January 2025, Corporate

Draft Digital Personal Data Protection Rules, 2025: Key requirements and implications

Introduction 

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) was notified in the official gazette on 11 August 2023 for general information. The framework of the DPDP Act relies heavily on rules to be issued under the DPDP Act, with the Government having the power to draft rules on 26 subjects. Two key reasons delaying the enforcement of the DPDP Act have been the issuance of the rules and the setting up of the Data Protection Board of India (“Board”).

The draft Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) were finally issued for public comments on 3 January 2025. Comments on the draft rules can be submitted to the Ministry of Electronics and Information Technology (“MEITY”) until 18 February 2025. This Alert summarizes the key requirements under the DPDP Rules and what they will mean practically for data fiduciaries processing personal data. While the most significant impact of the DPDP Rules will be on entities processing large volumes of personal data (e.g. e-commerce entities, social media intermediaries, online gaming companies, financial and health institutions), the requirements of the DPDP Act are relevant to, and will have to be complied with by, all entities which process digital personal data.

Key takeaways 

  • The DPDP Rules will be implemented in phases but the timeline for compliance has not been specified yet.
  • Notice for consent should be independent of other information, and itemized with respect to personal data, purpose, and use.
  • Withdrawal of consent should be as easy as giving of consent.
  • Substantial obligations on Significant Data Fiduciaries – conduct DPIAs, submit key findings to Board, and also retain identified categories of data only in India.
  • Government to have increased discretion in imposing cross border data transfer restrictions.
  • E-commerce, social media and online gaming entities to retain data only until three years from last interaction with user.
  • Processing of children’s data will require verification of age and identity of the parent.
  • Personal data breaches to be notified to both data principals and Board, “without delay”. Board to be given more detailed information within 72 hours.
  • Detailed regime in relation to ‘consent managers’ introduced.

Overview of the DPDP regime 

Entities which determine the purpose and means of processing data are referred to as data fiduciaries under the DPDP Act, and the individuals whose data is collected are referred to as data principals. Significant Data Fiduciaries (“SDFs”) are categories or classes of data fiduciaries that the Government may notify, based on such factors as the Government considers relevant, including the volume and sensitivity of personal data processed, risks to the rights of the data principals, impact on the sovereignty and integrity of India, risk to electoral democracy, and security of the state and public order. More stringent requirements apply to SDFs. Data fiduciaries may further engage data processors to process data in the manner determined by the data fiduciaries in accordance with the DPDP Act. Data fiduciaries will be liable for the actions of such data processors.

Processing generally covers any actions taken on digital personal data including any wholly or partly automated set of operations such as data collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

(i) Timeline for compliance with the DPDP 

(a) The general expectation has been that data fiduciaries will be given time to comply with the requirements of the DPDP Act. The Government has, however, in various discussions warned that a long lead time will not be given, and its expectation is that data fiduciaries have already initiated steps towards compliance. Informally, the Union Minister for Electronics & Information Technology, Ashwini Vaishnaw, has indicated that data fiduciaries will be given a transition period of two years for compliance with the DPDP[1].

(b) It appears that some flexibility has been given in this regard, with the DPDP Rules providing that rules 3 to 15 (which set out the main compliance requirements with respect to processing of data), 21 (procedure for appealing to the appellate tribunal) and 22 (right of the Government to call for information from data fiduciaries and intermediaries) will be effective from a specified date (which we assume will be published in the notified DPDP Rules), while the other provisions (which all relate to the appointment and terms of service of the Board) will be effective from the date the DPDP Rules are published in the official gazette.

(ii) Data Protection Board 

(a) The DPDP Act provides for the establishment of the Board, which will be the primary statutory body responsible for the administration of the DPDP Act. The Board becoming functional is another important milestone which will have to be completed before the DPDP Act is made effective.

(b) The DPDP Rules have introduced provisions to facilitate the constitution of the Board, and related matters, which provisions will enable the Government to take steps towards the establishment of the Board. It is proposed that the Board will function as a ‘digital office’ and shall have the right to adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual.

(iii) Notice to be given by the data fiduciary to the data principal 

(a) A significant (and more burdensome) change that has been introduced by the DPDP Act is the requirement that processing of all personal data under the DPDP Act should be based on consent, unless it can be justified as being for a ‘legitimate use’ (of which very few are recognized). Currently consent is required only for processing sensitive personal data and information.

(b) Section 5 of the DPDP Act requires that a data fiduciary, either before, or while seeking consent, issue a notice to the data principal (in the 22 languages of Schedule VIII of the Constitution of India) in such manner as would be prescribed under the DPDP Rules.

(c) The DPDP Rules set out some very detailed and prescriptive requirements that such a notice must satisfy. The notice must be presented, and be understandable, independently of any other information provided by the data fiduciary, and must give sufficient information for the data principal to give specific and informed consent. That information should, at a minimum, be itemized, both in terms of the personal data being collected and the goods, services or purposes for which the personal data is proposed to be processed.

(d) In practice, this will be one of the most significant changes that data fiduciaries will need to make to their existing practices. Currently, it is the norm to provide notices with a wide description of categories of personal data that are collected, and an indicative list of purposes for which this personal data is proposed to be processed. Such notices, in their current form, will not satisfy the requirement of the DPDP Rules.

(e) The DPDP Act also requires that these notices be given to data principals whose data is being processed based on consent acquired prior to the commencement of the DPDP Act. Thus, in addition to revising the notices, data fiduciaries will also have to review their data processing practices so that the practices can be aligned with the notices and the consent that will be obtained (except where another ‘legitimate use’ applies), including with respect to the period for which the data can be retained. At a minimum, data fiduciaries will need to undertake a data mapping exercise before the notice and consent matrix for each individual whose personal data has been collected can be updated. This will be further complicated for SDFs and other entities to whom the more stringent requirements described in paragraphs (v) and (vi) below apply.

(f) Additionally, the notice should also include the communication link for accessing the website and/or app, the means through which the data principal can withdraw consent (the ease of which has to be comparable with the ease with which consent was granted) and also a mechanism by which the data principal can exercise their rights and make a complaint to the Board. These are relatively easy requirements that can be complied with by most data fiduciaries.

(iv) Appointment of a point of contact and other means to facilitate exercise of rights by data principal 

(a) Currently, entities processing personal data must appoint a grievance officer to address any grievances of data principals. Additionally, all organizations have to designate a point of contact for the Indian Computer Emergency Response Team (“CERT-In”) to liaise with, especially in case of any cyber security incidents.

(b) The DPDP Act provides for a similar construct, obligating data fiduciaries to publish the business contact information of the data protection officer (under the DPDP Act, only SDFs are required to appoint a data protection officer, who must be based in India) or of any person who can address questions raised by the data principal. To further enable data principals to exercise their rights, data fiduciaries are also obliged to publish the period, under their grievance redressal system, within which they will address grievances of data principals, and to implement appropriate technical and organisational measures to achieve this.

(c) A data fiduciary should be able to satisfy its regulatory requirement by designating one person as the sole point of contact under various laws. Other than SDFs, who must appoint DPOs based in India, it is hoped that other organisations (especially with smaller establishments in India) can satisfy this requirement by designating an appropriate person or team for addressing grievances, even if such person is not based in India. This information must be published prominently on the website or the app of the data fiduciary and mentioned in every response to a communication for the exercise of the rights of the data principal.

(v) Significant Data Fiduciaries 

(a) The DPDP Act imposes more stringent requirements in respect of data processing only on SDFs, easing compliance requirements for those data fiduciaries not categorized as such. SDFs are subject to the following obligations:

(A) conduct a data protection impact assessment (DPIA) and audit every 12 months, and cause a report with significant observations to be submitted to the Board;

(B) observe due diligence to verify that algorithmic software deployed by it for processing personal data is not likely to pose a risk to the rights of the data principal; and

(C) comply with the data localization requirement, as described in paragraph (vii) below.

(b) The most significant impact of the DPDP Act and DPDP Rules will be felt by SDFs, both in terms of immediate compliance and on an ongoing basis, and we expect SDFs to also be subject to more regulatory oversight. The requirement to submit the DPIA and audit report to the Board is quite significant. The purpose of the submission of the report is not clear; it is hoped that the report itself will not be the basis for taking any action under the DPDP Act against such SDF. The obligation to conduct the DPIA, and to submit a report to the Board, will force SDFs to adopt best practices in relation to the processing of personal data that are compliant with the requirements of the DPDP Act and DPDP Rules.

(vi) Retention of personal data

(a) Generally, the DPDP Act provides that once it is reasonable to assume that the specified purpose for which personal data was collected is no longer being served, data fiduciaries must erase the data, subject to requirements of applicable law.

(b) The DPDP Rules now provide that identified categories of data fiduciaries, namely e-commerce entities, online gaming intermediaries and social media enterprises (each with a prescribed number of users), must not retain personal data of their users after three years from (A) the date on which the data principal last approached the data fiduciary for the performance of the specified purpose or the exercise of their rights or (B) the commencement of the DPDP, whichever is later. This restriction, however, does not apply to any data processed by these entities for the purpose of enabling the data principal’s access to (A) their user account or (B) any virtual token issued by or on behalf of the data fiduciary and stored on its digital platform which may be used to procure money, goods or services.

(c) While such a data retention restriction has been imposed on these data fiduciaries, a separate obligation has also been imposed on them: at least 48 hours prior to the completion of the above-mentioned retention period (and the consequent deletion of personal data), the data principal must be informed that the data will be erased at that time unless the data principal logs into their account or contacts the data fiduciary for the processing of their data for a purpose or for the exercise of their rights. Data fiduciaries will need to consider automated solutions in order to comply with this requirement.
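The retention clock and 48-hour pre-erasure notice described above, as an added illustration of the kind of automated scheduling a data fiduciary would need (example code written for this Alert, not part of the original text; the commencement date, the seven-day notice window and the data category names are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small constructor so every timestamp in this example is timezone-aware UTC."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed placeholder: the draft rules leave the commencement date to a later
# notification, so this value is an assumption for the example only.
DPDP_COMMENCEMENT = utc(2025, 1, 1)

RETENTION_YEARS = 3                    # draft rule: three years from the start date
MIN_NOTICE_LEAD = timedelta(hours=48)  # draft rule: notice at least 48 hours before erasure
NOTICE_SEND_LEAD = timedelta(days=7)   # operational choice (assumption): send the notice a week out

# Data the draft rules carve out of the three-year limit: data kept solely so the
# principal can access their user account or a stored virtual token.
EXEMPT_CATEGORIES = frozenset({"account_access", "virtual_token"})


@dataclass
class UserRecord:
    user_id: str
    category: str
    last_interaction: datetime            # last login, purchase, rights request, etc.
    notice_sent_at: Optional[datetime] = None


def add_years(ts: datetime, years: int) -> datetime:
    """Add calendar years; 29 Feb rolls to 28 Feb when the target year is not a leap year."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)


def erasure_deadline(rec: UserRecord,
                     commencement: datetime = DPDP_COMMENCEMENT) -> Optional[datetime]:
    """Date by which the record must be erased, or None when the category is exempt."""
    if rec.category in EXEMPT_CATEGORIES:
        return None
    # The three years run from the LATER of last interaction and commencement, so a
    # legacy user who never returns is still kept until commencement + 3 years.
    start = max(rec.last_interaction, commencement)
    return add_years(start, RETENTION_YEARS)


def record_interaction(rec: UserRecord, when: datetime) -> None:
    """A login or contact restarts the clock and voids any notice already sent."""
    rec.last_interaction = when
    rec.notice_sent_at = None


def due_actions(records: List[UserRecord], now: datetime,
                commencement: datetime = DPDP_COMMENCEMENT) -> Tuple[List[str], List[str]]:
    """Return (user_ids to notify now, user_ids to erase now) for one scheduler run."""
    to_notify: List[str] = []
    to_erase: List[str] = []
    for rec in records:
        erase_at = erasure_deadline(rec, commencement)
        if erase_at is None:
            continue                           # exempt category: no retention-driven action
        if rec.notice_sent_at is None:
            if now >= erase_at - NOTICE_SEND_LEAD:
                to_notify.append(rec.user_id)  # inside the send window, not yet warned
        elif now >= erase_at and now - rec.notice_sent_at >= MIN_NOTICE_LEAD:
            to_erase.append(rec.user_id)       # deadline passed AND the 48-hour notice has run
    return to_notify, to_erase


if __name__ == "__main__":
    # Constructed sample data.
    legacy = UserRecord("u1", "order_history", last_interaction=utc(2024, 6, 1))
    wallet = UserRecord("u2", "virtual_token", last_interaction=utc(2024, 6, 1))
    print(erasure_deadline(legacy))                          # 2028-01-01 00:00:00+00:00
    print(erasure_deadline(wallet))                          # None
    print(due_actions([legacy, wallet], utc(2027, 12, 26)))  # (['u1'], [])
```

Erasure is never scheduled until a notice has been on record for the full 48 hours, so a record that reaches its deadline without a notice is first notified and only erased on a later run.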

(vii) Data localisation

(a) Data localisation has been a controversial topic in the context of Indian personal data protection laws. While earlier versions of India’s data protection law had express requirements relating to data localisation (for critical personal data alone), there was general relief when the DPDP Act did not include a requirement for data localisation. This was especially welcome given the general trend towards data localisation that was visible in certain other laws and actions by the Government (e.g. draft e-pharmacy rules had a data localisation requirement and the Government banned several Chinese apps on the grounds that user personal data was being transferred outside India (although there was no rule prohibiting such transfer)).

(b) However, the DPDP Rules now provide that SDFs must ensure that, while processing identified categories of personal data (as determined by a committee constituted by the Government), such personal data and the traffic data relating to its flow (more commonly known as metadata) are not transferred outside India.

(c) The above requirement is similar to the concept of ‘critical personal data’ that was proposed in an earlier version of the data protection law – the Government has not given any formal indications of what categories of data are likely to be identified to be subject to this data localisation requirement.

(d) The Minister of Information Technology has informally noted[2] that this process of categorisation of information by a committee will be driven by sectoral needs, allowing sectoral regulators to propose to the committee specified data which should be localised in India. After this, the committee will review the requirement, hold consultations, and issue final recommendations. The Government seems to view the above provision as a means to prevent disruptions that could arise if sectoral regulators issue localisation notifications without following due process. To illustrate, the Reserve Bank of India, India’s banking regulator, requires that ‘payments data’ be stored only in India. Data localisation requirements are also specified under insurance laws.

(viii) Cross Border Data Transfer 

(a) The DPDP Act allows the Government, by notification, to restrict the transfer of personal data to any country outside India. Since the notification of the DPDP Act, the Government has not given any particular indication of which (if any) countries are likely to be subject to such restriction, and the DPDP Rules do not provide any more clarity on this issue. The general interpretation of the DPDP Act has been that cross-border transfer of personal data would be freely permitted to most countries, other than a (hopefully small) list of countries to which there would be an express prohibition on transfer. The DPDP Rules, however, seem to give the Government significant flexibility on cross-border data transfers and allow it to take a view on transfers on a case-by-case basis, expanding the scope of the provision as originally contemplated in the DPDP Act.

(b) The DPDP Rules provide that any processing of personal data within India or outside India, if it is in connection with the offering of goods or services to data fiduciaries in India, is subject to the general restriction that the data fiduciary shall comply with requirements imposed by the Government (through a general or special order), in respect of making such personal data available to any foreign state, or to any person or entity under the control of, or any agency of such state.

(c) This suggests that: 

(A) the restriction is not specific to any territory but is based on access, i.e. ensuring that a particular state and its agencies do not have access to the personal data irrespective of where that data is situated; and

(B) the Government can determine the list of states (or its agencies) to whom access should not be given, at any time, by means of an order. 

(d) In relation to (A), it is unclear what measures a data fiduciary is expected to take to prevent such access, especially as dependency on cloud-based services (which allow access from various geographies through the internet) is increasing. The drafting suggests that the Government will have significant flexibility in determining the state(s) that should be prohibited from having access to personal data, including at short notice, which adds further uncertainty when determining data storage and processing solutions.

(ix) Personal data breach

(a) The DPDP Act requires data fiduciaries to inform the Board and the data principals of any data breach ‘in such manner as may be prescribed’.

(b) The DPDP Rules have set out detailed requirements on the manner in which the notification has to be made, both to the data principal as well as the Board. While notifications to both the data principal and the Board must be made ‘without delay’, more detailed information (such as information on cause of breach, events leading up to the breach, remedial measures taken to prevent recurrence and report regarding intimation made to the affected data principals) must be submitted to the Board within 72 hours.

(c) While transparency is perhaps the rationale for imposing an obligation to notify all data breaches to both data principals and the Board, without any test of the ‘harm’ that such a personal data breach may cause, it should be considered whether this would be counterproductive. Notification of all breaches (and the consequent increase in the volume of notifications) could result in significant data breaches getting lost or not getting the attention they deserve, while also causing unnecessary panic in situations where it is not warranted. This will also result in a material compliance burden, both for data fiduciaries and for the Board, which will be compelled to consider all notifications made, irrespective of their severity. A preferable approach may be to introduce materiality criteria for determining the grounds of harm on which a breach notification should be made, with separate thresholds of materiality and/or harm for notification to data principals and to the Board.

(x) Implementation of security safeguards 

(a) The DPDP Act requires data fiduciaries to protect data in its possession or under its control (including in respect of processing done by a data processor) by taking reasonable security safeguards to prevent personal data breaches.

(b) The DPDP Rules, without prescribing any specific technical standards, have prescribed the minimum controls that a body corporate needs to implement to prevent personal data breach. In addition to data security measures (such as securing data through encryption, obfuscation or masking, use of virtual tokens), access controls, implementation of backups, and detection of unauthorised access, data fiduciaries are obliged to include appropriate provisions in the contracts with their data processors to ensure that such data processors also implement reasonable security measures.

(c) To enable the detection of unauthorised access, its investigation, remediation to prevent further access and continued processing in the event of such a compromise, data fiduciaries are also required to maintain logs and personal data for one year, unless other requirements apply under applicable law. This appears to be in addition to the CERT-In requirement to maintain logs for a rolling period of 180 days.

(xi) Processing of data of children or persons with disability 

(a) Under Section 9 of the DPDP Act, data fiduciaries may only process personal data of children or persons with disability after obtaining the ‘verifiable consent’ of the parent or lawful guardian, as the case may be. Consent in the case of persons with disability must be obtained from a lawful guardian appointed by a court of law, designated authority or local level committee under the law applicable to guardianship, and the data fiduciary will have to undertake due diligence to ensure the same.

(b) The DPDP Rules set out detailed requirements in relation to obtaining such consent for children, including illustrations of obtaining this consent in various scenarios. Data fiduciaries will now face the additional burden of verifying the age and identity of parents of minors who consent to the processing of a minor’s data. From the illustrations, it appears that not every data principal will be required to provide proof of age, and such obligations will apply only to minors who identify themselves as such or are identified by their parents. However, specific clarity on this has not yet been provided.

(c) The DPDP Act also requires data fiduciaries to not undertake behavioral monitoring of and targeted advertising towards children. It is not clear from the DPDP Rules whether this is restricted to children identified through the means above or if data fiduciaries will be required to undertake additional due diligence on all the users of its website and/or app.

(d) Specified data fiduciaries such as healthcare providers and educational institutions are exempt from obligations regarding children’s data for identified purposes, which are linked to the main objects of those institutions, as set out in the fourth schedule of the rules. This will significantly ease compliance burden for these entities. To illustrate, a clinical health establishment, mental health establishment or healthcare professional is exempted from obtaining consent if the purpose of processing the personal data is for the provision of health services by such establishment, to the extent necessary for the protection of the health of such child.

(e) Such obligations also do not apply to processing of data when it is done for (A) actions in the interests of the child under any law, (B) provision of subsidies, benefits, etc, (C) creation of a user account by email, (D) ensuring that information likely to cause a detrimental effect on the well-being of a child is not accessible to the child, (E) confirmation that the data principal is not a child and (F) undertaking due diligence for verifiable consent. Processing under these exemptions must be restricted to the extent necessary for the above purposes.

(xii) Consent Managers

(a) The DPDP Act establishes a new concept of consent managers, who are likely to become an integral part of the Indian ‘consent’ driven data privacy regime.

(b) Consent managers are registered entities (only entities which satisfy certain prescribed requirements are eligible) which act as a single point of contact to enable a data principal to manage, give, review and withdraw consent. Consent managers are accountable to the data principal. The DPDP Rules propose the manner of and conditions for registration of consent managers. They also specify the obligations applicable to consent managers, including the obligations to ensure that the data is not readable by the consent manager; to maintain records of consents, notices and disclosures; to implement reasonable security safeguards; and to avoid conflicts of interest. Data fiduciaries and data principals should prepare to engage with consent managers in order to ensure compliance with, and to exercise their rights under, the DPDP Act.

(xiii) Government empowered to call for information from data fiduciaries and intermediaries 

(a) Section 36 of the DPDP Act allows the Government to call for information from the Board, a data fiduciary or any intermediary, for purposes of the DPDP.

(b) The seventh schedule to the DPDP Rules sets out the purposes for which this information may be called for, and these are drafted very broadly to cover any use (A) by the state (or any of its instrumentalities) in the interest of the sovereignty and integrity of India or the security of the state; (B) for the performance of any function under any law for the time being in force in India; (C) for the disclosure of any information in fulfilment of any obligation under any law for the time being in force in India; and (D) for carrying out an assessment for notifying any data fiduciary or classes of data fiduciaries as SDFs.

(c) The broad access rights given to the Indian state and its agencies mean that India will continue not to meet the European Essential Guarantees for surveillance measures, as adopted on 10 November 2020, and will not be a jurisdiction to which personal data from the European Union can be freely transferred. Organisations from the EU transferring personal data to India will need to continue to take adequate measures to ensure the confidentiality and security of such personal data before transferring it, so as to meet the requirements of EU law.

(xiv) Processing for research, archiving or statistical purposes 

(a) The DPDP Act is only applicable to personal data capable of identifying an individual which is digital or has been digitised. Further, the DPDP Act is not applicable to processing (A) by instrumentalities of the state, as the Government may notify, in the interest of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, or (B) for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a data principal and such processing is carried out in accordance with such standards as may be prescribed.

(b) While the DPDP Rules have not provided any more detail in relation to the exemption given to the state and its instrumentalities, the DPDP Rules have, in the second schedule, prescribed the standards that must be complied with in order to be eligible for the exemption relating to research, archiving and/or statistical purposes. These ensure that processing is done (A) in a lawful manner, (B) to the extent necessary to achieve the purpose, (C) with reasonable efforts to ensure the accuracy of the data and with the implementation of reasonable security safeguards, and (D) with accountability for effective observance of the standards.

Conclusion 

While the timeline for enforcement of the DPDP Act is still unclear, with the draft DPDP Rules (which also include provisions for establishing the Board) now having been issued, the general expectation is that the Government will move towards implementation quite quickly. In October 2024 itself, the Government had in an informal meeting asked companies to begin the process of compliance with the DPDP Act and warned that significant lead time should not be expected, given the widespread familiarity with data privacy requirements, particularly among multinational corporations.

Except for some provisions in relation to data localisation and cross-border transfers, several of the provisions of the DPDP Rules are along expected lines and give clarity on the actions that data fiduciaries need to take to meet the deadline for implementation, whenever that may be. A large number of data fiduciaries have already started their compliance programs, and these draft DPDP Rules will help refine those programs; for those who haven’t, the issuance of the DPDP Rules hopefully serves as an impetus to start taking steps towards compliance soon.

Authors – Deepa Christopher – Partner and Aanchal Kabra – Associate 

Footnotes: 

1 Data protection rules balance regulation & innovation safeguard citizens’ rights: Vaishnaw, Indian Express, available at https://indianexpress.com/article/business/data-protection-rules-balance-regulation-innovation-vaishnaw-9759909/ (last accessed 7 January 2025); Exclusive interview | Union Minister Ashwini Vaishnaw discusses draft data protection rules, emphasises innovation, privacy, and digital compliance, CNBC, available at https://www.cnbctv18.com/business/information-technology/exclusive-interview-ashwini-vaishnaw-digital-personal-data-protection-rules-2025-19534563.htm (last accessed 7 January 2025). 

2 Sectoral needs to drive data localisation; restrictions to be applied only where needed: Govt, Financial Express, available at https://www.financialexpress.com/life/technology-sectoral-needs-to-drive-data-localisation-restrictions-to-be-applied-only-where-needed-govt-3707437/ (last accessed 7 January 2025).

Disclaimer: This alert only highlights key issues and is not intended to be comprehensive. The contents of this alert do not constitute any opinion or determination on, or certification in respect of, the application of Indian law by Talwar Thakore & Associates (“TT&A”). No part of this alert should be considered an advertisement or solicitation of TT&A’s professional services. This communication is confidential and may be privileged or otherwise protected by work product immunity.

Deepa Christopher

Partner, Bengaluru
