Govt. Floats Draft Digital Personal Data Protection Rules, 2025 | Seeks Public Comments

  • By Taxmann
  • Last Updated on 9 January, 2025

Digital Personal Data Protection Rules 2025

G.S.R. 02(E) dated 03-01-2025

The Ministry of Electronics and Information Technology has floated the Draft Digital Personal Data Protection Rules, 2025. The draft rules prescribe procedures for the issue of notice by a Data Fiduciary to a Data Principal, the registration and obligations of Consent Managers, the process for intimation of a personal data breach, etc. The key provisions prescribed under the draft rules are summarised below:

(a) Manner of Serving the Notice by Data Fiduciary to Data Principal (Rule 3)

Data Fiduciaries must provide clear, standalone notices to Data Principals detailing personal data use, purposes, and rights, including consent withdrawal and complaint mechanisms. The notice must ensure transparency and informed consent for data processing.

(b) Norms for Registration and obligations of Consent Manager (Rule 4)

Consent Managers must register with the Board, adhere to specified obligations, and ensure compliance with conditions in the First Schedule. Non-adherence can result in directives, suspension, or cancellation of registration to protect Data Principals’ interests.

(c) Processing of personal data by the State for certain specific purposes (Rule 5)

The State and its instrumentalities may process personal data to provide subsidies, benefits, or services under laws, policies, or public funding, adhering to standards in the Second Schedule. Such provisions are governed by legal or executive powers and public financial resources.

(d) Security safeguards to be followed by the Data Fiduciary to prevent data breaches and to protect personal data from loss (Rule 6)

Data Fiduciaries must implement reasonable security safeguards, including encryption, access controls, logging, and backups, to prevent personal data breaches and ensure continued processing in case of compromise. Contracts with Data Processors must include provisions for adherence to these safeguards.

(e) Manner of intimation of data breach by the data fiduciary (Rule 7)

Upon discovering a personal data breach, a Data Fiduciary must promptly notify affected Data Principals and the Board with detailed information, including the breach description, likely consequences, mitigation measures, and remedial actions, while adhering to specified timelines.

(f) Timeline for erasure of personal data by the Data Fiduciary (Rule 8)

A Data Fiduciary must erase personal data after the time specified in the Third Schedule if the Data Principal neither engages with the specified purpose nor exercises rights concerning such data, unless retention is required by law. The Data Fiduciary must inform the Data Principal at least 48 hours before erasure, allowing the Data Principal to initiate contact or exercise rights.

(g) Process for obtaining consent for processing the personal data of a child or of a person with a disability who has a lawful guardian (Rule 10)

A Data Fiduciary must implement measures to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child or a person with a disability. Verification involves checking reliable identity and age details, either available with the Fiduciary or provided through authorized entities or Digital Locker services.

(h) Norms for processing personal data outside India (Rule 14)

The transfer of personal data outside India by a Data Fiduciary is restricted and subject to requirements set by the Central Government. These requirements apply when personal data is processed either within or outside India, particularly for activities related to offering goods or services to Data Principals in India.

The objections and suggestions, if any, may be submitted on the website of MyGov (https://mygov.in) by 18th February 2025.
