Rules of protection: Draft regulations should enhance data security
The Act and the Rules refer to individual digital users as "data principals", and the Act is expected to offer individuals greater control over their personal information
The Ministry of Electronics and Information Technology last week released the draft “Digital Personal Data Protection Rules, 2025” for public feedback. This follows up on the Digital Personal Data Protection Act, 2023 (DPDP), which passed into law in August 2023. The Rules are critical in that these provide the details for the implementation framework of the Act. The Act and the Rules refer to individual digital users as “data principals”, and the Act is expected to offer individuals greater control over their personal information, with provisions like requirements for explicit consent and the right to access, correct, and erase data. Entities that collect data are referred to as “data fiduciaries”. The draft provides for registering “consent managers”, which may work with data fiduciaries for collecting consent from users. Entities with more than a specific threshold of users are classified as “significant”. This includes e-commerce entities with at least 20 million registered users in India, online gaming intermediaries with 5 million registered users, and social-media intermediaries with 20 million registered users. The responsibilities for fiduciaries have been outlined, and significant data fiduciaries have greater compliance requirements.
Broadly, the Rules do give principals much more control over their personal data (PD) than exists in practice today. Collection and use of data must occur with the explicit personal consent of principals. Principals may also ask for the deletion of their PD. Fiduciaries must not only obtain explicit consent for data collection; they must also inform principals of the purposes. They cannot hold the data for more than three years beyond the time it is required, and at least 48 hours before deletion, principals must be informed and given the option to review the data. The PD of underage individuals, and of individuals with specific disabilities, receives further layers of protection: the explicit, verifiable consent of legal guardians or parents must be obtained before such data is collected. In the case of a data breach, fiduciaries must inform principals about the breach and outline the possible consequences and the mitigation measures undertaken. Fiduciaries also need to appoint data-protection officers to conduct audits to ensure the new Rules are effectively implemented. Cross-border processing of Indian citizens’ data will be subject to “requirements” that are not specified.
However, some critical gaps remain. The Act itself gives sweeping powers to government agencies to collect, hold, and process personal data for very broadly defined purposes. The Rules could have modified or more closely defined such powers, but this has not been done. The Act and the Draft reiterate the setting up of a Data Protection Board, which has not yet happened, as well as the institution of consent managers; the entire PD-protection framework hinges on these institutions. Businesses will face challenges in implementing the new provisions, ranging from drawing up legal contracts for granular consent and appointing data-protection officers and consent managers to deploying advanced encryption algorithms and secure protocols. This will require big, expensive changes to business models, software upgrades, and new hires, adding considerably to overheads. Nevertheless, the Rules should ensure that India’s data security practices improve and, thus, offer better protection of privacy. This will help foster trust in the digital ecosystem, which is extremely critical.