India’s Leap Towards an Era of Privacy: MeitY Releases Draft Digital Personal Data Protection (DPDP) Rules

by Harsh Walia* and Vanshika Lal**

Draft Digital Personal Data Protection Rules

In a significant development, the Ministry of Electronics and Information Technology (MeitY) has unveiled the Draft Digital Personal Data Protection Rules, 2025 (Draft Rules), marking a critical step forward after the enactment of the Digital Personal Data Protection Act, 2023[1] (DPDP Act). Released 16 months after the DPDP Act, these Draft Rules aim to provide much-needed clarity and operational guidance for its implementation. The DPDP Act represents India’s first comprehensive data protection framework, safeguarding all categories of personal data, unlike the earlier limited regime that focused solely on “sensitive personal data and information”. By introducing robust mechanisms for consent, notices, data principal rights, and breach notifications, the DPDP framework aligns India’s data protection standards with global benchmarks.

The Draft Rules are characterised by simplicity and clarity in language, making them accessible to a wide audience. Below are the key highlights:

(1) Form of notice

The Draft Rules mandate that any notice issued to data principals by data fiduciaries must be independently understandable without reliance on additional information. This ensures transparency and comprehensibility, promoting trust and informed consent.

(2) Consent managers

The DPDP Act has introduced the concept of consent managers. The Draft Rules now outline their eligibility criteria and obligations. A consent manager must be an entity incorporated in India with a minimum net worth of INR 2,00,00,000 (approximately USD 240,000). Additionally, they are required to demonstrate technical, financial, and operational capacity. The Draft Rules emphasise sound financial health and general character, though these requirements remain broadly defined. Incorporating specific, quantifiable benchmarks would eliminate this ambiguity and ensure uniform compliance.

(3) Reasonable security safeguards

Data fiduciaries and data processors are obligated to implement reasonable security measures, such as encryption and obfuscation, to protect personal data. They must maintain visibility over data access through appropriate logs and monitoring mechanisms, enabling the detection, investigation and remediation of unauthorised access, and must take measures to prevent its recurrence.

(4) Intimation of data breach

The DPDP Act mandates data breach notifications to data principals. The Draft Rules, however, do not differentiate among breaches based on severity, nature of data, or impact. Categorising breaches and introducing quantitative thresholds for notification would alleviate unnecessary burdens on data fiduciaries and spare data principals from constant intimations, while still ensuring timely intimation of critical incidents.

(5) Retention and erasure

The Draft Rules introduce data retention timelines for specific classes of data fiduciaries (for instance, an e-commerce entity having not less than 2 crore users in India is required to retain personal data for three years from the date on which the data principal last approached it for the performance of the specified purpose or the exercise of her rights, or from the commencement of the Draft Rules, whichever is latest) and require them to notify data principals 48 hours prior to data erasure if the specified purpose remains unfulfilled or rights remain unexercised. However, more clarity on the retention obligations of data fiduciaries not listed in the Third Schedule would be helpful. Comprehensive guidance would aid consistent adherence across sectors.

(6) Verifiable consent for children’s data and persons with disabilities

The Draft Rules detail processes for obtaining verifiable parental consent when processing the personal data of children and of persons with disabilities. This includes validating parental identity and age through reliable documents or digital locker tokens. Notably, the Explanatory Statement to the Draft Rules requires fiduciaries to confirm the parent-child relationship, a potentially onerous task. Further clarification on the extent of fiduciary diligence in such cases is imperative to avoid operational challenges. Additionally, the Draft Rules now provide clarity on what constitutes a “person with disability” under the Rights of Persons with Disabilities Act, 2016[2] and the National Trust for Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999[3].

(7) Obligations of significant data fiduciaries

The DPDP Act had introduced the concept of significant data fiduciaries (SDFs), to be determined on the basis of factors such as data volume, sensitivity, and potential risks to democracy and individual rights. While the Draft Rules state that SDFs must conduct annual audits and data protection impact assessments (DPIAs), they do not prescribe a format or manner for conducting such DPIAs. Further, while the DPDP Act provides the factors for determining an SDF, the Draft Rules do not shed any further light on how entities are to be classified on the basis of those factors. Such clarity would help determine whether only particular operations or business lines will be classified as an SDF, or whether an entire entity (which could be engaged in multiple businesses) will be classified as an SDF.

(8) Rights of data principals

The Draft Rules elaborate on the role of consent managers in enabling data principals to exercise their rights. They also specify the information consent managers must publish to facilitate the exercise of these rights, ensuring transparency and accessibility.

Conclusion

India’s data protection journey is unfolding against the backdrop of a dynamic Asia-Pacific landscape, where countries like Vietnam and Indonesia are enacting robust data protection laws, and China is advancing regulations for emerging technologies like deepfakes. The DPDP Act positions India as an active participant in the region, with the potential to influence the future governance of artificial intelligence and national cybersecurity. MeitY’s recent “Report on AI Governance Guidelines Development” highlights the DPDP Act’s foundational role in shaping cybersecurity frameworks. However, there are gaps that need to be addressed for efficient implementation of the DPDP Act. The Government may consider releasing “Frequently Asked Questions”, as was done in the case of the directions issued by the Indian Computer Emergency Response Team. These would help address aspects such as the form and manner of DPIAs, the classification of SDFs, and similar open questions.

From a business compliance perspective, implementation strategies should prioritise proactive measures such as:

(i) Conducting readiness assessments to align existing processes with the DPDP framework.

(ii) Investing in capacity-building for data protection officers and compliance teams.

(iii) Leveraging technological solutions like automated consent management and breach detection tools.

(iv) Conducting awareness and training sessions for employees and vendors.

By adopting these measures, businesses can not only ensure compliance but also build consumer trust and strengthen their competitive edge in a privacy-conscious marketplace. The DPDP Act and its Draft Rules, once finalised, promise to be transformative, setting a new benchmark for privacy governance in India.


*Partner, Khaitan & Co.

**Associate, Khaitan & Co.

1. Digital Personal Data Protection Act, 2023.

2. Rights of Persons with Disabilities Act, 2016.

3. National Trust for Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999.
