DRAFT DIGITAL PERSONAL DATA PROTECTION RULES 2025: A LEAP TOWARDS DATA PRIVACY IN INDIA

INTRODUCTION

At a time when personal information is handled like money and traded as currency, India has made a significant move to guard its citizens’ data and privacy. Whether we are buying groceries online or managing our banking, keeping our data private is increasingly pivotal. As internet usage in India increases, so do concerns about securing personal information. Online shopping and communication lead to a large volume of data collection, but this information is not well protected because of weak regulations. To close these loopholes and prevent exploitation, the DPDP Rules 2025 have been introduced. These rules seek to strengthen and tighten the data protection framework.

WHAT ARE THE DRAFT DIGITAL PERSONAL DATA PROTECTION RULES 2025?

The Draft Digital Personal Data Protection Rules 2025 intend to regulate and govern the collection, processing, and retention of individuals’ personal data in order to protect their privacy rights. They take into account four main stakeholders:

  • Data Principals: The persons whose data is processed.
  • Data Fiduciaries: The bodies processing data on behalf of the data principals.
  • Consent Managers: Intermediaries that manage and facilitate the process of consent for data processing.
  • Data Protection Board: An oversight body responsible for hearing complaints and enforcing compliance.[1]

Data Fiduciaries are businesses and organizations, such as social media platforms, e-commerce companies, and online gaming platforms, that collect and process the personal data of users. Among the salient principles in the Draft Rules is informed, specific, and explicit consent by the data principal before their data is processed. According to Rule 3 of the Draft, data fiduciaries must issue clear, itemized notices of the purposes of data processing, and there must be an easy procedure for withdrawal of consent. The data is to be erased once the purpose is fulfilled, subject to 48 hours’ advance notice to the data principal. Rule 13 gives individuals the right to seek erasure of data, designate digital nominees, and obtain accessible data management tools, so that they can be masters of their data and it is not misused or stored unnecessarily long. However, data processing for purposes such as archiving, research, or statistical analysis that meets set standards may fall outside the scope of the DPDP Rules 2025. The Rules also accommodate exemptions where needed to maintain children’s health or to safeguard public safety in educational or health facilities.[2]

Rule 4 pertains to the intermediaries that obtain data principals’ consent safely and transparently. These are known as Consent Managers. They need to be registered with the Data Protection Board, be transparent, reach a point of commonality with the data fiduciaries, and maintain confidentiality without accessing or divulging the contents of the data submitted by the data principals.[3] This matters especially in India, where literacy and digital literacy levels vary considerably across the country.

Rule 6 of the Draft mandates data fiduciaries to implement security controls such as encryption, masking, and data backup to mitigate breaches, while maintaining access logs to detect unauthorized access. These logs and backup data must be kept for at least one year. Rule 7 mandates that data fiduciaries notify individuals and the Board within 72 hours of a data breach, including its nature and impact. Data fiduciaries and consent managers also have to set up grievance mechanisms that address complaints expeditiously.[4] Businesses that handle large volumes of sensitive information, known as Significant Data Fiduciaries, are required to regularly perform Data Protection Impact Assessments. This policy will cover major digital platforms with large numbers of users, such as Facebook, Instagram, YouTube, Amazon, Flipkart, and Netflix, since they deal with massive amounts of user data.[5] Meanwhile, graded responsibilities will benefit startups and MSMEs by reducing compliance burdens. Transfers of personal data outside India, including to foreign entities, would be restricted and subject to certain conditions, which would help to ensure data sovereignty.[6]

Rule 10 provides greater protection to the data of minors. This protection is much needed, since children are increasingly active online and exposed to online privacy risks. For persons under eighteen years of age, verifiable consent of parents or legal guardians shall be required. For persons with disabilities, the consent of the person’s legally recognized guardian shall be required.[7]

The State may collect personal data in the process of issuing subsidies, benefits, and public services, on grounds of necessity and proportionality. It may require data fiduciaries to provide data for reasons of sovereignty, security, or legal obligation, but all of this is subject to scrutiny so as not to compromise individual privacy.[8] The Data Protection Board is a digital-first quasi-judicial body; it oversees compliance, handles grievance redressal, and metes out penalties according to the seriousness of the default and the degree of mitigation efforts. The DPDP Rules 2025 are “digital by design,” with consent mechanisms, grievance redressal, etc., operating digitally. The Data Protection Board operates as a digital office with a digital platform and app, so that citizens can file complaints and interact with workflows online rather than having to be present in person.[9]

POTENTIAL IMPLICATIONS AND CHALLENGES

The Draft Rules offer the industry an opportunity to succeed while also posing operational challenges. While people have greater control over their data, the complexity of consent mechanisms might make them hard for consumers to understand and navigate. Clarity in the rules and guidelines for international business is critical for a cosmopolitan approach. Moreover, these regulations may impose a disproportionate burden on SMEs in the form of compliance costs arising from data management.[10] However, compliance will lead to long-term consumer trust.

The landmark opportunity created by the Draft Rules can bring regulation and innovation into equilibrium and so help India’s digital economy flourish. MeitY envisions these rules as a global template for data governance. India’s data protection approach, according to Union Minister Ashwini Vaishnaw, is realistic and growth-oriented, balancing the need to protect citizens with creating space for innovation and reducing compliance burdens for startups and small businesses. Prime Minister Narendra Modi, at the United Nations Summit of the Future, spoke about a human-centric approach that represents India’s vision of putting people first in shaping the world’s future.[11] Hence, India can aspire to global leadership in the digital data protection domain by attracting foreign investment in the IT and Tech sectors.

CONCLUSION

For the DPDP Rules 2025 to operate effectively and efficiently, the government plans to educate people and the business community through awareness campaigns about what the Draft Rules require and what can be expected. As part of the Government’s commitment to an inclusive approach to law-making, the Ministry of Electronics and Information Technology has sought comments and views from stakeholders and the public through the MyGov platform till 18.02.2025.[12]

The Draft Digital Personal Data Protection Rules 2025 are a landmark step towards protecting the rights of Indian citizens over their digital privacy. The initiative focuses on the most critical aspects, such as consent, data retention, and grievance redressal mechanisms, thereby promising to address the individual’s rights within the complex challenge of enforcement versus digital innovation. Is this a turning point for India, positioning itself as the global leader within the digitally evolving economy?

Author(s) Name: Aditi Kumar (Nirma University, Ahmedabad)

References

[1] Archana Rao, ‘India Draft DPDP Rules 2025: Key Provisions and Updates’ (India Briefing, 6 January 2025) <https://www.india-briefing.com/news/india-draft-dpdp-rules-2025-key-provisions-updates-35697.html/> accessed 9 January 2025

[2] ‘Draft Digital Personal Data Protection Rules, 2025: A Comprehensive Overview’ (J. P. Associates, 3 January 2025) <https://jpassociates.co.in/digital-personal-data-protection-rules/> accessed 8 January 2025

[3] Rao (n 1)

[4] Anuj Bahukhandi and Armaan Tuli, ‘Draft Digital Personal Data Protection Rules 2025’ (Mondaq, 9 January 2025) <https://www.mondaq.com/india/privacy-protection/1566556/draft-digital-personal-data-protection-rules-2025> accessed 9 January 2025

[5] ‘Draft DPDP Rules 2025 Explained: Data Protection in India’ (Rediff MoneyWiz, 8 January 2025) <https://money.rediff.com/news/market/draft-dpdp-rules-2025-explained-data-protection-in-india/20626220250108> accessed 9 January 2025

[6] Ibid

[7] Draft Digital Personal Data Protection Rules, 2025: A Comprehensive Overview (n 2)

[8] Rao (n 1)

[9] The Hitavada, ‘Digital Data Protection Rules to Empower Citizens: Govt’ (The Hitavada, 6 January 2025) <https://www.thehitavada.com/Encyc/2025/1/6/Digital-data-protection-rules-to-empower-citizens-Govt.html> accessed 9 January 2025

[10] Draft Digital Personal Data Protection Rules, 2025: A Comprehensive Overview (n 2)

[11] ‘Draft Digital Personal Data Protection Rules 2025 Prioritise India’s Commitment to Citizen-Centric Governance: PM’ (The Statesman, 7 January 2025) <https://www.thestatesman.com/world/draft-digital-personal-data-protection-rules-2025-prioritise-indias-commitment-to-citizen-centric-governance-pm-1503383865.html> accessed 9 January 2025

[12] ‘Digital Personal Data Protection Rules Draft’ (Mathrubhumi, 5 January 2025) <https://english.mathrubhumi.com/news/india/digital-personal-data-protection-rules-draft-1.10225825> accessed 9 January 2025
