Published on 8th April 2025
Authored By: Aditi Yashasvi
Amity Law School, Noida
Introduction
In the digital era, data protection has become an inseparable aspect of governance, balancing the individual's right to privacy against technological development and the economic growth it brings. India's journey on data protection has evolved over time, largely in step with global trends such as the European Union's General Data Protection Regulation (GDPR). In India, the groundwork was laid by judicial decisions, most notably the Supreme Court's landmark verdict in the 'right to privacy case', K.S. Puttaswamy v. Union of India[1], which recognised the right to privacy as a fundamental right and set in motion the formulation of the Digital Personal Data Protection Act, 2023 (DPDP Act)[2].
The Act aims to regulate the processing of personal data of 'Data Principals' (DPs) by the entities that handle it, while ensuring that the consent of DPs is duly obtained and that DPs retain control over their information. However, the Act has raised applicability concerns ever since it was enacted. These concerns relate to the regulatory independence of the enforcement body, the immunities and exemptions granted to government agencies, and the potential dilution of user rights. Meanwhile, the EU's GDPR remains the reference legislation on data protection, offering a rights-based framework coupled with rigorous compliance mechanisms and penalties. The Indian framework, though drawing on the GDPR, has gaps that substantially impede its effectiveness, particularly with respect to enforceability and data localisation. This illustrates the risk of transplanting a standard law from another jurisdiction: applied directly, without accounting for the dynamics of one's own jurisdiction, it may leave out the differentiated treatment those dynamics require.
After much anticipation, the draft Digital Personal Data Protection Rules, 2025[3] were released for public consultation to supplement the DPDP Act, 2023, but they have drawn criticism for certain provisions they seek to bring into force.
Provisions under the Draft Digital Personal Data Protection Rules, 2025
A parent statute depends on its delegated legislation, i.e., the rules and regulations framed under it. Likewise, effective implementation of the DPDP Act relies on rules that set out the operational and enforcement aspects of compliance. The draft DPDP Rules have therefore been released with the intent of regulating the collection and processing of personal data, user consent, grievance redressal, and the compliance requirements for entities entrusted with personal data. The rules are meant to bridge gaps in the DPDP Act, address matters that could not be dealt with in the Act itself, and provide a structured approach to protecting digital privacy.
The Rules apply to both 'Data Fiduciaries' (any person or entity that, alone or with others, determines the purpose and means of processing personal data) and 'Significant Data Fiduciaries' (SDFs) (Data Fiduciaries notified as such by the Central Government on the basis of factors such as the volume and sensitivity of the personal data they process and the risks that processing poses). The framework also reaches foreign organisations that process the digital personal data of DPs in India in connection with offering goods or services to them, so that multinational corporations must comply with domestic regulation. Government agencies are covered as well, subject to exemptions, for instance where processing is carried out by notified State instrumentalities in the interests of the sovereignty and integrity of India, the security of the State, or the maintenance of public order.
A vital provision requires Data Fiduciaries to obtain consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, before processing personal data. The request for consent must be presented in clear and plain language so that Data Principals can give informed consent after assessing how their data will be used.
Another obligation on Data Fiduciaries is to give DPs a notice, at or before the time consent is sought, stating the purpose of the processing, an itemised description of the personal data being collected, and the rights of DPs, including the right to withdraw consent and the means of exercising that right.
The rules also lay down a structured framework for 'Consent Managers', the intermediaries through which individuals can give, manage, review and withdraw consent. A Consent Manager must be registered with the Data Protection Board of India and must comply with the conditions of registration and the guidelines in force, so as to maintain accountability and transparency.
Under the Act, the Central Government may notify a Data Fiduciary as an SDF on the basis of factors including the volume and sensitivity of personal data processed, the risk to the rights of DPs, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order. The 2025 Rules then impose additional obligations on SDFs: a Data Protection Impact Assessment (DPIA) and an audit once every twelve months, with significant observations reported to the Board; verification that any algorithmic software the SDF deploys does not pose a risk to the rights of DPs; and, alongside the Act's requirement that an SDF appoint a Data Protection Officer (DPO) based in India, restrictions on transferring specified personal data outside India.
Further, Data Fiduciaries must resolve complaints and grievances raised by DPs within a published, time-bound period. If a Data Principal is not satisfied with the resolution, they may escalate the matter to the Data Protection Board of India (DPBI), the body responsible for enforcing the Act.
One of the most controversial provisions of the draft rules is data localisation for SDFs. The rules require an SDF to ensure that personal data specified by the Central Government, on the recommendation of a committee constituted by it, together with the traffic data pertaining to its flow, is not transferred outside the territory of India. More generally, any Data Fiduciary processing personal data outside India must meet such requirements as the government may specify by general or special order regarding making that data available to a foreign State or to an entity under its control. Entities engaged in cross-border processing of the personal data of DPs in India therefore have to comply with these domestic conditions, which the government may revise from time to time.
Lacunae in the Draft DPDP Rules
Firstly, the debate on data localisation strikes a chord for Significant Data Fiduciaries and raises the most serious roadblock to their business growth. While Data Fiduciaries are the entities that collect and process personal data and determine the purpose for which it is collected, SDFs are identified on the basis of the volume and sensitivity of the personal data they process and the risks they may pose to the sovereignty and integrity of the country, electoral democracy, security and public order. Major multinational technology companies, including Wipro, Ericsson, Meta, Google, Apple, Microsoft and Amazon, are anticipated to be categorised as SDFs. They will therefore bear the brunt of the localisation restriction, which complicates the provision of their goods and services in the Indian market. By contrast, under the Act passed in August 2023, the government had merely stated that it would notify a list of territories to which the personal data of Indians may not be transferred. This was seen as a big win for industry, and it followed a concerted lobbying effort by technology companies against a provision in an earlier version of the draft law that had imposed strict data localisation mandates. With the fresh draft rules, data localisation requirements have re-entered through delegated legislation what could not be placed in the Act itself, signalling the direction the Indian data protection regime intends to take.
Hence, such data localisation norms could make it "difficult" for a company to offer its services in the country, given the restrictions imposed on its processing of personal data.[4]
Secondly, the next most contentious issue raised after the introduction of the draft rules concerns 'verifiable parental consent'. Under the rules, a Data Fiduciary must obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child, i.e., a user below the age of 18 years. The rules leave it to each entity processing a child's data to adopt appropriate technical and organisational measures of its own for collecting such "verifiable" consent. The government has thus refrained from prescribing a standard mechanism under any provision of the rules, leaving it to the entities to identify and adopt a robust system of their choosing. It did so because various social media entities expressed concern that a uniform code would be difficult to implement. The rules only provide guidance: the Fiduciary must verify that the person identifying as the parent or guardian is an identifiable adult, for instance through reliable identity details already held by the Fiduciary or through a virtual token mapped to such details, such as one issued by a Digital Locker service provider. Obtaining parental consent remains tricky, however, because a minor can bypass the requirement simply by not disclosing to the platform that they are below the age threshold, and may find it easy to impersonate a parent granting consent, which undermines the entire concept.
Lastly, on the occurrence of a personal data breach, the rules require a Data Fiduciary to intimate each affected DP 'without delay', giving a description of the breach (including its nature, extent, timing and location), its likely consequences, the mitigation measures taken and the safety measures the DP can take. The 72-hour period in the same rule applies to the Fiduciary's detailed report to the Board: the Board must be informed without delay, and within 72 hours of the Fiduciary becoming aware of the breach (or a longer period the Board may allow on written request) it must receive updated and detailed information, including the findings on the person who caused the breach and the remedial measures taken.[5] Two problems follow. First, 'without delay' is not defined and carries no outer limit, so the obligation to notify DPs has no enforceable deadline even though the Board's report does. Second, a 72-hour window, extendable at the Board's discretion, is generous in an ecosystem where attack techniques evolve by the day: every hour that a DP is left unaware delays the steps only they can take, such as changing credentials or watching for fraud, and widens the window for follow-on attacks using the compromised data. DPs should be intimated as soon as the Fiduciary becomes aware of the breach, with a fixed outer limit. Practitioners should also note that the DPDP regime sits alongside the CERT-In directions of April 2022, which already require certain cyber incidents to be reported to CERT-In within six hours, so breach response plans must satisfy both timelines.
Conclusion
The draft DPDP Rules, 2025, though an important attempt to supplement India's digital privacy framework and align it with international standards, must overcome a few critical tests before being notified. Certain facets of the rules, including the stringent data localisation requirement, the procedural infirmities in the verifiable parental consent mechanism, and the problematic breach notification timelines, remain contentious and have raised major concerns among stakeholders.
While the draft rules mark a step forward in India's data protection administration, thoughtful revisions are awaited to ensure they do not inadvertently stifle responsible innovation. Striking a precise balance between the privacy of DPs and business viability is therefore crucial to building a resilient digital economy that protects the rights of Data Principals while supporting technological growth.
References
[1] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[2] Digital Personal Data Protection Act 2023
[3] Draft Digital Personal Data Protection Rules 2025
[4] Soumyarendra Barik, ‘In move that may impact Big Tech companies, govt now proposes localisation of personal data in draft rules’ Indian Express (New Delhi, 4 January 2025)
[5] Draft Digital Personal Data Protection Rules 2025, r 7