Summary of the Digital Personal Data Protection Rules, 2025

MeitY Releases Draft DPDP Rules 2025, a comprehensive framework outlining how personal data must be managed. Here’s a quick summary of the key provisions:

1. Notice Requirements (Rule 3) 

    • Data Fiduciaries must issue clear notices to Data Principals detailing: 
      • The purpose of processing personal data. 
      • The rights of Data Principals. 
      • The process for grievance redressal. 

2. Consent (Rule 4) 

    • Consent must be: 
      • Freely given, specific, and informed. 
      • Withdrawable as easily as it is given. 
    • Consent Managers must meet operational and transparency standards to manage and facilitate consent.

3. Processing of Data for Children and Persons with Disabilities (Rule 10) 

    • Children: 
      • Verifiable consent must be obtained from parents or guardians before processing children’s personal data. 
      • Fiduciaries must ensure parents are identifiable adults, using methods such as Digital Locker services or government-provided identity tokens. 
    • Persons with Disabilities: 
      • Verifiable consent must be obtained from a lawful guardian appointed by a court, designated authority, or local-level committee under relevant laws (e.g., Rights of Persons with Disabilities Act, 2016, or National Trust Act, 1999).

4. Significant Data Fiduciaries (Rule 12)

    • Additional obligations include: 
      • Conducting annual Data Protection Impact Assessments and audits. 
      • Ensuring transparency of algorithmic processing to avoid discriminatory practices. 
      • Implementing measures to restrict certain types of personal data from leaving India as directed by the Central Government.

5. Cross-Border Data Transfers (Rule 14) 

    • Transfers are allowed only if Data Fiduciaries comply with conditions set by the Central Government. No blanket approval for jurisdictions is mentioned; requirements may vary by context.

6. Data Breach Notifications (Rule 7) 

    • Notifications to affected individuals and the Data Protection Board must: 
      • Include details of the breach, potential consequences, and mitigation measures. 
      • Be submitted within 72 hours.

7. Data Retention and Erasure (Rule 8 and Schedule 3) 

    • Data must be erased when the purpose is fulfilled unless required by law. 
    • Data Principals must receive at least 48 hours’ notice before erasure.

Retention Periods (Schedule 3): 

  • E-commerce Entities (2+ crore users): 
    • Retain data for three years from the last user interaction or commencement of the rules, whichever is later. 
  • Online Gaming Intermediaries (50+ lakh users): 
    • Similar retention requirements apply.
  • Social Media Intermediaries (2+ crore users):
    • Same retention period for specified purposes.

8. Rights of Data Principals (Rule 13) 

    • Data Principals can: 
      • Access and correct their data. 
      • Withdraw consent and request data erasure. 
      • Nominate representatives for posthumous management of their data.

9. Consent Manager Requirements (Schedule 1) 

    • Companies acting as Consent Managers must: 
      • Be incorporated in India with a minimum net worth of INR 2 crore. 
      • Operate interoperable platforms that enable consent management. 
      • Maintain transparency about shareholders and key management.

10. Exemptions to Consent Requirements (Schedule 4) 

    • Consent is not required for: 
      • Public Interest: For children’s health, safety, or educational purposes. 
      • Legal Compliance: Fulfilment of duties under Indian law. 
      • Government Services: Provision of subsidies, benefits, or certificates.
      • Special Cases: Creating user accounts for restricted purposes like email communication.

11. Public Consultation Timeline 

    • Public objections and suggestions are invited until February 18, 2025, via the MyGov portal.

We are ringing in the draft rules with a dynamic discussion featuring top industry experts on data privacy to explore the implications of these changes and how they will impact your preparations for the upcoming privacy regime – “Assessing Organisational Readiness for the DPDP Regime: Strategies to Ensure Compliance and Strengthen Data Privacy”

Disclaimer

This content is intended for informational purposes only and does not constitute a legal opinion. Despite our efforts to maintain accuracy, we do not make representations, warranties or undertakings regarding the quality, completeness or reliability of the content. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein. This content, including the design, text, graphics, their selection and arrangement, is Copyright 2024, Lexplosion Solutions Private Limited or its licensors. ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.

For any clarifications, please reach out to us at 91-33-40618083 or inquiries@lexplosion.in.