India's Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection (Act) Rules, 2025 for public consultation until 18 Feb. This marks a significant milestone in the evolving data protection landscape of the world's largest democracy. The rules complement the Digital Personal Data Protection Act, 2023 and explain how its provisions should be operationalized. The draft rules were published along with an explanatory note clarifying some of its aspects.

The clock is ticking

The draft rules outline the implementation timeline for India's new data protection regime, beginning with the establishment of the Data Protection Board of India as the enforcement authority under the DPDPA. The board's constitution will take effect immediately upon the official notification of the rules in the Official Gazette, following the conclusion of the public consultation period. However, the date on which the rules will be finalized remains unclear. The remaining provisions of the rules will be implemented on such dates as are specified in the final version. News reports suggest the government intends to allow businesses about a two-year timeframe to implement this law.

Admittedly, precise timeframes for notifying substantive provisions under the rules may have enhanced regulatory certainty. However, a two-year transition period provides businesses, particularly small and medium enterprises, in India's culturally diverse digital economy a valuable opportunity to prepare and come up to speed with this quantum leap in India's data protection landscape.

Notice as a granular and independent document

Data fiduciaries — entities determining the means and purposes of processing personal data — are required to provide a comprehensive notice that goes beyond traditional privacy policies. The notice is required to be a standalone document—distinguishable from contractual agreements with individuals, such as terms of use, or employment contracts—and directly accessible to data principals — individuals identifiable by or in relation to their personal data.

The draft rules require increased transparency through granular details of processing activities. Data fiduciaries are required to provide an itemized list of categories of personal data processed as well as purposes of processing. In essence, data fiduciaries are expected to specify not only what personal data they collect but also connect each dataset collected to its intended use or the corresponding goods or services to be provided. When read in conjunction with the DPDPA requirement that consent provided is "free, specific, informed, unconditional and unambiguous," the notice and consent requirements under the DPDPA are comparable to the EU General Data Protection Regulation.

This may require data fiduciaries to reevaluate their models, and reconsider not only their existing documentation, but also reassess existing data monetization and marketing practices, e.g., pay or consent models. Wherever required, businesses may need to consider unbundling consent sought from data principals for various data processing activities, such as by segregating necessary and unnecessary elements within the notice and linking such terms with one or more consent preferences as required. This may be particularly concerning for international businesses dependent on lawful bases such as "legitimate interests" and "contractual necessity," which are available globally but unavailable under the DPDPA.

The draft rules also require data fiduciaries to establish streamlined communication channels to data principals. Data principals should be provided straightforward methods to revoke consent, exercise their privacy rights, and submit grievances. For multinational businesses operating in India, this warrants a thorough gap assessment of existing privacy notices and communication mechanisms to ensure compliance with these requirements.

Personal data breach notification

Upon discovering a personal data breach, defined comparably to the GDPR, data fiduciaries are required to file an initial report with the Data Protection Board of India, notably without delay, which may be interpreted as immediately, or as early as possible. The report should document the incident's essential characteristics — including nature, scope and timing. This must be followed by a more detailed update within 72 hours, unless a longer reporting time is permitted by the board, a timeline that largely mirrors the GDPR's breach notification requirement but demands more comprehensive documentation.

The draft rules require affected data principals to be notified of a personal data breach without delay and this may also be interpreted as immediately, or as soon as possible. While the draft rules do not specify exact reporting timelines, or an outer limit to furnish certain details, unlike the reporting requirement to the board, the detailed report to the board is required to include information regarding the notifications made to affected data principals.

This means the government intends that data principals should be informed of a breach within the 72-hour timeframe. Notably, the DPDPA does not prescribe a risk-based materiality threshold for breach reporting, unlike the GDPR.

For global enterprises, these requirements warrant a careful recalibration of incident response protocols across India's complex regulatory structure. Businesses now need to consider developing sophisticated workflows internally that satisfy the rigid reporting requirements to the board, along with meeting the Computer Emergency Response Team India (India's nodal agency for responding to cybersecurity incidents) requirements as well as various sector-specific regulators in India, wherever applicable, while ensuring communication to affected individuals. Consequently, businesses need to not only have robust incident detection and assessment capabilities but careful coordination between legal, technical and communications teams.

The absence of a materiality threshold for breach reporting may create a sense of alarm, even where unnecessary, such as upon the occurrence of innocuous breaches where the risk of harm to data principals is nonexistent or negligible. This may lead businesses to over-report personal data breaches out of an abundance of caution, inundating the board and affected data principals with information.

Mechanism to exercise data principal rights

The draft rules mandate data fiduciaries establish and document specific mechanisms to enable data principal requests on their platform — including access, correction and erasure rights, similar to those under the GDPR, with some variations. However, the rules fall short of clarifying the scope or extent of some of these rights, such as the level of detail that needs to be provided when a data fiduciary receives a right to access request.

Unlike some privacy frameworks that prescribe rigid data subject access request windows, the draft rules provide data fiduciaries with the flexibility to determine their own response timelines for getting back to data principals. However, organizations are required to clearly communicate these self-imposed deadlines to data principals and consistently meet them. More efficient response timeframes will create an opportunity to leverage better privacy practices comparable to market practice, effectively providing a competitive advantage for businesses.

A distinctive feature of India's data protection framework is its forward-looking approach to privacy rights continuity. The framework gives data principals the right to nominate or designate representatives who can exercise their data protection rights on their behalf in the event of their death or incapacity. For multinational organizations, implementing the right to nominate would necessitate strategically modifying existing rights management systems, to accommodate a new, additional right, over and above what has been offered in alignment with global frameworks such as the GDPR.

International data transfers

The draft rules grant the government certain authority to establish conditions in relation to international data transfers against the disclosure of such information to foreign government agencies. While the nature of conditions that may be imposed remains unclear at present, it is possible that they may be comparable to adequacy requirements under the GDPR.

For businesses with a global footprint, this creates a complex landscape where restrictions against data transfers under Indian data protection law potentially conflict with obligations under foreign law, particularly in areas such as surveillance and law enforcement access requests. Additionally, significant data fiduciaries — classes of data fiduciaries notified based on their volume and nature of personal data processed — may be required to, under certain conditions, store personal data, as well as traffic data relating to its flow, only within India, raising a significant concern for big tech businesses with servers situated overseas.

Consent management framework

The draft rules prescribe the conditions for operating as consent managers. These are intermediaries envisaged under the DPDPA to help data principals give, manage, review and withdraw their consent through an interoperable platform as a single point of contact. Consent managers can enable data principals to seamlessly provide consent for data sharing with data fiduciaries or facilitate data portability between them, addressing the practical challenge of limited direct interfaces or contractual relationships between data principals and data fiduciaries.

The draft rules provide comprehensive illustrations to describe how consent would be intermediated through consent managers, such as the following: "Individuals are enabled to give, manage, review and withdraw their consent to the processing of their personal data through P, a platform maintained by a Consent Manager. X, an individual, is a registered user on P. B1 and B2 are banks onboarded onto P. B1 sends a request on P to X for consent to process personal data contained in her bank account statement. X maintains her bank account with B2. X uses P to route her consent through B2 to B1, while also digitally instructing B2 to send her bank account statement to B1. B2 proceeds to send the bank account statement to B1."

Since consent is the primary basis for processing personal data under the DPDPA, consent managers could be key to enabling data principals to port their data from one data fiduciary to another, without requiring an existing consent-based interface or exchange, for example, through the consent manager as an intermediary having onboarded relevant data fiduciaries onto its platform.

Consent to port personal data through consent managers may unlock the potential of India's digital economy, while enabling consented data sharing for specific, granular purposes, ensuring user empowerment.

The draft rules require consent managers to incorporate a company in India, consequently requiring international businesses looking to offer consent management as a service to operate through an Indian arm. Notably, consent managers are required to act in a fiduciary capacity to data principals and are required to avoid any conflict of interest with data fiduciaries, including any material pecuniary financial relationship.

Consent managers are required to maintain a minimum net worth of INR20,000,000 (approximately USD240,000) and are tasked with facilitating interoperable consent processing. They would also be required to register with the board, operate with complete data blindness, and maintain rigorous audit trails that the board may request to see.

This structure presents both opportunities and challenges for international businesses seeking to integrate consent management solutions into their operations. Organizations already performing data fiduciary functions may find it challenging to establish the business of consent management considering the restrictions against conflict-of-interest. They may need to explore viable business models, such as requiring data principals to pay for such services, which may in turn be a function of their propensity or ability to pay for greater control over their personal data.

Baseline security requirements

The draft rules prescribe baseline security requirements that need to be implemented by data fiduciaries. This development is particularly relevant for global businesses, operating global capability centers or captive units in India, or engaging outsourced service providers.

Notably, instead of imposing the full spectrum of privacy obligations, the DPDPA only requires the implementation of reasonable security safeguards to protect personal data of foreign residents being processed in India under a contract with an overseas entity. At the minimum, these safeguards include encryption, obfuscation techniques, data masking, etc., as well as access control mechanisms to ensure personal data is accessible only to authorized personnel on a need-to-know basis, and further measures to ensure the confidentiality, integrity and availability of data.

Verifying parental consent and guardianship

The draft rules clarify how verifiable parental consent is to be obtained to process personal data of children and persons with disabilities with lawful guardians. Due diligence must be undertaken to ensure the individual identifying themselves as the parent is an identifiable adult. This can be achieved either through reliable identity and age details already held by the data fiduciary, or by using a virtual token mapped to such data principal issued by authorized entities, such as digital locker service providers — entities that will be authorized by the government to provide digital locker repository facilities.

While the draft rules do not specifically require data fiduciaries to verify kinship between the parent and child, for persons with disabilities they do require data fiduciaries to check whether the guardian is in fact appointed in accordance with Indian guardianship laws.

For international businesses, implementing these requirements would be practically challenging, and would require a deep understanding of complex Indian guardianship laws. These due diligence requirements resonate with the global trend seeking to enhance protection for children particularly, while creating new operational challenges for businesses.

Significant data fiduciaries are subject to additional obligations under the draft rules, including conducting annual data protection impact assessments and audits through independent data auditors, and furnishing the significant findings from these processes to the board. They are also required to exercise due diligence to confirm their algorithms are designed and verified to safeguard against any risks to data principal rights.

This corresponds with the requirement under the DPDPA that personal data processed to make a decision about a data principal, such as the decision to display a targeted advertisement pertaining to an employment, housing or loan opportunity, to be complete, accurate and consistent. This reflects a forward-looking understanding of the implications of automated decision-making on an individual's right to privacy. International businesses, particularly tech giants involved in algorithmic decision-making as their core business functions may have to become more accountable in this respect.

The draft rules establish specific retention periods for certain data fiduciaries, including social media intermediaries and e-commerce platforms with 20 million or more registered users and online gaming intermediaries with 5 million or more registered users in India. However, they do not clarify how data fiduciaries should determine who would constitute a "registered" user. These data fiduciaries are required to delete personal data of inactive users after a three-year maximum retention period, except for certain purposes such as enabling the data principal to access his or her account, or access any virtual token that may be used to avail money, goods or services.

The draft rules also mandate at least a 48-hour advance notice to users prior to erasing their personal data. This necessitates sophisticated data management systems capable of tracking user activity, managing retention periods, and executing timely notifications, and may warrant process automation.
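As an added illustration of the retention and notice logic described above (example code written for this article, not drawn from the draft rules, the authors, or any regulator), the following Python sketch classifies user records by inactivity, records the 48-hour advance erasure notice, and approves deletion only once that notice period has elapsed. The thresholds (three years of inactivity, 48 hours of notice) follow the article; the record layout, the `retention_exception` flag standing in for permitted purposes such as an unredeemed virtual token, and the use of 365-day years are assumptions made for the example.

```python
"""Retention scheduling for inactive user accounts (illustrative, not regulator code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=3 * 365)   # three-year maximum retention (365-day years assumed)
NOTICE_LEAD_TIME = timedelta(hours=48)       # minimum advance notice before erasure


@dataclass
class UserRecord:
    user_id: str
    last_active: datetime
    # When the erasure notice was sent, if at all (assumed field for this example).
    notice_sent_at: Optional[datetime] = None
    # True when data must be kept for a permitted purpose, e.g. so the user can
    # still access an account or an unredeemed virtual token (assumed flag).
    retention_exception: bool = False


def next_action(user: UserRecord, now: datetime) -> str:
    """Return one of 'retain', 'keep_exception', 'send_notice', 'wait', 'delete'."""
    if user.retention_exception:
        return "keep_exception"
    if now - user.last_active < INACTIVITY_LIMIT:
        return "retain"
    # No notice yet, or the user was active after the last notice (stale notice):
    # a fresh notice must be sent before any erasure.
    if user.notice_sent_at is None or user.last_active > user.notice_sent_at:
        return "send_notice"
    if now - user.notice_sent_at < NOTICE_LEAD_TIME:
        return "wait"
    return "delete"


def process_batch(users: List[UserRecord], now: datetime) -> Dict[str, str]:
    """Apply next_action to each record, stamping the notice time when one is sent.

    Returns {user_id: action}; the caller drives messaging and deletion from it,
    so the decision logic stays separate from the side effects.
    """
    actions: Dict[str, str] = {}
    for user in users:
        action = next_action(user, now)
        if action == "send_notice":
            user.notice_sent_at = now   # starts the 48-hour clock for this user
        actions[user.user_id] = action
    return actions


def sample_users(now: datetime) -> List[UserRecord]:
    """Constructed sample data covering each branch of next_action."""
    return [
        UserRecord("recent", now - timedelta(days=30)),
        UserRecord("dormant", now - timedelta(days=3 * 365 + 1)),
        UserRecord("noticed_yesterday", now - timedelta(days=4 * 365),
                   notice_sent_at=now - timedelta(hours=24)),
        UserRecord("notice_expired", now - timedelta(days=4 * 365),
                   notice_sent_at=now - timedelta(hours=49)),
        UserRecord("has_token", now - timedelta(days=4 * 365), retention_exception=True),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for user_id, action in process_batch(sample_users(now), now).items():
        print(f"{user_id:>18}: {action}")
```

The check is written so that a user who logs in after a notice has gone out is treated as active again rather than deleted, and so that the deletion step can never run without a recorded notice at least 48 hours old.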

Restrictions against behavioral monitoring

With exceptions for specific data fiduciaries such as health care institutions and service providers, childcare providers and educational institutions under certain conditions, the draft rules continue to generally restrict the processing of children's personal data for behavioral monitoring, tracking and targeted advertisements. This will require international businesses, especially those offering their services to children to revisit their existing business models with respect to India.

Research, archiving and statistical purposes

The draft rules enable businesses to process personal data for research, archiving or statistical purposes if the processing is lawful and limited to such purposes; data collected is necessary for such purposes; reasonable efforts are made to ensure accuracy of the data processed; data is retained only for as long as required; appropriate measures are in place to prevent a personal data breach; and where applicable, contact details and a communication link are provided for data principals to exercise their rights.

They offer a significant opportunity for India Inc. to gain a competitive edge in the global innovation economy by exempting lawful data processing for research, archiving, and statistical purposes. This exemption, subject to strict conditions, promotes innovation through data-driven initiatives while maintaining safeguards such as ensuring data accuracy, preventing breaches, and limiting data collection, retention and use strictly to what is necessary.

This provides a structured pathway for leveraging data in India’s artificial intelligence-driven future, fostering public-private collaborations that bring together academia, research institutions, and private enterprises. Such synergies could drive transformative advancements in critical areas like healthcare, climate science, and beyond, strengthening India’s position as a leader in data innovation and responsible AI development.

What we still await

Certain aspects of the DPDPA require further clarity and are expected to become clearer through notifications from the government. Notably, the DPDPA empowers the government to notify certain classes of data fiduciaries to which its provisions may not apply for a specified period within five years of the DPDPA's commencement.

However, the nature of data fiduciaries which may be exempt under this provision at present remains unclear. Perhaps, since the DPDPA does not provide for a journalistic exemption comparable to the GDPR, the government could consider exempting news publishers, media outlets, press houses and journalists going forward, to the extent required to enable them to carry out their journalistic functions.

The government is additionally empowered to notify certain classes of data fiduciaries, including startups, for exemption from compliance with the DPDPA requirements, considering the volume and nature, e.g., sensitivity, of the personal data processed, enabling a balanced and proportionate approach to regulating India's digital economy.

Key takeaways

The draft rules represent a significant step forward in India's privacy framework, aligning with global standards while also standing out through some unique features. For international businesses, they provide welcome clarity but also introduce new compliance challenges. As they move through public consultation, organizations have an opportunity to address practical implementation challenges and help shape a framework that balances effective privacy protection with operational feasibility.

For privacy professionals worldwide, these developments signal India's emergence as a major player in global data protection regulation. Notable features, such as the unique consent management framework, verifiable parental consent and verification of lawful guardianship, accountability in algorithmic decision making, and possible restrictions against international data transfer, may influence both foreign relations and privacy frameworks overseas. These aspects as currently prescribed may be further refined after public consultation, culminating in the final version of the rules.

Businesses operating in or considering entry into the Indian market should begin preparing now for these comprehensive new requirements, which will likely set the standard for data protection in one of the world's most important digital economies.

Supratim Chakraborty is a partner and Siddharth Sonkar is a senior associate at Khaitan & Co.