The Ministry of Home Affairs has, on December 31, 2024, finalized draft rules for the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “the Act”). These draft rules were the result of inter-ministerial consultations. Thereafter, on January 3, 2025, the Ministry of Electronics and Information Technology (“MeitY”) released the DPDP Rules (hereinafter referred to as “the Rules”) for public consultation, and stakeholders were given notice to submit their feedback/comments on the Rules by February 18, 2025. The Rules shall eventually come into effect on the date of their publication in the Official Gazette of India.
Background
With numerous incidents of data breaches and thefts, the urgent need for comprehensive data privacy and protection legislation was felt. The landmark Supreme Court judgement in K.S. Puttaswamy vs. Union of India played a pivotal role in this direction by declaring the ‘Right to Privacy’ a fundamental right under Article 21 of the Indian Constitution, thus acknowledging the need for data privacy and protection. Recognising the significance of personal data and its protection, MeitY on July 31, 2017, constituted a committee of experts under the chairmanship of (Retd.) Justice B N Srikrishna (“Justice Srikrishna Committee”) to:
(a) examine the various issues related to data protection in India;
(b) recommend methods to address the issues related to data protection in India; and
(c) suggest a draft Data Protection Bill.
On July 27, 2018, the Justice Srikrishna Committee submitted its report and the Data Protection Bill, 2018 to MeitY for consideration, and the same was placed before the stakeholders for suggestions. After several consultations and multiple revisions, on August 11, 2023, the Ministry of Law and Justice, Government of India, notified the Act of 2023.
The Act, although a milestone in Indian legislation, could not be implemented due to the delay in framing the Rules. Once the Rules come into effect, the provisions of the Act will be implemented in a phased manner, and the rights and safeguards contemplated under the Act will become available to consumers and to companies engaged in collecting and processing data. The Rules are meant to expand on various clauses of the Act and to bring clarity on the procedural aspects of implementing it, in consonance with the rules that apply to diverse specific industries.
ANALYSIS OF THE KEY PROVISIONS COVERED UNDER THE RULES
1. Notice & consent
One of the most important aspects of the Act is ‘consent’. Any individual whose data is being collected must give free consent to the use of that data by the person collecting it. According to Section 5 of the Act, consent must be accompanied or preceded by a ‘notice’, which is provided for under Section 4 of the DPDP Act. Rule 3 stipulates the content of such notice. The notice shall, in clear and plain language, provide the details necessary to enable the “data principal” to give specific and informed consent.
2. Consent manager
Section 2(g) of the Act defines “consent manager”, but there was no clarity as to who a consent manager could be or what its duties are. In this context, Rule 4 provides for the registration of consent managers with the Data Protection Board of India (“Data Protection Board”). Rule 4, inter alia, states that a consent manager shall be registered with the Data Protection Board, must be a company incorporated in India, and shall have a net worth of not less than INR 2,00,00,000 (two crore rupees). The Rules set out detailed duties of a consent manager for the protection of personal data.
3. Intimation of breach of data
Section 8(6) of the Act states that a “data fiduciary”, i.e. the person collecting and holding such personal data, must intimate the Data Protection Board and the affected data principals of any breach of personal data. In this context, Rule 7 stipulates a time limit of 72 hours within which a data fiduciary shall intimate the details of such personal data breach to the Data Protection Board.
4. Lapse of ‘specific purpose’ to collect data
Section 8(7)(a) of the Act states that a data fiduciary shall, unless retention is necessary for compliance with any law, erase the personal data upon the data principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier. In this context, Rule 8 provides a 3 year retention period for specified classes of data fiduciaries, such as e-commerce platforms, gaming platforms and social media; after the lapse of that period there is no specific purpose for which the data can be collected, processed and stored. Thus, the data must be erased after 3 years. Rule 8(2) specifies that the data fiduciary shall intimate the data principal, within 48 hours of expiry of the applicable time period, that their data will be duly erased.
5. Grievance redressal
As per Section 8(9) of the Act, data fiduciaries shall publish the contact information of a business contact who is able to answer the questions raised by data principals about the processing of their personal data. In this context, Rule 9 stipulates that the data fiduciary shall publish such information on its app or website or both, and intimate data principals through push notifications. In the event the data fiduciary falls under the ‘Significant’ category under the Act, the contact information shall be that of the data protection officer appointed by the significant data fiduciary.
6. Exemption on processing of data in certain cases
Rule 10 states that the data fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, and a data fiduciary shall not undertake tracking or behavioral monitoring of children or targeted advertising directed at children.
Further, Rule 11 states that provisions under Section 9(1) and 9(3) of the Act shall not be applicable to processing the personal data of a child by data fiduciaries as specified under Part A of Schedule IV to the Rules.
7. Data Protection Impact Assessment
Under Section 10(2)(c) of the Act, a significant data fiduciary must undertake periodic Data Protection Impact Assessments (“DPIA”). However, the Act does not provide any timeline for undertaking such a DPIA. In this context, Rule 12 provides that a significant data fiduciary shall undertake a periodic DPIA at least once a year, but the Rules do not lay down a definite procedure on how and when to conduct the DPIA.
8. Power of Central Government to call for information
Section 36 of the Act states that the Central Government may, for the purposes of the Act, require the Data Protection Board and any data fiduciary or intermediary to furnish such information as it may call for. In this context, Rule 22 enables the Central Government to require data fiduciaries or intermediaries to provide specific information of data principals for purposes outlined in Schedule VII (i.e. sovereignty and integrity of India or security of the State, performance of any function under any law, assessment for notifying any data fiduciary or class of data fiduciaries as significant data fiduciary).
IMPACT OF DPDP ACT ON CERTAIN INDUSTRIES
In the rapidly evolving digital landscape, various industrial sectors find themselves at the intersection where technology meets law. After the enactment of the Act, in addition to technological advancement and digital transformation, safeguarding and protecting the personal data of individuals has become a paramount duty for the various entities whose business depends upon personal data. A few of these businesses are:
(a) Manpower Recruitment Industry;
(b) Aviation Sector; and
(c) Healthcare Sector.
Manpower recruitment agencies work on a model where they collect personal data of employment seekers and employers, so that appropriate opportunities are provided to employment seekers and vacancies are filled as per the requirement of the employers. Therefore, the operations of such agencies depend upon and revolve around the exchange of personal data of individuals.
Similarly, in the aviation industry and the healthcare industry, airlines or airports and hospitals respectively become the data fiduciaries, as they decide the purpose and means of processing the personal data of data principals (passengers in the case of the aviation industry, and patients and/or their guardians in the case of hospitals).
However, with the advent of the Act and the Rules, the sectors/industries that collect personal data will now need to comply with the requirements of:
i. notice and consent;
ii. withdrawal of consent;
iii. erasure and retention of personal data;
iv. if it is a significant data fiduciary, the appointment of a data protection officer; and
v. grievance redressal.
In the event the aforesaid sectors/industries fall short in compliance or breach any provision of the Act, they would be liable to a monetary penalty of up to INR 250,00,00,000 (Indian Rupees two hundred and fifty crore).
CONCLUSION
Although the DPDP Rules will greatly increase the efficiency and implementation of the Act, certain issues are not covered by the DPDP Rules and remain ambiguous:
i. There is no specified time period within which intimation of the personal data breach is to be given to the data principal who has been affected. This creates an opportunity for data fiduciaries to set their own arbitrary timelines.
ii. Rule 4 provides that data principals who gave consent for the collection and processing of their data before the commencement of the Act shall also be provided with a notice as soon as it is reasonably practicable. The words ‘as it is reasonably practicable’ do not provide clarity, and the provision appears contentious.
iii. The Rules, inter alia, provide that the transfer of personal data processed by a data fiduciary to any country or territory outside India is subject to the restriction that the data fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of, or any agency of, such a State. However, as the draft Rules stand today, this provision does not clearly specify the circumstances under which personal data may be transferred outside India. Such a transfer can have the effect of the laws of another country becoming applicable to personal data processed in India, or outside the territory of India in connection with any activity related to offering goods or services to data principals in India; the transfer therefore needs to be regulated.
iv. There is a lack of clarity on the scope of a DPIA and on the procedure to be adopted for conducting one, including timelines and the qualifications of the person supervising or conducting the DPIA. Unlike the DPDP Act, the GDPR explains and defines the DPIA as part of the “protection by design” principle. It mandates that organisations conduct a DPIA when they carry out data processing activities that are likely to result in a high risk to the rights and freedoms of individuals, particularly where systematic and extensive profiling occurs, where special categories of data (e.g., health, racial or genetic data) are processed, or where new technologies or large-scale data processing that may impact privacy are involved. Similar principles could perhaps be adopted and applied to DPIAs under the Act and Rules.
v. The Act and the Rules shall be effective mainly for organised sectors, wherein the personal data proposed to be processed is collated as per the provisions embodied in the Act and Rules. However, for personal data collated in the unorganised sector (e.g. by real estate brokers), or personal data misused by the employees/agents of the person collating it (e.g. misuse of the PAN card/Aadhaar card collected by the employees/distributors/sellers of SIM cards of a mobile connectivity provider), there is no mechanism that can protect the identity/interest of the data principal. In addition to the Act, the government also needs to streamline the implementation of the applicable criminal laws to control the onslaught of identity theft and online fraud that originates from the theft of personal data or information.
vi. The data fiduciary should be responsible for ensuring that no data collated by it is misused by its employees or agents. For this purpose, the data fiduciary can formulate internal checks to prevent or detect such misuse or leakage of personal data, and a compliance officer or auditor can be appointed specifically to ensure that no such misuse occurs.
The Rules do provide a measure of clarity on the implementation and operationalisation of the Act, as well as on the direction in which the data protection ecosystem is expected to evolve. While international precedents have been considered, there may be a need to expand the scope of the Act and Rules to cover the larger informal sector and others not explicitly covered as of now.