New Delhi: The Ministry of Electronics and Information Technology (MeitY) has taken a significant step toward operationalizing the Digital Personal Data Protection (DPDP) Act, 2023, by releasing the draft rules on 3 January. Titled the “Digital Personal Data Protection Rules, 2025,” these long-awaited draft regulations are now open for public consultation until 18 February 2025.
The rules aim to provide clarity on the Act’s implementation, covering aspects like data fiduciaries’ responsibilities, consent management, grievance redressal, and cross-border data transfers. With an emphasis on strengthening data protection mechanisms and fostering digital trust, the rules have drawn widespread attention from stakeholders, including businesses, legal experts, and tech leaders.
A Comprehensive Framework for Data Protection
The DPDP rules outline strict obligations for data fiduciaries, including providing clear notices to data principals, implementing security measures such as encryption, and maintaining transparency in data processing. Consent managers, a new category of certified entities, are expected to manage user consent, ensure data privacy, and maintain records in machine-readable formats.
Data principals are also empowered with rights to access, correct, and erase personal data, alongside grievance redressal channels. Significant data fiduciaries face additional compliance burdens, such as periodic audits and algorithmic accountability checks. Moreover, cross-border data transfers are restricted to trusted jurisdictions approved by the central government, reinforcing India’s stance on data sovereignty.
Long-Awaited Draft Rules
Ashok Hariharan, CEO and Co-founder of IDfy, welcomed the draft rules as a long-overdue development. “After a long wait of more than a year, the DPDP Draft Rules are finally here, marking a significant step forward in empowering citizens with their rights. These rules call on organizations to take privacy seriously, emphasizing the importance of seeking consent through a detailed notice. The decision to operate the Data Protection Board as a digital office is a commendable move, considering the sheer volume of requests and complaints in a digitally driven nation like India,” he said.
IDfy recently launched Privy, a DPDP-compliant solution suite, and PreView, an instant notice-generation tool developed with the Data Security Council of India (DSCI) and MeitY. Hariharan highlighted how the rules create opportunities for businesses to innovate in privacy-focused solutions.
Challenges in Implementation
Mayuran Palanisamy, Partner at Deloitte India, underscored the complexities businesses may face. “The DPDP rules are detailed and give much-needed direction, particularly for significant data fiduciaries and consent managers. However, businesses will face challenges in managing consent, which forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could require changes at the design and architecture levels of applications and platforms,” he noted.
Palanisamy emphasized the need for organizations to invest in technical infrastructure and establish clear data lifecycle protocols to meet compliance requirements effectively.
Goldie Dhama, also a Partner at Deloitte India, pointed out areas requiring further clarity, particularly around data localization and breach notifications. “The rules prescribe additional responsibilities on significant data fiduciaries for data localization. This requirement seems to override both generic provisions and even sector-specific localization mandates. Organizations will need to align their systems accordingly,” she said.
Dhama also highlighted the stringent obligations for breach reporting, which mandate that entities notify both data principals and the Data Protection Board at the earliest. “This will necessitate heavy investments in technology, systems, and processes to ensure timely compliance,” she added.
Legal Experts Call for Further Guidance
Shreya Suri, Partner at IndusLaw, welcomed the progress but identified gaps. “These rules were highly anticipated, with the expectation that they would address implementation challenges and procedural gaps. While the draft attempts to cover some aspects, significant ground remains to be covered. Rigorous public consultations will be key to ensuring that the final version reflects the perspectives of all stakeholders,” she said.
Suri highlighted issues around the uniform treatment of data breaches, the absence of thresholds for minor breaches, and limited guidance on notices. “The rules fall short in offering guidance on the mode of delivery or issuance for notices—something well-defined under GDPR. This could lead to varied interpretations and market-driven practices,” she explained.
Another key concern was the reliance on self-declaration for identifying minors or individuals with disabilities, which could lead to broader data collection of parental or guardian information. “This raises important questions about the scale and scope of data collection and its compliance implications,” Suri added.
Meanwhile, Shahana Chatterji, Partner at Shardul Amarchand Mangaldas & Co, noted that the DPDP Rules were intended to provide operational clarity to guide compliance and industry practices. “To a large extent, they do this with respect to how notice has to be provided, how the DPB (Data Protection Board) will be set up, and how personal data breach reporting must take place. Flexibility has been provided for how a data fiduciary must maintain reasonable security safeguards,” she stated.
However, Chatterji highlighted several compliance challenges within the draft rules. “The Rules on how to obtain verifiable parental consent are bound to create significant compliance challenges. This is because data fiduciaries will have to maintain different consent processes for adults, minors, and persons with disabilities who have lawful guardians,” she explained.
She further expressed concerns over additional conditions imposed on cross-border data flows and the possibility of data localization requirements for Significant Data Fiduciaries (SDFs), calling this an “overreach by the Rules and inconsistent with the provisions of the Act.” According to her, “The consultation process till February 18 will therefore be an important process.”
Opportunities and the Road Ahead
While the DPDP draft rules present challenges, they also open new avenues for innovation in privacy technology. By laying out a detailed compliance framework, they aim to build a robust digital ecosystem that prioritizes data protection and user empowerment.
As the draft undergoes public consultation, experts emphasize the need for the government to provide additional guidance and address ambiguities to ensure smooth implementation. Stakeholders have until 18 February to submit feedback via the MyGov portal, paving the way for a final version that balances regulatory requirements with industry needs.
The release of these draft rules is a crucial milestone in India’s digital journey, signalling its commitment to building a secure and privacy-centric digital future.