In furtherance of the same, the Ministry of Electronics and Information Technology (‘MeitY’) released the Digital Personal Data Protection Rules, 2025 (Draft Rules) on 3 January 2025 for public comments.
While the DPDPA 2023 provides a broad framework for the processing of personal data, the rules guide stakeholders through the manner of implementation of the DPDPA 2023. Cumulatively, they form a comprehensive data protection framework that seeks to strike a balance between the Right to Privacy of individuals and the processing of personal data by businesses for performing their functions.
It is pertinent to note that the Supreme Court of India held the Right to Privacy to be an intrinsic component of the fundamental right to life and personal liberty under Article 21 of the Constitution and a part of the freedoms guaranteed by Part III of the Constitution (Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors.). Taking cognizance of the apex court's ruling, the Government of India set up a committee of experts, which published a white paper providing a roadmap for a digital data protection framework in India.
After thorough deliberations and consultations, the rubrics of India’s Digital Personal Data Protection statute have now been erected on the principles of transparency, implemented through a notice and consent-based framework underlined by the purpose for obtaining, retaining and deleting digital personal data.
To this end, the Draft Rules, read with the DPDPA 2023, provide details of key stakeholders under the data protection framework viz. Data Principal, Data Fiduciary, Data Processor and Consent Manager.
The Draft Rules detail the manner of giving a notice to Data Principals prior to collection of information, notification of data breaches, legal access after the purposes of the access have been met or changes in the Data Processor’s privacy policy. As per the Draft Rules, a notice must include, among other details, an itemised description of the personal data sought as well as the goods and services to be provided. The obligation for drafting and displaying the notice rests with the Data Fiduciary.
Among other things, the requirement to provide an itemised description of the personal data sought, along with the goods and services to be provided to Data Principals, needs to be aligned well with the purpose of obtaining said data in the first place. To this end, it is important for Data Fiduciaries to prepare and maintain an open architecture policy for obtaining, using, retaining and disposing of the digital personal data of Data Principals.
Further, given that the notice forms the basis of informed consent, an appreciable effort has been made in the Draft Rules towards balancing its contents. While an expansive notice deters readers from going through it, a brief notice would be inadequate for explaining the personal information collected and the reasons thereof. Thus, a well-balanced, thoughtful approach is adopted towards the prescriptions on notice.
The second key pillar of the digital data protection framework is consent. The responsibility of obtaining consent rests with the Data Fiduciary. Consent Managers may, however, facilitate the process of obtaining consent. Such Consent Managers must register themselves with the Data Protection Board (‘DPB’) to be established under the DPDPA 2023.
The Draft Rules provide for conditionalities for such registration and obligations to be fulfilled by the Consent Manager. While other regulated entities having a systemic importance are required to satisfy similar conditions, the Draft Rules carry a much clearer prescription of the regulator’s expectations and assessment parameters for Consent Managers. However, certain quantifiable aspects could have been added, such as what exactly is meant by the ‘financial conditions’ and ‘volume of business’ requirements to register as a Consent Manager.
Among other obligations, Data Fiduciaries are responsible for the security of personal data collected by them, as well as by Data Processors collecting information and functioning on their behalf. To ensure this, a robust agreement should be entered into with the Data Processors. Further, appropriate technical and organisational measures should be set up and maintained on an ongoing basis.
The Draft Rules give Data Fiduciaries considerable discretion in deploying security safeguards. This would enable setting up safeguards as per the dynamics of the Data Fiduciary. However, their adequacy should always be subject to review by the DPB.
The Draft Rules suggest enhanced due diligence on the part of Data Fiduciaries in the case of children and persons with disabilities. This would entail devising separate consent systems for children/persons with disabilities. Further, the consent of the parent/guardian should be obtained in line with the established processes, prior to accessing their personal information for carrying out their due diligence.
Further, while age and identity verification is required in the case of children, in the case of persons with disabilities, the due diligence required is to be done on the lawful appointment of the guardian. As such, no means of verification is specified for guardians and persons with disabilities.
Further, the age for accessing social media platforms in India is 13 years; however, the Draft Rules prescribe the age for providing consent as 18 years. This anomaly may be rectified by aligning the age with the US Children’s Online Privacy Protection Act and/or GDPR.
The authors: Rakesh Nangia is Founder and Managing Partner, and Mayank Arora is Director-Regulatory, at Nangia & Co LLP. The views are personal.