MeitY Releases Draft Digital Personal Data Protection Rules, 2025 

Syllabus: GS2/Polity and Governance

Context

• The government released the draft of Digital Personal Data Protection Rules, 2025 for public consultations.
  • Once notified, the Rules will enable the effective implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).

Key Highlights of the Draft Rules

• Data Fiduciaries: All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
• Data Protection Officer: It is the person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise. “Data Principal” means the individual to whom the personal data relates.
  • The officer should be based in India; 
  • be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary.
• Transparency: Data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. 
• Restriction on flow of Data: The Union Government will specify the kind of personal data which can be processed by “significant data fiduciaries”
  • It is subject to the restriction that such personal data is not transferred outside the territory of India.
• Rights to Citizens: Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.
• For Children: It allows tech companies to implement a mechanism for collecting “verifiable” parental consent before processing personal data of children.
• Data Protection Board: The Board will function as a digital office, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated.
• Data Breach: In the event of a data breach, data fiduciaries will have to intimate impacted individuals without delay, including the measures implemented to mitigate risk.
  • The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

Challenges in Implementation 

• Breach of Right to Privacy: Exemptions to data processing by the State on certain grounds may violate the fundamental right to privacy.
• Lack of Regulation in Data Processing: It does not regulate risks of harms arising from processing of personal data.  
• Transfer of Data Abroad: It allows transfer of personal data outside India, which may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
• Short Tenure of Data Protection Board Members: The members of the Data Protection Board will be appointed for two years and will be eligible for re-appointment.
  • The short term with scope for re-appointment may affect the independent functioning of the Board.

Significance

• Empowering Citizens: The rules empower citizens by giving them greater control over their data. 
• Enhanced Trust on Digital Platforms: Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms. 
• Maintain Fine Balance between Growth and Rights: Unlike restrictive global frameworks, these rules encourage economic growth while prioritizing citizen welfare.
• Quick Grievance Redressal: The Data Protection Board’s digital office approach would ensure quick and transparent resolution of complaints. 

Source: IE