The government released the draft Digital Personal Data Protection Rules 2025 for public consultation. Once these rules are notified, effective implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act) will be ensured.
Key Provisions of Digital Personal Data Protection Rules 2025 Draft Rules
Parental consent for children’s data
- Verification required: Social media and online platforms will have to take parental consent before creating children’s accounts.
- Identity verification: Proof of age and identity of parents will be done through government-issued identity card.
- Exceptions: Health, mental health institutions, educational institutions, and daycare centers are exempt from this rule.
Role and responsibilities of data fiduciaries
- Institutions that collect and process personal data are called “data fiduciaries”.
- Key Data Fiduciaries (SDFs): Processing large-scale or sensitive data that affects national sovereignty, security, or public order.
Data Protection
- Data can be stored only for the period of consent; it must be deleted after that.
- Fiduciaries must ensure encryption, access control, and monitoring of unauthorized access.
Consent Management
- Consent Managers: Institutions managing consent records must follow strict verification processes.
- Grievance Redressal: Data fiduciaries must establish mechanisms for redressal of grievances and withdrawal of consent.
Data Localization
- Re-introduction: Prohibition on transfer of certain types of personal and traffic data outside India.
- Monitoring: A committee formed by the government will determine restricted categories on data transfer.
Data Breach Reporting
- Information Obligation: In case of a breach, fiduciaries must immediately notify affected users and the Data Protection Board.
- Equal Treatment: No discrimination between minor and major breaches; All reporting required.
Safeguards for government data processing
- Lawful processing: Government agencies must process citizen data lawfully.
- Specific safeguards: Special safeguards have been specified to address concerns over exemptions for national security and public order.
Challenges in implementation
- Violation of right to privacy: Giving exemptions to the state in data processing may violate the fundamental right to privacy.
- Lack of regulation in data processing: Lack of measures to prevent threats from personal data processing.
- Data transfer abroad: Personal data allowed to be transferred outside India, which prevents proper assessment of data protection standards in other countries.
- Short tenure of Data Protection Board members: The tenure of board members will be only two years, which may affect independent functioning.
Significance
- Empowering citizens: Rules to give citizens more control over their data.
- Increasing trust in digital platforms: Provisions such as informed consent, right to data deletion, and grievance redressal.
- Balance between development and rights: The rules prioritise citizen welfare while promoting economic growth.
- Quick redressal of grievances: Digital process of Data Protection Board ensures quick and transparent resolution of grievances.