 2023, the Rules articulate the obligations of data fiduciaries, rights of data principals, and the mechanisms for ensuring compliance. The regulatory architecture reflects India’s commitment to upholding privacy as a fundamental right, aligning with global data protection practices while catering to unique domestic requirements. This article delves into the salient features, potential drawbacks, and suggestions for enhancing the efficacy of these Rules.
Salient Features of the Draft DPDPA Rules, 2025
The DPDPA Rules, 2025, encapsulate several significant provisions to bolster data protection:
- Data Fiduciary Obligations: Data fiduciaries are mandated to issue clear and accessible notices to data principals regarding the processing of personal data. Such notices must include the purpose of data collection, categories of data processed, and mechanisms for consent withdrawal, ensuring transparency and informed consent.
- Consent Management Framework: Recognizing the criticality of consent, the Rules introduce stringent requirements for obtaining, managing, and withdrawing consent. Consent managers must register as per prescribed conditions and ensure that their platforms facilitate seamless consent handling in compliance with notified data protection standards.
- Children and Persons with Disabilities: The Rules provide enhanced safeguards for the personal data of children and individuals with disabilities. Verified parental consent is required for processing children’s data, and mechanisms must ensure that persons with disabilities can exercise their data rights effectively.
- Data Breach Notification: In the event of a personal data breach, data fiduciaries are obligated to notify both affected data principals and the Data Protection Board within stipulated timelines. The notification must detail the nature, scope, and mitigating measures adopted, fostering accountability.
- Cross-border Data Transfers: The Rules impose conditions on transferring personal data outside India. Such transfers are contingent on compliance with government-specified safeguards, ensuring that cross-border data flows do not compromise national security or individual privacy.
- Grievance Redressal Mechanisms: Data fiduciaries are required to establish robust grievance redressal systems, prominently publishing contact details of data protection officers or designated representatives to address data principal queries.
- Penalties and Accountability: Non-compliance with the Rules attracts significant penalties, emphasizing the government’s resolve to enforce strict adherence.
Lacunae in the Draft Digital Personal Data Protection Rules, 2025
- Lack of Clarity on Consent Withdrawal: Fiduciaries are required to provide mechanisms for consent withdrawal. No specific technical standards are prescribed, leading to inconsistent implementation and confusion for data principals.
- Ambiguity in Data Breach Handling: Fiduciaries must notify the Board and data principals of breaches within 72 hours. The rules lack definitions for breach severity or guidelines for impact assessment, causing inconsistent reporting.
- Unclear Cross-Border Data Transfer Rules: Transfers are allowed only if the receiving country ensures adequate protection. There is no framework to evaluate adequacy, creating uncertainty for businesses engaging in international data exchanges.
- Insufficient Protections for Children’s Data: Parental consent is mandatory for processing children’s data. The absence of reliable mechanisms to verify parental identity in low-tech areas increases the risk of misuse.
- Weak Retention and Deletion Standards: Data must be deleted once its purpose is fulfilled, with prior notification to principals. Vague timelines and no audit mechanisms make enforcement weak, leading to potential delays or non-compliance.
- Limited Accountability for Consent Managers: Consent managers must register and adhere to operational guidelines. The lack of penalties for non-compliance undermines accountability and enforcement.
- Minimal Data Principal Education: Fiduciaries are required to issue clear and concise notices. The rules fail to mandate initiatives to educate data principals about their rights and data protection measures.
- Insufficient Safeguards for State Data Processing: State entities can process personal data for public purposes. There is no independent oversight or strict checks, which may lead to excessive or invasive data collection.
- Vague Criteria for Significant Fiduciaries: Significant fiduciaries are subject to additional compliance requirements. The criteria for classification remain unclear, and no specific accountability measures are defined.
- Accessibility Barrier: Fiduciaries and the Data Protection Board are mandated to operate digitally. Over-reliance on digital mechanisms excludes individuals without internet access or technological literacy, especially in rural areas.
Suggestions for Improvement
- Clear Consent Standards: Develop standardized technical guidelines to ensure uniform and user-friendly consent withdrawal mechanisms.
- Breach Classification: Introduce a framework to classify breaches by severity and provide guidelines for assessing their impact.
- Cross-Border Framework: Define clear metrics and a transparent process for determining the adequacy of foreign data protection standards.
- Flexible Parental Consent Mechanisms: Implement alternative methods for verifying parental consent in low-tech regions.
- Retention Audits: Mandate regular audits to verify adherence to data retention and deletion timelines.
- Penalties for Consent Managers: Specify penalties for non-compliance to strengthen enforcement and accountability.
- Public Awareness Campaigns: Launch educational initiatives to inform data principals about their rights and the rules’ protections.
- State Oversight: Introduce independent oversight mechanisms to monitor data processing by state entities and prevent misuse.
- Transparent Classification of Fiduciaries: Clarify criteria for significant fiduciaries and establish mechanisms to hold them accountable.
- Inclusive Grievance Mechanisms: Ensure grievance processes are accessible to individuals without digital access, using offline alternatives where necessary.
Conclusion
The DPDPA Rules, 2025, mark a significant milestone in India’s data protection journey, reflecting a proactive approach to addressing emerging challenges in the digital landscape. While the Rules establish a robust framework to safeguard personal data, their successful implementation hinges on addressing the identified challenges and adopting a balanced approach to stakeholder concerns. By refining the Rules and ensuring inclusive, transparent, and accountable mechanisms, India can position itself as a global leader in data protection, fostering trust and innovation in its digital economy.