
FAQs: Draft Digital Personal Data Protection Rules, 2025


Vikram Jeet Singh & Prashant Daga


Since their release on January 3, 2025, BTG Advaya’s TMC Team has been looking into the ‘nitty-gritties’ of the draft Digital Personal Data Protection Rules, 2025 (“Rules”). While many practical nuances are yet to be discovered, we can share some learnings on the major aspects of these Rules.

Here is a set of FAQs throwing light on these:

 

(Prior to diving in, you can also check out our FAQs on the Digital Personal Data Protection Act, 2023 (“DPDPA”) here to refresh your memory.)

 

1. The Digital Personal Data Protection Act, 2023, was notified back in 2023. Why the Rules?

The DPDPA lays down the substantive provisions on processing personal data, but its enforcement has been contingent on the issuance of the rules. These address some critical administrative and operational elements of the DPDPA’s enforcement, not least of which is the constitution and functions of the new data regulator, the Data Privacy Board (“Board”)! Once these draft Rules are finalized and notified by the Indian IT Ministry, the DPDPA’s enforcement will progress.

 

2. What do the Rules say about the ‘Privacy Notice’ to be provided by Data Fiduciaries?

The Rules do not prescribe incremental requirements, but clarify that a notice should comprise (a) a description of the personal data collected; (b) the specified purpose; (c) the goods/services to be provided pursuant to the processing; (d) the means for Data Principals to exercise their rights; and (e) the mechanism to withdraw consent and to make complaints to the Board.

 

3. Are there any pre-registrations required to operate as a consent manager?

 

Yes. The Rules specify conditions to be met for registering as a consent manager with the Indian IT Ministry. These include (inter alia) being a company incorporated in India, minimum net worth requirements, restrictions on transfers, etc.  

 

4. Any clarity on the obligations of a Data Fiduciary?

The components of “reasonable security safeguards” have been listed out; these include access controls, data security measures like encryption, implementing processes to detect unauthorized access, setting up audit logs for visibility on access, etc. The details of the individual designated as the Data Principal’s point of contact for information on processing should be made part of each response to a Data Principal’s query.

 

5. Any more details on the ‘additional’ obligations of a Significant Data Fiduciary (“SDF”)?

Every twelve months, an SDF is to undertake a ‘Data Protection Assessment and Audit’. The significant observations gathered from such an assessment are to be presented to the Board in a report. Notably, the Rules also require SDFs to observe due diligence with respect to the ‘algorithmic software’ (AI) deployed by them, to ensure it does not pose a risk to Data Principals.

 

6. How are Data Fiduciaries required to report personal data breaches?

On becoming aware of a breach, the Data Fiduciary is required, without delay, to inform each affected Data Principal, describing the nature, extent, timing and location of the breach and its likely impact. In addition, without delay but in any event within 72 hours of becoming aware of the breach, the Data Fiduciary is required to intimate the Board with details such as the mitigation measures taken, findings pertaining to the person responsible for the breach, remedial measures to prevent recurrence, etc.

 

7. What is the limitation on the retention of records?

Personal data should only be retained for as long as it is needed for the purpose of its processing, or if required to be retained under law. The draft Rules identify certain Data Fiduciaries and associated purposes, and prescribe some limitation periods. For instance, social media intermediaries having a minimum of 20 million users should not retain the personal data of their users for a period beyond 3 years (apart from certain purposes, such as enabling the user to access their account and/or virtual tokens issued to them which can be used to obtain money, goods and services).

 

8. What constitutes verifiable consent from parents/guardians when processing children’s personal data?

The Rules do not mandate any one particular means of obtaining verifiable consent; this has been left tech-agnostic. Data Fiduciaries are required to implement requisite due-diligence measures to be able to verify the identity and age of the person identifying themselves as the parent/guardian, on the basis of information available with them and voluntarily provided details of identity and age (issued by a government body).

 

Do you wish to understand how these Rules will impact your organisation? 

 

India’s new privacy framework is expected to be ‘in force’ by early 2025. You can access additional training materials and our insights on the new privacy law on our dedicated privacy microsite.

 

If you are interested in learning more about the Rules or have questions about how you and your organisation will be affected by the Rules, please reach out to us at practicemanager@btglegal.com, and we will connect you with the right lawyer who can assist you.
