The Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection (DPDP) Rules, 2025, on January 3, 2025, to implement the Digital Personal Data Protection Act, 2023. These rules aim to strengthen the legal framework for protecting digital personal data and provide a detailed implementation framework.
Key Provisions
- Notice Requirement: Data fiduciaries must provide clear notices to individuals about the data they collect, the purpose of collection, and obtain specific and informed consent.
- Consent Managers: The rules introduce the concept of consent managers who will work with data fiduciaries to collect and manage user consent.
- Data Protection for Minors: Verifiable parental consent is required for processing the personal data of children.
- Data Breach Notification: Data fiduciaries must inform the Data Protection Board of India (DPBI) within 72 hours of a data breach.
- Data Deletion: Users who stop using e-commerce, social media, or online gaming services for an extended period must be given 48 hours’ notice before their data is deleted.
- Data Localisation: Significant data fiduciaries must ensure that certain personal data is processed within India.
- Data Protection Impact Assessment: Significant data fiduciaries must conduct regular assessments and audits to ensure compliance with the DPDP Act.
Public Consultation
The draft rules are open for public feedback until February 18, 2025. Stakeholders are encouraged to submit their comments and suggestions to help refine the final version of the rules.
