Digital transformation and awareness of data protection and privacy are
on the rise in India. The Government of India has formally released the Draft
Digital Personal Data Protection Rules, 2025, soon after the landmark
Digital Personal Data Protection Act, 2023. It is a crucial step in shaping
the future of data protection in India. The Digital Personal Data Protection
Act, 2023, is operationalised by these rules, which seek to protect
user privacy while permitting legitimate data processing.
The new guidelines lay down stricter rules and clearer information regarding
data handling, consent management, and the handling of children's data. The
rules also focus on cross-border data transfers and regulate the flow of
sensitive personal data outside Indian borders.
Key Features
- Rule 3 obligates the data fiduciary to give the data principal notice, in plain and clear language, with all the details necessary for the processing of personal data. The data fiduciary shall state the particular personal data and the purpose of processing. Moreover, the notice must allow consent to be withdrawn easily through a stated communication link of the data fiduciary. The rule further builds on section 4 of the Digital Personal Data Protection Act regarding the obligations of data fiduciaries.
- The Act mentioned the Consent Manager and its registration; the rules further provide the conditions for registration of a Consent Manager. Rule 4, read with Part A of Schedule I, requires that a Consent Manager be a company incorporated in India with sufficient capacity and a net worth of no less than two crores. A certified platform is also needed to enable the Data Principal to give, manage, review, and withdraw her consent. Once the Board is satisfied that the conditions of Part A of the First Schedule are fulfilled, the applicant can be registered as a Consent Manager.
- The State and its instrumentalities have been empowered to process the personal data of the data principal to provide any subsidy, benefit, service, certificate, or licence. The Second Schedule also provides the standards for processing personal data under clause (b) of section 7 for the purposes stated in Section 17(2)(b) of the Act, that is, processing necessary for research, archiving, or statistical purposes.
- The rules especially focus on the reasonable security safeguards that data fiduciaries must take to protect personal data. They also address personal data breaches and the intimation, to the data principal and the Board, of the description of the breach, its nature and consequences, and the safety measures.
- Schedule III lists the classes of data fiduciaries that must erase the data of the data principal unless the data principal engages with the fiduciary within a specified time period. Additionally, fiduciaries should provide the contact details of a data protection officer whom data principals can approach with any concern. Rule 13 of the draft mandates that fiduciaries publish the details of how the principal can exercise their rights.
- A safeguarding rule has been added regarding consent for processing the personal data of children and persons with disabilities. Verifiable consent of the parent or guardian shall be obtained, with reliable details of identity and age or a virtual token issued by the appropriate authority. However, sub-sections (1) and (3) of section 9 shall not apply to the personal data of a child in the case of the fiduciaries mentioned in Part A of the Fourth Schedule.
- Significant data fiduciaries, as designated under Section 10 of the Act, will have additional obligations to undertake a Data Protection Impact Assessment and an audit once in twelve months, and the report of the same shall be submitted to the Board.
- The rules introduce provisions regarding cross-border transfers of personal data. The Act permitted the transfer of data to trusted countries, but the rules empower the central government to further classify data and set additional requirements.
- A search-cum-selection committee shall be formed for the appointment of the chairperson of the Data Protection Board. The rules specify the appointment process, procedure, and functioning of board meetings and other terms of the Board.
- Lastly, persons dissatisfied with the decision of the Board may appeal to the appellate tribunal for resolution.
Analysis
The rules have filled many gaps that the Act had and have operationalized the
Act in a formalized manner, especially regarding the commission of the Data
Protection Board. However, the rules have failed to address specific penalties
for data breaches. Similarly, an exemption is granted under the Act for carrying out
research, archiving or statistical purposes, yet the position of data-based Artificial
Intelligence tools has not been clarified. The Act also establishes
a Data Protection Board formed of candidates recommended by the central
government, which raises questions about its independence and effectiveness.
To conclude, the rules have provided us with a clearer picture of the Act, yet
they fail to address emerging issues of Artificial Intelligence. The prominent
role of the central government found in the Act has been maintained in the
rules. The rules reflect our ambitions to meet global standards, and practical
implementation of the rules will ensure the same.