Your Data, Your Choice: Unpacking the Draft DPDP Rules 2025

Background 

India, with a population exceeding 1.4 billion, is experiencing an unparalleled digital transformation with a rapidly growing internet user base. According to the Telecom Regulatory Authority of India (TRAI), as of 2024, the country had over 970 million active internet users, making it the second-largest online market globally. Mobile phone penetration has reached approximately 80%, with 1.1 billion mobile connections as of 2022. This surge can be attributed to affordable smartphones, low-cost internet plans, and promotion through campaigns such as Digital India. However, while connectivity has increased, digital literacy remains uneven: only 38% of households in India are digitally literate, with a stark urban-rural divide. Digital literacy is significantly higher in urban areas, at 61%, compared to just 25% in rural regions.

This digital boom has resulted in an explosion of personal data generation, from financial transactions and health records to social media interactions. However, it has also made India one of the most targeted countries for data breaches, with over 12 million records compromised in 2022 alone. That number dropped by 56%, to 5.3 million breached accounts, in 2023. The lack of robust data protection measures has left citizens, many of whom are first-time internet users, vulnerable to privacy violations and misuse of personal information.

By addressing these challenges, the Digital Personal Data Protection Act 2023 and Draft Digital Personal Data Protection Rules 2025 aim to empower individuals with greater control over their data. Implementing such a framework is crucial not only for safeguarding individual privacy but also for ensuring equitable participation in India’s burgeoning digital ecosystem. These much-anticipated rules aim to streamline implementation of the Act and provide clarity on several provisions that remained ambiguous in the legislation.

The DPDP Act, 2023, India’s first comprehensive privacy law, lays down a framework for regulating the processing of digital personal data, safeguarding individuals’ privacy rights, and imposing obligations on entities handling such data. Key provisions of the Act include the recognition of data principals’ rights (such as access, correction, and erasure of personal data), stringent obligations for data fiduciaries, and penalties for data breaches.

However, while the Act provided a broad legislative framework, it left many operational and procedural aspects undefined, necessitating the formulation of detailed rules. The DPDP Rules address this gap by specifying how core provisions of the Act will be implemented, including processes for consent management, grievance redressal, and mechanisms to ensure accountability of data fiduciaries. These rules are critical for translating the principles of the Act into actionable, enforceable measures, paving the way for effective privacy protection in India.

The DPDP Rules are open for public comments until 18 February 2025.

Key Provisions of the Draft Rules

Rights of Data Principal

The DPDP Act and Rules introduce several robust measures to safeguard the personal data of individuals. Under the DPDP Rules, ‘Data Principals’—individuals whose personal data is being processed—are empowered with the right to access, correct, update, and erase their data. This ensures that individuals maintain control over their personal information, deciding how much data they want to share, how it is processed, and when they wish to stop its use entirely.

To further reinforce these rights, the Rules mandate the establishment of grievance redressal mechanisms for Data Principals. If a Data Fiduciary (the entity processing the data) violates these rights or fails to adhere to the provisions of the Act, individuals have recourse to address their grievances.

Data Protection Board and Consent Managers

The Data Protection Board of India (DPBI), set up by the Government, is tasked with monitoring compliance, adjudicating complaints, imposing penalties for data breaches, and ensuring accountability from Data Fiduciaries and Data Processors operating in India.

The Consent Manager, registered with the DPBI, acts as a single point of contact for Data Principals, simplifying the process of managing their personal data. Through Consent Managers, individuals can access, update, or erase their data, empowering them with greater control over their privacy.

Obligations of the Data Fiduciaries

Data Fiduciaries (individuals or organizations responsible for processing personal data) are bound by several key obligations under the DPDP Rules. Before processing any personal data, Data Fiduciaries are required to provide a clear and unambiguous notice to Data Principals. This notice must include an itemised list of the data being collected, the specific purpose of its collection, and how it will be processed. This transparency ensures that individuals are fully informed and can make decisions regarding their data with confidence. Additionally, Data Fiduciaries must implement robust security safeguards as outlined in the DPDP Rules to protect personal data against unauthorized access, breaches, or misuse. They are also required to establish accessible and efficient grievance redressal mechanisms to address any complaints or concerns raised by Data Principals.

The government has also introduced a category of data fiduciaries known as Significant Data Fiduciaries (SDFs). These entities are designated by the government based on the volume and sensitivity of the personal data they process, as well as their potential impact on national security, public order, or individual privacy. Significant Data Fiduciaries are subject to enhanced obligations to ensure a higher standard of data protection. One such requirement is conducting a Data Protection Impact Assessment (DPIA) on a periodic basis, typically every 12 months, to identify and mitigate risks associated with their data processing activities.

In the event of a data breach, all data fiduciaries, including SDFs, are required to notify each affected Data Principal promptly. This notification must include:

  • The nature of the breach, including what data was compromised.
  • The potential consequences of the breach for the individual.
  • The measures implemented by the fiduciary to address the breach.
  • Recommended steps the Data Principal should take to minimize further risks, such as changing passwords or enabling additional security features.

These provisions aim to enhance accountability and transparency, ensuring that both fiduciaries and Data Principals are adequately prepared to handle data-related incidents.

Processing Personal Data of Children

The DPDP Rules outline specific conditions that data fiduciaries must adhere to when processing the data of children (individuals under the age of 18). A key requirement is that consent from a legal guardian must be obtained before processing any personal data related to children. In addition to this, the Rules explicitly prohibit targeted advertising directed at children and behavioural monitoring of their online activities. These provisions aim to safeguard children’s privacy and protect them from exploitation or undue influence in the digital space.

However, the Fourth Schedule of the DPDP Rules introduces certain conditions under which data fiduciaries may be exempt from these obligations. If these conditions are not carefully adhered to, there is a risk of misuse or processing of children’s data without appropriate safeguards, potentially undermining the protection intended by the Act.

Gaps and Missing Links

While the DPDP Act and Rules aim to create a robust framework for data protection, several provisions require further clarification and refinement to ensure seamless implementation and effective safeguarding of personal data.

Overarching State Exemptions

The DPDP Act grants the government broad exemptions for data processing under Section 7(b), allowing the state to process personal data without obtaining consent from Data Principals for purposes such as providing subsidies, scheme benefits, or licenses. While the Act mandates adherence to certain processing standards, it lacks clear guidelines or benchmarks for these standards. Without explicit safeguards and accountability measures, this exemption risks being misused, potentially compromising the privacy rights of individuals. The government must clarify what constitutes these “standards” and ensure that they align with globally accepted norms for secure and ethical data processing.

Ambiguities and Practical Challenges

The DPDP Rules have some vague definitions and ambiguous language, which can create confusion, hinder compliance, and open avenues for misuse. For instance, Rule 6 requires the implementation of reasonable security safeguards, but terms such as “appropriate measures” and “reasonable measures” are subjective and lack specificity. Without concrete, measurable benchmarks, data fiduciaries may adopt inconsistent practices, leading to vulnerabilities in data protection.

Critical terms in the Act and Rules, such as “reasonable purposes,” “harm,” and “public interest,” are not clearly defined. This lack of clarity makes these provisions open to interpretation, which could result in inconsistent enforcement or even exploitation of loopholes.

Ambiguities in implementation details could lead to varying interpretations by data fiduciaries. This creates a compliance disparity between large corporations with dedicated data privacy teams and smaller entities that may struggle to navigate the ambiguities. By not addressing these ambiguities, the DPDP Act and Rules risk uneven implementation and potential legal challenges. Clear, precise language and actionable guidelines are essential to ensure all stakeholders understand their responsibilities and comply effectively with the Rules.

Inadequate Focus on Security Standards

While the Act prescribes periodic audits and Data Protection Impact Assessments (DPIAs) for Significant Data Fiduciaries, it fails to provide specific guidelines on how these should be conducted. Without clear direction, these assessments risk becoming superficial compliance exercises rather than effective tools for identifying and mitigating risks.

Similarly, the Act requires Consent Managers, Data Fiduciaries, and Significant Data Fiduciaries to implement “reasonable security safeguards” to prevent breaches or misuse of data. However, the lack of detailed implementation guidelines makes it challenging to ensure uniformity in practices. This vagueness dilutes the effectiveness of the safeguards and could hinder the goal of building trust in the system.

Recommendations for Improvement 

To enhance the effectiveness and clarity of the DPDP Act and Rules, the following recommendations are proposed: 

Clarify State Exemptions and Oversight: The broad exemptions granted to the government under Section 7(b) require strict criteria and transparent oversight mechanisms. Clear benchmarks should specify permissible purposes, the standards for processing personal data, and mechanisms to ensure accountability.

Clarify Exemptions for Research, Archiving, and Statistical Purposes: Ambiguities surrounding exemptions for research, archiving, and statistical purposes leave stakeholders uncertain about permissible activities. The government should provide clear definitions, specify eligibility criteria, and outline safeguards to ensure that these exemptions are not misused while still fostering innovation and public interest. 

Define Clear Security Standards: Terms such as “reasonable measures” and “appropriate safeguards” in the Rules lack specificity, making compliance subjective and inconsistent. The government should provide detailed technical and operational standards, including templates for audits, guidelines for Data Protection Impact Assessments (DPIAs), and best practices for implementing security measures. 

Strengthen Data Protection for Children: While the Rules prohibit targeted advertising and behavioural monitoring of children, the Fourth Schedule exemptions dilute these protections. The government should limit these exemptions and enforce strict penalties for violations. Additionally, guidelines for verifying the age of children and obtaining parental consent should be provided to prevent misuse. 

Public Awareness and Capacity Building: Raising awareness about data rights among citizens is essential. The government should launch public education campaigns and provide resources for small and medium enterprises to build their compliance capabilities. 

Establish a Detailed Implementation Timeline: A comprehensive implementation roadmap is essential to ensure stakeholders are prepared for compliance. The timeline should outline key milestones, including the development of guidelines, capacity-building for data fiduciaries, and the operationalization of the Data Protection Board. A phased approach can provide organizations sufficient time to adapt and address challenges systematically. 

Conclusion

The Draft Digital Personal Data Protection Rules, 2025, along with the DPDP Act, represent a significant step forward in establishing a framework for data privacy in India. By outlining rights for data principals, obligations for data fiduciaries, and mechanisms for grievance redressal, the framework addresses many key concerns of data protection in the digital age. However, the Act and Rules also leave critical gaps such as state exemptions, ambiguous provisions, and inadequate clarity on security standards.

For the framework to succeed, it must strike a balance between protecting individual privacy, ensuring compliance by data fiduciaries, and fostering innovation in India’s digital economy. Addressing ambiguities, providing clear implementation guidelines, and strengthening oversight mechanisms will be crucial in achieving these goals. Moreover, focusing on transparency, accountability, and public awareness can help build trust in the system and ensure its long-term effectiveness.

As India navigates its journey toward a robust data protection ecosystem, it must remain adaptable to emerging challenges, incorporate global best practices, and prioritise the interests of its citizens. Only then can the DPDP framework truly safeguard digital privacy while enabling India’s digital future.


Varada Marathe

Research Associate, SPRF India
