India is taking significant strides towards enhancing the security and management of personal data with the release of the draft Digital Personal Data Protection Rules, 2025. This follows the passage of the Digital Personal Data Protection Act, 2023, by Parliament in August 2023, marking a major milestone in the country’s data privacy framework. While the Act is yet to be implemented, the draft rules provide a sneak peek into the upcoming regulations that will shape how personal data is protected in the digital era.
One of the key features of the draft rules is an emphasis on transparency. The rules mandate that individuals, known as data principals, must be fully informed about how their data will be collected and used. This is particularly important as many people are often unaware of the extent to which their personal information is processed online. The new rules specify that notices about data collection must be standalone documents—clear and easy to understand—rather than hidden within lengthy terms and conditions or privacy policies. This move is aimed at making data usage more transparent and ensuring users are fully aware before consenting to data collection.
Another important aspect is the responsibility placed on data fiduciaries—the organizations that collect and process data—to implement reasonable security measures to protect personal data. The rules provide flexibility, allowing businesses to customize their security protocols according to their needs, rather than imposing a rigid set of guidelines. This approach aims to strike a balance between safety and practicality.
Also Read: Data Protection Bill introduced in LS amid protests
However, concerns remain, particularly around data breaches. The rules require businesses to notify affected individuals and the Data Protection Board of India if a breach occurs, but the timeline for notification is unclear. The rules state that companies must notify “without delay,” but there is no precise definition of what constitutes a reasonable timeframe. This ambiguity could lead to challenges in meeting these requirements, particularly with the dual-stage notification process that mandates an initial report followed by a detailed submission within 72 hours.
Data retention is another area where the rules aim to create a more structured approach. The draft proposes that personal data should be erased once its purpose for processing is fulfilled. While some large companies like e-commerce platforms and social media intermediaries will have set retention periods, smaller businesses are allowed to determine their own timelines for data storage. This selective approach may lead to inconsistencies in compliance practices across industries.
Cross-border data transfers also pose challenges, as the rules restrict the movement of personal data to jurisdictions approved by the Indian government. While this aims to protect Indian citizens’ data, it could complicate operations for companies that work globally, especially when dealing with existing data in restricted jurisdictions.
The draft rules also introduce the concept of consent managers, intermediaries who will help individuals manage their data rights through platforms that are interoperable across various services. This could simplify compliance for businesses but might increase operational costs.
Despite its forward-thinking approach, the draft has faced criticism for its perceived vagueness and the delayed release. Some concerns include the potential overreach of localization requirements, issues around protecting minors’ data, and the challenges associated with verifying parental consent.
Overall, while the draft rules are not without their challenges, they represent a significant step forward in aligning India’s data protection framework with global standards. If fully implemented, they could bring greater control to individuals over their personal data, increase transparency, and push companies to prioritize data security—benefiting common users who are increasingly concerned about their digital privacy.
(This story is sourced from a third-party syndicated feed. Raavi Media takes no responsibility or liability of any nature. Raavi Media management/ythisnews.com can alter or delete the content without notice for any reason.)
