Please wait while the page is loading...
02 February 2025
On January 3, 2025, India’s Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025 (Rules).
The Rules will serve to help facilitate the implementation of the Digital Personal Data Protection Act, 2023 (Act).
The Ministry of Electronics and Information Technology welcomes any feedback from the public and stakeholders regarding the Rules until February 18, 2025.
-content_original.JPG)
Rohan Swarup | Associate Partner @ Singh & Singh, New Delhi
For Rohan Swarup, associate partner at Singh & Singh in New Delhi, the draft Digital Personal Data Protection Rules, 2025 are a step in the right direction, in line with the objectives of the Act. ”[The Rules] provide clarity on some of the more vague aspects covered by the Act such as the form and manner of giving notice to the Data Principal, the baseline of what constitutes ‘reasonable security safeguards,’ as well as the manner in which the State can request for information for providing subsidies and benefits,” he said.
However, he added there remain a few provisions in the draft Rules which are broad and thus lack clarity.
One of these is Rule 5 which allows any instrumentality of the State to process personal data to provide a Data Principal with any subsidy, service, certificate, license or permit using public funds. “While the Second Schedule has been added to specify the standards for processing personal data by the State and its instrumentalities, it does not change the fact that the State can virtually include any government activity in the ambit of this Rule. There is no requirement of consent of the Data Principal in this Rule,” Swarup explained.
Furthermore, Rule 5 isn’t clear about whether the Data Principal is required to have applied for the benefit or subsidy in the first place. “Given that nearly all benefits, services etc. are issued under law or policy and nearly all of them make use of public funds, this Rule lacks adequate safeguards and permits the State nearly unfettered access to process personal data,” Swarup stated.
Another provision that calls for greater clarity is Rule 8, according to Swarup. Rule 8 provides the time limit during which certain classes of Data Fiduciary can retain personal data provided for a specific purpose but which is no longer being served. Read with the Third Schedule, Rule 8 prescribes three types of intermediaries who can retain personal data for three years, beginning from the time the Data Principal last approached the concerned Data Fiduciary for the performance of the specified purpose. These intermediaries are: social media intermediary, online gaming intermediary and ecommerce intermediary.
For Swarup, keeping these three types of intermediaries at par is strange. “In my view, online gaming intermediaries and ecommerce intermediaries should be given a shorter period of time to retain personal data as compared to a social media intermediary given that Data Principals often make financial transactions on ecommerce and online gaming intermediary platforms for which they often provide personal data,” Swarup opined.
He also mentioned Section 36 of the Act, which empowers the Central Government to call for information from Data Fiduciaries and intermediaries, and Rule 22 of the draft Rules. Under this Rule, the State can call for this information referred to in the Act’s Section 36 for purposes specified in the Seventh Schedule through the authorized person. Among the purposes specified are those serving the interest of sovereignty and integrity of India or security of the State, performance of any function under any law for the time being in force, among others.
Swarup claimed this provision can be misused. “The provision does not appear to have any oversight mechanism built in, and I am of the view that the demand of the State instrumentalities for personal data might be met with judicial challenges,” he said.
“There is a need for more in-built guardrails in the draft Rules or the Act which ensure that the powers granted to the State are kept balanced with the rights of individuals. There is also a pressing need to make individuals aware of their rights granted under the Act,” Swarup pointed out.
To provide your feedback on the draft Digital Personal Data Protection Rules, 2025, click here.
- Espie Angelica A. de Leon
