First Read on the Digital Personal Data Protection Rules 2025: Here’s what you need to know

Read our initial analysis of the draft Digital Personal Data Protection Rules, 2025.

tl;dr 

The Ministry of Electronics and Information Technology (“MeitY”) finally published the much awaited Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) on January 3, 2025 for public consultation. The Draft Rules are meant to operationalise the Digital Personal Data Protection Act, 2023; on a first read, we find them “too little, too vague, and too late”. Below, we offer our initial analysis of the Draft Rules.

Background 

After years of deliberation and several iterations of the data protection law, the Digital Personal Data Protection Act, 2023 (“Data Protection Act”) was enacted on August 11, 2023, establishing a governance framework for personal data protection. This was a long-awaited step for the enforcement of the fundamental right to privacy guaranteed under Article 21 of the Constitution, as affirmed in the landmark judgment of Justice (Retd.) K.S. Puttaswamy v. Union of India ([2017] 10 S.C.R. 569). However, the Data Protection Act could not come into force because the complementary Rules needed to operationalise it had not been released. After more than 16 months of anticipation, MeitY has now published the Draft Rules, which are open for public comments till February 18, 2025.

While the Draft Rules address some gaps, many issues remain unclear and are left to the discretion of the Union government. Recently, Ashwini Vaishnaw, the Minister for MeitY, clarified that this approach was intentional and aimed at avoiding overly prescriptive measures, given the rapidly evolving nature of digital technology. However, these omissions raise concerns, and the Draft Rules require further deliberation and analysis to fully understand their potential impact.

Analysis 

Notice Given by Data Fiduciary to Data Principal

According to Section 2(i) of the Data Protection Act, "Data Fiduciary" refers to any individual or entity who, either alone or in collaboration with others, decides the purpose and methods for processing personal data.

Section 2(j) provides us with a definition of a "Data Principal." It refers to an individual to whom the personal data pertains, and in cases where the individual is: (i) a child, it includes the child's parents or legal guardian; (ii) a person with a disability, it includes the lawful guardian acting on their behalf.

Section 5 of the Data Protection Act states that every request for consent for processing data made to a Data Principal under section 6 must be accompanied or preceded by a notice from the Data Fiduciary. This notice should inform the Data Principal about:

(i) the personal data and its intended purpose for processing;

(ii) how to exercise rights under section 6(4) and section 13;

(iii) how to file a complaint with the Data Protection Board of India (“DPBI”), as prescribed.

In the context of the above-mentioned Sections, Rule 3 of the Draft Rules spells out standards for the notice to be given by the Data Fiduciary to the Data Principal. The notice is required to be presented in clear and plain language and to include the details necessary to enable the Data Principal to give specific and informed consent for the processing of their personal data.

This includes a detailed description of the personal data, its specific purpose, and a list of goods and services that will use the personal data. The Data Fiduciary must also provide an easily accessible link to their website and/or app, along with the means for the Data Principal to withdraw consent, exercise their rights under the Act, and file a complaint with the DPBI.

While Rule 3 prescribes standards for the notice for consent that is to be given by Data Fiduciaries, the mechanism and specifics of how the notice is to be given are largely left to the discretion of the Data Fiduciaries. This raises the concern that Data Fiduciaries might engage in dark patterns and give notice in a manner that does not adequately inform Data Principals about the particulars of the data they are consenting to share. Clear and informed consent is the cornerstone of any data protection regime.

Reasonable security safeguards

Section 8(5) of the Data Protection Act states that the Data Fiduciary shall protect personal data in its possession or under its control by taking “reasonable security safeguards” to prevent personal data breach. To bring more clarity, Rule 6 of the Draft Rules expands on this requirement of “reasonable security safeguards”, specifying that Data Fiduciaries must, at a minimum, adopt suitable data security measures (such as encryption, obfuscation, masking and the use of virtual tokens), access control measures, and data backups to protect against data destruction or loss of access.

It also mandates the inclusion of appropriate provisions in contracts entered into between Data Fiduciaries and Data Processors, so that the Data Processor is bound to maintain the same reasonable security safeguards. This particular rule is a step in the right direction but still remains vague and requires more specifics. A lot will also depend on how it is implemented.
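Rule 6 names the measures but does not say what each one buys a Data Fiduciary. The following is an added illustration, not text or code from the Draft Rules or from IFF, of how three of the listed measures differ in practice: masking (irreversible, for display), virtual tokens (a random stand-in whose real value lives only in an access-controlled vault) and keyed pseudonymisation (deterministic, so records can still be joined). The sample record, the role names and the vault design are assumptions made for the example.

```python
"""Added example: masking, virtual tokens and access control for a personal
data record. Not from the Draft Rules or IFF; roles and data are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample record (not real data).
RECORD = {"name": "A. Sharma", "phone": "+919812345678", "email": "a.sharma@example.in"}


def mask_phone(phone: str, keep: int = 4) -> str:
    """Irreversible masking: keep only the last `keep` digits (e.g. for a
    support screen). Nothing about the hidden digits can be recovered."""
    digits = [c for c in phone if c.isdigit()]
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + "".join(digits[-keep:])


def mask_email(email: str) -> str:
    """Show the first character of the local part and the domain only."""
    local, _, domain = email.partition("@")
    if not domain:
        return "*" * len(email)
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


class TokenVault:
    """Virtual tokens: downstream systems carry a random token; the real value
    is stored only here, and detokenisation is gated on the caller's role.
    Every attempt is logged so access can be reviewed later.
    The allowed roles are an assumption for this example."""

    def __init__(self, allowed_roles=("support_l2", "dpo")):
        self._store = {}
        self._allowed = set(allowed_roles)
        self.audit = []  # (role, token, permitted?) for each attempt

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # random, reveals nothing
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        permitted = role in self._allowed
        self.audit.append((role, token, permitted))
        if not permitted:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._store[token]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonymisation (HMAC-SHA256): the same input under the same key
    always gives the same pseudonym, so records can be joined or deduplicated
    without the raw identifier. The key must be kept apart from the data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def protect_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """What leaves the secure zone: a token, masked display values and a
    pseudonym. The raw phone number and email do not appear."""
    return {
        "name": record["name"],
        "phone_token": vault.tokenize(record["phone"]),
        "phone_display": mask_phone(record["phone"]),
        "email_display": mask_email(record["email"]),
        "email_pseudonym": pseudonymise(record["email"], key),
    }


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)
    safe = protect_record(RECORD, vault, key)
    print(safe)
    print(vault.detokenize(safe["phone_token"], "dpo"))      # permitted role
    try:
        vault.detokenize(safe["phone_token"], "marketing")   # denied and logged
    except PermissionError as e:
        print(e)
```

The point for a Rule 6 reading is that these measures are not interchangeable: a masked value cannot be undone even by the Data Fiduciary, a token can be undone only by whoever reaches the vault, and a pseudonym is reproducible by anyone holding the key, so the key and the vault, not the tokens, are what the access control and backup obligations have to protect.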

Contact information of the person to answer questions about processing.

Section 8(9) of the Data Protection Act states that a Data Fiduciary shall, in the prescribed manner, publish the business contact information of a Data Protection Officer (if applicable) or of a designated individual who can address any questions raised by the Data Principal regarding the processing of their personal data. In relation to this, Rule 9 of the Draft Rules puts an obligation on Data Fiduciaries to prominently publish the contact information of a Data Protection Officer or a designated representative, enabling Data Principals to easily inquire about the processing of their personal data. This ensures clear communication channels for Data Principals.

Consent and Consent Managers

Section 6 of the Data Protection Act defines consent: it shall be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action, and shall signify an agreement to the processing of the individual's personal data for the specified purpose, limited to such personal data as is necessary for that purpose.

According to Section 2(g) of the Data Protection Act, a “consent manager” means a person registered with the DPBI, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. 

The Draft Rules, under Rule 4, outline specific provisions for Consent Managers that enable users to provide, manage, review, and revoke their consent for the processing of their personal data by Data Fiduciaries. It is further stated that companies meeting certain criteria are eligible to apply as consent managers. These managers must register with the DPBI and meet specific technical, operational, and financial requirements. The DPBI has broad discretion in approving consent managers and may request information from them. Consent managers must retain consent records for at least seven years and are prohibited from outsourcing services to data processors to prevent conflicts of interest with Data Fiduciaries.

Exemptions from Data Protection

Section 7(b) of the Data Protection Act allows the State and its instrumentalities to process personal data to provide subsidies, benefits, services, certificates, licences or permits in either of two situations: where the Data Principal has previously consented to such processing by the State, or where the data is already available in a database maintained by the State. In furtherance of this, Rule 5 proposes that state agencies can process personal data without fresh consent, as long as they inform users. However, the broad purposes lack clear limits, raising concerns about misuse and about bypassing the “proportionality” and “necessity” safeguards from the Puttaswamy judgment. Additionally, the unclear definition of “instrumentalities” raises fears of state surveillance.

Additionally, Section 17 provides exemptions for startups and certain Data Fiduciaries based on data volume. Rule 15 exempts data processing for research, archiving, or statistics but does not clarify what qualifies as legitimate research or who can use the exemption, nor does it require consent from Data Principals. 

Intimation of personal data breach

Section 8 of the Data Protection Act directs that a Data Fiduciary “shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach”, adding that in the event of a breach, “the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.” As part of this, Rule 7 of the Draft Rules outlines the obligations of a Data Fiduciary in the event of a personal data breach.

Under Rule 7(1), the Data Fiduciary is obligated to inform the affected parties (i.e., the Data Principals) in a “concise, clear and plain manner” and “without delay”, through their user account or any other mode of communication registered with the Data Fiduciary.

Such intimation is required to include a description of the breach (its nature, extent, timing and location) and its likely consequences, the measures taken to mitigate the risk, and the safety measures the user may take to protect their interests. In addition, the Data Fiduciary is also required to provide the business contact information of the individual who is empowered to respond on its behalf. Such a framework for intimation can promote accessibility, ensuring that individuals easily understand the nature of the breach and its potential consequences.

Further, under Rule 7(2) the Data Fiduciary is required to report such incidents to the DPBI: an initial intimation without delay, followed within 72 hours of becoming aware of the breach (or such longer period as the DPBI may allow on a written request) by a detailed report covering a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact; the events, circumstances and reasons leading to the breach; measures implemented or proposed, if any, to mitigate risk; any findings regarding the person who caused the breach; remedial measures taken to prevent recurrence; and a report regarding the intimations given to affected Data Principals.

While Rule 7(1) does not provide a clear timeline within which such incidents are to be communicated to the Data Principals, Rule 7(2)(b)(vi) specifies that the intimation to the DPBI ought to include a report regarding the intimations given to affected Data Principals. Read together, this implies that Data Principals should also have been notified within the same 72 hour window, although the Rules do not say so expressly.

Retention and erasure of personal data

Rule 8 requires the classes of Data Fiduciaries listed in Schedule III to erase personal data once three years have passed since the Data Principal last approached them for the specified purpose or exercised their rights, or since the commencement of the Rules, whichever is later.

In addition, Rule 8(2) requires that Data Fiduciaries inform the Data Principal of such erasure at least 48 hours prior to the completion of the time period for the erasure of such personal data.

Rule 13(2) provides for the erasure of personal data of the Data Principal upon submitting a request to the Data Fiduciary to whom the consent was given for processing such personal data.

Verifiable consent for children and persons with disabilities

Rule 10 of the Draft Rules sets out how Data Fiduciaries should handle the personal data of children and of persons with disabilities. The main focus is on ensuring that the parent or lawful guardian gives their consent before such data can be processed.

Data fiduciaries need to ensure that they get clear and verifiable consent from a parent before they process or use a child’s personal data.

To confirm that the person identifying themselves as the parent is an identifiable adult, the fiduciary is required to check their identity and age. This check can be done through reliable details such as identity documents, or through a Digital Locker, a government system where people store personal information; in the latter case the parent may need to provide their details via this government service.

For people with disabilities, data fiduciaries are required to check that the person claiming to be the guardian (the one making decisions for the person with a disability) is really the legal guardian. The guardian’s authority must be verified through a court order or official documents.

Instead of simply verifying that a parent or guardian has the authority to give consent, the law requires the collection of unnecessary sensitive data. Additionally, the requirement to use Digital Locker for identity verification raises substantial concerns about centralization. Digital Locker is a government-controlled system where individuals' personal details are stored and made accessible to various entities. People who may not wish to use Digital Locker or have no access to it will be forced to use it to verify their identity as a lawful guardian of children.

Rule 11 provides the exemption to certain types of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, from the requirement to obtain verifiable consent from a child's parent or legal guardian, provided the data is collected for specific purposes outlined in Schedule IV. Part A of the schedule lists these Data Fiduciaries, while Part B details the purposes for which the exemptions apply, including legal duties, issuing subsidies or benefits, creating user accounts for communication, and ensuring children don't access harmful content. Although the rule restricts data processing to activities like health services, educational activities, safety monitoring, and transportation tracking, the broad nature of these terms creates room for misinterpretation. For example, “educational activities” could be extended to include marketing or behavioral tracking on educational platforms, which deviates from the intended purpose of child protection. Similarly, safety monitoring could be misused to justify excessive surveillance or unnecessary data tracking, even in situations where it’s not truly required.

Obligations of Significant Data Fiduciaries 

Section 10 of the Data Protection Act states that the Union government may notify any Data Fiduciary or a class of Data Fiduciaries as a Significant Data Fiduciary. This will be done on the basis of factors like volume, sensitivity of personal data, rights of the Data Principal, potential impact on the sovereignty, integrity and security of India, risk to electoral democracy, and public order. 

The Significant Data Fiduciary, a subset of Data Fiduciary, will have stricter obligations. Under the Data Protection Act, the Significant Data Fiduciary must appoint a Data Protection Officer based in India, and an independent data auditor. Now, Rule 12 has enlisted more obligations for the Significant Data Fiduciaries, that includes:

  • Conducting a Data Protection Impact Assessment (“DPIA”) and an audit every year. 
  • Reporting the findings to the DPBI, showing how well they follow data protection rules.
  • Ensuring that any software they use to process personal data does not harm individuals' rights, including software for storage, hosting, and sharing data. 
  • Following specific rules when processing certain kinds of personal data, so that the data stays within India; under Rule 12(4) the Union government can also direct them not to transfer specified kinds of personal data out of the country.

While the DPIA and audits are good for data protection, the lack of clear guidelines on their depth could lead to weak assessments. Reporting to the DPBI might also become just a formality without proper external oversight. Further, the requirement to localise data on Significant Data Fiduciaries raises concern on cross-border data transfers and could significantly impact international trade in services. 

Rights of Data Principals  

Sections 11 to 14 of the Data Protection Act grant key rights to Data Principals. These include the right to access personal data, to request corrections, updates or erasure, to seek grievance redressal, and to nominate individuals to exercise these rights in case of death or incapacity. Building on these statutory rights, Rule 13 of the Draft Rules provides detailed guidelines for their implementation. It mandates Data Fiduciaries and Consent Managers to publish clear procedures on their websites or apps specifying how Data Principals can exercise their rights, including the means for making requests, the identifiers needed for verification, and the timeframe for grievance redressal. By operationalising the rights from Sections 11 to 14, Rule 13 helps Data Principals exercise their rights effectively, enhancing transparency and accountability in data protection practices.

While these provisions offer important steps toward data sovereignty and accountability, significant concerns about implementation, oversight, and potential misuse persist. The exception allowing Data Fiduciaries to share personal data with law enforcement without full transparency is deeply concerning. It creates a significant loophole that could be exploited for mass surveillance and undermines the overall privacy framework. This broad exception lacks adequate safeguards, which raises the risk of misuse and eroding trust in the system. 

Cross Border Data Transfer

The Data Protection Act allows cross border data transfers except to countries specifically restricted by the government. However, the Draft Rules do not specify which countries will be blacklisted; Rule 14 instead states that a Data Fiduciary wanting to transfer personal data to another country must abide by requirements that the Union government may specify. This applies in two situations: when the data was processed within India, or when the data was processed outside India but relates to offering goods or services to people in India.

These requirements will be notified through general or special orders, particularly when Data Fiduciaries intend to share data with a foreign government or any entity controlled by a foreign government. Additionally, Rule 12(4) provides that the Union government, on the recommendations of a committee constituted by it, can determine the kinds of personal data that Significant Data Fiduciaries must keep within India's borders. This grants the government significant power with a broad scope of authority.

The Draft Rules' proposal to restrict how Data Fiduciaries can share the data of Indian citizens with foreign governments is a positive step, but foreign companies operating in India could find themselves in a difficult position, and this rule can potentially lead to data localisation.

Appointment of Chairperson and other Members.

Rule 16 of the Draft Rules prescribes the method for appointment of the Members and the Chairperson of the DPBI through the constitution of a ‘Search-cum-Selection Committee’. This Committee, composed of government officials and two “experts” selected by the government, is responsible for recommending the candidates for appointment. Ultimately, the Union government has the authority to finalise these appointments. This structure raises significant concerns regarding the independence of the DPBI, as the process could be influenced by political considerations, undermining the DPBI’s credibility and impartiality. 

Notably, Rule 16(4) of the Draft Rules states that the Search-cum-Selection Committee cannot be called into question on the ground merely of the existence of any vacancy or absences in the committee or defect in its constitution. This effectively shields the Search-cum-Selection

Procedure for meetings of Board and authentication of its orders, directions and instruments.

Rule 18 outlines the procedure for the meetings and decision-making within the DPBI, including the Chairperson’s role, quorum requirements, and dealing with time-sensitive issues. The provision requires that the meetings of the DPBI be chaired by the Chairperson who shall fix the date, time and place of meetings as well as approve the items of the agenda. The quorum requires one-third of the members of the DPBI to be present.

In the case of an emergency, the Chairperson is required to record the reasons in writing and take any such action as necessary which is to be communicated to the DPBI within 7 days and ratified at the next meeting. 

Section 27 of the Data Protection Act empowers the DPBI to receive intimations of personal data breaches, inquire into them and impose the relevant penalties. Any inquiry by the DPBI on an intimation of personal data breach is required to be completed within six months from the date of receipt of the intimation under Section 27, and if the period is extended, the reasons are to be recorded in writing.

Rule 18(5) states that if a Member of the DPBI has an interest in any item of business to be transacted at a meeting of the DPBI, then they shall not participate in or vote on the same. This recognition of conflicts of interest ensures impartiality and prevents biased decision-making.

Terms and conditions of appointment and service of officers and employees of Board.

In addition to appointing the Chairperson and the Members of the DPBI under Rule 16, Rule 20 allows the Union government to approve the appointment of officers and employees of the DPBI and to dictate their terms and conditions of service. By having a say in both the staffing and appointment processes, the Union government increases its influence over the DPBI's overall operations, severely limiting the DPBI's ability to act autonomously.

Appeal to Appellate Tribunal.

Rule 21, concerning appeals to the Appellate Tribunal from orders of the DPBI, raises several concerns regarding accessibility and fairness. The requirement for appeals to be filed only in digital form under Rule 21(1) could potentially exclude individuals without reliable internet access or digital literacy, creating barriers for certain groups. Furthermore, while digital tools aim to increase efficiency, the reliance on digital hearings may exclude those unable to participate in such proceedings, further hindering access to justice.

The appeal fee structure under Rule 21(2) does allow the Chairperson of the Tribunal to waive the fee at their discretion, but it fails to specify any clear criteria for when or why the fee may be waived, leading to potential inconsistencies and a lack of transparency in the decision-making process. 

Additionally, the Tribunal’s discretion to regulate its own procedures, independent of established civil procedure laws, could result in unpredictable outcomes and inconsistent application, undermining fairness and transparency in the appeals process. 

Excessive state powers to access data from data fiduciaries and intermediaries

Section 36 of the Data Protection Act read with Rule 22 of the Draft Rules gives the Union government, acting through an authorised person, the power to demand “any” information from a data fiduciary or an intermediary for the purposes listed in the Seventh Schedule. The two purposes in the Seventh Schedule are discussed below.

The first purpose of the Seventh Schedule allows the State or any of its instrumentalities to call for the personal information of individuals in the interest of the sovereignty and integrity of India or the security of the State. The authority that may call for such personal data is essentially any body of the State that the Union government notifies for this purpose. As it currently stands, the list of such authorities has not been notified by the Union government.

This provision has wide-ranging consequences for the data protection of people in India. Terms such as ‘sovereignty’, ‘integrity’ and ‘security’ do not have clear-cut definitions or commonly held meanings. This allows the Union government to arbitrarily designate any situation it deems fit as necessary for the sovereignty, integrity and/or security of India and call for the personal data of people. There is a huge potential for the Union government to misuse this power and call for personal data for surveillance, policing, stifling dissent and furthering the agendas of the ruling parties or government. Further, this could also require data fiduciaries and intermediaries to break End-to-End Encryption (“E2EE”), which goes against the terms and conditions under which Data Principals agreed to share data with data fiduciaries in the case of encrypted platforms.

Unchecked access to personal data by the state violates the right to privacy as established under Justice K. S. Puttaswamy v. Union of India [2017] 10 S.C.R. 569. While K. S. Puttaswamy does allow for the privacy of individuals to be balanced against legitimate state interests, the fact remains that Rule 22 does not provide for any checks or protections to adequately perform this balancing task. If at all, this power had to be given to the state, protections to safeguard personal data from misuse by the state ought to be built in. This could take the form of (i) more stringent language which states that personal information may only be called for as a last resort in extreme circumstances, (ii) a requirement for permission to be taken from an independent review committee before calling for personal information and (iii) a ban on breaking E2EE while calling for personal data.

The second purpose of the Seventh Schedule includes similarly vague language wherein the Union government may call for data for the performance of any function under any law and for disclosure of any information for fulfilling any obligation under any law. This can also result in individual privacy being sacrificed at the altar of state interests, especially since there are no safeguards or privacy protections built in. 

Lastly, it is also pertinent to note that the Draft Rules also prevent the data fiduciary or intermediary from disclosing information about such demands, in situations where it could “prejudicially affect the sovereignty and integrity of India or security of the State”, a provision that could be broadly interpreted and potentially lead to arbitrary action by the government. This also results in a lack of transparency as citizens will be completely left in the dark as to the type and amount of data that was called for by the Union government from data fiduciaries and intermediaries. 

Conclusion

The Draft Rules, released by MeitY, mark an important step in implementing the Data Protection Act, however, they still present several challenges. While they address several key issues such as the obligations of Data Fiduciaries, security measures, and the rights of Data Principals, the rules remain vague in several areas and leave room for discretionary interpretation by the government. The lack of specificity around crucial aspects like data breach notifications, exemptions, and cross-border data transfer raises questions about potential misuse, particularly regarding state access to personal data. Furthermore, the rules give the government broad powers to compel data sharing under vaguely defined circumstances, which could lead to surveillance and undermine privacy protections. The appointment process for members of the DPBI and the potential for arbitrary state interventions create additional concerns about the independence and effectiveness of the regulatory framework. As the Draft Rules remain open for public consultation until February 18, 2025, it is crucial that they undergo further scrutiny and refinement to ensure robust data protection that upholds privacy rights while balancing state interests.
