DPDP Draft Rules: Experts urge brands to evaluate existing data protection practices

Draft DPDP rules require businesses to overhaul existing privacy notices and data storage practices.

By Storyboard18 | January 8, 2025, 9:20 am
Experts argue that the timelines (under draft DPDP rules) appear very difficult to comply with.

Industry observers urge data fiduciaries to update their technological infrastructure, consider onboarding onto the consent manager platform and integrate their data protection processes with that platform, as required by the draft Digital Personal Data Protection (DPDP) rules.

As stakeholders seek an extension of the consultation period on the draft Digital Personal Data Protection (DPDP) rules, 2025, experts have urged brands and tech platforms to evaluate existing data protection practices.

While the provisions of the DPDP Act are yet to be notified for enforcement, the draft rules that guide the implementation of several key provisions of the data law will come into effect in the coming months after the conclusion of the public consultation period.

As per the rules, data fiduciaries (or data controllers) are required to seek consent from data principals to collect and process personal data.

The rules also mandate that, along with obtaining consent, a notice (in English and other official Indian languages) be provided detailing the specific types of personal data collected, the purposes for processing such personal data and the rights of the data principal, among other aspects.

Nishith Desai Associates argues that with the introduction of the concept of a consent manager, data fiduciaries will need to consider onboarding onto the consent manager platform and integrating their data protection processes with that platform. They will also need to revisit their notices to include the required information set out in the draft rules.

The firm also remarked that significant data fiduciaries (SDFs) that share personal data with entities situated abroad may be affected by potential data localisation requirements enabled by the draft rules, which may require changes to data sharing arrangements within corporate groups.

The Act also requires erasing personal data as soon as it is reasonable to assume that the specified purpose is no longer being served.

The draft prescribes specific time periods to ascertain the same, in the Third Schedule, for e-commerce entities, online gaming intermediaries and social media intermediaries.

According to the draft rules, data fiduciaries are also required to notify data principals at least 48 hours prior to erasure that their personal data will be erased if they do not log in to their user account, approach the data fiduciary for performance of the specified purpose or exercise their rights.

Data fiduciaries will also be required to create automated processes that track data principal activity, determine when the 48-hour intimation prior to erasure falls due, and then erase the personal data.
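As an added illustration (not code from the article or from any firm quoted in it), a minimal retention job of the kind such an automated process needs: it tracks each data principal's last qualifying activity, issues the 48-hour notice, resets when the principal becomes active again, and erases only after a full notice period has actually elapsed. The 365-day retention window is an assumption, since the article does not reproduce the Third Schedule periods.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention window: the article does not reproduce the Third Schedule periods.
RETENTION_PERIOD = timedelta(days=365)
NOTICE_LEAD_TIME = timedelta(hours=48)  # prior intimation period described in the draft rules

@dataclass
class PrincipalRecord:
    principal_id: str
    last_activity: datetime  # last login, purpose-related request or rights exercise
    notified_at: Optional[datetime] = None

def record_activity(rec: PrincipalRecord, at: datetime) -> None:
    """Any qualifying activity resets the retention clock and cancels a pending notice."""
    rec.last_activity = at
    rec.notified_at = None

def step(rec: PrincipalRecord, now: datetime) -> str:
    """One scheduler pass for a record: returns 'wait', 'notify' or 'erase'."""
    erase_at = rec.last_activity + RETENTION_PERIOD
    notify_at = erase_at - NOTICE_LEAD_TIME
    if now < notify_at:
        return "wait"
    if rec.notified_at is None:
        rec.notified_at = now  # notice goes out here; erasure needs a full 48h after it
        return "notify"
    if now >= erase_at and now >= rec.notified_at + NOTICE_LEAD_TIME:
        return "erase"
    return "wait"

def demo_timeline() -> list:
    """Constructed walk-through of one record: inactivity, notice, re-login, erasure."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    rec = PrincipalRecord("p-001", last_activity=t0)
    actions = [
        step(rec, t0 + timedelta(days=100)),                      # well inside retention
        step(rec, t0 + RETENTION_PERIOD - timedelta(hours=47)),   # notice window opened
        step(rec, t0 + RETENTION_PERIOD - timedelta(hours=47)),   # already notified, not due
    ]
    record_activity(rec, t0 + RETENTION_PERIOD - timedelta(hours=1))  # principal logs in
    t1 = rec.last_activity
    actions += [
        step(rec, t0 + RETENTION_PERIOD + timedelta(hours=1)),    # clock reset: wait again
        step(rec, t1 + RETENTION_PERIOD - timedelta(hours=47)),   # fresh notice
        step(rec, t1 + RETENTION_PERIOD + timedelta(hours=1)),    # 48h after notice: erase
    ]
    return actions
```

A late-running job cannot skip straight to erasure: the record must already carry a notice timestamp at least 48 hours old.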

Nishith Desai Associates highlighted that there is no clarity on why a timeline has only been prescribed for the said three classes, as opposed to other data fiduciaries, such as those in possession of large volumes of personal data.

The Act further requires data fiduciaries to provide data principals with notice prior to, or at the time of obtaining consent for processing their personal data.

The language of the notice must be clear and plain and is required to include, at a minimum: the specific purpose for processing; an itemised description of the personal data being processed; and an itemised description of the goods or services to be provided, or uses to be enabled, by such processing.

Supratim Chakraborty, Partner, Khaitan & Co. notes that the draft rules require businesses to overhaul existing privacy notices that have been historically worded broadly, demanding greater granularity, detail, and transparency.

While no official template or model notice is provided, the requirement for an itemised description of the personal data collected and of the use cases envisaged makes it clear that the notice must be sufficiently informative, describing data practices clearly, understandably and with much greater specificity.

“This shift calls for a thorough review and update of existing privacy communications to meet the higher standards set by the Rules, pushing businesses to be more accountable in how they manage personal data,” he adds.

The Board

Draft rules include provisions on notice requirements, registration and functions of consent managers, security compliances, data breach notification procedures, parental consent for children’s data, redressal procedures, and the appointment and working of the Data Protection Board of India (DPB).

The draft specifies that the provisions relating to the Board will be operationalised upon the publication of the rules in the official gazette.

Nishith Desai Associates notes that it is likely that the provisions related to the Board will come into force first. Other provisions are likely to come into effect at a later date.

“The Government should ideally notify separate dates for operationalising the substantive provisions of the rules, for ease of compliance,” it said.

The Consent

The DPDP Act contemplates establishment of “consent managers” that offer data principals a platform to give, manage, review, and withdraw their consent provided to data fiduciaries. These consent managers are held accountable to the data principals for ensuring proper management of their consent.

Given the position of a consent manager is a novel concept under the Act, and its operational functionality is not tested under other data protection laws, one would have to wait and see how the practical nuances and implementation challenges play out, remarks Nishith Desai Associates.

The draft rules also require a data fiduciary to adopt appropriate technical and organisational measures to obtain the verifiable consent of a parent for processing the personal data of a child. This can be undertaken through: (i) reliable details of the identity and age of the parent already available with the data fiduciary; or (ii) voluntary provision of such details; or (iii) a virtual token mapped to such details, issued by an entity entrusted by law or the Government with the maintenance of such details, or by a person appointed or permitted by such entity, including a Digital Locker service provider.

Nishith Desai Associates remarks that neither the DPDP Act nor the draft rules require the data fiduciary to investigate the ages of its users to ascertain whether they are in fact children, or to verify the relationship between a child and the purported parent; the framework appears to rely on self-identification by a user as a child, or by a parent, for the compliance obligations to trigger. However, it does not address a situation where there is no proactive identification by a child.

The Breach

Upon becoming aware of a personal data breach, the data fiduciary must without delay notify the affected data principals. It must also notify the DPB in two phases: without delay, a description of the breach, including its nature, extent, timing and impact, must be provided to the Board; and within 72 hours of awareness, or a longer period if permitted by the Board, the data fiduciary must submit an updated and detailed description of the breach.

To this, experts argue that the timelines appear very difficult to comply with. Collating and sharing such information within a short timeline may pose significant compliance challenges.

On cross-border data transfer, experts also argue that the rule could empower the Central Government to impose conditionalities on countries that otherwise would not have been subject to any restrictions.

Further, it may potentially restrict entities in India/doing business in India from transferring the requested personal data to such foreign government body.
