Vikram Jeet Singh

India’s Draft Data Privacy Rules – 7 Key Takeaways

The draft Digital Personal Data Protection Rules, 2025 (Draft Privacy Rules), intended to implement India’s new privacy law, were released for public comments on January 3, 2025. This step comes more than 7 years after the inciting incident that triggered the search for a new data privacy law. It was on September 26, 2018, that the Indian Supreme Court ruled that information privacy is a fundamental right, and required the Indian Government to come up with a new data law.


The 7 years that have passed since the Puttaswamy judgment have seen continuing rapid growth in digitalisation in India and across the world; we have also been through a global pandemic, 2 national elections in India, and the implementation of the EU GDPR in 2018. More recently, the emergence of game-changing new technologies such as generative AI has challenged privacy regulations and models.


Here are 7 key takeaways for businesses from the Draft Privacy Rules:

1. Privacy Notices – Keeping it Clear and Simple

The Draft Privacy Rules double down on the requirement that notices provided to data principals be presented and understandable independently of any other document, and be written in clear and plain language. At a minimum, an itemized description of the personal data and the specific purposes of processing has to be provided. Finally, the notice should contain a link to the relevant website/application, and also point out how consent can be withdrawn and how data principals’ rights can be exercised.

2. Spelling out Security Safeguards

The Draft Privacy Rules spell out 7 security safeguards that should be implemented by all data fiduciaries who process personal data. These include security measures such as encryption or masking, physical access control restrictions, data backups, access logs to detect breaches, etc. The data fiduciary is required to retain such logs for one (1) year, and also to insert data security provisions in its contracts with data processors.

3. Data Breach Timelines Clarified

A data fiduciary is required to intimate affected data principals of data breaches ‘without delay’ on becoming aware of such breach. The Draft Privacy Rules do not provide for any set time limit here, but a time limit of 72 hours is specified for reporting such breaches to the Data Protection Board. In the past, we have seen that very onerous reporting timelines (like the CERT-In Directions, 2022 that mandate ‘6-hour’ reporting!) are unworkable in practice. A 72-hour ‘outer limit’ on reporting data breaches to the Board is not unreasonable, and is in line with global standards.

4. Different Data Retention Periods for Different Folks!

The Draft Privacy Rules contain a good amount of detail on the data retention timelines allowed to different categories of data fiduciaries. The Third Schedule in these draft rules prescribes bespoke retention periods for e-commerce companies, online gaming platforms, and social media companies, and also denotes the purposes for which such data can be retained. In addition, data fiduciaries will need to give a 48-hour notice to data principals before erasing their personal data.

5. Processing Children’s Data, with some exemptions

The requirement under the parent Act to obtain ‘verifiable parental consent’ for processing children’s data continues in these draft rules. The Illustration accompanying this Rule contemplates a child informing the data fiduciary that she is a minor, and the data fiduciary then engaging with the child’s parent or guardian to verify age and identity; a scenario that does not involve a parent/guardian is not contemplated in these Rules. Such verification is required before a child’s account can be created and her data processed. The subsequent Rule exempts certain data fiduciaries, such as hospitals and educational institutions, from obtaining verifiable parental consent for certain specified purposes.

6. More Obligations on ‘Significant’ Data Fiduciaries

The Draft Privacy Rules add a few additional compliances for Significant Data Fiduciaries (though they do not specify who qualifies as such; this will likely be notified by the Government once the law is operationalized). These obligations include undertaking a Data Protection Impact Assessment once every 12 months, and an audit to demonstrate compliance with the privacy law. In addition, due diligence should be undertaken to ensure that any algorithmic software (which may also include AI tools) deployed by them does not pose risks to data principals.

7. (Almost) No Restrictions on Cross Border Data Transfers

As was clarified in the parent law, there are no overarching restrictions on the transfer of personal data outside India. However, the Central Government retains the power to specify restrictions in cases where such personal data is made available to any foreign State, or any instrumentality of a foreign State. In addition, Significant Data Fiduciaries will need to adopt measures to ensure that certain personal data (to be identified by the Government, but as yet unspecified) is not transferred outside India.


What Happens Next: The Draft Privacy Rules are available for public consultation until February 18, 2025. After the consultation period, these Rules will likely be finalized and notified, which will also operationalize the Digital Personal Data Protection Act, 2023.
