The Digital Personal Data Protection Rules, 2025 (Draft Rules under the Digital Personal Data Protection Act, 2023): Summary
The Digital Personal Data Protection Rules, 2025 (Draft Rules under the Digital Personal Data Protection Act, 2023) aim to establish a comprehensive framework for personal data protection. Here is a summary of key provisions:
Short Title and Commencement: The Rules come into effect upon publication, with certain sections (3-15, 21, 22) effective later.
Definitions: Terms in the Rules mirror those in the Act unless context requires otherwise.
Notice by Data Fiduciary to Data Principal: Data Fiduciaries must provide a clear, understandable, and detailed notice to Data Principals, outlining data collection, processing purposes, and the methods for withdrawing consent.
Consent Manager Registration: Consent Managers must be companies incorporated in India with a minimum net worth of ₹2 crore and must operate a secure, interoperable platform through which Data Principals give, manage, review and withdraw consent. They must act in the Data Principal's interest, avoid conflicts of interest with Data Fiduciaries, keep consent records and logs, and submit to audits; their ownership and management must be transparent.
State Processing Data: The government and its agencies can process personal data to provide services or subsidies but must follow strict guidelines for transparency and security, ensuring that the data is used for lawful purposes.
Reasonable Security Safeguards: Data Fiduciaries must implement appropriate technical and organisational measures to prevent personal data breaches, such as encryption, obfuscation or masking of data, access controls, logging and monitoring to detect and investigate unauthorised access, and backups to maintain continued processing. These measures must be consistent with accepted industry practice and must flow down contractually to any Data Processor.
Breach Notification: On becoming aware of a personal data breach, Data Fiduciaries must notify each affected Data Principal without delay, in clear and plain language, describing the nature and extent of the breach, its likely consequences, the mitigation steps taken, and the safety measures the Data Principal can take. The Board must also be notified without delay, with fuller details (cause, remedial measures, persons notified) to follow within 72 hours or such longer period as the Board allows.
Data Retention and Erasure: Where a Data Principal has neither approached the Data Fiduciary for the specified purpose nor exercised any rights for the specified period, the personal data must be erased, unless retention is required by law. The Data Fiduciary must inform the Data Principal at least 48 hours before the erasure is due, so that the Data Principal has an opportunity to re-engage.
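The retention rule above is easy to implement wrongly: erasure must not run until the retention period has lapsed and the 48-hour notice has actually been given, and any re-engagement after the notice resets the clock. The scheduler below is an added illustration, not code from the Rules or from any real Data Fiduciary; the three-year retention period, the record layout and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The Rules require at least 48 hours' notice before erasure.
NOTICE_WINDOW = timedelta(hours=48)
# Assumed retention period for this example; the Rules specify it per class
# of Data Fiduciary, so this value is illustrative only.
RETENTION = timedelta(days=3 * 365)


@dataclass
class Record:
    principal_id: str
    last_engaged: datetime          # last time the principal approached us or used a right
    notice_sent_at: Optional[datetime] = None  # when the pre-erasure notice went out


def record_engagement(record: Record, when: datetime) -> None:
    """Any re-engagement restarts the retention clock and voids a pending notice."""
    record.last_engaged = when
    record.notice_sent_at = None


def erasure_deadline(record: Record, retention: timedelta) -> datetime:
    return record.last_engaged + retention


def plan_actions(records: List[Record], retention: timedelta,
                 now: datetime) -> Tuple[List[str], List[str], List[str]]:
    """Split records into (notify, erase, hold) for a scheduler run at `now`.

    notify: retention lapses within the next 48 hours and no notice is pending
    erase:  retention has lapsed AND a notice was sent at least 48 hours ago
    hold:   everything else (too early, notice too recent, or re-engaged)
    """
    notify, erase, hold = [], [], []
    for r in records:
        deadline = erasure_deadline(r, retention)
        notice = r.notice_sent_at
        # A notice that predates the latest engagement is stale: the clock restarted.
        if notice is not None and r.last_engaged > notice:
            notice = None
        if notice is None:
            if now >= deadline - NOTICE_WINDOW:
                notify.append(r.principal_id)
            else:
                hold.append(r.principal_id)
        elif now >= deadline and now - notice >= NOTICE_WINDOW:
            erase.append(r.principal_id)
        else:
            # e.g. notice sent late: erasure waits until the full 48 hours have passed
            hold.append(r.principal_id)
    return notify, erase, hold


def sample_records(now: datetime) -> List[Record]:
    """Constructed sample data covering the main cases."""
    return [
        # A: retention lapsed 5 days ago, notice sent 3 days ago -> erase
        Record("A", now - RETENTION - timedelta(days=5), now - timedelta(days=3)),
        # B: retention lapses tomorrow, no notice yet -> notify now
        Record("B", now - RETENTION + timedelta(days=1)),
        # C: engaged 100 days ago -> hold
        Record("C", now - timedelta(days=100)),
        # D: retention lapsed yesterday but notice only sent 1 hour ago -> hold
        Record("D", now - RETENTION - timedelta(days=1), now - timedelta(hours=1)),
        # E: notice sent 3 days ago, but the principal re-engaged yesterday -> hold
        Record("E", now - timedelta(days=1), now - timedelta(days=3)),
    ]


def demo(now: Optional[datetime] = None) -> Tuple[List[str], List[str], List[str]]:
    now = now or datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    return plan_actions(sample_records(now), RETENTION, now)


if __name__ == "__main__":
    notify, erase, hold = demo()
    print("notify:", notify, "erase:", erase, "hold:", hold)
```

Run as a periodic job, the scheduler only ever sends notices or erases; it never erases a record whose notice is younger than 48 hours, and a principal who re-engages after the notice (case E) drops back to the hold list until the retention period runs again from the new engagement date.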
Contact Information for Queries: Data Fiduciaries must provide clear contact details for handling data-related queries, ensuring transparency and accountability.
Consent for Children and Persons with Disabilities: Before processing a child's personal data, the Data Fiduciary must obtain verifiable consent from a parent or lawful guardian, checking that the person giving consent is an identifiable adult. The same applies to a person with a disability who has a lawful guardian, whose consent must be obtained.
Exemptions for Children’s Data: Specific sectors like healthcare and education are exempt from standard rules for processing children's data if necessary for their safety or well-being.
Obligations of Significant Data Fiduciaries: Significant Data Fiduciaries must carry out a Data Protection Impact Assessment (DPIA) and an audit once every twelve months, verify that the algorithmic software they use does not pose a risk to Data Principals' rights, and observe government-specified restrictions on transferring certain personal data and related traffic data outside India.
Rights of Data Principals: Data Fiduciaries must clearly communicate how Data Principals can exercise their rights, such as access and erasure, ensuring timely responses to grievances.
Processing of Data Outside India: Data Fiduciaries must comply with government requirements regarding the transfer of personal data outside India.
Research, Archiving, or Statistical Purposes: Data processing for research or statistics is exempt if it meets certain safeguards, ensuring balance between data utility and privacy.
Appointment of Board Members: The Central Government will appoint the Chairperson and other members of the Data Protection Board, following recommendations from a selection committee.
Salary and Terms of Service: The Chairperson and Board members will receive salaries of ₹4.5 lakh and ₹4 lakh per month, respectively, with no housing or car allowances.
Board Meetings: Procedures for convening and conducting meetings are outlined, with decisions made by majority vote, and quorum requirements set. The Board can act urgently when necessary.
Board's Digital Functioning: The Board will operate digitally, enhancing efficiency by reducing physical attendance requirements.
Staff Appointment for the Board: The Board can appoint staff as needed, with approvals from the Central Government, ensuring the necessary expertise for its operations.
Appeals Process: Individuals can appeal to the Appellate Tribunal regarding Board decisions, with digital submission and fee structures defined.
Information Requests from Data Fiduciaries: The government can request information from Data Fiduciaries or intermediaries for national security, legal compliance, or assessment purposes, subject to restrictions on sensitive data disclosures.
These Rules aim to protect personal data while balancing the interests of Data Fiduciaries and Data Principals within a transparent and accountable framework.