The proposed rules for the DPDP Act, 2023, aim to strengthen safeguards for digital privacy, but questions linger over uniform breach thresholds and the limited focus on disabled individuals.
The Ministry of Electronics and Information Technology (MeitY) has drafted the Digital Personal Data Protection Rules, 2025, to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act), which establishes a framework for processing digital personal data in India. The draft aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and balancing the individual’s right to protect personal data with the need to process such personal data for lawful purposes.
The draft rules touch upon various implementation aspects, such as the notice by the data fiduciary to individuals; registration and obligations of consent managers; processing of personal data for issuance of subsidy, benefit, service, etc. by the state; the applicability of reasonable security safeguards; intimation of a personal data breach; providing details on how individuals can avail of their rights; processing of personal data of a child or of a person with a disability; setting up the data protection board; appointment and service conditions of the chairperson and other members of the board; functioning of the board as a digital office; and the procedure to appeal to the appellate tribunal, among others.
However, there are certain areas where, experts think, more consultations and discussions are required to fully safeguard the digital data rights of individuals in India.
The ministry has sought feedback or comments on the draft rules from the stakeholders by February 18, 2025. Feedback or comments can be submitted via the MyGov portal.
Here's what experts think are the hits and misses in the draft DPDP Rules 2025:
Forward-looking framework:
The legislation grants individuals greater control over their information in an increasingly digitalised world. Experts term it a forward-looking framework, which could establish new benchmarks for digital trust and security. Jaspreet Singh, Partner, Grant Thornton Bharat, says that by introducing stringent regulations for data collection, processing, and storage, the DPDPA Rules 2025 aim to strike a balance between technological progress and the right to privacy. "The act mandates transparency from data handlers, enforces consent-driven data usage, and imposes substantial penalties for data breaches and non-compliance. With its emphasis on accountability and user empowerment, the DPDPA Rules 2025 reaffirms the importance of data privacy as a fundamental right."
Obligations on businesses:
The DPDPA rules are quite detailed and give much-needed direction to businesses in India by expounding upon the compliance they must carry out. "We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms. Further, organisations will need to invest in both technical infrastructure and processes to meet these requirements effectively. This includes relooking into data collection practices, implementing consent management systems, establishing clear data lifecycle protocols and percolating down these practices at an implementation level," says Mayuran Palanisamy, Partner, Deloitte India.
Rules for cross-border data sharing:
An interesting development in the draft rules is the introduction of potential obligations for significant data fiduciaries regarding cross-border data sharing. "While the Act largely permits such transfers, apart from blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight. A proposed committee may recommend that certain personal data be restricted from being transferred outside India, which adds a new dimension to the regulatory landscape that will be important for stakeholders to consider," says Shreya Suri, Partner, IndusLaw.
Additionally, says Suri, the classification of data fiduciaries in the draft rules, which focuses on defining retention periods for data, seems to currently apply only to three categories of fiduciaries. "However, there are concerns among various stakeholders regarding the need for additional use cases, which have yet to be addressed. This leaves some important questions about data retention practices for certain types of data fiduciaries still unanswered."
Significant ground to cover:
Shreya Suri, Partner, IndusLaw, says it is encouraging to finally witness progress on this front. However, as the industry reviews the draft rules for the Digital Personal Data Protection Act, there are a few initial reflections to consider. "These rules were highly anticipated, with the expectation that they would address implementation challenges, procedural gaps, and areas where the Act required further clarity. While the draft does attempt to cover some of these aspects, there is still significant ground to cover. I anticipate rigorous public consultations to gather comprehensive feedback, ensuring that the final version reflects the needs and perspectives of all stakeholders. Continued input and guidance from the government will be essential to drive effective implementation."
According to Suri, the draft rules provide some clarity on framing and displaying notices under the Digital Personal Data Protection Act, but they fall short of offering guidance on the mode of delivery or issuance—something well-defined under GDPR. "In the absence of further clarity, much of this is likely to be left to market practice and stakeholder discretion."
Draft rules treat all breaches uniformly:
Another anticipated aspect was the introduction of thresholds for data breach reporting, where minor breaches could have had fewer compliance obligations. Suri of IndusLaw says the current draft treats all breaches uniformly, requiring the same level of reporting and notification to the data protection board and affected data principals, without granting any discretion whatsoever to data fiduciaries. "While the rules outline certain considerations for reasonable security practices, the lack of detailed guidance leaves room for varied interpretations. Stakeholders will likely adopt practices aligned with the nature and scale of their data processing, but further guidance from the government would be crucial to ensure consistency and compliance across the industry."
Limited guidance on children:
The draft rules offer limited guidance on how children will be identified in order to seek verifiable parental consent from their parents or guardians. "It seems the approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults. This could potentially lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection," Suri asserts.
Similarly, while the Act references the processing of personal data for persons with disabilities, the rules primarily address children and their parents. "There remains some ambiguity around how self-declaration would apply in cases where individuals may not be able to disclose their status independently," Suri says.
Supratim Chakraborty, Partner, Khaitan & Co, says that by requiring verifiable parental consent before processing such data, the Act and the draft rules aim to establish a higher standard of accountability for businesses. "This new legal mandate will require significant overhaul of existing data handling practices, including the integration of identity verification systems to authenticate the identity and age of parents or lawful guardians providing consent. Ensuring that the consenting individual is a legally identifiable adult adds a critical layer of accountability, reflecting the government’s commitment to safeguard the vulnerable groups."
This shift will also demand investments in technology, operational diligence, and collaboration with trusted verification entities like Digital Locker service providers, added Chakraborty.