From Consent to Compliance: Understanding India’s New Data Privacy Rules

By – Neha Das and Chandan Kumar

Introduction

In the digital economy, personal data has become a valuable and sensitive resource that is essential for business operations, governance, and social interaction. In the absence of a comprehensive legal framework for data protection, individuals are exposed to risks such as identity theft, financial fraud, surveillance, and unauthorised profiling.

Recognizing the need for data privacy and protection in a data-driven world, the Government enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”) to establish a structured and rights-based framework for digital privacy regulation.

Evolution of India’s Data Privacy Framework

Until 2023, India’s data protection laws were primarily governed by the Information Technology Act, 2000 (“IT Act”), along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”) issued thereunder. While these provisions introduced baseline security standards and defined certain categories of sensitive data, they were inadequate to address evolving technological challenges such as algorithmic decision-making, large-scale data processing, data collection, storage, and cross-border transfers of personal data.

Constitutional Recognition of Data Privacy

In 2017, the Supreme Court delivered a landmark judgement in Justice K. S. Puttaswamy (Retd.) v. Union of India, wherein it recognised the right to privacy, including informational and data privacy, as a fundamental right under Article 21 of the Constitution [1]. This decision laid the constitutional foundation for the development of a comprehensive legal framework for data privacy and protection.

Legislative Journey Toward the DPDP Act

Thereafter, the Government initiated a multi-year process of stakeholder consultation and legislative drafting for data privacy and protection. This resulted in the enactment of the Digital Personal Data Protection Act, 2023, passed by Parliament in August 2023, thereby laying the foundation for India’s long-awaited data protection law and broadly aligning its regulatory regime with international standards, including key principles of the European Union’s General Data Protection Regulation (“GDPR”) [2].

The DPDP Act incorporates core principles such as fairness, purpose limitation, data minimisation, storage limitation, and accountability of data fiduciaries. Notably, it adopts a more flexible approach to data localisation: cross-border transfers of personal data are generally permitted unless restricted by government notification [3]. This marks a significant shift from earlier legislative proposals, such as the 2018 Draft Personal Data Protection Bill, which had mandated strict domestic storage or mirroring of certain types of personal data [4].

Overview of the DPDP Act and Draft Rules

To facilitate the implementation of the DPDP Act, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) on 03.01.2025 for public consultation [5]. The DPDP Rules have so far been published only in draft form and are yet to be finalised and brought into effect.

Once enforced, the DPDP Rules will provide the necessary regulatory framework for implementing the DPDP Act by prescribing detailed compliance obligations, procedural requirements, and other enabling provisions.

This article offers a detailed analysis of the Draft DPDP Rules, evaluating their key features, examining their legal implications for stakeholders, and assessing their alignment with internationally accepted data protection standards.

Rights of Data Principals and Redressal Mechanism

The DPDP Act establishes a rights-based framework aimed at empowering individuals, referred to as Data Principals, in relation to their personal data. Section 2(j) of the Act defines a Data Principal as “the individual to whom the personal data relates”, and extends the term, in the case of a child, to the parents or lawful guardian of that child and, in the case of a person with disability, to her lawful guardian acting on her behalf.

The entity responsible for determining the purposes and means of processing such data is defined in Section 2(i) as the Data Fiduciary, i.e., “any person who alone or in conjunction with others determines the purpose and means of processing of personal data.”

Additionally, Section 2(g) introduces the concept of a Consent Manager — “a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.”

To operationalize these roles and enable Data Principals to effectively exercise their rights, Rule 13 of the Draft DPDP Rules, 2025 mandates that Data Fiduciaries — and, where applicable, Consent Managers — must publish on their website or mobile application the process through which a Data Principal can submit a rights request, along with the identifiers (such as username, customer ID, enrolment number, etc.) required to verify the Data Principal’s identity.

As per Rule 13(2), a Data Principal may submit a request to the Data Fiduciary (to whom she has previously granted consent) to access her personal data or to request its erasure, using the published method and identity verification.

Rule 13(3) requires Data Fiduciaries and Consent Managers to clearly state the time period within which grievances will be addressed under their respective grievance redressal mechanisms. They are also expected to adopt appropriate technical and organisational measures to ensure adherence to these declared timelines.

Further, Rule 13(4) allows a Data Principal to nominate one or more individuals to act on her behalf. Such nominations must comply with the Data Fiduciary’s terms of service and applicable law and must be submitted through the prescribed mechanism made publicly available.

However, the Rules do not prescribe a uniform or mandatory statutory timeframe for grievance resolution across entities. This lack of consistency may reduce the enforceability of Data Principals’ rights and result in uneven implementation across platforms.

Data Protection Board of India

The Data Protection Board of India (“the Board”) is the adjudicatory authority established under Section 18 of the DPDP Act, 2023, to ensure the enforcement and compliance of its provisions. The Board is empowered to inquire into complaints, investigate personal data breaches, and impose penalties on Data Fiduciaries and Consent Managers for violations of the Act or the associated Rules.

It is also tasked with overseeing the registration and regulation of Consent Managers and ensuring that Data Fiduciaries fulfil their responsibilities regarding consent, notice, data security, breach notifications, and grievance redressal.

Under Section 19(3) of the DPDP Act, 2023, the Chairperson and Members of the Board must be individuals of ability, integrity, and standing, possessing specialised knowledge or practical experience in fields such as data governance, information technology, law, the digital economy, consumer protection, or other relevant areas as may be notified by the Central Government.

Notably, at least one Member must be an expert in law. Section 20 further provides that all Members, including the Chairperson, shall hold office for a term of two years and may be considered for reappointment.

Notice and Consent Requirements

Section 5(1) of the DPDP Act, 2023 mandates that every request for consent under Section 6 must be accompanied or preceded by a clear and standalone notice from the Data Fiduciary to the Data Principal. Rule 3 of the Draft DPDP Rules, 2025 elaborates that such notice must be presented independently of any other content and must be written in plain and easily understandable language.

The notice must include an itemised description of the personal data proposed to be collected, the specific purpose for processing, and a description of the goods or services linked to such processing. It must also contain a direct communication link to the website or application of the Data Fiduciary, through which the Data Principal can withdraw consent, exercise her rights under the Act, and file complaints with the Data Protection Board.

These requirements aim to ensure that consent is not only informed and specific but also easily revocable by the Data Principal.

Transparency Obligations for Data Fiduciaries

Rule 9 requires every Data Fiduciary to publish on its website or application the business contact details of its Data Protection Officer (“DPO”), where one has been appointed, or otherwise of a person able to answer Data Principals’ questions about the processing of their personal data.

This provision ensures that Data Principals have a reliable and direct channel to exercise their rights or raise grievances effectively.

Registration of Consent Managers

Rule 4 of the DPDP Rules governs the registration and oversight of Consent Managers. A person meeting the eligibility criteria specified under Part A of the First Schedule may apply to the Data Protection Board for registration.

Once satisfied, the Board may grant registration and publish the Consent Manager’s particulars on its official website. Registered Consent Managers are required to comply with the obligations outlined in Part B of the First Schedule. These include maintaining interoperable consent platforms, retaining records for seven years, and operating independently of Data Fiduciaries to avoid any conflict of interest.

Data Security and Breach Notification

Rules 6 and 7 of the Draft DPDP Rules, 2025 impose specific obligations on Data Fiduciaries regarding data security and breach reporting.

Rule 6 requires Data Fiduciaries to implement reasonable security safeguards. These include measures such as encryption, obfuscation, masking or use of virtual tokens, access controls, monitoring and review of audit logs, data backups sufficient to continue processing after loss, contractual security obligations on Data Processors, and retention of logs and of the personal data concerned for at least one year, unless a longer period is required by law.

In the event of a personal data breach, Rule 7 mandates that Data Fiduciaries notify both the Data Protection Board and the affected Data Principals. The notification to affected individuals must clearly specify the nature, extent, timing and location of the breach, its likely consequences, the measures taken to mitigate its effects, the safety measures the individual may take, and a designated contact point for follow-up.

Affected individuals and the Board must both be given an initial intimation “without delay”; the Board must then receive, within 72 hours of the Data Fiduciary becoming aware of the breach (or such longer period as the Board permits on a written request), a detailed report covering the facts and circumstances, the measures taken, findings on the person responsible, and the intimations given to affected Data Principals. The absence of a defined outer limit for notifying individuals, however, may lead to interpretational ambiguity and inconsistent compliance practices.

Data Retention and Deletion

Rule 8 mandates that the classes of Data Fiduciaries listed in the Third Schedule (e-commerce entities and social media intermediaries with at least two crore registered users in India, and online gaming intermediaries with at least fifty lakh) must erase personal data if the Data Principal has neither approached them for the specified purpose nor exercised her rights for a continuous period of three years, counted from the later of her last interaction and the commencement of the Rules, unless such retention is required under law.

To ensure transparency and user control, the Rule further requires that at least 48 hours prior to deletion, the Data Fiduciary must notify the Data Principal and provide an opportunity to retain the data. This can be done by logging into the account or exercising her rights under the Act.

While this provision promotes the principle of data minimisation and helps curb excessive data retention, it also demands that Data Fiduciaries establish robust systems for data tracking, archival, and notification management.
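As an added example (not code from the article, from MeitY, or from any Data Fiduciary), the following Python sweep implements the Rule 8 procedure described above: the three-year inactivity clock runs from the later of the last interaction and the Rules’ commencement, a 48-hour notice precedes erasure, any login or rights request resets the clock and cancels a pending notice, and accounts subject to a legal retention requirement are never erased. The commencement date, account names and the 365-day year are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Periods taken from draft Rule 8; the 365-day year is an assumption of this example.
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_PERIOD = timedelta(hours=48)

# Constructed commencement date for the example, not the real one.
COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    user_id: str
    last_interaction: datetime            # last login, rights request or other contact
    legal_hold: bool = False              # retention required by a law in force
    notice_sent_at: Optional[datetime] = None


def erasure_due_at(acct: Account, rule_commencement: datetime) -> datetime:
    """Three years after the later of the last interaction and the Rules' commencement."""
    return max(acct.last_interaction, rule_commencement) + INACTIVITY_PERIOD


def record_interaction(acct: Account, when: datetime) -> None:
    """Any login or rights request restarts the clock and cancels a pending notice."""
    acct.last_interaction = when
    acct.notice_sent_at = None


def sweep_action(acct: Account, now: datetime, rule_commencement: datetime) -> str:
    """Decide what the retention job should do with one account.

    Returns "retain" (legal hold), "keep" (not yet within 48 hours of the due
    date), "notify" (send the 48-hour notice now), "wait" (notice sent, window
    still open) or "erase" (window closed without any interaction).
    """
    if acct.legal_hold:
        return "retain"
    due = erasure_due_at(acct, rule_commencement)
    if now < due - NOTICE_PERIOD:
        return "keep"
    if acct.notice_sent_at is None:
        return "notify"
    # A late notice must never shorten the Data Principal's 48-hour window,
    # so erasure waits for both the due date and 48 hours after the notice.
    earliest_erase = max(due, acct.notice_sent_at + NOTICE_PERIOD)
    return "erase" if now >= earliest_erase else "wait"


def run_sweep(accounts, now: datetime, rule_commencement: datetime) -> dict:
    """Apply sweep_action to every account, marking notices as sent; returns {user_id: action}."""
    actions = {}
    for acct in accounts:
        action = sweep_action(acct, now, rule_commencement)
        if action == "notify":
            acct.notice_sent_at = now      # in production: also dispatch the notice here
        actions[acct.user_id] = action
    return actions


def sample_accounts():
    """Constructed sample data: one active user, one dormant user, one under legal hold."""
    return [
        Account("active-user", datetime(2027, 6, 1, tzinfo=timezone.utc)),
        # Last seen before commencement, so the clock starts on COMMENCEMENT.
        Account("dormant-user", datetime(2024, 3, 1, tzinfo=timezone.utc)),
        Account("held-user", datetime(2024, 3, 1, tzinfo=timezone.utc), legal_hold=True),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    due = erasure_due_at(accts[1], COMMENCEMENT)
    print(run_sweep(accts, due - timedelta(hours=24), COMMENCEMENT))
```

Run the sweep from a scheduled job against the real account store; the decision logic is kept free of I/O so that the edge cases (late notice, interaction after notice, legal hold) can be unit-tested with fixed timestamps.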

Processing of Children’s Data and Data of Persons with Disabilities

Rule 10 requires Data Fiduciaries to obtain verifiable consent from a parent before processing the personal data of a child, and from the lawful guardian before processing the personal data of a person with disability. The Data Fiduciary must check that the person giving consent is an identifiable adult, relying on reliable identity and age details already held or voluntarily provided, or on a virtual token issued by a Digital Locker service provider such as DigiLocker.

Rule 11, read with the Fourth Schedule, carves out limited exemptions for entities such as healthcare and educational institutions; these are confined to the listed purposes (for example health services and educational activities) and do not extend to behavioural tracking or targeted advertising directed at such individuals.

This rule reinforces safeguards for vulnerable data subjects and imposes stricter accountability on entities processing data of minors and persons with disabilities, ensuring that consent is both informed and lawfully obtained.

Significant Data Fiduciaries (SDFs)

A Significant Data Fiduciary (SDF) is a category of Data Fiduciary designated by the Central Government under Section 10(1) of the DPDP Act, 2023. This classification is based on factors such as the volume and sensitivity of personal data processed, the potential risk of harm to Data Principals, and the broader impact on electoral democracy, national security, or public order.

Rule 12 of the Draft DPDP Rules, 2025, outlines additional compliance obligations for SDFs. These include conducting annual Data Protection Impact Assessments (DPIAs), undertaking yearly data audits, and submitting reports with key observations to the Data Protection Board.

SDFs are also required to verify that any algorithmic software used for processing personal data does not pose a risk to the rights of Data Principals. Additionally, Rule 12(4) mandates that SDFs ensure that the categories of personal data specified by the Central Government, and the traffic data pertaining to their flow, are not transferred outside India.

Cross-Border Transfers

Rule 14 permits the transfer of personal data outside India, but a Data Fiduciary processing personal data within India, or outside India in connection with offering goods or services to Data Principals in India, must comply with any requirements the Central Government specifies by general or special order for making such data available to a foreign State or to an entity under its control.

This provision enables the government to regulate such transfers to specific countries or foreign entities. While this flexible framework aligns with global practices, the lack of a predefined list of permitted or restricted jurisdictions currently creates uncertainty for businesses engaged in cross-border data processing.

Exemptions under Specified Circumstances

Rule 15 provides exemptions for data processing undertaken for research, archival, or statistical purposes from certain provisions of the DPDP Act, provided such processing adheres to the standards prescribed in the Second Schedule.

However, the absence of clear and uniform definitions for these terms—“research,” “archival,” and “statistical purposes”—creates significant ambiguity. This lack of precision increases the risk of broad or unintended interpretation and may open the door to potential misuse of personal data under the guise of exempted categories.

Key Gaps and Recommendations for Reform

While the Draft DPDP Rules, 2025 lay a strong foundational framework for implementing the DPDP Act, several critical gaps remain that merit focused regulatory attention.

Grievance Redressal Timelines

The absence of a fixed statutory timeline for grievance resolution undermines the enforceability of Data Principals’ rights. Although Rule 13 mandates that Data Fiduciaries and Consent Managers publish their redressal periods, no uniform or binding deadline has been prescribed. Introducing a statutory resolution timeline, along with penalties for non-compliance, would significantly enhance accountability and user trust.

Ambiguity in Exemption Definitions

Undefined terms such as “research,” “archival,” and “statistical purposes” under Rule 15 introduce risks of broad or inconsistent interpretation. These terms should be narrowly and precisely defined, with exemptions confined to clearly specified entities that operate under regulated and auditable standards to prevent misuse.

Uncertainty in Cross-Border Transfer Provisions

Although the Rules permit cross-border transfers of personal data, Rule 14 does not yet specify a list of permitted or restricted jurisdictions. This regulatory vacuum introduces uncertainty for businesses that rely on offshore data processing. A periodically updated whitelist of jurisdictions—based on comprehensive adequacy assessments—would offer legal clarity and facilitate smoother compliance.

Proportionality in Compliance Burdens

Certain obligations, such as mandatory annual Data Protection Impact Assessments (DPIAs) and audits under Rule 12, could impose a disproportionate burden on small and low-risk entities. Implementing a tiered compliance framework that accounts for the size and risk profile of Data Fiduciaries would promote both proportionality and regulatory efficiency, without compromising on safeguards.

Conclusion

The Draft Digital Personal Data Protection Rules, 2025 represent a crucial step forward in operationalizing the DPDP Act, 2023 and advancing India’s data protection ecosystem. These Rules establish key procedural and compliance mechanisms for Data Fiduciaries and Consent Managers, while reinforcing the rights of Data Principals through detailed obligations related to notice, consent, grievance redressal, security practices, breach notifications, and governance obligations for Significant Data Fiduciaries.

Importantly, the framework reflects a strong alignment with global data protection norms and principles, drawing from models such as the GDPR to promote transparency, accountability, and individual autonomy.

However, critical gaps persist. The lack of statutory redressal timelines, undefined exemptions, unclear classification thresholds for SDFs, and the absence of jurisdiction-specific guidance on cross-border data transfers create practical challenges for consistent enforcement and business compliance.

As India transitions into a robust digital regulatory environment, incorporating these refinements will be essential to balancing privacy rights with innovation, ease of doing business, and regulatory clarity. Only then can this framework effectively foster public trust and support the sustainable growth of India’s data-driven economy.

FAQs

  1. What is the Digital Personal Data Protection (DPDP) Act, 2023?

    The DPDP Act, 2023 is a landmark legislation aimed at regulating the processing of digital personal data in a way that balances the individual’s right to privacy with the legitimate needs of data processing for lawful purposes. It establishes a structured framework that mandates accountability for data handlers while empowering individuals—referred to as Data Principals—with enforceable rights over their personal information.

  2. What are the key highlights of the draft DPDP Rules 2025?

    The Draft Digital Personal Data Protection Rules, 2025 provide the procedural framework necessary to operationalize the DPDP Act, 2023. They detail the obligations related to notice and consent, grievance redressal, breach notification, data retention, and cross-border data transfers. The Rules also specify responsibilities for Significant Data Fiduciaries and Consent Managers, including the appointment of Data Protection Officers and conducting impact assessments. Issued under the Central Government’s authority under Section 40 of the Act, these Rules are currently in draft form and open for stakeholder feedback before final implementation.

  3. Who is a Significant Data Fiduciary (SDF)?

    A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on factors such as the volume and sensitivity of personal data processed, the potential risk to Data Principals, and the impact of such processing on national interest. Once designated, SDFs must adhere to enhanced compliance requirements including annual Data Protection Impact Assessments, independent data audits, and more stringent obligations outlined in Rule 12 of the Draft DPDP Rules.

  4. What is the role of Consent Managers under the DPDP Rules?

    Consent Managers serve as neutral intermediaries who help individuals manage their data consent preferences in a user-friendly, transparent, and secure manner. Registered with the Data Protection Board, these entities are required to maintain technological interoperability, ensure data security, and operate independently of Data Fiduciaries to prevent conflicts of interest. Their responsibilities are clearly defined under Rule 4 and the First Schedule of the Draft Rules.

  5. How are cross-border data transfers regulated under DPDP Rules?

    The Draft DPDP Rules allow personal data to be transferred outside India, provided such transfers are not specifically restricted by the Central Government. Under Rule 14, the government retains the power to issue general or special orders restricting transfers to specific countries or entities if necessary for data sovereignty, national security, or other public interest considerations.

  6. What are the penalties for non-compliance under DPDP Rules 2025?

    Non-compliance with the DPDP Act or the Draft Rules can attract significant monetary penalties, which are adjudicated by the Data Protection Board of India under Section 33 of the Act. For instance, a Data Fiduciary that fails to implement reasonable security safeguards to protect personal data may face penalties up to ₹250 crore. The Board is also empowered to initiate inquiries, conduct investigations, and take enforcement action for other breaches.

  7. What are the 5 principles of the DPDP Act, 2023?

    The DPDP Act is anchored in five key data protection principles. It emphasizes that personal data must be collected for lawful, specific purposes and processed fairly and transparently. The principle of data minimisation mandates collecting only what is necessary. It also requires that personal data not be retained longer than required and imposes a duty of accountability on Data Fiduciaries, who must not only comply with the law but also be able to demonstrate such compliance.

  8. What is the latest update on the DPDP Act?

    The DPDP Act, 2023 received Presidential assent and was published in the Official Gazette on August 11, 2023. Subsequently, in January 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft DPDP Rules for public consultation. However, the Act has not yet come into force, as the government has not issued a notification under Section 1(2) specifying its date of commencement.

  9. What is the penalty for data breaches?

Under Chapter VIII of the DPDP Act, the Data Protection Board is empowered to impose penalties for data breaches, especially where Data Fiduciaries fail to meet their legal obligations. If a Data Fiduciary does not notify the Board or the affected individuals about a breach, it may be liable to pay a penalty of up to ₹200 crore, as specified in the Schedule to the Act; failure to take reasonable security safeguards to prevent the breach attracts a separate penalty of up to ₹250 crore.

  10. Who is liable for a data breach?

    The responsibility for a personal data breach lies primarily with the Data Fiduciary. This includes instances where a breach results from the actions or negligence of a Data Processor acting on its behalf. Under the DPDP Rules, Data Fiduciaries are required to maintain adequate security measures under Rule 6 and report any breaches to the relevant authorities and individuals as stipulated in Rule 7.

References

  1. Justice K. S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
  2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1–88.
  3. Section 16(1) of the DPDP Act: “The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.”
  4. PRS Legislative Research, Draft Personal Data Protection Bill, 2018, https://prsindia.org/billtrack/draft-personal-data-protection-bill-2018
  5. Ministry of Electronics and Information Technology (MeitY), “Draft Digital Personal Data Protection Rules, 2025”, released on 03.01.2025.
