
Deadline for Comments Fast Approaching on Draft Rules under the Indian Digital Personal Data Protection Act

Jan 31, 2025

This blog was originally posted on 31st January, 2025. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY SIDDHANT SHAHANE, REGULATORY COMPLIANCE SPECIALIST AND ANI NOZADZE, SENIOR REGULATORY COMPLIANCE SPECIALIST & TEAM LEAD, COMPLIANCE & RISKS


The Indian Ministry of Electronics and Information Technology has recently released the highly anticipated draft Digital Personal Data Protection Rules which aim to operationalise India’s Digital Personal Data Protection Act (“DPDP Act”), enacted in 2023 in line with the country’s commitment to create a robust framework for protecting personal data.

The rules are designed to empower citizens in a rapidly growing digital economy. They also seek to achieve the right balance between regulation and innovation in order to benefit India’s growing innovation ecosystem and digital economy. The rules also address existing challenges, such as unauthorised commercial use of data, digital harms and personal data breaches.

The rules are also accompanied by an explanatory note which aims to clarify some aspects of the draft Rules.

Key features of the draft Rules include:

Notice Given by Data Fiduciary to Data Principal

The notice given by the Data Fiduciary to the Data Principal shall:

  • Be presented and be understandable independently of any other information made available by such Data Fiduciary;
  • Give, in clear and plain language, “a fair account of the details” necessary for the Data Principal (the data subject) to give specific and informed consent for the processing of their personal data, which, as a minimum, includes:
    • An itemised description of such personal data; and
    • The specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing;
  • Provide the link for accessing the website or app, or both, and a description of other means, if any, using which the Data Principal may withdraw their consent (as easily as such consent was given), exercise their rights under the DPDP Act and make a complaint to the Data Protection Board.

Reasonable Security Safeguards

The draft Rules propose certain minimum safeguards that shall be put in place by Data Fiduciaries, who, according to the DPDP Act, are required to protect the personal data in their possession or under their control, including in respect of processing undertaken on their behalf by a Data Processor.

Significant Data Fiduciaries

Significant Data Fiduciaries are those who will be designated as a special class of entities under the DPDP Act, based on criteria such as the volume and sensitivity of the data processed and the risk of harm. The draft Rules require these entities to carry out an annual data protection impact assessment and audit.

Intimation of Personal Data Breaches

On becoming aware of any personal data breach, the Data Fiduciary must, to the best of its knowledge, intimate each affected Data Principal, in a concise, clear and plain manner and without delay, through their user account or any mode of communication they have registered with the Data Fiduciary.

The intimation requirement towards the Data Protection Board consists of two steps: an initial intimation at the time of becoming aware of the breach (without delay), followed by a more detailed intimation (given within 72 hours of becoming aware of the breach) which shall include, among other things, the measures undertaken to mitigate risks.

Registration of Consent Managers

Those who fulfil the conditions for registration of Consent Managers set out in Part A of the First Schedule (companies incorporated in India having a minimum net worth of INR 20 million) may apply to the Board for registration as a Consent Manager by furnishing such information and documents as the Board may publish.

Time Period for Specified Purpose to be Deemed as no Longer Being Served

Data retention periods are specifically limited for those Data Fiduciaries who belong to a class, and process personal data for a corresponding purpose, specified in the Third Schedule. Once the specified period has elapsed, they must erase the personal data, unless its retention is necessary for compliance with any law.

Data Fiduciaries have the obligation to inform Data Principals at least 48 hours before completion of the time period for erasure of personal data that such personal data will be erased upon completion of such period.

Other classes of Data Fiduciaries will most likely have to decide on retention periods on a case-by-case basis.

Contact Information of a Person to Answer Questions About Processing

Every Data Fiduciary is required to prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who can answer the questions regarding personal data processing on behalf of the Data Fiduciary.

Processing of Personal Data Outside India

The DPDP Act introduced the concept of a negative list, which will prohibit transfers of personal data to the specific jurisdictions on that list. Furthermore, the draft Rules state that transfers of personal data by a Data Fiduciary to any country or territory outside India are subject to the restrictions and requirements set by the Central Government.

Feedback from the public and stakeholders on the draft Rules can be submitted until 18 February 2025 through the MyGov platform.

It is anticipated that after the consultation process is completed and the Rules are adopted, they, along with the Act, will shortly enter into force in a phased manner.
