FAQ | All you need to know about the draft Digital Personal Data Protection rules

The draft rules seek to protect citizens’ rights in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), while achieving the right balance between regulation and innovation, so that the benefits of India’s growing innovation ecosystem are available to all citizens and India’s digital economy.

Both the DPDP Act and the draft rules are digital by design and envisage implementation in a digital way.

The Data Protection Board itself will function as a digital office and will be born digital, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.

.

Feedback/comments may be submitted through the MyGov portal at the link https://innovateindia.mygov.in/dpdp-rules-2025 any time till 18th February, 2025.

In addition, structured interaction for feedback with identified stakeholders, such as civil society, industry and government organisations, would also be organised to gather feedback.

All feedback/comments will be taken into consideration while finalising the rules.

The final rules as notified will also be placed before Parliament.

The draft rules aim to protect citizen’s rights without disrupting existing digital practices.

Further, adequate time will be given to all entities to adapt their systems to meet the requirements of this law.

Processing of digital data on the basis of consent given before the coming into force of the new law is permitted and such processing may continue while citizens are given notice regarding the same so that they may exercise their rights under the law.

While clear obligations have been cast on Data Fiduciaries to protect personal data in accordance with the law, prescriptions have been kept to a minimum and compliance burden has been kept low by enabling compliance through digital means.

While the entities will prepare themselves for compliance with the law during the period given for adapting their systems, widespread awareness initiatives will be undertaken to educate the citizens about their rights on their personal data.

Further, digital platforms will have to inform and take consent of people in English or any of the 22 Indian languages listed in the Constitution, in the language of their choice.

They will also have to notify their users of the online links using which they may exercise their rights for withdrawing their consent, obtaining information regarding processing of their data, update and erasure of their data, grievance redressal, nomination and making a complaint to the Data Protection Board.

The Data Fiduciary is required to adopt technical and organisational measures to ensure that verifiable consent of parent is obtained for processing personal data of a child.

The DPDP Act provides for graded financial penalties in case of violation of the Act and the rules.

The quantum of penalty would depend upon the nature, gravity, duration, type, repetitiveness, efforts made to prevent breach, etc.

Further, Significant Data Fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for startups.

Therefore, any penalty imposed for defaults would be fair and proportionate.

Moreover, the Data Fiduciary may at any stage in the proceedings may voluntarily give an undertaking to the Data Protection Board, which if accepted by the Board would result in the dropping of proceedings.

.

The DPDP Act and the draft rules do not mandate that all personal data be stored within India.

However, they provide that transfer of personal data outside India may be restricted for certain classes.

The draft rules envisage a committee that may recommend restriction on such transfer by a Significant Data Fiduciary in respect of specified personal data.

.