Draft Digital Data Protection Rules 2025

The Digital Personal Data Protection Rules, 2025 draft outlines the responsibilities of Data Fiduciaries and Consent Managers regarding the processing of personal data, emphasizing clear communication and consent from Data Principals. It includes provisions for data breach notifications, security safeguards, and exemptions for state processing of data for public benefits. The draft rules are open for public comments until February 18, 2025, before finalization.


Digital Personal Data Protection Rules, 2025

Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after 18th February, 2025.

The entries below are set out under three headings: Issue, Draft Digital Personal Data Protection Rules, 2025 (the text of the draft rule), and Comments.
Issue: Notice

Draft Rules:
Rule 3: Notice given by Data Fiduciary to Data Principal.—
The notice given by the Data Fiduciary to the Data Principal shall—
(a) be presented and be understandable independently of any other information that has been, is or may be made available by such Data Fiduciary;
(b) give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,—
(i) an itemised description of such personal data; and
(ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing; and
(c) the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may—
(i) withdraw her consent, with the ease of doing so being comparable to that with which such consent was given;
(ii) exercise her rights under the Act; and
(iii) make a complaint to the Board.

Comments:
The Rules lay out clear standards for the notice to be given by the Data Fiduciary to the Data Principal. The notice is required to be presented in clear and plain language and to include the details necessary to enable the Data Principal to give specific and informed consent for the processing of their personal data.

This includes an itemised description of such personal data and its specified purpose, as well as an itemised list of the goods and services that would use such personal data.

The Data Fiduciary is also required to provide an accessible link to its website and/or app, as well as the means by which the Data Principal may withdraw her consent, exercise her rights under the Act and make a complaint to the Board.

While standards are prescribed for the notice for consent that is to be given by Data Fiduciaries, the mechanism by which the notice is to be given is largely left to the discretion of the Data Fiduciaries. This raises the concern that Data Fiduciaries might engage in dark patterns and give notice in a manner that does not adequately inform Data Principals about the particulars of the data that they are consenting to share.

Issue: Registration and obligations of Consent Manager

Draft Rules:
Rule 4: Registration and obligations of Consent Manager.—
(1) A person who fulfils the conditions for registration of Consent Managers set out in Part A of First Schedule may apply to the Board for registration as a Consent Manager by furnishing such particulars and such other information and documents as the Board may publish in this behalf on its website.
(2) On receipt of such application, the Board may make such inquiry as it may deem fit to satisfy itself regarding fulfilment of the conditions set out in Part A of First Schedule, and if it—
(a) is satisfied, register the applicant as a Consent Manager, under intimation to the applicant, and publish on its website the particulars of such Consent Manager; or
(b) is not satisfied, reject the application and communicate the reasons for the rejection to the applicant.
(3) The Consent Manager shall have obligations as specified in Part B of First Schedule.
(4) If the Board is of the opinion that a Consent Manager is not adhering to the conditions and obligations under this rule, it may, after giving an opportunity of being heard, inform the Consent Manager of such non-adherence and direct the Consent Manager to take measures to ensure adherence.
(5) The Board may, if it is satisfied that it is necessary so to do in the interests of Data Principals, after giving the Consent Manager an opportunity of being heard, by order, for reasons to be recorded in writing,—
(a) suspend or cancel the registration of such Consent Manager; and
(b) give such directions as it may deem fit to that Consent Manager, to protect the interests of the Data Principals.
(6) The Board may, for the purposes of this rule, require the Consent Manager to furnish such information as the Board may call for.

Comments:
The draft Rules outline specific provisions for Consent Managers that enable users to provide, manage, review, and revoke their consent for the processing of their personal data by Data Fiduciaries.

The draft Rules specify that companies meeting the criteria set out in the Rules, among other conditions, are eligible to apply as Consent Managers.

Consent Managers must apply for registration with the Data Protection Board of India (DPBI). They need to fulfil specific conditions listed in the Rules, including having sufficient technical, operational, and financial capacity. The DPBI is given wide discretionary powers to determine who can be a Consent Manager. It also has the right to request information from the Consent Managers.

Consent Managers are required to maintain consent records for at least seven years and cannot outsource their services to Data Processors; this is intended to avoid any conflict of interest with Data Fiduciaries.

Issue: Exemptions from Data Protection

Draft Rules:
Rule 5: Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.—
(1) The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds.
(2) Processing under this rule shall be done following the standards specified in Second Schedule.
(3) In this rule and Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued—
(a) under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;
(b) under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and
(c) using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to,—
(i) in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or
(ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.

Rule 15: Exemption from Act for research, archiving or statistical purposes.—
The provisions of the Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes if it is carried on in accordance with the standards specified in Second Schedule.

Comments:
Section 7(b) of the DPDP Act authorised the processing of personal data by the State and its 'instrumentalities' for issuing subsidies, benefits, services, certificates, etc. This was permitted under two conditions. First, the Data Principal must have previously consented to the processing of their personal data to receive such subsidies or benefits. Second, the data must already be available in any database, register, book, or similar record maintained by the State or its instrumentalities.

The Rules propose that State instrumentalities may process personal data without obtaining fresh consent to provide subsidies, benefits, services, licences, or permits. They are only required to inform users about such processing.

The Rules allow the State and its instrumentalities to process personal data for broad purposes. However, the lack of specificity regarding the scope and limits of such processing creates room for potential misuse. The language of the Rules avoids the limitations that emerge from the Puttaswamy judgement on the principles of "proportionality" and "necessity", which are essential safeguards in any data protection regime.

Additionally, there is a lack of clarity in the definition of such "instrumentalities", which raises concerns about the provision enabling State surveillance of Indian citizens.

Under Section 17 of the DPDP Act, certain other exemptions are also provided in the context of startups, and certain classes of Data Fiduciaries are exempt from certain provisions based on the volume and nature of the personal data they process.

Rule 15 exempts the processing of personal data for research, archiving or statistical purposes from the application of the Act, but it does not specify what qualifies as legitimate research or which entities are eligible to use this exemption. Additionally, it does not require the consent of Data Principals before their data is used for research purposes.

It is essential that government collection and processing of citizen data is regulated to prevent misuse.

Issue: Security safeguards

Draft Rules:
Rule 6: Reasonable security safeguards.—
(1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum,—
(a) appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
(2) In this rule, the expression “computer resource” shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000).

Comments:
Section 8(5) of the DPDP Act mandates that Data Fiduciaries safeguard the personal data they possess or control by implementing reasonable security measures to prevent data breaches.

Rule 6 of the draft Rules further expands on this requirement, specifying that Data Fiduciaries must, at a minimum, adopt suitable data security measures (such as encryption, obfuscation, masking, and the use of virtual tokens), access control protocols, and data backups to protect against data destruction or loss of access. These security safeguards are vague and contain too much ambiguity for their effective implementation.

It also mandates the inclusion of appropriate provisions in contracts entered into between Data Fiduciaries and Data Processors to ensure that reasonable security safeguards are carried over between these entities.

This particular rule is a step in the right direction but still remains vague and requires more specifics. A lot will also depend on how it is implemented.

Issue: Intimating data breach

Draft Rules:
7. Intimation of personal data breach.—
(1) On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,—
(a) a description of the breach, including its nature, extent and the timing and location of its occurrence;
(b) the consequences relevant to her, that are likely to arise from the breach;
(c) the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk;
(d) the safety measures that she may take to protect her interests; and
(e) business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.
(2) On becoming aware of any personal data breach, the Data Fiduciary shall intimate to the Board,—
(a) without delay, a description of the breach, including its nature, extent, timing and location of occurrence and the likely impact;
(b) within seventy-two hours of becoming aware of the same, or within such longer period as the Board may allow on a request made in writing in this behalf,—
(i) updated and detailed information in respect of such description;
(ii) the broad facts related to the events, circumstances and reasons leading to the breach;
(iii) measures implemented or proposed, if any, to mitigate risk;
(iv) any findings regarding the person who caused the breach;
(v) remedial measures taken to prevent recurrence of such breach; and
(vi) a report regarding the intimations given to affected Data Principals.
(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary.

Comments:
Rule 7 outlines the obligations of the Data Fiduciary in the event of a personal data breach. The Rule provides that the Data Fiduciary shall notify the Data Principal of the breach in a timely manner, and requires that the communication be "in a concise, clear and plain manner". It also requires that the Data Principal be informed of the nature of the breach, its likely consequences, the mitigatory measures taken by the Data Fiduciary, and the safety steps available to the Data Principal. Under Rule 7(1)(e), the Data Fiduciary is also required to provide the business contact information of a person who is able to respond on behalf of the Data Fiduciary, which can facilitate communication if implemented correctly.

Rule 7(2) expands on the requirement by requiring that the Data Fiduciary inform the Board of the data breach within 72 hours, including information such as a description of the breach (its nature, extent, timing and location of occurrence and the likely impact), information relating to the events, circumstances and reasons leading to the breach, measures implemented or proposed, if any, to mitigate risk, any findings regarding the person who caused the breach, remedial measures taken to prevent recurrence of such breach, and a report regarding the intimations given to affected Data Principals. Given that the information to the Board includes a report regarding the intimations given to affected Data Principals, it can be assumed that Data Principals are likely to be intimated of such events within 72 hours.

Issue: Retention and Erasure of Personal Data

Draft Rules:
8. Time period for specified purpose to be deemed as no longer being served.—
(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, if, for the corresponding time period specified in the said Schedule, the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which she is able to access the services of such Data Fiduciary.

Comments:
Rule 8 focuses on the retention and erasure of personal data by Data Fiduciaries, requiring data to be erased after a specified period unless the Data Principal interacts with the Data Fiduciary or exercises their rights.

Under Rule 8(2), Data Fiduciaries are required to inform the Data Principal of such erasure of personal data at least 48 hours before completion of the time period for erasure of personal data.

Issue: Contact information of the Data Protection Officer

Draft Rules:
9. Contact information of person to answer questions about processing.—
Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data.

Comments:
Rule 9 requires Data Fiduciaries to prominently publish contact information for a Data Protection Officer (DPO) or a designated representative, enabling Data Principals to easily inquire about the processing of their personal data. This ensures clear communication channels for Data Principals.

Issue: Processing of personal data of child or of person with disability who has lawful guardian

Draft Rules:
10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.—
(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—
(a) reliable details of identity and age available with the Data Fiduciary; or
(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider.
(2) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.
(3) In this rule, the expression—
(a) “adult” shall mean an individual who has completed the age of eighteen years;
(b) “Digital Locker service provider” shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000);
(c) “designated authority” shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity;
(d) “law applicable to guardianship” shall mean,—
(i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and
(ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder;
(e) “local level committee” shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999);
(f) “person with disability” shall mean and include—
(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
(ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability.

11. Exemptions from certain obligations applicable to processing of personal data of child.—
(1) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child by such class of Data Fiduciaries as are specified in Part A of Fourth Schedule, subject to such conditions as are specified in the said Part.
(2) The provisions of sub-sections (1) and (3) of section 9 of the Act shall not be applicable to processing of personal data of a child for such purposes as are specified in Part B of Fourth Schedule, subject to such conditions as are specified in the said Part.

Comments:
The rule sets out how Data Fiduciaries should handle personal data when it comes to children or people with disabilities. The main focus is on making sure that the parent or legal guardian gives their consent before a child's or a person with a disability's data can be processed or used by these companies.

Data Fiduciaries need to ensure that they get clear and verifiable consent from a parent before they process or use a child's personal data. To confirm the parent is really the adult in charge, the fiduciary is required to check the parent's identity and age. This check can be done through reliable details like ID documents or a Digital Locker, a government system where people store personal information.

Digital Locker is used for verifying the identity of parents, which means the parent may need to provide their details via this government service.

For people with disabilities, Data Fiduciaries are required to check that the person claiming to be the guardian (the one making decisions for the person with a disability) is really the legal guardian. The guardian's authority must be verified through a court order or official documents.

Instead of simply verifying that a parent or guardian has the authority to give consent, the law requires the collection of unnecessary sensitive data. Additionally, the requirement to use Digital Locker for identity verification raises substantial concerns about centralisation. Digital Locker is a government-controlled system where individuals' personal details are stored and made accessible to various entities. People who may not wish to use Digital Locker, or have no access to it, will be forced to use it to verify their identity as a lawful guardian of children.

Rule 11 provides an exemption to certain types of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers, from the requirement to obtain verifiable consent from a child's parent or legal guardian, provided the data is collected for specific purposes outlined in Schedule IV. Part A of the schedule lists these Data Fiduciaries, while Part B details the purposes for which the exemptions apply, including legal duties, issuing subsidies or benefits, creating user accounts for communication, and ensuring children don't access harmful content. Although the rule restricts data processing to activities like health services, educational activities, safety monitoring, and transportation tracking, the broad nature of these terms creates room for misinterpretation. For example, "educational activities" could be extended to include marketing or behavioural tracking on educational platforms, which deviates from the intended purpose of child protection. Similarly, safety monitoring could be misused to justify excessive surveillance or unnecessary data tracking, even in situations where it is not truly required.

Draft Rules:
Rule 12. Additional obligations of Significant Data Fiduciary.—
(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.
(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.

Comments:
This rule sets out responsibilities for Significant Data Fiduciaries. They are required to conduct a Data Protection Impact Assessment (DPIA) and a thorough audit every year. They must report the results of these assessments to the Board, including significant findings on how well they are following data protection rules.

Additionally, they are responsible for making sure that any algorithmic software they use to process personal data does not harm the rights of individuals, i.e. Data Principals. This includes software used for data hosting, storage, and sharing. Significant Data Fiduciaries also need to ensure that certain personal data, as identified by the Central Government, is processed in a way that follows specific rules, including the requirement that the data and related traffic data should not be transferred outside of India.

The requirement for a Data Protection Impact Assessment (DPIA) and annual audits is a positive step towards ensuring data protection compliance. However, the scope and rigour of these audits are not clearly defined, which could lead to insufficient scrutiny or superficial assessments. There is also a risk that reporting results to the Board could become a mere formality if there is no external oversight or accountability in how the findings are acted upon.

The requirement to localise data imposed on Significant Data Fiduciaries raises concerns about cross-border data transfers and could significantly impact international trade in services.

Draft Rules:
Rule 13. Rights of Data Principals.—
(1) For enabling Data Principals to exercise their rights under the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on its website or app, or both, as the case may be,—
(a) the details of the means using which a Data Principal may make a request for the exercise of such rights; and
(b) the particulars, if any, such as the username or other identifier of such a Data Principal, which may be required to identify her under its terms of service.
(2) To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.
(3) Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures.
(4) To exercise the rights of the Data Principal under the Act to nominate, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such right.
(5) In this rule, the expression “identifier” shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.

Comments:
Rule 13 outlines the rights of Data Principals and sets out requirements for Data Fiduciaries and Consent Managers to make it easy for individuals to exercise their rights under the law.

First, Data Fiduciaries and Consent Managers must clearly publish on their websites or apps the methods by which Data Principals can make requests for actions like accessing their data or asking for its deletion. They must also state the details required to identify the Data Principal, such as a username or another identifier, as per the Data Fiduciary's terms of service. This ensures that individuals know exactly how to make requests and what information they need to provide for identification.

To exercise their rights, Data Principals can submit requests to the Data Fiduciary to whom they previously gave consent for data processing. The requests must be made using the methods and with the details the Data Fiduciary has published. This creates a clear and structured way for individuals to request access to or deletion of their data.

Furthermore, Data Fiduciaries and Consent Managers are required to disclose the timeframe in which they will respond to any grievances or issues raised by Data Principals. They are required to implement effective systems and measures to ensure they meet these deadlines and address any concerns promptly.

Lastly, the provision allows Data Principals to nominate others to act on their behalf regarding their personal data. This can be done in accordance with the terms set by the Data Fiduciary and applicable laws, and the identification details necessary for the nomination process are required to be clearly set out by the Data Fiduciary.

Transfer and Processing of personal data

Rule 14: Processing of personal data outside India.

Transfer to any country or territory outside India of personal data processed by a Data Fiduciary—

(a) within the territory of India; or

(b) outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India,

is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.

Analysis: Initially the DPDP Act allowed cross-border data transfers except to the countries specifically restricted by the government.

However, the present draft Rules state that when a Data Fiduciary wants to transfer personal data to another country, it must abide by certain regulations. This applies in two situations: when the data was processed within India, or when the data was processed outside India but relates to offering goods or services to people in India.

Before making such transfers, the Data Fiduciary must comply with specific requirements set by the Indian Government. The government may issue these requirements through general or special orders, particularly when Fiduciaries intend to share data with a foreign government or any entity controlled by a foreign government.

Additionally, Rule 12(4) provides that the central government, on the basis of the recommendations of a committee constituted by it, can also determine the types of personal data that SDFs must localise within India's borders. This grants the government significant power, with a broad scope of authority.

The draft rules' proposal to place restrictions on how Data Fiduciaries can share the data of Indian citizens with foreign governments is a positive step, but foreign companies operating in India could find themselves in a difficult position.

Data Protection Board

Rule 16. Appointment of Chairperson and other Members.

(1) The Central Government shall constitute a Search-cum-Selection Committee, with the Cabinet Secretary as the chairperson and the Secretaries to the Government of India in charge of the Department of Legal Affairs and the Ministry of Electronics and Information Technology and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as Chairperson.

(2) The Central Government shall constitute a Search-cum-Selection Committee, with the Secretary to the Government of India in the Ministry of Electronics and Information Technology as the chairperson and the Secretary to the Government of India in charge of the Department of Legal Affairs, and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as a Member other than the Chairperson.

(3) The Central Government shall, after considering the suitability of individuals recommended by the Search-cum-Selection Committee, appoint the Chairperson or other Member, as the case may be.

(4) No act or proceeding of the Search-cum-Selection Committee specified in sub-rules (1) of this rule shall be called in question on the ground merely of the existence of any vacancy or absences in such committee or defect in its constitution.

Analysis: Rule 16 provides the Union government with substantial control over the appointment of not only the Chairperson but all the members of the Data Protection Board through the formation of a Search-cum-Selection Committee. This Committee, composed of government officials and two "experts" selected by the government, is responsible for recommending the candidates for appointment. Ultimately, the Central Government has the authority to finalise these appointments. This structure raises significant concerns regarding the independence of the Board, as the process could be influenced by political considerations, undermining the Board's credibility and impartiality.

Additionally, Rule 16(4) shields the Committee's proceedings from any scrutiny, which limits transparency and accountability in the selection process.
Functioning of the Data Protection Board

Rule 18. Procedure for meetings of Board and authentication of its orders, directions and instruments.—

(1) The Chairperson shall fix the date, time and place of meetings of the Board, approve the items of agenda therefor, and cause notice specifying the same to be issued under her signature or that of such other individual as the Chairperson may authorise by general or special order in writing.

(2) Meetings of the Board shall be chaired by the Chairperson and, in her absence, by such other Member as the Members present at the meeting may choose from amongst themselves.

(3) One-third of the membership of the Board shall be the quorum for its meetings.

(4) All questions which come up before any meeting of the Board shall be decided by a majority of the votes of Members present and voting, and, in the event of an equality of votes, the Chairperson, or in her absence, the person chairing, shall have a second or casting vote.

(5) If a Member has an interest in any item of business to be transacted at a meeting of the Board, she shall not participate in or vote on the same and, in such a case, the decision on such item shall be taken by a majority of the votes of other Members present and voting.

(6) In case an emergent situation warrants immediate action by the Board and it is not feasible to call a meeting of the Board, the Chairperson may, while recording the reasons in writing, take such action as may be necessary, which shall be communicated within seven days to all Members and laid before the Board for ratification at its next meeting.

(7) If the Chairperson so directs, an item of business or issue which requires decision of the Board may be referred to Members by circulation and such item may be decided with the approval of majority of the Members.

(8) The Chairperson or any Member of the Board, or any individual authorised by it by a general or special order in writing, may, under her signature, authenticate its order, direction or instrument.

(9) The inquiry by the Board shall be completed within a period of six months from the date of receipt of the intimation, complaint, reference or direction under section 27 of the Act, unless such period is extended by it, for reasons to be recorded in writing, for a further period not exceeding three months at a time.

Analysis: Rule 18 outlines the procedure for the meetings and decision-making within the Data Protection Board ("the Board"), including the Chairperson's role, quorum requirements, and dealing with time-sensitive issues.

Rule 18 requires that the meetings be chaired by the Chairperson, who shall fix the date, time and place of meetings as well as approve the items of the agenda. The quorum requires one-third of the members of the Board to be present.

In the case of an emergency, the Chairperson is required to record the reasons in writing and take any such action as necessary, which is to be communicated to the Board within 7 days and ratified at the next meeting.

Any inquiry by the Board on intimation of a personal data breach is required to be completed within a period of six months from the date of receipt of the intimation as per section 27 of the DPDP Act and, if extended, the reasons are to be recorded in writing.

The provision that members with a conflict of interest must refrain from voting on specific issues under Rule 18(5) ensures impartiality and prevents biased decision-making.

The provisions of Rule 20 provide the Chairperson with significant powers which can potentially lead to the centralisation of power within that authority.
Employees of the Board

Rule 20. Terms and conditions of appointment and service of officers and employees of Board.

(1) The Board may, with previous approval of the Central Government and in such manner as the Central Government may by general or special order specify, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of the Act.

(2) The terms and conditions of service of officers and employees of the Board shall be such as are specified in Sixth Schedule.

Analysis: In addition to appointing the Chairperson and the Members of the Board under Rule 16, Rule 20 allows the Central Government to approve the appointment of officers and employees of the Board, and also dictate their terms and conditions of service. By having a say in both the staffing and appointment processes, the Central Government increases its influence over the Board's overall operations, making it impossible for the Board to act autonomously.

Rule 21. Appeal to Appellate Tribunal.

(1) An appeal, including any related documents, by a person aggrieved by an order or direction of the Board, shall be filed in digital form, following such procedure as may be specified by the Appellate Tribunal on its website.

(2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal at her discretion, and the same shall be payable digitally using the Unified Payments Interface or such other payment system authorised by the Reserve Bank of India as the Appellate Tribunal may specify on its website.

(3) The Appellate Tribunal—

(a) shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 (5 of 1908), but shall be guided by the principles of natural justice and, subject to the provisions of the Act, may regulate its own procedure; and

(b) shall function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual.

Analysis: Rule 21, concerning appeals to the Appellate Tribunal, raises several concerns regarding accessibility and fairness. The requirement for appeals to be filed only in digital form under Rule 21(1) could potentially exclude individuals without reliable internet access or digital literacy, creating barriers for certain groups. Furthermore, while digital tools aim to increase efficiency, the reliance on digital hearings may exclude those unable to participate in such proceedings, further hindering access to justice.

The appeal fee structure under Rule 21(2) does allow the Chairperson of the Tribunal to waive the fee at their discretion, but it fails to specify any clear criteria for when or why the fee may be waived, leading to potential inconsistencies and a lack of transparency in the decision-making process.

Additionally, the Tribunal's discretion to regulate its own procedures, independent of established civil procedure laws, could result in unpredictable outcomes and inconsistent application, undermining fairness and transparency in the appeals process.
Rule 22: Calling for information from Data Fiduciary or intermediary.

(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person.

(2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act.

Analysis: Section 36 of the DPDP Act read with Rule 22 provides the Union government, through the corresponding authorised person, the power to demand "any" information from a data fiduciary or an intermediary for the purposes listed in the Seventh Schedule. These reasons include (i) "in the interest of sovereignty and integrity of India or security of the State", (ii) "Performance of any function under any law for the time being in force in India", (iii) "Disclosure of any information for fulfilling any obligation under any law for the time being in force in India" and (iv) "Carrying out assessment for notifying any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary". These broad and vague purposes for calling for data allow for interpretational ambiguity which could be misused by the Union government to collect vast amounts of data from data fiduciaries and intermediaries. This also presents the risk of breaking the end-to-end encryption of several platforms.

The draft rules also prevent the data fiduciary or intermediary from disclosing information about such demands, in situations where it could "prejudicially affect the sovereignty and integrity of India or security of the State", a provision that could be broadly interpreted and potentially lead to arbitrary action by the government.

Additionally, it is important to highlight that Section 36 does not specify or limit the kind of information which the Union government may ask for in the future. Therefore, this could potentially be misused by the government without any checks or balances.
