Authors: Anju Gandhi, Partner, Hetal Sheth, Associate Partner and Aniket Rajpurohit, Principal Associate
In the public interest litigation filed by Justice K.S. Puttaswamy (Retd.) seeking recognition of the right to privacy as an independent right, the Hon’ble Supreme Court (SC) unanimously affirmed the status of the right to privacy as a fundamental right. The SC further laid down a three-fold test of legality, legitimate aim and proportionality that any law restricting privacy, including a data protection law, must satisfy. While the Digital Personal Data Protection Act, 2023 (“Act”) passes the tests of legality and legitimacy, the draft Digital Personal Data Protection Rules (“Rules”), published on the first weekend of 2025, still need to pass the test of proportionality. This article deals with the important Rules and our analysis of them.
- Notice for consent: Rule 3: The notice given by the Data Fiduciary (“DF”) to the Data Principal (“DP”) must be clear, standalone and understandable on its own, without reference to any other information. The notice must include an itemised description of the personal data to be processed, the specific purpose of processing, and a description of the goods or services to be provided or enabled on the basis of such processing. It must also include a communication link for the DF’s website or app, and describe the other means by which the DP can withdraw consent with ease, exercise rights under the Act and file complaints with the Data Protection Board (“Board”). Under the Act, the DF is also required to issue a similar notice to a DP who gave consent for processing of his or her personal data before the commencement of the Act. However, the Rules are silent on the timeline for issuing such notice. No specific format is prescribed for the notice, since giving notice will be an ongoing and dynamic process. Lastly, the Rules are silent on the specific timeline within which a DF must act on a withdrawal of consent after receiving the DP’s instruction.
- Verifiable consent for a child or a person with disability: Rules 10 and 11: A DF is required to obtain the verifiable consent of a parent or lawful guardian before processing the personal data of a child or of a person with disability, respectively. To ensure authenticity, the age and identity of the parent must be validated against government-issued or government-backed identity details. The authenticity of a guardian is verified on the basis of the guardian’s appointment by a court order, by a designated committee or under the law applicable to guardianship. Health and mental health establishments, educational institutions and daycare centres are exempted from obtaining such verifiable consent for specified purposes. The Rules do not oblige a DF to conduct a mandatory periodic audit of its processing of children’s personal data, and do not clarify how consent is to be obtained from a child once he or she turns into an adult. While the Rules cover persons with long-term disability who have a lawful guardian, they do not distinguish persons with physical disability who are able to give consent on their own. DFs will need to establish robust processes to verify the identity of individuals claiming to be parents, so that children cannot circumvent these measures. In this regard, best practices can be drawn from frameworks such as the GDPR, the COPPA of the USA and the PDPA of Singapore.
- Data security: Rules 6 and 12: The data security requirements in the Rules lay down reasonable safeguards for protecting personal data, whether processed by the DF or by a Data Processor on its behalf. These safeguards include encryption, access control, continuous monitoring and review to detect unauthorised access, measures to ensure confidentiality and integrity, and the maintenance of data logs and backups. The contract between the DF and the Data Processor must incorporate these safeguards. Further, Significant Data Fiduciaries (“SDF”) are required to conduct a data protection impact assessment and an audit once every twelve months and submit a report to the Board. The data security requirements are reasonable safeguards and appear to be aligned with the ISO 27001 standard, providing a robust framework for data protection. However, the scope of the audit of an SDF is unclear.
- Data localisation: Rules 12(4) and 14: The Central Government (CG) will act as the decisive authority over the flow of personal data outside India.
As per Rule 12(4), an SDF must ensure that personal data identified by the CG (on the recommendation of a committee constituted by it) is processed in compliance with specific restrictions. This includes ensuring that such personal data, and the traffic data relating to its flow, is not transferred outside India. Accordingly, localisation restrictions are laid down for SDFs.
As per Rule 14, a DF must comply with the CG’s requirements regarding personal data processed and made available outside India, where: (i) the DF processes personal data within India, or (ii) the DF processes personal data outside India in connection with offering goods or services to DPs in India. The Rule therefore permits processing of data outside India, subject to CG requirements, without imposing a general localisation mandate, and will be relevant to entities such as MNCs.
Further, the Rules are silent on the adequacy of data protection in the recipient jurisdiction in the case of cross-border transfers. In practice, cloud service providers are expected to keep data and servers within India, and Data Processors are expected to be based within India so that compliance with the Act and the Rules can be ensured. There is also a lack of clarity on the functioning of the committee constituted by the CG. For regulated entities, it remains to be seen whether the sectoral regulator or the committee will prevail where their localisation requirements overlap.
- Breach report: Rule 7: In the event of a personal data breach, the DF is required (i) to notify the affected DPs and the Board without delay, to the best of its knowledge, and (ii) to provide the Board, within 72 hours (or a longer period permitted by the Board), a detailed report that includes the intimation given to the affected DPs. There is no ‘materiality threshold’ for breach notification under the Rule, which means every breach, however minor, must be notified. Further, the notification to the DP is to be made to the DF’s best knowledge, a subjective standard that may lead to disputes.
- Rights of DP: Rule 13: DFs and Consent Managers must clearly publish, on their website or app, the process by which a DP can exercise his or her rights under the Act, including the identifying details, such as a username, that the DP must furnish to be identified. A DP can request access to, and erasure of, personal data by contacting the DF. The DF must publish the period within which grievances will be addressed, and must implement an effective grievance process with the necessary technical and organisational safeguards. A DP may nominate one or more individuals to exercise his or her rights under the Act, following the procedure set by the DF and applicable law. The Rules lack clarity on timelines for responding to DP requests (e.g. access, correction or deletion of data), on the appointment of a grievance redressal officer and the mechanism for grievance redressal, and on the procedure for data portability requests. Further, neither the Act nor the Rules specify any procedure for the appointment of a nominee by a DP.
- Board: Rule 16: The CG will constitute the Board with a Chairperson and other members. The Board is to operate as a digital office.
The Rules do not specify the qualifications and candidature requirements for these appointments.
- Consent Manager (“CM”): Rule 4: A CM must be a company registered in India with a net worth of at least two crore rupees and a reputation for fairness and integrity. It must operate a certified, interoperable platform on which DPs can manage their consent. To be registered, it must apply to the Board and comply with the Rules so that DPs can easily give, manage and withdraw consent. It must keep records of consents and of data sharing, and ensure transparency and security. The Board may audit, suspend or cancel its registration where necessary.
A CM must avoid conflicts of interest and cannot subcontract its responsibilities. It must maintain its independence and seek the Board’s approval for changes such as mergers or sales. The objective is to protect DPs’ rights and ensure proper management of their data. Lastly, since the DF and the CM each manage DPs’ consent and grievances independently, it is not mandatory for a DF to integrate with a CM.
In conclusion, certain aspects, such as the implications of AI-driven automated decision-making, the accommodation of emerging technologies and future innovations, and the whitelisting of countries for data transfer, are yet to be considered or prescribed under the Rules. More importantly, the Act and the Rules must together ensure that privacy is respected and that businesses are conducted ethically. Notably, while imposing obligations on DFs, the Act and the Rules do not impose criminal penalties, unlike other comparable legislation.