Wednesday, January 22, 2025

DPDPA rules 2025: Advancing data privacy but challenges remain unresolved

New data protection rules boost transparency, yet compliance gaps persist

The Digital Personal Data Protection Rules, 2025, mark a new phase in data privacy in India. These rules, developed under the Digital Personal Data Protection Act (DPDPA), 2023, aim to strengthen the protection of personal data, enhance individual rights, and set clear operational guidelines for data fiduciaries (entities that determine the purpose and means of processing personal data).

The DPDPA Rules, 2025, provide much-needed clarity (‘hits’) in several areas, strengthening data protection and transparency. One significant aspect is the emphasis on clear notices from data fiduciaries, ensuring that individuals are informed about the purposes of data collection, data categories, and their rights, including consent withdrawal and complaint mechanisms. The rules also enhance data principal rights by granting individuals the ability to access, correct, and erase data, as well as withdraw consent, with fiduciaries required to establish clear mechanisms for exercising these rights.

In the event of a data breach, fiduciaries must promptly notify both data principals and the Board, detailing the nature, scope, and impact of the breach. Additional information must be provided within 72 hours to facilitate timely mitigation.

To safeguard children's personal data, the rules mandate verifiable parental consent, relying on reliable identity and age verification methods for parents, such as government-issued virtual tokens. However, this requirement does not extend to specific sectors such as healthcare and education. Educational institutions and healthcare companies are exempt from obligations related to obtaining verifiable parental or guardian consent and restrictions on behavioural targeting of children, ensuring the practical implementation of the Act.

Security remains a core focus, with mandated measures such as encryption, virtual tokens, access management, logging and monitoring, data backups, and log retention for one year to detect breaches. These measures establish a foundational security framework across all data fiduciaries, which must also be extended to data processors.

Despite the strengths of the DPDPA Rules, 2025, several areas lack clarity (‘misses’), posing challenges for compliance and implementation. One major concern is the ambiguity surrounding the classification of Significant Data Fiduciaries. While the Act identifies several factors—such as entities handling large volumes of sensitive data, risks to the rights of data principals, and state security—the rules do not define precise criteria for qualification. This, along with broader regulatory uncertainties, increases compliance burdens, particularly for smaller organisations that struggle with audits, Data Protection Impact Assessments (DPIAs), and reporting obligations.

Additionally, the rules adopt a one-size-fits-all approach to data breach management, treating all breaches equally regardless of severity. This could lead to inefficiencies by failing to prioritise incidents based on their impact.

Another gap exists in the notification requirement for data collected before the Act came into effect, as no timeline has been specified for informing data principals, leaving a compliance loophole. Start-ups also face uncertainty due to the absence of clear thresholds or conditions for exemptions from the obligations of a data fiduciary.

Cross-border data transfer policies remain undefined, with no specified list of restricted countries or clear instruments for enabling transfers, leaving businesses dependent on future government decisions. Similarly, the rules do not clarify whether DPIAs must be conducted by an independent party or outline the format and necessary details, nor do they provide guidance on the eligibility and empanelment of data auditors.

The exemption for research, archiving, and statistical purposes applies only when prescribed technical safeguards are maintained. However, it remains unclear whether this exemption is limited to central and state bodies involved in research-related activities for public interest or whether it also extends to private corporations engaging in research-related activities for corporate benefits.

Another area that needs more clarity is the role of consent managers. While the rules specify the registration requirements and obligations of consent managers, further guidance is needed on the use of internal consent management capabilities (either custom-developed for the data fiduciary or via a third-party platform) versus the use of external consent managers registered with the Data Protection Board.

In conclusion, the DPDPA Rules, 2025, represent a significant advancement in India’s data protection landscape, strengthening transparency, consent mechanisms, and breach reporting. However, unresolved ambiguities must be addressed to ensure comprehensive compliance. To strike the right balance between privacy, innovation, and enforceability, continuous engagement among businesses, regulators, and stakeholders is essential. The Ministry has shown keen interest in a collaborative approach, which will be crucial to refining the framework, making it more adaptable, practical, and future-ready for India’s evolving digital ecosystem.
(Mini Gupta is Technology Consulting – Partner at EY India)
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper