The DPDP Rules Unveiled: Progress, Shortcomings and the Road Ahead
By Siddharth Chaturvedi - Edited by Sonam Jhalani and Pantho Sayed
Siddharth Chaturvedi is a fifth-year law student at National Law University, Jabalpur, and a Research Assistant to Sayantan Dey, Co-chair Sweden, IAPP Programme.
Introduction
In India, the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) were released by the Ministry of Electronics and Information Technology (MeitY) on January 3rd, 2025. (In the notification as published, the English text begins on page 28.) MeitY is the nodal ministry for policy and legislation on electronics and information technology in India. The Rules are meant to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act).
The DPDP Act is India’s first major legislation that directly addresses the protection of Indian users’ personal data, but it has yet to be brought into force. A report in Business Standard, one of India’s leading newspapers, suggests that the main reason for the delay was the absence of rules under the Act. The framework itself has been a long time coming. After the Supreme Court of India declared privacy (including informational privacy) a fundamental right in the KS Puttaswamy judgment of 2017, the Central Government set up a committee headed by former Supreme Court judge Justice B.N. Srikrishna to examine the need for personal data protection; that committee recommended a data protection law in 2018.
Returning to the DPDP Rules, the accompanying press release states that they are intended to bring simplicity and clarity to the governance of citizens’ personal data. Industry practitioners, including compliance officers, have already started analysing how to incorporate these provisions into their day-to-day work. This Commentary analyses the Rules by looking at the scope of the rights provided to users, the exemptions granted to various entities, and the Rules’ shortcomings. I suggest certain changes that are required, such as the addition of further categories of data (for example, critical personal data and sensitive personal data), clarification of the role of the Appellate Tribunal, and clarification of the scope of the right to be forgotten. This Commentary concludes that although the Rules are a welcome step, many provisions need to be modified before they are fit for a growing digital industry.
Some expansion for rights
Rule 13 of the DPDP Rules builds upon the rights provided in the DPDP Act and requires the Data Fiduciary and the Consent Manager to publish the details of how a Data Principal may exercise those rights. Both entities must also publish the particulars of the identifier (such as a username) by which a Data Principal is identified when using their services. On grievance redressal, however, the Rules add little to what the DPDP Act already provides: every Data Fiduciary must publish the period within which it will respond to a grievance from a Data Principal. The right of nomination under Section 14 of the DPDP Act already allows a Data Principal to nominate another person to exercise his or her rights in the event of death or incapacity; the Rules merely add that a Data Principal may nominate one or more individuals, in accordance with the Data Fiduciary’s terms of service.
The DPDP Rules also miss the opportunity to clarify the scope of the right to erasure, even though different High Courts have recently delivered conflicting judgments on its applicability. The language of Rule 13(2) is needlessly complex; it could simply state that a Data Principal who wishes to exercise the right to erasure or the right to access information may approach the Data Fiduciary directly.
Exemptions for some entities
A notable step in the Rules is Rule 15, which exempts processing for research, archival and statistical purposes from the DPDP Act, subject to prescribed standards. A curious omission from this exemption is journalism, which is expressly accommodated in other frameworks such as the EU GDPR. Part A of the Fourth Schedule lists the classes of Data Fiduciaries (such as clinical establishments, educational institutions and creches) that are exempted from the obligation to obtain the verifiable consent of a parent or lawful guardian and from the prohibition on tracking, behavioural monitoring and targeted advertising directed at children, but only to the extent that the processing is restricted to the purposes listed in Part B, such as the child’s health, education or safety. Behavioural advertising refers to tracking a person’s activity on the Internet in order to deliver advertising targeted to that person’s interests. The exemption is therefore narrow and tied to purposes such as children’s safety. One hopes that it is not misused by schools to infringe on the privacy of children: continuous monitoring of children’s activities at school under the guise of ‘safety’ can itself be an infringement of privacy.
Role of the Consent Managers
One of the most positive developments in the Rules is the expansion of the role of the Consent Managers. Although the parent Act did not specify the qualifications and duties of Consent Managers in any detail, the Rules set them out clearly and concisely. For example, Part B of the First Schedule requires a Consent Manager to maintain records of the consents given through it, the notices served through it, and the sharing of personal data with Data Fiduciaries. It is also good to note that Consent Managers are required to operate an interoperable platform, so that a Data Principal can give, manage, review and withdraw consent to different Data Fiduciaries from a single place.
However, the centralisation of Consent Managers and their role in relation to users’ personal data has drawn criticism. In a centralised model, the record of consent and the information the Data Principal provides for the purpose of managing it are held on the Consent Manager’s platform. Even so, such an intermediary is much needed in India, because consent management here will work differently from how consent is obtained and reviewed in advanced digital economies such as the USA or Europe. In those jurisdictions there is no statutory intermediary: under the EU GDPR, for instance, each controller obtains consent directly from the data subject and the data subject manages it with each controller separately. Although dispensing with a third party reduces the scope for interference and misuse by that party, a third-party intermediary can pay its own dividends in India.
In India, where a large part of the population is not digitally literate and access to smartphones is uneven, Consent Managers will play a pivotal role in ensuring that the consents given to various platforms are managed and reviewed in one place. This lifts from Data Principals the burden of managing consent themselves, which a decentralised model would impose, especially as most of the population has no understanding of a technology such as a blockchain.
Potential Shortcomings
It is surprising that neither the DPDP Act nor the DPDP Rules defines critical personal data. Further, the Rules provide little detail on the transfer of personal data outside India; they largely reiterate the text of the DPDP Act and state that such transfers will be subject to requirements specified by the Central Government. As for processing by State instrumentalities, the Rules leave it largely unfettered, requiring only that it be carried out lawfully, with reasonable safeguards, and with accountability on the part of the persons involved.
Building on the provisions of the DPDP Act, the Rules leave the appointment and the remuneration of the Data Protection Board in the hands of the Government itself. The Rules also miss a clear chance to define standards for the appointment of a Data Protection Officer. Lastly, there is no clarity on how an organisation can register with the Data Protection Board to provide certification services and become officially recognised by the Board. Professionals will therefore continue to rely on certification offered by international bodies such as the International Association of Privacy Professionals (IAPP).
Further, there is ambiguity about the composition of the Appellate Tribunal and the time within which it must dispose of cases. Rule 21 of the DPDP Rules adds only that the Tribunal shall function as a digital office and that it shall not be bound by the Code of Civil Procedure, 1908, which governs civil litigation in India. The Rules also miss the opportunity to define privacy-enhancing techniques such as anonymisation and pseudonymisation, and the principle of privacy by design. In contrast, other data protection laws such as the EU GDPR, Singapore’s Personal Data Protection Act and the California Consumer Privacy Act contain provisions on these concepts that help to strengthen users’ privacy.
Changes required in the DPDP Rules for resolving ambiguities
The DPDP Rules were open for public comments until February 18th of this year. The foremost change I would like to see concerns the timeline for reporting data breaches. Rule 7 of the DPDP Rules requires a Data Fiduciary to intimate every affected Data Principal without delay, and to report the breach to the Data Protection Board without delay, followed by a detailed report within 72 hours of becoming aware of the breach (or such longer period as the Board may allow on a written request). It would be useful to categorise data breaches as high, medium or low impact, which would help Data Fiduciaries respond to Data Principals effectively. For example, a breach in which the customer identifiers held by a large hospital with several branches are stolen would fall into the high-impact category, and the Data Fiduciary could be allowed to file its detailed report within 5 days instead of the present mandate of 3 days (72 hours).
As the Rules stand, there is no clarity on the transfer of personal data or sensitive personal data outside the country. It is also important to set out the different mechanisms under which personal data may be transferred. Broadly, there are two. The first, transfer on the basis of an adequacy decision, rests on a finding that the destination jurisdiction provides sufficient protection for the data. The second, transfer under standard contractual clauses, rests on a legally enforceable contract between the parties that guarantees obligations such as data minimisation, purpose and storage limitation, and accuracy.
Clarification is also required on the additional obligations of a Significant Data Fiduciary under Rule 12, in particular the obligation concerning information that should not be stored or displayed because it is likely to pose a risk to the rights of Data Principals. It would be helpful to give illustrations, or to list in a further schedule the kinds of data that a Significant Data Fiduciary should not store or display.
It should also be mandatory for the institutions mentioned in the Fourth Schedule, such as creches, schools and hospitals, to obtain the consent of a parent or lawful guardian before processing a child’s data, in order to reduce the harms from behavioural advertising discussed above.
Further, one aspect of the Consent Manager framework that can be improved is the requirement that an applicant have a net worth of at least two crore rupees (roughly USD 230,000 at the time of writing) in order to be registered as a Consent Manager. This threshold should be relaxed, since many startups would be interested in acting as Consent Managers.
It is also crucial to add journalism to the exempted categories in Rule 15 of the DPDP Rules, so that journalists’ right to freedom of speech and expression, guaranteed to all citizens under Article 19(1)(a) of the Constitution, stands protected.
Lastly, the Rules must clearly define the scope of anonymisation, pseudonymisation and privacy by design in order to secure users’ privacy. Rule 6 currently requires a Data Fiduciary to implement reasonable security safeguards to protect personal data, and lists broad categories of measures (such as encryption, obfuscation or masking, access control, logging and monitoring, and backups), but it sets no standard for any of them, so it remains unclear which practices actually satisfy the requirement. Provisions on anonymisation, pseudonymisation and privacy by design would therefore give companies clarity on how to implement these privacy-enhancing techniques.
A Way Forward
As the discussion above shows, the DPDP Rules add some clarity to existing provisions such as grievance redressal, the role of Consent Managers and the exemptions for certain entities. Yet several of the Rules remain ambiguous. The Rules are a welcome step forward for India’s digital framework, but their shortcomings need to be addressed so that there is less room for ambiguity and divergent interpretation. As the objectives of the Rules state, they should place citizens at the heart of the data protection framework. I hope to see a revised version after the public consultation that gives a clear and concise meaning to the provisions that have not been properly drafted.