The Indian Government has published the draft Digital Personal Data Protection Rules 2025 (“DPDP Rules”), intended to provide the implementation framework required under India’s Digital Personal Data Protection Act 2023 (“DPDPA”) which was passed into law in August 2023 and has been in suspended animation since. The DPDP Rules provide clarity on various implementational aspects of the DPDPA, and the current draft version has been published for a public consultation exercise, wherein stakeholders have been invited to provide their feedback and inputs until 18 February 2025.
The DPDPA (and the DPDP Rules) will be applicable to foreign data controllers as well, if such data controllers are processing the personal data of Indian data subjects in connection with providing goods and/or services to them. Important aspects of and requirements under the DPDP Rules to consider are:
- Privacy notices will need to provide an itemized list of the personal data being processed with an itemized description of the goods or services or other such purpose of the processing. The notices need to be provided in English and all 22 languages listed in the Indian Constitution, at the option of the data subject. A clearly accessible link on the data controller’s website and/or app also needs to be provided through which data subjects can exercise the rights provided to them under the law.
- Data controllers must put in place “reasonable security safeguards” to protect the personal data they process, including, at a minimum, encryption, obfuscation and masking, controlled access to personal data and maintenance of access logs, backups of data to protect against loss or destruction, and the inclusion of adequate contractual provisions in contracts with data processors regarding such safeguards.
- In the event of a personal data breach, data controllers are required to notify all affected data subjects of the nature, extent, timing and location of the breach, the consequences likely to arise from the breach, the risk mitigation and safety measures being taken by the data controller, and contact details of a person who can answer any questions the data subject may have of the data controller. In addition to this, within 72 hours of becoming aware of a breach, data controllers are required to notify the Data Protection Board of India (the regulatory authority to be set up under the DPDPA) of any further information relating to the initial report, the facts and circumstances leading to the breach, the risk mitigation and safety measures being implemented, findings relating to the person who caused the breach, and details of the intimation which has been provided to the affected data subjects.
- As per the DPDPA, prior to processing the personal data of anyone under the age of 18 or a person with a disability, data controllers must seek consent from the parent or legal guardian, as applicable, for such processing. The DPDP Rules elaborate upon this requirement and prescribe that data controllers must adopt “appropriate technical and organisational measures” to ensure that verifiable consent of the parent/legal guardian is being taken, and must observe due diligence to verify the same, either by using reliable details of the parent/legal guardian’s age and identity already available to the data controller, or by relying on voluntarily provided details of age and identity issued by a governmental authority.
- In what seems like a departure from the cross-border data transfer provisions in the DPDPA (which allows only for the Government to blacklist certain countries to which personal data of Indian data principals may not be transferred), the DPDP Rules place an additional data localization requirement on significant data fiduciaries. As per the DPDP Rules, the Government may, on recommendation of a committee constituted by it, notify categories of personal data which would be restricted from being transferred outside India. It is likely that this provision in the DPDP Rules will be challenged during the public consultation exercise (and potentially in Indian courts if it is not revised before being passed into law) as it seems to go beyond the provisions of the DPDPA.
The DPDPA along with the DPDP Rules are expected to be put into force sometime this year, although specific timelines have not yet been provided. The Indian Government may also provide for a compliance period after putting the law in force to ensure that all data controllers have the necessary practices and procedures as required under the DPDPA and the DPDP Rules in place.
Under the DPDPA, all compliance obligations are placed on the data controller, and consequently, only data controllers may be liable for the considerable monetary penalties of up to approximately USD 29 million under the DPDPA. This, coupled with the DPDPA’s extraterritorial applicability, means that foreign franchisors and distributors doing business in India must take steps to ensure compliance with the provisions of the law and ensure that their Indian partners do the same. Revisions to contractual terms may be required for such arrangements, including changes to indemnity and liability caps, as well as execution of separate data processing addendums where necessary, to ensure that the Indian partner, in its capacity as a data processor, is compliant with the requirements of the DPDPA and to adequately protect the franchisor/distributor in the event of non-compliance.
Srijoy Das, IDI Country Expert for agency and franchising in India
Shivalik Chandan