Digital Personal Data Protection Act, 2023: A perspective
On 3 January 2025, the Ministry of Electronics and Information Technology (MEITY) published the draft Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These Rules are proposed to be made by the Central Government in exercise of the powers conferred on it by the Digital Personal Data Protection Act, 2023 (Act), which was passed on 11 August 2023.
The Rules have been published after a long wait by data subjects and industry players alike. They are expected to complete, and bring into effect, the first dedicated data protection regime proposed to be implemented in India.
The Rules end the uncertainty and bring clarity on open points in the Act, including:
These Rules will help build greater trust among data principals using digital platforms. The specific requirements set out in the Rules leave less scope for interpretation, which will promote compliance-preparedness among industry players and help them build customer confidence, leading to business growth.
While it is helpful for the law to be objective, in certain respects the expectations could be more outcome-centric. In comparison with its European counterpart, which takes reasonableness, the availability of technology and the cost of implementation into consideration when setting standards, our Rules seem more process-oriented and prescriptive.
For smaller players the increase in cost could be disproportionate. For example, under the Rules a data fiduciary's notice for obtaining consent must be standalone, meaning that consent notices cannot be combined with any other documentation that the customer is asked to accept. This may require data fiduciaries to revamp their existing processes even where those processes already meet the generally accepted standards for consent being voluntary, specific, informed and unambiguous.
* “Data fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Further, the Rules prescribe that before erasing personal data that no longer serves the specified purpose, the data fiduciary must notify the data principal at least 48 hours in advance. This may prove cumbersome for data fiduciaries while offering little benefit to data principals who have been inactive on the platform.
Moreover, the requirement to promptly report a personal data breach to data principals could be premature and counterproductive, creating panic and apprehension before the facts are established. Breach reporting under the Rules, alongside the reporting to CERT-In and the sectoral reporting to SEBI, RBI and others, may divert data fiduciaries' time and energy away from effective crisis management.
The Rules do not provide clarity on who will qualify as a significant data fiduciary. While they mention that e-commerce entities, online gaming intermediaries and social media platforms above the prescribed size may retain personal data for up to three years from the last interaction with the data principal, they are silent about other classes of entities.
While clarity is awaited on the time period available for complying with the new regime, industry players have already begun assessing their current processes for preparedness against the proposed regime.
Views expressed in this article are of Tripti Sinha and have no bearing on Vay Network Services Pvt. Ltd. or any of its entities.