# DIGITAL PERSONAL DATA PROTECTION RULES 2025 — DRAFT (January 2025)
## G.S.R. 02(E) — Ministry of Electronics and Information Technology

**Published for public consultation:** 3rd January, 2025  
**Consultation period:** 45 days (until ~17 February 2025)  
**Status:** Superseded by final Rules notified 13 November 2025 (G.S.R. 846(E))  
**PIB Press Release:** https://pib.gov.in/PressReleasePage.aspx?PRID=2089159  
**Draft PDF:** https://www.meity.gov.in/static/uploads/2025/01/Draft-DPDP-Rules-2025.pdf

---

## OVERVIEW

The Ministry of Electronics and Information Technology (MeitY) published the draft Digital Personal Data Protection Rules, 2025 on 3 January 2025 for public consultation. The draft contained 22 rules and 7 schedules to operationalise the Digital Personal Data Protection Act, 2023.

Key highlights from the draft:

### 1. Notice and Consent Framework (Rules 3–5)

**Notice requirements**: Data Fiduciaries must provide notices in "clear and plain language" that are self-contained and can be understood independently. The notice must include an itemised description of the personal data collected and the specific purpose.

**Consent withdrawal**: Must be as easy as giving consent. Data Fiduciaries must provide specific links/mechanisms for withdrawal.

**Consent Manager registration**: Rs. 150 crore minimum net worth requirement for registration. Consent Managers act as intermediaries enabling Data Principals to manage all consents from one platform.

### 2. Children's Data Protection (Rule 9)

**Age verification**: Data Fiduciaries must obtain verifiable parental consent before processing children's data. This requires robust age-gating mechanisms.

**Behavioral monitoring ban**: Prohibited for all Data Fiduciaries processing children's data.

**Exemptions**: Certain categories (healthcare, educational institutions) may be exempted by Central Government notification.

### 3. Data Principal Rights (Rules 12–13)

Data Principals can exercise rights (access, correction, erasure, nomination) through the Data Fiduciary's platform or through a registered Consent Manager. Grievances must be resolved within a period to be prescribed (the draft suggested 48-hour acknowledgment and 30-day resolution).

### 4. Data Protection Board (Rules 17–21)

The draft prescribed detailed procedures for Board operations as a "digital office" — all proceedings (intimation, inquiry, appeals) conducted online.

**Board composition**: Chairperson + Members appointed by Central Government; 2-year terms, eligible for reappointment.

**Inquiry procedure**: On receipt of a personal data breach intimation or a Data Principal complaint, the Board determines whether grounds exist to proceed, issues notices, and can impose penalties per the Schedule.

### 5. Security Safeguards (Rule 22 / Schedule 3)

The draft prescribed specific technical requirements:
- Encryption of data at rest and in transit
- Access controls and authentication
- Regular security audits
- Incident response procedures
- Backup and recovery mechanisms

### 6. Significant Data Fiduciary Obligations (via Act Section 10)

SDFs (notified by Central Government) must:
- Appoint a Data Protection Officer (India-based)
- Appoint an independent data auditor
- Conduct annual Data Protection Impact Assessments
- Publish DPO contact details

### 7. Cross-border Data Transfer (Rule 16)

The draft Rules did not specify restricted countries; the Central Government retains power to notify restricted territories. Data transfers to non-restricted countries are permitted.

### 8. Schedules

| Schedule | Subject |
|----------|---------|
| First | Consent Manager: registration conditions (Part A) + obligations (Part B) |
| Second | Standards for State processing of personal data |
| Third | Security safeguards for Data Fiduciaries |
| Fourth | DPIA framework for Significant Data Fiduciaries |
| Fifth | Forms/procedures for Data Principal rights exercise |
| Sixth | Breach notification format |
| Seventh | Criteria for Significant Data Fiduciary classification |

---

## KEY CHANGES: DRAFT → FINAL RULES

The final Rules (G.S.R. 846(E), November 2025) made several modifications from this draft:

1. **Commencement phasing**: Final Rules split into three phases (immediate/1-year/18-month) versus the draft's more unified approach
2. **Techno-legal measures**: New defined term introduced in final Rules
3. **Consent Manager timeline**: Deferred to 1 year post-notification
4. **Security safeguards**: Rule 22 retained with 18-month implementation window
5. **Board rules**: Rules 17–21 brought into immediate effect

---

## CONSULTATION PROCESS

MeitY received thousands of responses from industry bodies, civil society, academia, and individuals during the 45-day consultation period. Key concerns raised:

- **Compliance burden on SMBs**: Consent Manager net worth requirements seen as too high
- **Children's data age verification**: Technical feasibility concerns
- **Cross-border transfers**: Industry sought clarity on permitted countries
- **Grievance timelines**: Requests for more realistic resolution windows
- **Startup exemptions**: Requests to operationalise Section 17(3) startup carve-outs

---

*Note: This document is based on the PIB press release and consultation documents. For the final notified Rules, refer to DPDP_Rules_2025.md.*
