The Ministry of Electronics and Information Technology (MeitY) has recently released the much-awaited draft of the Digital Personal Data Protection Rules, 2025 (Rules) for public consultation. These proposed Rules provide important insights into the upcoming implementation of India’s new data protection law, which has been under development for some time.
The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant shift in India’s data privacy landscape, laying the foundation for a comprehensive framework governing the collection, use and management of personal data.
Key aspects of the draft Rules:
Phased Implementation
The draft Rules outline a gradual implementation strategy. Initially, the provisions relating to the establishment of the enforcement body – the Data Protection Board (DP Board) – will come into effect immediately upon publication of the final version of the Rules in the Official Gazette. These cover the appointment of the DP Board's chairperson and members and the regulations governing their remuneration, meeting procedures and terms of service. The substantive obligations on businesses – Rules 3 to 15, 21 and 22 – will come into force later, on a date fixed under the Rules.
Consent Is a Must
The Sensitive Personal Data or Information (SPDI) Rules require explicit written consent before collecting sensitive data. The DPDP Act builds upon this by mandating that data fiduciaries provide a clear and comprehensive notice to data principals before collecting personal data. This notice must include specific details about the data being processed, its purpose and the entities involved. Additionally, it must inform the data principal of the rights available to them under the DPDP Act. The draft Rules further stipulate that the notice should be in clear and plain language, which is easy to understand, itemized and include specific information about the goods or services resulting from the data processing.
The consent provided by the Data Principal must be free, specific, informed, unconditional and unambiguous. It should involve clear affirmative action, indicating agreement to the processing of their personal data solely for the specified purpose and limited to such personal data as is necessary for such specified purpose.
Reasonable Security Safeguards
The SPDI Rules already require businesses to implement security practices that protect sensitive personal data in line with recognised standards such as ISO/IEC 27001. The draft Rules go further and set out baseline measures that every Data Fiduciary must adopt to protect personal data against breaches: encryption, obfuscation, masking or virtual tokens; access control; logging and monitoring to detect unauthorised access; backups to maintain continuity of processing; and retention of logs for at least one year. Data fiduciaries must also ensure that contracts with data processors require the processors to maintain these safeguards.
Data Breach Notification
Under the IT Act and SPDI Rules, there was no obligation to notify affected individuals or the regulator of a data breach. The DPDP Act, by contrast, mandates notification of both the DP Board and the affected data principals. The draft Rules specify that these notifications must be clear, concise and timely, describing the nature, scope, timing and impact of the breach together with the mitigation steps taken. Affected data principals must be informed without delay. The DP Board must be notified without delay on becoming aware of a breach, with full details to follow within 72 hours (or such longer period as the DP Board may allow on request). Separately from the DPDP regime, existing CERT-In (Indian Computer Emergency Response Team) directions require cyber incidents to be reported to CERT-In within six hours of noticing them, so a single breach may trigger two reporting clocks.
Data Retention
The SPDI Rules limit the retention of sensitive data to the period necessary for its intended purpose, and the DPDP Act takes the same approach for all personal data: it must be erased when consent is withdrawn or when it is no longer needed for the specified purpose. The draft Rules add a hard limit for certain classes of data fiduciary – e-commerce platforms, online gaming services and social media intermediaries that exceed the user thresholds set out in the Rules – which must erase a data principal's personal data once the principal has not engaged with them for the specified purpose for three years, after giving the principal advance notice of the impending erasure.
Data Protection Officers
The SPDI Rules mandated the appointment of a grievance officer. The DPDP Act goes further, requiring significant data fiduciaries to appoint a data protection officer (DPO) based in India. Smaller data fiduciaries can either appoint a DPO, or designate an individual to handle data processing queries. The draft Rules also mandate that businesses display the DPO’s contact information on their website and in communications with data principals.
Children and Their Personal Data
While the IT Act and SPDI Rules did not specifically address children's personal data, the DPDP Act introduces more stringent provisions. Data fiduciaries must obtain verifiable parental consent before processing a child's data and are prohibited from tracking or behaviourally monitoring children or directing targeted advertising at them. The draft Rules clarify how such consent is to be obtained, including the due diligence required to confirm that the person giving consent is an adult, using reliable identity and age details.
Cross-border Data Transfer
The SPDI Rules allowed the transfer of sensitive data outside India, provided that the receiving party adhered to the same level of data protection. The DPDP Act permits transfers to any country except those the Central Government restricts by notification, and the draft Rules add that any transfer must also comply with requirements the Central Government may specify by general or special order. Businesses transferring data abroad will therefore need to track both the list of restricted countries and any conditions imposed by such orders.
Consent Managers
The DPDP Act introduces the concept of consent managers—entities that facilitate the management of consent between data principals and data fiduciaries. These managers must be registered with the DP Board and provide user-friendly platforms for individuals to manage their consent. The draft Rules provide detailed requirements for these consent managers, including financial and operational thresholds, security measures and record-keeping. The DP Board will also have the authority to audit their operations.
Conclusion
The DPDP Act represents a significant advancement in strengthening data privacy and security in India. The draft Rules provide further clarity on the law’s implementation, particularly around consent, data retention, security, breach notifications, children’s data and cross-border data transfers. While there are still areas that remain unclear, such as the practical implementation of consent managers and the impact of cross-border restrictions, the draft Rules pave the way for more robust data protection. Businesses must stay informed about the evolving regulatory framework to ensure compliance and protect the rights of data principals in this increasingly digital world.
For more information, please contact the authors or your Squire Patton Boggs relationship attorney.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.