MeitY invites public comments on the draft Digital Personal Data Protection Rules, 2025 by 18th February 2025

The Ministry of Electronics and Information Technology (MeitY) has published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”). Public comments have been invited on the Draft Rules till 18th February, 2025. Objections and suggestions, if any, may be submitted through the MyGov portal: https://mygov.in. In continuation of the Alert shared earlier (please refer to e-mail in trail for details), please see below the key takeaways from the Draft Rules. You may also want to refer to the following before sending comments to MeitY:

Key Takeaways:

  1. Notice Requirements:
    • Data Fiduciaries must issue clear notices to Data Principals detailing:
      • The purpose of processing Personal Data.
      • The rights of Data Principals.
      • The power of grievance redressal.
  2. Consent:
    • Consent must be:
      • Freely given, specific, and informed.
      • Withdrawable as easily as it is given.
    • Consent Managers must meet operational and transparency standards to manage and facilitate consent.
  3. Processing of Data for Children and Persons with Disabilities:
    • Children:
      • Verifiable consent must be obtained from parents or guardians before processing children’s personal data.
      • Fiduciaries must ensure parents are identifiable adults, using methods such as Digital Locker services or government-provided identity tokens.
    • Persons with Disabilities:
      • Verifiable consent must be obtained from a lawful guardian appointed by a court, designated authority or local-level committee under relevant laws (e.g., Rights of Persons with Disabilities Act, 2016, or National Trust Act, 1999).
  4. Significant Data Fiduciaries:
    • Additional obligations include:
      • Conducting annual Data Protection Impact Assessments and audits.
      • Ensuring transparency of algorithmic processing to avoid discriminatory practices.
      • Implementing measures to restrict certain types of personal data from leaving India as directed by the Central Government.
  5. Cross-Border Data Transfers:
    • Transfers are allowed only if Data Fiduciaries comply with conditions set by the Central Government. No blanket approval for jurisdictions is mentioned; requirements may vary by context.
  6. Reasonable Security Measures:
    • Data Fiduciaries must:
      • Implement reasonable security measures including encryption, access control, monitoring for unauthorized access, and data backups to protect Personal Data.
      • Ensure that contracts with Data Processors include provisions on reasonable security safeguards.
  7. Data Breach Notifications:
    • Notifications to affected individuals and the Data Protection Board must:
      • Include details of the breach, potential consequences, and mitigation measures.
      • Be submitted within 72 hours.
  8. Data Retention and Erasure:
    • Data must be erased when the purpose is fulfilled unless required by law.
    • Data Principals must receive at least 48 hours’ notice before erasure.
    • Retention Periods:
      • E-commerce Entities (2+ crore users): Retain data for three years from the last user interaction or commencement of the rules, whichever is later.
      • Online Gaming Intermediaries (50+ lakh users): Similar retention requirements apply.
      • Social Media Intermediaries (2+ crore users): Same retention period for specified purposes.
  9. Rights of Data Principals:
    • Data Principals can:
      • Access and correct their data.
      • Withdraw consent and request data erasure.
      • Nominate representatives for posthumous management of their data.
  10. Consent Manager Requirements:
    • Companies acting as Consent Managers must:
      • Be incorporated in India with a minimum net worth of INR 2 crore.
      • Operate interoperable platforms that enable consent management.
      • Maintain transparency about shareholders and key management.
  11. Exemptions to Consent Requirements:
    • Consent is not required for:
      • Public Interest: For children’s health, safety, or educational purposes.
      • Legal Compliance: Fulfilment of duties under Indian Law.
      • Government Services: Provision of subsidies, benefits or certificates.
      • Special cases: Creating user accounts for restricted purposes like email communication.
  12. Public Consultation Timeline:
    • Public objections and suggestions are invited until February 18, 2025, via the MyGov portal.

For a detailed read of the Draft Rules, please refer to the link provided below.

Source: Ministry of Electronics and Information Technology
