What does this mean for businesses, individuals, and the broader digital landscape? The draft rules address a range of critical issues by providing for a consent manager framework, regulation of the state’s use of Personal Data, implementation of reasonable security safeguards, data breach intimation mechanism, data erasure formalities, providing a detailed mechanism for children’s personal data, additional obligations for significant data fiduciary, creating a provision for data localisation, and specifying the functions of the Data Protection Board (“Board”). In this article, we explore the key provisions of the draft rules, unpack their potential implications, and discuss the challenges they might pose in the journey toward robust data protection in India. Here are the key implications:
Presenting Consent Notice Independently Reduces Confusion
The Data Fiduciary should present the consent notice independently, not bundled with other information, so that it cannot be confused with other material. The notice should also include the communication link through which the Data Principal can withdraw consent, exercise their rights, and file a complaint before the Board.
Framework of Consent Managers
The concept of Consent Manager is both innovative and practical, offering a structured approach to managing consent between data principals and data fiduciaries. According to the draft rules, only an Indian company with a net worth of at least INR 2 Crore is eligible to qualify as a Consent Manager. This ensures that the role is handled by entities with significant financial standing and operational stability.
However, the draft rules seek to impose strict controls on the Consent Manager’s operations. For instance, any alterations to the company’s Memorandum of Association (MoA) and Articles of Association (AoA), or changes in control of the company, can only be made with approval from the Board. Additionally, the Consent Manager is prohibited from subcontracting or assigning its obligations under the Act to any third parties, ensuring that the integrity of the service remains intact.
A notable aspect of the framework is the clear demarcation of potential conflicts of interest. The draft rules specify that directors, key managerial personnel, or senior management of the Consent Manager cannot hold any directorship, financial interest, employment, or ownership in Data Fiduciaries that might give rise to a conflict. The term “material pecuniary relationship” is notably broad and open to interpretation, which could create uncertainty about its enforcement.
Furthermore, the draft rules envisage disclosure of ownership: if any person holds more than 2% of the shares in the Consent Manager company, or in any corporate entity in which a director, key managerial person, or member of senior management of the Consent Manager holds over 2% of the shares, this has to be published on the Consent Manager’s Platform. This aims to prevent undue influence.
Despite the practical framework provided, one significant area of concern lies in the enforcement mechanisms for non-compliance. The draft rules suggest that, in case of violations by the Consent Manager, the Board will only instruct the Consent Manager to take adequate measures to ensure adherence to the rules. This lenient approach may prove insufficient when violations could have a direct impact on the Data Principal’s rights and interests. Given the pivotal role the Consent Manager plays in the data protection ecosystem, more stringent penalties for non-compliance might be necessary to ensure accountability and build trust in this new system.
Processing by State and Privacy Concerns
The state and its instrumentalities are permitted to process personal data for a broad range of purposes, including providing subsidies, benefits, services, certificates, licenses, and permits. This effectively covers a significant portion of governmental functions, allowing the state to access and process personal data across various sectors.
However, there are concerns regarding the unrestricted use of personal data by the state, especially when public funds are involved. The draft rules stipulate that when the state uses personal data for activities carried out with public funds, such data usage would be governed by the provisions laid out in the regulations. While this theoretically ensures that the use of personal data is legitimate, it also raises questions about potential overreach. The provision could allow the state to process data without adequate checks, as long as the processing aligns with public funding requirements. This broad authorisation, while aimed at facilitating governmental functions, might also enable unchecked data usage, which could compromise individual privacy and raise concerns about surveillance or misuse. A more robust framework with clear limitations on the state’s data processing powers may therefore be necessary to balance efficiency with privacy protection.
Data Breach Notification: No Distinction Between Major and Minor Breaches
The data breach notification framework mandates Data Fiduciaries to report data breaches to both the Data Principal and the Data Protection Board. However, a notable concern arises from the fact that the draft rules do not differentiate between minor and major data breaches, imposing the same reporting requirements for both. This lack of distinction could lead to unnecessary notifications for minor breaches that do not pose significant risks, potentially overwhelming both organisations and the Data Protection Board with excessive reports.
Additionally, the draft rules require that the Data Principal and the Board be notified of a breach “without delay,” a term that is left open to interpretation. This ambiguity could lead to delays in reporting and inconsistent application of the requirement. The draft rules further stipulate that the Board must be informed within 72 hours of the breach, along with updates, reports, and findings.
Data Erasure After Specified Period
The draft rules direct e-commerce entities, online gaming intermediaries, and social media intermediaries with a significant user base to retain data for a period of 3 years from the date on which the Data Principal last approached the Data Fiduciary. Notification of data erasure has to be sent to the Data Principal 48 hours before the end of this 3-year period.
Publishing Requirements
The draft rules emphasise transparency and accountability for Data Fiduciaries and Consent Managers by mandating the publication of contact information for their designated Data Protection Officer (DPO) or an equivalent officer responsible for data protection. This ensures that individuals, regulators, and other stakeholders have direct access to the right point of contact for addressing any concerns related to data privacy.
Additionally, a significant responsibility is sought to be placed on Data Fiduciaries and Consent Managers to establish an effective grievance redressal mechanism. If this system is found to be ineffective or not functioning properly, it would be considered a violation of the rules. To ensure that grievances are handled promptly, the draft rules require these entities to publish a clear timeline for responding to grievances. This provision is aimed at ensuring timely resolution of issues raised by Data Principals, fostering trust in the system and preventing prolonged delays that could undermine the effectiveness of the redressal process.
By making these requirements mandatory, the draft rules aim to create a more transparent environment where individuals can feel confident that their grievances will be addressed and that there is clear accountability in the management of their personal data. However, the effectiveness of this system will largely depend on how rigorously the timelines are enforced and whether the grievance redressal mechanisms are equipped to handle a large volume of complaints efficiently. The responsibility of effectiveness vests with the Data Fiduciary and any ineffectiveness is treated as a violation, requiring Data Fiduciaries to ensure greater compliance.
Processing Personal Data of Children: Verifiable Consent to be Obtained
Verifiable consent is a new framework created under the draft rules, aimed at ensuring that sensitive personal data of children is processed securely and responsibly. Under this framework, certain verified data points or virtual tokens — such as education data, healthcare data, and bank account data — are used to confirm a person’s age, providing a reliable mechanism for determining whether consent is required from a parent or guardian.
For entities handling children’s data, the draft rules emphasise that the Data Fiduciary must verify the identity of the parent or guardian before processing any children’s data. This verification process may involve a combination of documents already held by the fiduciary or official identification data from government services. The framework aims to ensure that consent is both authentic and reliable, reducing the risks of unauthorised data collection or processing.
While the draft rules impose strict requirements on the verification process, they also introduce exemptions for certain entities, including healthcare professionals, educational institutions, and childcare providers. These organisations are permitted to process children’s personal data, but only for specific, essential activities such as health services, educational activities, safety monitoring, and transportation tracking. However, the processing of broader or non-essential data related to children, parents, or guardians is not permitted unless additional conditions are met.
This framework seeks to balance the need for organisations to access and process personal data for legitimate purposes, such as health and education, while safeguarding the privacy and rights of children. Nevertheless, the implementation of verifiable consent could pose challenges for organisations in ensuring the proper and secure collection of consent data, as well as managing the complexity of verifying parental identities through multiple data points.
Significant Data Fiduciaries
The draft rules specifically empower the Central Government to constitute a committee for the purpose of data localisation for Significant Data Fiduciaries. A Significant Data Fiduciary is further required to undertake a Data Protection Impact Assessment and a Data Protection Audit and to report to the Board, to ensure the effectiveness of the Act and the Rules. A more critical obligation is that a Significant Data Fiduciary must exercise due diligence to verify that any algorithmic software it uses to process personal data is not likely to pose a risk to the rights of Data Principals.
Data Localisation
The draft rules also lay an emphasis on data localisation. This provision indicates that the transfer of data outside the country will be subject to restrictions as specified by the Central Government. Data localisation requirements extend to the processing of personal data of Data Principals who are within India.
This move is intended to enhance data security and privacy, ensuring that the government has better control over data flows and can enforce regulations effectively. However, it is expected to face serious opposition from large multinational companies. Many of these companies rely on a global infrastructure of data centres, and forcing them to build or maintain local data centres in India could incur significant operational costs. Additionally, the complexity of managing multiple localised data systems might pose logistical and financial challenges for businesses with a global user base.
Moreover, concerns regarding the interference of local laws with international standards could arise, particularly for companies that operate in regions with stringent data protection regulations, such as the EU’s GDPR. Balancing the need for national security and privacy with the demands of global businesses will be a key challenge as India moves forward with these data localisation requirements.
Data Protection Board
Another innovative approach is the digital-by-design Data Protection Board. This forward-thinking framework ensures that all activities undertaken and implemented by the Board will be executed exclusively through digital platforms. This means that the entire process—from case filings and hearings to decision-making and compliance tracking—will be managed digitally.
To facilitate this transition, we expect the Data Protection Board to develop a digital portal, which will serve as the central hub for interactions with stakeholders, including data principals, data fiduciaries, and legal entities. Additionally, the Board will implement a digital workflow and a comprehensive digital process management system, ensuring that all functions are streamlined, efficient, and transparent.
This approach promises to enhance efficiency, reduce delays, and increase the accessibility of the grievance redressal process. By digitising the entire functioning of the Board, India takes a significant step towards modernising its data protection ecosystem and ensuring that the regulatory framework is in line with the evolving digital landscape. However, the transition will require substantial investment in technology infrastructure and a careful balance to ensure accessibility for all stakeholders, including those who may have limited digital access.
Conclusion
The Draft Digital Personal Data Protection Rules, 2025, represent a crucial step forward in India’s evolving data protection landscape, bringing both innovation and significant challenges. Key provisions, such as verifiable consent for processing children’s data, data localisation requirements, and the digital-by-design approach for the Data Protection Board, aim to enhance privacy and accountability while addressing the rapidly changing digital environment. These draft rules present much-needed frameworks for managing personal data, improving transparency, and safeguarding the rights of individuals, particularly in sensitive areas like healthcare, education, and children’s data.
However, the implementation of these rules will not be without hurdles. Data Fiduciaries and Consent Managers will need to navigate the complexities of ensuring reliable grievance redressal systems, while businesses, particularly global entities, may find the data localisation requirements and broad reporting obligations burdensome. The digital processes proposed for the Data Protection Board promise improved efficiency, but they will require careful planning to ensure accessibility and effectiveness for all stakeholders.
As India moves forward with these regulations, it will be essential to find a balance between enhancing data security and respecting privacy rights, while also fostering an environment that allows businesses to thrive in an increasingly global digital economy. The success of these rules will depend not only on their implementation but also on how effectively they adapt to the dynamic intersection of technology, law, and governance.