IT Ministry notifies draft rules under data protection law
The Hindu
Draft Digital Personal Data Protection Rules, 2025 released by Indian government to enforce data protection principles and regulations.
The Union government on Friday (January 3, 2025) evening released the draft Digital Personal Data Protection (DPDP) Rules, 2025, which will enforce provisions of the Digital Personal Data Protection Act, 2023. While the Act was passed over a year ago, the rules that will result in its enforcement have thus far been under development, and are only now being floated for public consultation. The DPDP Act provides a legal framework for “data fiduciaries” — entities that collect personal data from “data principals” or users — in order to protect that data against misuse and penalise firms who violate data protection principles.
The draft rules are open for public feedback until February 18. “The submissions will be held in fiduciary capacity in MeitY and shall not be disclosed to any one at any stage,” the Ministry of Electronics and Information Technology said on the MyGov portal, where it is accepting submissions from stakeholders.
The draft rules specify the nature of the notice that data fiduciaries must provide users when collecting their data: what data they’re collecting, why they’re collecting it, and “a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data”.
The draft also provides for the registration of so-called consent managers, which work with data fiduciaries for collecting consent under the specified format from users. Subject to certain “standards,” the government and its “instrumentalities” can collect data for the purpose of providing subsidies and benefits, the draft rules say. Data collected for “statistical” purposes is also exempt.
A data fiduciary “shall protect personal data in its possession or under its control … by taking reasonable security safeguards to prevent personal data breach,” the rules say, by providing for technical and operational safeguards. Within 72 hours of a data breach, the Data Protection Board of India (DPBI), which is yet to be set up, should be informed, the rules say.
In certain cases where a user has not used an e-commerce provider, social media platform, or online gaming service for an extended period of time, the rules say, their data must be deleted, after the user is given 48 hours of advance notice and time to stop the deletion. The contact information of a data protection officer must be provided on the data fiduciary’s website. “Significant” data fiduciaries must periodically conduct a “Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act,” the rules say.
For minors, “appropriate technical and organisational measures [shall be adopted] to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child,” the rules say.