By Arun Prabhu and Arya Tripathy
Moving a step closer towards the implementation of India’s maiden data protection law, the government has released the draft Digital Personal Data Protection Rules, 2025, for public consultation.
The rules make an earnest attempt to bring procedural clarity to some building blocks, such as notice to seek consent, consent managers, retention periods for certain businesses, certain data principal rights, and breach notification. At the same time, they keep alive concerns around verifiable parental consent, obligations of significant data fiduciaries, exemptions, and implementation timelines, and revive some issues which we had hoped were put to rest, such as cross-border data transfers and the use of algorithms.
The long-awaited rules, published following much discussion and inter-ministry consultation, will be open for public comments for at least 45 days. Once finalised, certain parts of the rules (largely, dealing with the Data Protection Board or DPB) and corresponding parts of the DPA, will come into force upon their publication. The rest of the rules will come into force on a later date, to be specified in the final rules.
The Rules require that notice for consent be for specified purposes through a distinct document that is easily understandable. This notice must, at the least, provide descriptions of personal data, the specified purpose of processing, list goods or services and use cases to be enabled through processing, and provide clear means for exercising data principal rights.
While this emphasis on itemised details may help transparency and accountability, it will mean that businesses have to satisfy a demanding, rigid, and expensive consent regime. Given this background, entities may be well advised to examine their existing notices, grievance redress and data principal right mechanisms to meet timelines for implementation.
Substantial details about qualifications, functions, and obligations of consent managers, who will be a very important part of India’s new data ecosystem, have been provided in the rules. Entities must be incorporated in India, have a minimum net worth, and a suitable technology platform to apply for registration as a consent manager. On getting registration, they will act as “data blind intermediaries” that enable data principals to grant (or reject) consents sought by data fiduciaries who are onboarded with consent managers. They are required to act on behalf of individuals and help exercise data protection rights, while avoiding any conflict of interest. Defaults by consent managers could result in cancellation or suspension of registrations, in addition to the fines under the DPA. The details provided are timely, but kickstarting consent activities will continue to depend on interoperability standards that are imminent.
Underlining the importance of implementing reasonable security measures for preventing data breach, the rules specify a list of “minimum” safeguards including access control, log reports, deployment of encryption tools, tokenisation, masking, and requiring fiduciaries to contractually obligate processors to ensure data security.
The rules prescribe a demanding, “one-size-fits-all” requirement for reporting data breaches to the DPB and data principals, without regard to the harms resulting from breach. The reporting is required to be done promptly and supplemented with a very detailed report in 72 hours. Given this background, businesses may need to revisit the sufficiency of their existing measures around reporting to see if they can meet the demanding new requirements.
Another subject for entities to worry about is “verifiable consent” from parents for processing children’s data. Before dealing with children’s data, entities must reliably verify age and identity of parents based on already available data, or data provided voluntarily, or through services of a government authorised body that maintains virtual tokens including DigiLocker service providers. This seems to come with an added due diligence obligation to vet the authenticity of the data provided for verification purposes, which may be financially onerous, especially for small entities.
Significant data fiduciaries, to be identified by officers who will be appointed for this purpose, are required to meet much higher requirements. These include annual impact assessments and audits, with key findings going to the DPB.
Much more concerningly, the rules seem to risk reviving two key concerns which many had felt were put to rest. For significant fiduciaries, the government may require identified data to be kept in India. The rules also provide for additional rules to be specified for all entities in relation to cross-border data transfers. These (currently open-ended) requirements can have a mammoth impact on the operations of several platforms. Perhaps even more concerningly, the rules also prescribe open-ended “additional due diligence” for the use of “algorithmic software” by significant data fiduciaries.
Greater clarity on each of the above, during the consultation process on the rules, will be very helpful.
The release of the draft rules marks an important step towards recognising, enforcing, and strengthening data protection norms in India. Where retained as is, they could potentially present hurdles for implementation, require businesses to make expensive adjustments, and may also result in consent fatigue for data principals. Given this background, effective public consultation and dialogue is critical, and businesses should use the period leading up to implementation of the rules wisely, both to provide their comments and to prepare for the implementation of the final rules.
Authors Arun Prabhu and Arya Tripathy are, respectively, Head Partner, Technology, and Partner at Cyril Amarchand Mangaldas.
Disclaimer: Views expressed are personal and do not reflect the official position or policy of FinancialExpress.com. Reproducing this content without permission is prohibited.