The government notified the draft Digital Personal Data Protection Rules aimed at safeguarding citizens’ rights to protect their personal data.
The objective of the rules is to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), in line with India’s commitment to create a robust framework for protecting digital personal data.” The draft rules aim to establish a robust framework for personal data protection while balancing compliance with ease of doing business,” said Ankit Rajgarhia, Principal Associate, Karanjawala & Co.
The objective is to provide a data protection framework. Data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data. The draft Rules under the Digital Personal Data Protection Act, 2025, reflect India’s bold vision for a secure and inclusive digital future. With innovative features like Consent Managers, mandatory breach notifications to individuals, and algorithmic assessments, these Rules strike a fine balance between protecting individual rights and fostering digital innovation,” said Ankit Sahni, Partner, Ajay Sahni & Associates
The rules empower citizens by giving them greater control over their data. Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms. Parents and guardians are empowered to ensure online safety for their children. “The draft rules underscore the government’s commitment to fostering a secure digital environment while enabling innovation. However, stakeholders are likely to highlight challenges, such as the potential for compliance costs, the complexity of cross-border data transfer restrictions, and ensuring effective enforcement,” he said.
The draft rules provide exemptions from obligations in processing personal data of children to specific types of Data Fiduciaries and for certain purposes, subject to conditions laid out in Schedule IV such as healthcare professionals, educational institutions, and childcare providers, are exempt from specific provisions related to children’s data.
Further exempting from the Act for research, archiving, or statistical purposes. The Act does not apply to the processing of personal data carried out for research, archiving, or statistical purposes if it adheres to the specific standards outlined in Schedule II.
The objective of this exemption is to ensure that necessary data processing for academic and policy research can occur while maintaining certain safeguards and standards to protect personal data.”While Schedule 2 of the Draft DPDP Rules provides specific standards for the processing of personal data by the state and its instrumentalities under section 7(b) and for the purposes specified in section 17(2)(b), Rule 15 allows exemptions for research, archiving and “statistical purposes” – without providing an exhaustive definition of what “statistical purposes” entails,” said Pranav Bhaskar, Partner, SKV Law Offices
The Draft Rules outline additional obligations of Significant Data Fiduciaries bringing specific responsibilities for Significant Data Fiduciaries.
The provisions mandate that these Fiduciaries must conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year. The results of these assessments and audits must be reported to the Board, which needs to contain key findings related to their adherence to data protection requirements.
Further, the provision holds Significant Data Fiduciaries accountable for verifying that any algorithmic software they use to process personal data does not pose a risk to the rights of Data Principals.
This includes algorithms used for data hosting, storage, and sharing. Entities must adopt measures to ensure that personal data identified by the Central Government is processed in compliance with specific restrictions, ensuring that the data and any related traffic data are not transferred outside of India. “One aspect which will require some clarity is para 12(4) of the draft rules which prescribes additional responsibility on significant data fiduciaries for data localization in addition to the general data localization requirements stated in section 16 of the Digital Personal Data Protection Act,” said Goldie Dhama, Partner, Deloitte.
Nakul Batra, Partner, DSK Legal also highlights the issue related to the transfer of personal information outside India is subject to further restrictions and conditions that the government may prescribe. “While it is unclear at the moment if the intent is to put data localization restrictions, but this is likely to ensure that the transferee country meets the data protection adequacy requirements,” he added.
The proposed framework aims to lessen the compliance burden for smaller businesses and startups. An adequate period would be provided so that all stakeholders, from small enterprises to large corporations, may transition smoothly to achieve compliance with the new law. “It would be time-sensitive for businesses to evaluate the adequacy of their existing measures and allocate dedicated budgets for a tech-enabled compliance approach. The draft is open for public consultation till Feb 18 and businesses should use the window to engage with the government as we take one step closer to DPDPA’s implementation,” said Arya Tripathy, Partner, Cyril Amarchand Mangaldas.
The objective is to strike a balance between fostering innovation and regulation to protect personal data. Unlike restrictive global frameworks, these rules encourage economic growth while prioritizing citizen welfare.