On January 3, the Ministry of Electronics and Information Technology released the draft rules for the Digital Personal Data Protection Act. These rules, eagerly awaited since the Act was passed in Parliament in August 2023, address key aspects such as personal data breaches, children’s data protection, and the consent manager framework. The government is now inviting feedback on the draft rules through the MyGov portal, with a submission deadline of 18 February 2025. In that context, Gaurav Sahay, Practice Head – Technology and General Corporate, Fox Mandal and Associates LLP, shares his inputs on the strengths, gaps, unique features and recommendations for improvement.
Strengths of the Digital Personal Data Protection Act
The framework’s emphasis on an interoperable platform and robust record-keeping for consents aligns seamlessly with global best practices. This ensures users retain control over their data while holding Data Fiduciaries and Consent Managers accountable. The mandated seven-year retention of consent records establishes a strong foundation for audit trails, fostering trust and ensuring compliance. By incorporating requirements for encryption, obfuscation, and access controls, the framework takes a proactive stance against prevailing cybersecurity threats.
The mandatory retention of logs related to unauthorized access for one year is a practical measure that supports investigations and helps prevent future incidents. Additionally, the specified timelines for notifying both Data Principals and authorities demonstrate a commitment to responsiveness and transparency in breach management. Requiring breach reports to include mitigation measures promotes proactive risk management and instils confidence in users.
The framework’s special attention to children’s data and health-related information reflects a thoughtful approach to the ethical and legal challenges associated with sensitive data. Keeping critical personal data within India underscores the country’s focus on data sovereignty and enhances national security. Lastly, the provision of easily accessible user rights and clear timelines for grievance redressal reinforces the user-centric nature of the framework, ensuring greater transparency and accountability.
Gaps that Need to be Addressed
The document employs broad and undefined terms such as “appropriate measures” and “reasonable security safeguards,” which could lead to varying interpretations and inconsistent enforcement. The stringent compliance requirements, including the implementation of consent management platforms and data localization mandates, may disproportionately burden smaller entities, escalating their operational and financial challenges. Although the framework places significant emphasis on data localization, it provides insufficient clarity on mechanisms for cross-border data transfers, such as adequacy agreements or binding corporate rules, which are critical for businesses with global operations.
The assumption that entities will adhere to the rules in good faith is optimistic, but the framework lacks a detailed approach to monitoring compliance and effectively enforcing penalties for non-compliance. Provisions aimed at preventing conflicts of interest among Consent Managers are commendable; however, their real-time monitoring and enforcement may prove complex and resource-intensive. Similarly, exemptions for purposes like research, archiving, and statistical analysis could create loopholes for misuse unless accompanied by robust safeguards. While digital governance offers efficiency, it risks marginalizing users who lack digital literacy or access, particularly those in rural or underserved regions. Addressing these accessibility gaps is crucial to ensure inclusivity and equitable implementation.
Recommendations for Improvement
To eliminate ambiguity and promote uniform implementation, provide detailed guidelines for terms like “reasonable security safeguards” and “appropriate measures.” Introduce tiered compliance requirements tailored to the size and nature of entities, minimizing undue burdens on SMEs. Develop clear frameworks for international data transfers to align with global trade norms and data-sharing practices. Establish mechanisms for proactive compliance monitoring and implement proportionate penalties for violations to discourage non-compliance effectively.
To ensure inclusivity, incorporate alternative grievance redressal mechanisms that are accessible beyond digital platforms. Define stricter and more specific conditions for exemptions to prevent potential misuse under the pretext of research or statistical processing. Addressing these gaps will help the rules achieve a balanced approach, fostering innovation, ensuring robust compliance, and protecting individuals’ rights.
Unique Features of the Digital Personal Data Protection Act
Consent Managers are required to provide interoperable platforms enabling Data Principals to grant, manage, review, and withdraw consent while adhering to stringent data protection standards. They must maintain consent records for a minimum of seven years and ensure no conflicts of interest with Data Fiduciaries. Data Fiduciaries are obligated to implement robust safeguards, including encryption, access controls, monitoring, and data-backup measures, to protect against breaches. Logs for detecting unauthorized access must be retained for at least one year. The framework mandates detailed breach notification protocols, requiring timely intimation to affected Data Principals and the Board, along with reporting mitigation measures and potential impacts.
Special obligations include verifying parental consent for processing children’s data. Exemptions are provided for data processing by educational institutions, healthcare providers, and allied services within specific contexts. The framework also mandates that sensitive personal and traffic data remain within Indian territory, reinforcing data sovereignty principles. Both the Board and the Appellate Tribunal operate digitally, emphasizing techno-legal measures to eliminate the need for physical presence. Users are ensured easy access to rights, such as data access and erasure requests, through digital platforms with clearly defined timelines for grievance redressal. These provisions prioritize transparency, user control, and strong security while addressing the evolving demands of digital data governance.