Decoding India's Draft Digital Personal Data Protection Rules

Finally, Some Direction (Sort of)

While I was (genuinely) reflecting and jotting down thoughts on policy expectations for 2025, the long-awaited rules under the Digital Personal Data Protection (DPDP) Act, 2023 quickly shot to the top of my list. For months, the absence of these rules left data fiduciaries and data principals feeling like lost chickens—wandering aimlessly without a sense of direction. But, like a breeze clearing smoke, the release of the draft rules by MeitY (finally!) has brought some much-needed clarity to the chaos.

A Quick Recap of the DPDP Act

Since it’s been a while, let’s revisit the basics. The Digital Personal Data Protection Act, 2023 was enacted after four iterations. The Act establishes the foundation for digital data governance in India—covering how personal data is collected, processed, stored, and protected.

Key Highlights of the Act:

• Scope and Application: Governs the processing of personal data collected online or offline, provided it is digitised at any stage. The Act applies to data processed within India and foreign entities handling Indian residents' data.
• Consent-Centric Approach: Personal data can only be collected with explicit consent from the individual (data principal), except in limited cases such as legal obligations or emergencies.
• Rights of Data Principals: Individuals can access, correct, erase their data, and withdraw consent anytime.
• Duties of Data Fiduciaries: Fiduciaries (entities handling data) must ensure transparency, maintain records, and secure personal data. Significant Data Fiduciaries (SDFs) face stricter obligations like audits and impact assessments.
• Penalties: Non-compliance could lead to hefty fines, but the draft rules do not explicitly cap the upper limit of penalties.

Example – Consent Management in Retail: Imagine entering a retail store and signing up for their loyalty program by providing your phone number. The store digitises this information and later uses it to send promotional offers. Under the Act, the store (a data fiduciary) must obtain explicit consent at the collection point. A simple verbal agreement won’t suffice. Instead, they might send a one-time password (OTP) or digital form for you to approve—creating a verifiable consent trail.

Breaking Down the Draft DPDP Rules (Released Jan 3, 2025)

The draft rules are best understood by looking at the four key stakeholders defined in the Act:

1. Data Principal (a.k.a. You and Me)

Definition: The individual to whom personal data relates.

Rights:

• Access, correct, erase data.
• Portability of data (like switching telecom providers).
• Grievance redressal if data is misused.

Obligations:

• Provide accurate information during data collection (no fake details!).
• Avoid filing frivolous complaints—penalties apply for misuse.

Scenario: A student signs up for an EdTech platform and uploads personal data. Later, the student decides to switch platforms and requests the deletion of their data. The platform must erase this data unless it is required for legal or academic recordkeeping. However, the process for ensuring complete erasure across backups or third-party service providers remains ambiguous.

2. Data Fiduciary (The Data Handlers)

Definition: Any person, company, or government entity processing personal data.

Obligations:

• Obtain informed consent from data principals in an explicit, clear format.
• Ensure data security through reasonable safeguards.
• Limit data processing to the original purpose.
• Notify users immediately in case of a data breach, with a detailed report to the Data Protection Board (DPB) within 72 hours.
• Conduct audits and impact assessments if classified as an SDF

Designation as SDF: The Government designates SDFs based on the volume and sensitivity of data processed, potential harm, and implications for national security or public order.

Example: A health-tech company collects sensitive patient data for diagnostics and processes it through cloud servers in Singapore. Due to the volume and sensitivity of data involved, the government designates the company as an SDF, requiring annual audits and the appointment of a Data Protection Officer (DPO).

3. Consent Managers (The Middlemen for Your Data)

Definition: Independent entities managing consent between data principals and fiduciaries.

Role:

• Provide a single platform to view, manage, and withdraw consents.
• Register with the DPB for accountability.
• Operate transparently across sectors.

• Onboarding consent managers is not mandatory for fiduciaries but is highly recommended to streamline compliance.

Scenario: A fintech app partners with a consent manager to handle user data. When customers sign up for financial products, they can manage all their consents—loan approvals, data sharing with credit agencies, etc.—through the consent manager’s dashboard.

4. Data Protection Board (DPB is Back!)

Definition: The regulatory authority enforcing the DPDP Act.

Functions:

• Handle grievances and disputes.
• Impose penalties for non-compliance.
• Advise the government on data protection issues.

The Elephant in the Room – Cross-Border Data Flow and Age Restrictions

One of the more contentious areas in the draft DPDP rules concerns cross-border data transfers. The Act permits personal data to be transferred to government-approved jurisdictions, which (unsurprisingly) echoes previous data localisation efforts. This essentially mandates that sensitive data remain within India or be shared only with nations deemed “trusted” by the government.

The DPDP Act doesn’t impose an outright ban on cross-border data transfers, but Rule 14 introduces some strict oversight.

Rule 14 gives the Indian government extraterritorial authority, meaning it can regulate and restrict foreign governments or agencies seeking access to personal data. Even if the data is processed outside India, if it involves businesses operating here or contains the personal data of Indian citizens, India has a say.

Routine cross-border data flows for business and operational purposes remain unaffected. But, if a foreign intelligence agency or law enforcement body requests personal data from an Indian company (or a company handling Indian user data), the government can step in and set conditions.

The goal is simple:?prevent foreign entities from accessing Indian data unregulated. Rule 14 ensures that sensitive data is not handed over without proper oversight.

Minimum Age Threshold – A Complex Dilemma

Another pivotal issue is the minimum age threshold of 18. Under the DPDP Act, platforms must secure parental consent to process the personal data of minors (below 18).?

Global Comparisons:

? EU (GDPR): Sets the minimum age at 16, allowing individual countries to lower it to 13.

? US (COPPA): Applies to children under 13, mandating parental consent for data collection.

? China: Follows a tiered system with enhanced protections for users under 14.

? India: Takes a stricter stance, keeping the threshold at 18 across the board, despite examples of other laws having varying age limits.?

In a country with over 250 million adolescents, restricting access to online platforms could stifle educational opportunities, limit social interaction, and hinder participation in the digital economy.

The Digital Literacy Gap:

? Overall Literacy Rate: ~77% (as per NSSO 2022).

? Digital Literacy: Estimated at 40% in rural areas and 60% in urban regions (MeitY reports).

? Parental Digital Proficiency: A significant portion of Indian parents, particularly in rural regions, lack the digital skills needed to manage consent for their children, potentially creating access barriers.

Addressing this requires a nuanced approach—perhaps adopting a tiered consent system like the EU or introducing graded age bands for different types of services.

Scenario- A 17-year-old signs up for a gaming app, but the app requires parental consent to process the data. If parents are digitally illiterate, the minor may lose access to the platform, limiting engagement.

Grey Areas and What Lies Ahead

While the rules clarify certain fronts, implementation is the real challenge. Harmonising the responsibilities of data principals, fiduciaries, and consent managers is essential, but several areas still require more attention:

? AI, Machine Learning, and Algorithmic Transparency: The rules don’t explicitly address how personal data will be used to train AI models or how algorithm biases should be mitigated. For instance, sectors like healthcare and finance rely on vast datasets to train predictive models—where’s the line between innovation and intrusion? The Act is silent on algorithmic accountability, a pressing issue as machine learning influences everything from loan approvals to job recruitment. For instance, an AI startup trains its model using anonymised datasets. The rules don’t specify if anonymised data falls under the Act’s purview, creating ambiguity about AI-driven data analysis.

? National Security and Public Interest Exemptions: While national security is a legitimate concern, the broad and undefined scope of these exemptions raises fears of surveillance overreach. The Act allows the government to access data without informing the user, citing national interest—a provision that demands clearer boundaries.

? Sector-Specific Gaps (Health and FinTech): Critical sectors like healthcare, financial services, and EdTech process vast amounts of sensitive data. However, the rules lack sector-specific guidance, which could leave room for interpretation, inconsistent application across industries, and overlapping of existing sectoral norms. A hospital collects health data through physical forms but digitizes it later. The Act doesn’t clarify when protections kick in—at collection or digitization.

The Act acknowledges the existence of sector-specific data localisation requirements and permits their continuation. While the Act does not impose broad data localisation mandates, it allows the Central Government to restrict data transfers to certain countries through notifications. Importantly, the Act does not override sectoral regulations that may have stricter localisation norms. For instance, the Reserve Bank of India’s guidelines on payment data localisation remain effective alongside the DPDP Act.?

? The healthcare industry, for example, stores highly personal patient data. Should hospitals be considered significant data fiduciaries by default? These are the questions that still lack definitive answers.

A Work in Progress

As India inches closer to implementing the DPDP Act, the coming months will be crucial for ironing out ambiguities and preparing businesses and consumers for the road ahead. While the draft rules bring much-needed structure, the deeper nuances of digital governance are far from settled.

The public consultation process is open, and now is the time to engage. If you have thoughts on the DPDP rules—whether from the perspective of a business, consumer, or tech enthusiast—I encourage you to submit your comments. The more inclusive the feedback, the stronger the framework will become.

And if navigating the intricacies of the Act feels overwhelming, feel free to reach out.?