
Grey areas in draft data protection rules need a relook

Personal data protection rules represent an important milestone. They envisage a phased rollout, with the creation of a regulator before broader provisions take full effect. To ensure a smooth journey, it is essential that the government clarify aspects of the draft rules that are unclear and can therefore pose problems down the line.

January 14, 2025 / 10:15 IST

By Aman Shankar & Abir Roy

The Digital Personal Data Protection Act, 2023 (“Act”) marked a significant milestone in India’s data protection landscape. Enacted on August 11, 2023, the Act signaled India’s intent to modernise data governance. Now, over 16 months later, the Ministry of Electronics and Information Technology (“MeitY”) has introduced the draft Digital Personal Data Protection Rules, 2025 (“Rules”), inviting public consultation. We attempt to evaluate some headline hits and misses of the Rules, assessing their clarity, feasibility, and potential impact on businesses.

Transparency in Notice Requirement

Rule 3 supplements the notice and consent requirements under Sections 5 and 6 of the Act by emphasizing that the Privacy Notice must be “understandable independently”. This also poses a question for businesses which have a short description of their ‘Cookies Policy’ in the Privacy Notice with an appended link for details. Such practices may need to be reconsidered.

While the Rules do not prescribe a specific format for the Privacy Notice, they require an itemised description of personal data to be processed, the specified purpose of processing, and the goods or services enabled by such processing. This mandates that data fiduciaries disclose not only the data sets collected—whether provided by users, automatically, or via third parties—but also the specific purposes of processing (e.g., content curation, marketing, security, etc.), rather than a generic ‘provision of services’ purpose. A meticulous drafting of the Privacy Notice will be a key factor.

Data Breach Notification

The Rules impose a unified obligation on the Data Fiduciary to notify both the Data Principal and the Data Protection Board of any personal data breach "without delay" upon “becoming aware” of it. This obligation is crucial for managing data breach incidents. However, for the Data Fiduciary, this presents practical challenges, as it may take time to fully understand the scope of the breach and identify all affected Data Principals, risking premature or inaccurate notifications. To address this, the Rules allow for notifications to be made "to the best of its knowledge." Therefore, Data Fiduciaries must maintain detailed and up-to-date breach incident reports to mitigate liability.

Significant Data Fiduciary: A Conundrum

The Rules generated significant anticipation regarding the classification of Significant Data Fiduciaries (“SDFs”) and the additional obligations they would face. However, the Rules remain unclear on the criteria for determining SDF status, leaving ambiguity about its application. SDFs are required to conduct a Data Protection Impact Assessment (“DPIA”) and an audit annually, with results to be reported to the board, highlighting key findings.

A vague new requirement is the obligation for SDFs to perform due diligence on "algorithmic software" to ensure that their systems used for hosting, sharing, or modifying personal data do not pose "likely risks" (a term yet to be defined) to data subjects' rights. Whether this obligation needs to extend to all algorithms, given that businesses typically use all kinds of algorithms in their operations, has not been clearly considered. The law may be intended to capture harms arising from profiling, automated decision making, and similar practices; however, that intent is eroded by the lack of specificity.

The Rules also introduce data localisation requirements for SDFs, deviating from the initial promise of the Act. SDFs have to ensure that certain sets of "personal data" and "traffic data" pertaining to its flow, to be specified by the Central Government, are processed within India's borders and not transferred abroad. "Traffic data" is again left undefined, and it is not clear why it should be localised at all. While the Government has noted that such restrictions will follow consultation, the lack of clarity on the scope of the applicable data sets introduces uncertainty.

Finally, it is significant to point out that neither the Act nor the Rules provide for any transition or grace period for SDFs to comply with the additional obligations once they are designated. It may be that, after the complete Act comes into force, certain data fiduciaries are designated as SDFs on an ongoing basis. However, as the law stands, they would then have to be compliant with all additional obligations from day one.

Data Retention: A Classification of Data Fiduciaries

The Rules, providing clarity to Section 8(7) of the Act, mandate that certain data fiduciaries—such as e-commerce entities, social media intermediaries, and online gaming platforms—retain personal data for a maximum of three years, subject to specific legal exemptions. This requirement will necessitate robust internal processes, including maintaining detailed records of processing activities and implementing effective data retention policies.

While the rule limits excessive data retention, the arbitrary three-year timeframe and selective classification raise concerns. Data minimisation should be driven by purpose, not fixed time periods. Additionally, the exclusion of other sectors weakens the rule’s overall impact, allowing businesses outside these categories to adopt flexible data retention policies.

Consent Manager: Work in Progress

The concept of a Consent Manager, introduced by the Act, had previously drawn comparisons to the Account Aggregator framework in the fintech sector. The key idea is that a Consent Manager platform, as an independent entity, allows a Data Principal to make an informed choice regarding the consent for personal data processing by a Data Fiduciary. However, the Rules provide limited clarity on the practical implementation of this framework. They outline the registration, obligation, accountability and interoperability requirements for Consent Managers, enforced by the Data Protection Board, but the business model remains uncertain. Part B of the First Schedule specifies that a Consent Manager will facilitate the management of Data Principals' consent by onboarding Data Fiduciaries. However, from a business perspective, Data Fiduciaries may also seek to be onboarded by Consent Managers to build trust and drive consumer engagement. The monetisation model for Consent Managers also remains unclear.

Conclusion

The Draft DPDP Rules represent significant progress, though they indicate a long road ahead. The Rules propose a phased implementation, prioritising the establishment of the Data Protection Board before the broader provisions can take full effect. Notably, they introduce an exemption for processing personal data for "statistical purposes," which could offer businesses some flexibility. While the Rules effectively address key delegated aspects of the Act and align largely with its prescriptions, certain areas still remain unresolved.

(The authors are advocates at Sarvada Legal.)

Views are personal, and do not represent the stand of this publication.


Moneycontrol Opinion
first published: Jan 14, 2025 10:15 am
