Draft Digital Personal Data Protection Rules: An Analysis
SUMMARY
Released on January 3, 2025, the much-anticipated Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) provide critical clarifications and elaborate on key provisions of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The Draft Rules address various aspects, including content and manner of notices, consent management, security measures, breach reporting, data retention, and the rights of Data Principals. They outline specific responsibilities for Data Fiduciaries and Consent Managers, including transparent notice requirements, robust security measures, verifiable consent mechanisms for children’s data, and procedures for reporting and mitigating data breaches. Significant Data Fiduciaries have additional obligations such as annual Data Protection Impact Assessments and stricter controls on algorithmic systems and cross-border data transfers.
The rules also introduce complex compliance requirements, such as stringent consent manager registration norms and extensive disclosure obligations, which may disproportionately impact smaller enterprises, as per Rashmi Deshpande, founder, Fountainhead Legal.
“The challenge for gaming and social media companies is two-fold: first, complying with these regulations entails significant investment in implementing the necessary mechanisms,” said Rashmi Deshpande, Founder, Fountainhead Legal.
“Second, there is a considerable risk that parents may withhold consent, potentially leading to a reduction in younger users.” One way to address this is by reimagining offerings for younger users, Deshpande said. “A notable example is YouTube Kids, launched by Google in response to increasing scrutiny over children’s data privacy under laws like COPPA in the US and GDPR in the EU.”
To comply, organizations must adopt technical and organizational safeguards, implement interoperable consent management platforms, and maintain detailed records of consent activities. They must communicate clearly with users, conduct regular audits, and put effective grievance redressal mechanisms in place. Specific challenges include managing data retention and erasure timelines, safeguarding cross-border data flows, and verifying the credentials of parents and lawful guardians of children or persons with disabilities.
Invitation for Stakeholder Comments
As these are Draft Rules, stakeholders are encouraged to submit comments and suggestions by February 18, 2025. This is a crucial opportunity to address operational concerns, propose practical adjustments, and ensure the rules are balanced and effective in achieving the DPDP Act’s objectives.
How Fountainhead Legal Can Assist
Fountainhead Legal offers comprehensive support in analyzing the Draft Rules, identifying their implications for businesses, and drafting detailed stakeholder comments. Our team of legal and data protection experts can help organizations navigate the complexities of compliance, propose actionable recommendations, and articulate well-informed feedback tailored to their specific industry and operations.
ANALYSIS OF THE DRAFT RULES
A. Content and Manner of Notices: The notice must be independently understandable without requiring reference to other information provided by the Data Fiduciary. It should clearly explain the personal data being collected, its purpose, and how it enables specific goods or services, using plain and accessible language. The notice must provide a link or means for individuals to withdraw consent, exercise their rights under the Act, and file complaints with the Data Protection Board.
B. Consent Manager Requirements:
- Registration Process: Consent Managers must be companies incorporated in India, meeting the eligibility criteria specified in the Draft Rules. Applicants must demonstrate technical, operational, and financial capacity, including a minimum net worth of INR 2 crore, and submit the necessary documentation to the Data Protection Board. The Board evaluates applications, either granting registration and publishing details online or rejecting them with reasons provided.
- Obligations and Compliance: Registered Consent Managers must enable Data Principals to give, manage, review, and withdraw consent securely and transparently. Their platforms must be designed so that personal data passing through them is not readable by the Consent Manager itself; they must maintain detailed records of consent activities for at least seven years and give Data Principals access to these records. They are required to comply with robust technical, operational, and organizational safeguards, avoid conflicts of interest, and operate independently without subcontracting their obligations.
- Transparency and Accountability: Consent Managers must publish information about their directors, promoters, and significant shareholders, along with measures to prevent conflicts of interest with Data Fiduciaries. Their governing documents must ensure adherence to specified obligations, with any changes requiring prior Board approval.
- Enforcement Actions: The Data Protection Board monitors compliance, issuing directives for corrective measures when non-adherence is identified. In cases of persistent violations, the Board may suspend or cancel registration to protect the interests of Data Principals. Any transfer of control of the Consent Manager requires prior approval from the Board.
- Technical and Security Measures: Consent Managers must implement robust technical systems, maintain an interoperable platform for managing consent, and ensure compliance with prescribed data protection standards. They must also adopt reasonable security safeguards to prevent data breaches and ensure audit mechanisms are in place to regularly monitor and report compliance to the Board.
C. State Exemptions for Data Processing: Government bodies can process personal data without needing explicit permission from individuals when offering public benefits, services, or documentation such as certificates or licenses. Such processing must align with the provisions of the Act.
D. Mandatory Security Measures & Retention: Data Fiduciaries are required to implement robust security measures to protect personal data from breaches, whether handled directly or by a Data Processor. These safeguards must include encryption, obfuscation, or tokenization of data, access control measures for computer resources, logging and monitoring to detect unauthorized access, and remediation processes to prevent recurrence. Additionally, organizations must ensure data availability and integrity through backups and continued processing mechanisms in case of compromise. Contracts with Data Processors must mandate these security measures, and technical and organizational frameworks should be in place to enforce compliance. Logs and data must be retained for at least one year unless a longer period is required by law.
E. Reporting Data Breaches: When a personal data breach occurs, the Data Fiduciary must promptly notify affected Data Principals in a clear and concise manner through their registered communication channels. The notification should include a description of the breach, its potential consequences, steps taken to mitigate risks, recommended safety measures, and contact information for further queries.
The Data Fiduciary must also inform the Data Protection Board without delay, providing a description of the breach and its likely impact. Within 72 hours, or a longer period if the Board allows, the Data Fiduciary must submit detailed updates, including the facts of the breach, mitigation efforts, remedial measures to prevent recurrence, and a report on the notifications sent to affected individuals.
F. Time Period for Erasure of Personal Data: Data Fiduciaries must erase personal data once the specified purpose for its processing is no longer served, unless retention is required by law. For e-commerce entities and social media intermediaries with two crore or more registered users, and online gaming intermediaries with fifty lakh or more registered users, the data must also be erased if the Data Principal has not engaged with the platform for three years. An exception applies to data necessary to enable the user to access their account or virtual tokens stored on the platform for transactions.
At least 48 hours before erasure, Data Fiduciaries must notify the Data Principal, providing an opportunity to log in or exercise their rights to prevent deletion. User accounts encompass any registered profiles or communication channels through which the Data Principal interacts with the Fiduciary’s services. These provisions ensure data retention is limited to necessity, promoting user privacy and regulatory compliance.
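As an added illustration, not part of the firm's analysis, the inactivity-erasure timeline above expressed as a retention sweep in Python. The user thresholds are those stated in the Draft Rules; the code assumes that "three years" is counted as 1095 days and that any interaction after a notice has been sent voids that notice and restarts the clock (neither point is settled by the Draft Rules). All account records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds stated in the Draft Rules for the three-year inactivity rule.
USER_THRESHOLDS = {
    "e-commerce": 20_000_000,     # two crore registered users
    "social-media": 20_000_000,   # two crore registered users
    "online-gaming": 5_000_000,   # fifty lakh registered users
}

# Assumption: the Draft Rules do not say how to count "three years"; 1095 days
# is used here and should be confirmed against the final Rules.
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_LEAD = timedelta(hours=48)   # notice must precede erasure by at least 48 hours


@dataclass
class Account:
    user_id: str
    last_interaction: datetime                  # last login, post, purchase, etc.
    notice_sent_at: Optional[datetime] = None   # when the pre-erasure notice went out
    legal_hold: bool = False                    # another law requires retention
    holds_virtual_tokens: bool = False          # stored tokens usable for transactions


def inactivity_rule_applies(platform_class: str, registered_users: int) -> bool:
    """True when the platform is large enough for the inactivity rule to bind it."""
    threshold = USER_THRESHOLDS.get(platform_class)
    return threshold is not None and registered_users >= threshold


def decide(account: Account, now: datetime) -> str:
    """Return the action due for one account at `now`."""
    if account.legal_hold:
        return "retain:legal-hold"

    erasure_due = account.last_interaction + INACTIVITY_PERIOD

    # Assumption: a notice only counts if the user has not interacted since it
    # was sent; a later login restarts the three-year clock and voids the notice.
    notice = account.notice_sent_at
    if notice is not None and account.last_interaction > notice:
        notice = None

    if now < erasure_due - NOTICE_LEAD:
        return "retain"                   # not yet within the 48-hour notice window
    if notice is None:
        return "notify"                   # send the pre-erasure notice now
    if now < max(erasure_due, notice + NOTICE_LEAD):
        return "await-notice-window"      # notice sent; the lead time has not elapsed
    if account.holds_virtual_tokens:
        # Exception in the Draft Rules: data needed to keep account access or
        # stored virtual tokens usable may be kept; everything else is erased.
        return "erase:keep-access-data"
    return "erase"


def run_sweep(accounts: List[Account], now: datetime) -> Dict[str, str]:
    """Evaluate every account and return user_id -> action."""
    return {a.user_id: decide(a, now) for a in accounts}


def sample_sweep() -> Dict[str, str]:
    """Constructed sample accounts (not real data) evaluated at a fixed instant."""
    utc = timezone.utc
    now = datetime(2025, 6, 1, tzinfo=utc)
    accounts = [
        # Inactive since 2022-05-31, notice sent 2025-05-29: the three-year
        # period (due 2025-05-30) and the 48-hour lead have both elapsed.
        Account("u1", datetime(2022, 5, 31, tzinfo=utc),
                notice_sent_at=datetime(2025, 5, 29, tzinfo=utc)),
        Account("u2", datetime(2025, 1, 1, tzinfo=utc)),          # recently active
        # Logged in on 2025-05-31, after a notice sent 2025-05-28: clock restarts.
        Account("u3", datetime(2025, 5, 31, tzinfo=utc),
                notice_sent_at=datetime(2025, 5, 28, tzinfo=utc)),
        Account("u4", datetime(2020, 1, 1, tzinfo=utc), legal_hold=True),
        # Notice sent at noon on 2025-05-31: 48 hours have not passed by 2025-06-01.
        Account("u5", datetime(2022, 5, 31, tzinfo=utc),
                notice_sent_at=datetime(2025, 5, 31, 12, tzinfo=utc)),
        # Erasure falls due on 2025-06-02: inside the notice window, no notice yet.
        Account("u6", datetime(2022, 6, 3, tzinfo=utc)),
        # Same timeline as u1, but the account holds virtual tokens.
        Account("u7", datetime(2022, 5, 31, tzinfo=utc), holds_virtual_tokens=True,
                notice_sent_at=datetime(2025, 5, 29, tzinfo=utc)),
    ]
    return run_sweep(accounts, now)
```

Run `sample_sweep()` to see one action per account; in a real deployment the sweep would run daily, `notify` would trigger the notice over the user's registered channel and record `notice_sent_at`, and `erase` would feed the retention job. The check `now < max(erasure_due, notice + NOTICE_LEAD)` is the part most often got wrong: the notice must precede erasure by at least 48 hours, so erasure cannot be brought forward simply because the three-year period has run out.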
G. Special Provisions for Children’s Data: Data Fiduciaries must adopt appropriate technical and organizational measures to obtain verifiable consent from parents before processing the personal data of children. This includes verifying the parent’s identity and age through reliable details already held by the Fiduciary or using information provided voluntarily, such as identity documents or tokens issued by authorized entities, including Digital Locker service providers. The Data Fiduciary must exercise due diligence to ensure that the individual claiming to be a parent is an identifiable adult. Similar diligence applies when verifying consent from lawful guardians of persons with disabilities, ensuring they are appointed by a court, designated authority, or local-level committee under relevant laws.
Data Fiduciaries must comply with legal frameworks, such as the Rights of Persons with Disabilities Act, 2016 or the National Trust Act, 1999, to validate guardianship and provide adequate safeguards during data processing. These measures ensure that the personal data of children and persons with disabilities is handled responsibly, with proper authorization and accountability.
H. Additional Obligations of Significant Data Fiduciaries: Significant Data Fiduciaries must annually conduct a Data Protection Impact Assessment and audit to ensure compliance with the Act and submit reports of significant findings to the Data Protection Board. They must exercise due diligence to ensure their algorithmic systems do not pose risks to Data Principals’ rights and must restrict cross-border data transfers for specified personal and traffic data, as determined by the Central Government.
I. Rights of Data Principals: Data Fiduciaries and Consent Managers are required to provide clear methods for Data Principals to exercise their rights, such as accessing or erasing their personal data, or nominating another person to exercise those rights on their behalf in the event of death or incapacity. This includes publishing on their websites or apps the procedure to be followed, the identifiers required, and the grievance redressal timelines, along with implementing technical and organizational measures to ensure timely responses.
J. Cross-Border Data Processing: Personal data processed within India or for services offered to individuals in India can only be transferred outside the country if the Data Fiduciary complies with restrictions and requirements specified by the Central Government, ensuring data security and regulatory compliance in international transfers.
K. Data Protection Board Formation: A Data Protection Board will be established to oversee compliance with the Act, mediate disputes, and ensure adherence to the rules. The Board will consist of appointed members, including a Chairperson.
Authors:
- Rashmi Deshpande
- Aarushi Ghai