

    Key Takeaways from the Draft Digital Personal Data Protection Rules, 2025

    • 28.01.2025
    • By Rishikaa
    Saikrishna & Associates

    On 11th August 2023, the Government notified the Digital Personal Data Protection Act, 2023 (“DPDP Act”) as the first dedicated data protection law of the country. The DPDP Act provides a principles-based framework for data protection in India, and several provisions under the DPDP Act will get operationalised through delegated legislation or ‘rules’.

    About 17 months after the notification of the DPDP Act, the Ministry of Electronics & Information Technology (“MeitY”) has, on 3rd January 2025, published the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) for public consultation. The last date for submitting comments on these draft rules is 18th February 2025.

    Brief Overview of the Draft DPDP Rules

    • Implementation: The DPDP Act empowers the Central Government to provide different dates for the coming into force of different provisions. The Draft DPDP Rules propose that the provisions about the Data Protection Board of India (“DPB”) will come into force immediately upon the notification of the rules. However, other provisions such as those on notice, consent, children’s data, and Significant Data Fiduciaries will come into effect at a later date (which has not been indicated in the Draft DPDP Rules).
    • Notice: As per the DPDP Act, Data Fiduciaries are required to provide a notice describing the personal data collected, the purpose of processing such data, the manner of exercising the right to withdraw consent and the right to grievance redressal before or at the time of obtaining consent from Data Principals. The Draft DPDP Rules propose that notices be presented in clear and simple language and be self-contained, ensuring they can be presented independently of any other information. These notices should include an itemised description of the personal data being processed, the specific purpose of the processing, a list of goods or services enabled through the processing, a link to the relevant website or app and details on how Data Principals can withdraw consent, exercise their rights, or file complaints with the DPB.
    • Registration and obligations of Consent Managers: The DPDP Act allows a Data Principal to give, withdraw or manage their consent through a Consent Manager who is registered with the DPB. The Draft DPDP Rules propose the conditions for registration and the obligations of the Consent Managers. As per the proposed Part A of the First Schedule of the Draft DPDP Rules a Consent Manager should, inter alia, be an India-incorporated company with a minimum net worth of INR 2 crore and should have sufficient technical, operational and financial capacity, to fulfil its obligations as a Consent Manager. According to the proposed Part B, Consent Managers, inter alia, would be responsible for onboarding Data Fiduciaries onto their platforms, enabling them to send consent requests to users through the platform. Consent Managers would also have to maintain, on their platform, a record of consents given, denied or withdrawn; notices preceding or accompanying requests for consent; sharing of personal data with a transferee Data Fiduciary etc.
    • Time period for the erasure of personal data: The DPDP Act mandates that Data Fiduciaries erase personal data when either consent is withdrawn or the “specified purpose is no longer being served,” unless retention is required by law. To clarify the term “specified purpose is no longer being served,” the Draft DPDP Rules propose that certain Data Fiduciaries—namely e-commerce entities with at least 20 million users, online gaming intermediaries with at least 5 million users, and social media intermediaries with at least 20 million users in India—erase personal data after three years from the Data Principal’s last interaction (related to the specified purpose or rights) or three years from the Rules’ commencement, whichever is later. This erasure is proposed to apply to all purposes except enabling the Data Principal to access their user account or any virtual tokens issued by or on behalf of the Data Fiduciary, which remain stored on the Fiduciary’s digital platform for use in obtaining money, goods, or services. Additionally, Data Fiduciaries must notify Data Principals at least 48 hours before the scheduled erasure, allowing them to log in or contact the Fiduciary to retain their personal data.
    • Intimation of Personal Data Breach: The Draft DPDP Rules read with the DPDP Act state that a Data Fiduciary must notify each affected Data Principal and the DPB about a personal data breach “without delay.” This notification should include details such as the breach’s nature, extent, timing, location, and likely impact. Additionally, the Draft DPDP Rules propose that a Data Fiduciary submit a detailed report to the DPB within 72 hours of becoming aware of a breach unless an extension (on a written request) is granted by the DPB. This report should also cover the events, circumstances, and reasons behind the breach, mitigation measures, findings on responsibility, remedial actions, and records of notifications sent to affected Data Principals.
    • Reasonable Security Standards: The Draft DPDP Rules propose the minimum baseline security standards that Data Fiduciaries must implement. These standards include, among others, encryption; obfuscation, masking, or the use of virtual tokens mapped to personal data; ensuring visibility of access to such personal data through appropriate logs, monitoring, and review; and incorporating provisions in contracts between Data Fiduciaries and Data Processors to ensure reasonable security safeguards.
    • Processing of Personal Data of Children: The Draft DPDP Rules propose that Data Fiduciaries adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before processing of personal data of a child. Further, due diligence should also be observed to check that the individual identifying herself as the parent is an identifiable adult by referring to the reliable age and identity details available with the Data Fiduciary or age and identity details provided by the parent or a virtual token mapped to the same (issued by an entity entrusted by law/the Central Government/a State Government for the maintenance and issuance of the same) provided voluntarily. Further, the Draft DPDP Rules propose to exempt certain entities such as healthcare professionals, educational institutions, those responsible for the transport of children etc., for the purposes identified in the Fourth Schedule from the requirement of obtaining verifiable consent and the prohibition of undertaking tracking or behavioural monitoring of children or targeted advertising directed at children for specific purposes as identified.
    • Verifiable consent for Persons with Disabilities: The Draft DPDP Rules propose that a Data Fiduciary observe due diligence to verify that the person identifying as the lawful guardian of the persons with disabilities is appointed by a court of law, a designated authority or a local-level committee, under the law applicable to guardianship.
    • Additional Obligations of Significant Data Fiduciaries: The Central Government can notify certain Data Fiduciaries as Significant Data Fiduciaries (“SDF”) based on the assessment of factors provided in the DPDP Act. The Draft DPDP Rules propose that an SDF undertake a Data Protection Impact Assessment (“DPIA”) and an audit annually. Further, if the Draft DPDP Rules are implemented in their current form, SDFs would also be required to ensure that the person conducting the DPIA and audit furnishes a report on the observations to the DPB. SDFs would also have to exercise due diligence in verifying that the “algorithmic software” they use for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data does not pose a risk to the rights of Data Principals. The Draft DPDP Rules also propose a data localisation requirement for an SDF in respect of personal data and traffic data as specified by the Central Government (based on recommendations by a committee appointed by it).
    • Contact Information of Data Protection Officer/Authorised Person: The Draft DPDP Rules propose that Data Fiduciaries provide the business contact information of the Data Protection Officer (“DPO”) for SDFs or an authorised person for other Data Fiduciaries. This contact information would have to be provided on the website/app and included in every response to communications regarding the exercise of the rights of a Data Principal, ensuring they can address any questions about processing the personal data.
    • Rights of Data Principals: The Draft DPDP Rules state that the Data Fiduciary and Consent Managers should publish the details of the means for making a request for the exercise of rights and the particulars or other identifier that may be required to identify the Data Principal under its terms of service, on website and/or the app of the Data Fiduciary. Additionally, the period of grievance redressal and the means and particulars of exercising the right to nominate would also have to be provided on the website and/or app.
    • Processing of Personal Data outside India: As per the DPDP Act, the Central Government would notify the countries to which the transfer of personal data would be restricted and also notify the restrictions. The Draft DPDP Rules state that the transfer of personal data by a Data Fiduciary in India or outside India (in connection with any activity related to the offering of goods or services to Data Principals in India) would be subject to the restrictions that the Central Government may specify, by general or special order, in respect of making personal data available to any foreign State, or to any person or entity under the control of, or any agency of, such a State.
    • Exemption for research, archiving or statistical purposes: The Draft DPDP Rules propose exemptions in respect of the applicability of the provisions of the DPDP Act for the processing of personal data necessary for research, archiving or statistical purposes if it is carried on per the standards specified in the Second Schedule which include carrying out processing in a lawful manner, being limited to such personal data as is necessary for such uses or achieving such purposes, ensuring that personal data is retained till required for such purposes or otherwise required by law etc.
    • DPB: The DPDP Act establishes the DPB as an independent regulatory authority in India to enforce the provisions of the DPDP Act. The Draft DPDP Rules propose the procedure for the appointment of the Chairperson and other Members of the DPB, salary and allowances, procedure for meetings of the DPB, as well as the terms and conditions of appointment and service of officers and employees of the DPB. The Draft DPDP Rules also state that the DPB must function as a digital office and must adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual. This will, however, not affect the power of the DPB to summon and enforce the attendance of any person and examine on oath.
    • Appeal to Appellate Tribunal: If the Draft DPDP Rules are implemented in their current form, an appeal and related documents would have to be filed in digital form in the manner prescribed on the website of the Appellate Tribunal. The Appellate Tribunal will not be bound by the procedure provided in the Code of Civil Procedure, 1908 and would function as a digital office that adopts techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual. However, the Appellate Tribunal would have the power to summon and enforce the attendance of any person and examine her on oath if required.
    • Power to Call for Information: The Central Government is empowered under the DPDP Act to require the DPB and any Data Fiduciary or intermediary to furnish information called for by the Central Government. As per the Draft DPDP Rules, a Data Fiduciary/intermediary is not permitted to disclose these requests for information where such disclosure is likely to prejudicially affect India’s sovereignty, integrity, or state security. Also, the Central Government can require any Data Fiduciary or intermediary to furnish such information as may be called for and specify the time within which the same must be furnished.

    In addition to the above, the Draft DPDP Rules propose to authorise the State and its instrumentalities to process personal data to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as per the standards outlined in the Second Schedule as noted above.

    Our Take

    The Draft DPDP Rules were eagerly awaited for clarity on the implementation and operationalisation of the DPDP Act.

    However, the current version of the Draft DPDP Rules has raised more concerns than it has resolved. Key issues with the Draft DPDP Rules are below –

    • The manner of making a complaint to the DPB has not been proposed, including in the case of data breach reporting. Further, the proposed requirement of providing itemised descriptions in the notice would require Data Fiduciaries to revisit and even redraft their privacy policies, which may be common across their offices globally.
    • The Draft DPDP Rules propose the periods for erasure of personal data for three types of entities but fail to mention the criteria for selecting these specific entities and do not provide clarity on the periods for erasure of personal data for other entities.
    • The proposed provision for cross-border data transfer places significant authority in the hands of the government, potentially resulting in an inconsistent approach to such transfers and leading to conflicts or contradictions with global practices in implementation and interpretation.
    • The Draft DPDP Rules treat all breaches uniformly, regardless of their risk, nature, or scale, requiring the same level of reporting to both affected Data Principals and the DPB in each instance. This approach creates policy uncertainty and risk, especially given the overlap with existing reporting requirements under the CERT-IN Directions, which mandate a six-hour timeline for reporting cyber incidents. The undefined timelines for initial reporting under the Draft DPDP Rules are likely to conflict with CERT-IN’s strict six-hour requirement, further intensifying the uncertainty and posing compliance-related challenges.
    • The concept of establishing baseline requirements for security safeguards is a novel approach and stands apart from global practices. However, the Draft DPDP Rules do not specify a safety standard that organizations can adopt to ensure compliance with these requirements, leaving room for ambiguity in their implementation.

    The introduction of the Draft DPDP Rules, albeit somewhat delayed, is a step towards India establishing a specific data protection framework that is cohesive with global practices. However, for effective implementation of the DPDP Act and the rules, it is important that some of these concerns are resolved by the Government by striking a balance between regulatory requirements, international regulations and the Government’s commitment to the principle of ease of doing business.

    Links

    Link to the Draft Digital Personal Data Protection Rules, 2025: https://www.meity.gov.in/writereaddata/files/259889.pdf

    This article was originally published by Saikrishna & Associates