A glimpse of the draft digital personal data protection rules in India

Wednesday 12 February 2025

Gagan Anand

Legacy Law Offices, New Delhi

anand@legacylawoffices.com

Introduction

On 3 January 2025, the Ministry of Electronics and Information Technology, as part of the Government of India, published the draft Digital Personal Data Protection Rules, 2025 (the ‘Draft DPDP Rules’), inviting comments and suggestions from the public until 18 February 2025. The Draft DPDP Rules are intended to supplement the Digital Personal Data Protection Act, 2023 (the ‘DPDP Act’), which was given presidential approval on 9 August 2024.

Digital data protection is critical in the era of artificial intelligence, where even the likeness of an individual is deemed ‘imitable’ and when multinational social networking giants are frequently accused of using the personal data of individuals for targeted advertisements. In such circumstances, while the DPDP Act was held to be a momentous piece of legislation, the promulgation of the Draft DPDP Rules may bring added relief to citizens, who have been classified as ‘data principals’ (DPs) in the DPDP Act. While the Draft DPDP Rules remain to be finalised and implemented, subsequent to the public consultation, it is worthwhile to look more closely at the main rules proposed by the government in regard to the processing of personal data of DPs across India.

Analysis of the provisions relating to the processing of personal data

A notice for processing of data

Under section 5 of the DPDP Act, the data fiduciary (DF), a person (either alone or in conjunction with others) determining the purpose and means of personal data processing, is required to obtain consent from the DPs, through the provision of a notice, prior to processing their personal data. Such consent must be in accordance with section 6 of the DPDP Act: it must be given freely, and must be specific, clear and unambiguous, in keeping with the conditions prescribed in section 6 and the other provisions enshrined in the DPDP Act.

The Draft DPDP Rules seek to further clarify the provisions guiding the requirement to gain such consent, by obligating the DF to ensure that the notice requesting consent is presented to the DP and is understandable, independent of other data made available to the DP. It has been specified that such notice shall provide a ‘fair account of details necessary to enable the DP to give specific and informed consent for the processing of their personal data’.[1]

To reduce any shortcomings in regard to the implementation of section 6 of the DPDP Act, the aforementioned provision within the proposed Draft DPDP Rules requires the notice to, at a minimum, provide an itemised description of the nature and objective of the data processing, while providing the DP with a unique and mandatory link, which will enable them to withdraw their consent, exercise any right and lodge a complaint with the Data Protection Board of India established pursuant to the DPDP Act.

The latter feature, allowing a DP to withdraw their consent, highlights the importance of personal data and the right to privacy, which was added to the list of fundamental rights of a person as a result of the judgment before the Supreme Court of India in the case of Justice KS Puttaswamy (Retd) & Anr v Union of India & Ors.[2]

It is also important to note that section 6(4) of the DPDP Act allows the DP to withdraw their consent ‘at any time’ and that they must be allowed to do so with ease comparable to the ease with which their consent was given in the first place.

The protection of personal data

At a time when data breaches are gaining dangerous momentum, rule 6 of the Draft DPDP Rules places an obligation on the DF to implement reasonable security safeguards to protect the personal data within its possession. Such measures should include, as a minimum, encryption, access limitations and record keeping, among other prescribed actions. Draft rule 7, read with section 8(6) of the Draft DPDP Rules, further provides that, in the case of any breach of personal data, immediate, precise and unambiguous notification must be provided to the Data Protection Board of India and the affected DPs. Whereas no time limit for such notification has been prescribed with respect to DPs, the DF must inform the Data Protection Board of India of the data breach within 72 hours of its discovery, or within any such extended time as may be permitted.

A notable feature of the Draft DPDP Rules is the manner in which the erasure of data is treated. While the DPDP Act merely provides for the erasure of personal data subsequent to a request made by the DP or within a ‘reasonable time’, the Draft DPDP Rules require that such erasure occur within a specified timeframe. Rule 8 specifies that if the DP fails to approach the DF for the performance of the specified purpose, or to exercise their right of erasure, within the period specified under the third schedule of the Draft DPDP Rules, the data shall be erased after a 48-hour notice has been served on the DP.

The aforementioned provision within the Draft DPDP Rules highlights an important aspect of the right to privacy of an individual, namely the right to have their data removed from public sources, if they so choose.

The personal data of minors

Under section 9 of the DPDP Act, in cases where the personal data of children is required to be processed, it is mandatory for the DF to obtain verifiable consent from the parent or guardian of the child in question. Furthermore, the DF must ensure that the data of the child is not processed for any detrimental purposes or in regard to targeted advertising.

To further solidify these provisions, rule 10 of the Draft DPDP Rules requires the DF to ensure that the person from whom such verifiable consent is obtained is actually identifiable as the parent or guardian of the child in question; the necessary due diligence may involve verification of the identity, age and other details of the child’s parent or guardian.

The extra-territorial transfer of data

Rule 14 of the Draft DPDP Rules would be a powerful tool in terms of its ability to restrict the extra-territorial transfer of personal data processed within the country or pertaining to an activity relating to the offering of goods and services within India. This rule seeks to act in accordance with section 16 of the DPDP Act, under which the central government would be given the power to issue a notification restricting the transfer of personal data by a DF to territories outside India.

This landmark provision is akin to the relevant rules in the European Union’s General Data Protection Regulation (GDPR), which was adopted in April 2016 and which is the benchmark for data protection in the international legal and privacy domain.

An overview of the Draft DPDP Rules

The Draft DPDP Rules were introduced almost four months after the enactment of the DPDP Act, which may raise concerns about delays in the actual enforcement of the rules. However, it is also pertinent to note that the publication of the Draft DPDP Rules is a momentous achievement on the part of the legislature towards upholding the right to privacy of all individuals.

A perusal of the Draft DPDP Rules indicates that the provisions have been drafted in a way that would complement the provisions highlighted in the DPDP Act, thereby helping to streamline the actual implementation of the law.

It may, however, be noted that whether, and to what effect, such implementation actually takes place will depend on the enactment of a final version of the Draft DPDP Rules after the conclusion of the public consultation.

Conclusion

In 2021, the Supreme Court of the United Kingdom (SC) adjudicated on the case of Lloyd v Google LLC,[3] where accusations were made against Google for a data breach involving the data of several individuals without their knowledge or consent. While the decision in the case went in favour of Google, the SC observed that, although Google was in breach of its duties as a data controller, the representative action filed by the group of individuals was unlikely to succeed. However, this particular observation by the SC, finding Google to be in breach of its duties, gave rise to a crucial question.

In an era when multinational giants like Meta Inc and ABC Inc are facing accusations relating to severe data breaches in the form of class action suits before the courts of different countries, the question arises as to whether there is a need for multifaceted action to hold these companies accountable for the protection of the personal data of individuals.

While the answer to this question may remain part of an everlasting debate, it may be said that the Draft DPDP Rules, in line with the DPDP Act, are definitely a positive step in the right direction.

[1] Rule 3(b) of the Draft Personal Data Protection Rules, 2025.

[2] Justice K.S. Puttaswamy (Retd.) & Anr. v Union of India & Ors. (2017) 10 SCC 1.

[3] Lloyd v Google LLC [2021] UKSC 50.