[vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” top_padding=”21″ bottom_padding=”0″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none” gradient_type=”default” shape_type=””][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_row_inner equal_height=”yes” content_placement=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” text_align=”left” row_position=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” pointer_events=”all”][vc_column_inner column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/2″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]

Are you doing business in India? If so, you need to prepare for big changes to the country’s data privacy laws. India’s Digital Personal Data Protection Act was enacted on August 11, 2023. As of May 2025, it is not yet fully implemented. But the publication of new Draft Rules should give organisations fresh guidance on how to prepare for the Act once it comes into effect – MEF CEO Dario Betti shares his thoughts.

The DPDP Act, 2023 is a law, its full implementation is pending the establishment of the Data Protection Board and the finalization and notification of the subordinate rules. The recent release of the Draft Rules in January 2025 and the public consultation process in February 2025 show a significant progress towards making the Act operational, but an official date for its full enforcement is yet to be announced.[/vc_column_text][/vc_column_inner][vc_column_inner column_padding=”padding-5-percent” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”left-right” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/2″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][image_with_animation image_url=”191607″ image_size=”full” animation_type=”entrance” animation=”Fade In” animation_easing=”default” animation_movement_type=”transform_y” hover_animation=”none” alignment=”” border_radius=”none” box_shadow=”none” image_loading=”default” max_width=”100%” max_width_mobile=”default”][/vc_column_inner][/vc_row_inner][vc_row_inner column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” text_align=”left” row_position=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” pointer_events=”all”][vc_column_inner column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_column_text]Here we analyse the latest developments introduced by the Draft Rules.

January 2025 a draft digital protection rules give higher visibility

[icon color=”Accent-Color” size=”small” image=”fa-quote-left”] The DPDP Act represents a significant legislative advancement in India, establishing a comprehensive framework for the processing of personal data. This primary legislation aims to uphold the fundamental right to privacy by mandating lawful and transparent data processing practices. A clear understanding of the key actors and salient developments outlined in these rules is imperative for organizations and individuals operating within the Indian digital ecosystem.”

The DPDP Act represents a significant legislative advancement in India, establishing a comprehensive framework for the processing of personal data. This primary legislation aims to uphold the fundamental right to privacy by mandating lawful and transparent data processing practices.

To facilitate the operationalization of the principles enshrined within the DPDP Act, the Draft Digital Personal Data Protection Rules were introduced on January 3rd, 2025, providing specific guidelines for implementation.

A clear understanding of the key actors and salient developments outlined in these rules is imperative for organizations and individuals operating within the Indian digital ecosystem.

Key Stakeholders Defined in the framework

The DPDP Act and the accompanying Draft Rules delineate the roles of critical entities involved in the processing of personal data:

• Data Fiduciary: A Data Fiduciary is any person, organization, or institution that determines the purpose and means of processing personal data. This encompasses a broad spectrum of entities, including financial institutions (e.g., commercial banks, insurance companies), search engines (e.g., Google, Safari, Microsoft Edge), social media platforms (e.g., Facebook, Instagram, WhatsApp), e-commerce platforms (e.g., Amazon, Flipkart), and streaming services (e.g., Hotstar, Netflix). Fundamentally, any entity that exercises autonomy in deciding the categories of personal data to be collected and the way of their utilization qualifies as a Data Fiduciary.
• Data Principal: A Data Principal as the individual to whom the personal data relates, including users of applications, subscribers to services, employees, and customers. In the context of minors or individuals with disabilities, the definition extends to their respective parents or lawful guardians. In essence, any natural person whose data is subject to processing by a Data Fiduciary is considered a Data Principal.
• Consent Manager: A new construct in the Act refers to Consent Managers: entities duly registered with the Data Protection Board with a primary function is to provide Data Principals with an accessible, transparent, and interoperable platform through which they can grant, manage, review, and withdraw their consent for the processing of their personal data.

New clarifications from the January 2025 draft rules.

The Draft Rules elaborate on several pivotal aspects of the DPDP Act, providing granular detail and establishing specific procedures for adherence:

1. Stipulation of Parental Consent for Minors:Recognizing the inherent vulnerability associated with the personal data of children, Section 10 of the Draft Rules mandates that Data Fiduciaries must obtain verifiable consent from a parent prior to processing any personal data pertaining to a child. The Rules prescribe specific mechanisms for verifying the identity and age of the consenting parent. Where the parent is an existing, verified user of the Data Fiduciary’s services, their extant data may be utilized for verification. In instances where the parent is not a registered user, verification must be conducted through a virtual token issued by an entity legally entrusted or by the Government, such as the token accessible via the DigiLocker application. This stringent requirement underscores the commitment to safeguarding the personal data of minors through the explicit consent and verified identity of their parents.
2. Stipulation of Consent of Lawful Guardian for Persons with Disabilities:Analogous to the provisions concerning minors, the Draft Rules emphasize the protection of the personal data of individuals with disabilities. Data Fiduciaries are obligated to secure verifiable consent from the lawful guardian before processing any personal data of such individuals. The stipulated verification procedures mirror those for parental consent, permitting the utilization of pre-existing verified data or verification through a government-issued virtual token, including that available through DigiLocker. This provision ensures that the personal data of individuals who may lack the capacity for independent informed consent is protected through the explicit consent of their legal representatives.
3. Restriction on International Transfer of Data:Section 14 of the Draft Bill confers upon the Central Government the authority to impose restrictions on the transfer of personal data to foreign states. Data Fiduciaries are mandated to comply with any conditions specified by the government concerning such transfers. This provision empowers the government to regulate the cross-border flow of personal data, potentially predicated on considerations of data protection standards and the geopolitical context of the recipient jurisdiction. Notably, an exception is provided for the processing of data for purposes of research, archiving, or statistical analysis, which are exempt from these international data transfer restrictions.
4. Conferment of Rights Upon Data Principals:The Draft Rules operationalize the rights afforded to Data Principals under the DPDP Act. Specifically, they establish the right of Data Principals to:

• • Withdrawal of Consent: Individuals retain the right to withdraw their previously granted consent for the processing of their personal data at any juncture.
  • Request for Erasure of Personal Data: Data Principals are entitled to request Data Fiduciaries to erase the personal data that they have previously provided.

5. Specification of Obligations of Data Fiduciaries:To enable Data Principals to effectively exercise their stipulated rights, the Draft Rules delineate specific obligations for Data Fiduciaries and Consent Managers. These entities are required to prominently publish on their websites or applications:

• • Comprehensive details regarding the mechanisms through which Data Principals can exercise their rights, such as the withdrawal of consent and the submission of data erasure requests.
  • Identifying particulars, such as usernames or account identifiers, to facilitate the accurate identification of Data Principals submitting such requests.
  • A robust grievance redressal mechanism for the efficient and effective resolution of any grievances raised by Data Principals concerning the processing of their personal data.

Furthermore, the Rules specify the requisites for the Notice provided by Data Fiduciaries to Data Principals at the point of data collection. The Notice must be:

• • Articulated in clear and unambiguous language, readily comprehensible to the Data Principal.
  • Include a precise and itemized description of the specific personal data being collected.
  • Clearly articulate the purpose(s) for which the personal data is being collected and processed.

[/vc_column_text][/vc_column_inner][/vc_row_inner][/vc_column][/vc_row][vc_row type=”in_container” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” scene_position=”center” text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_row_inner column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” text_align=”left” row_position=”default” row_position_tablet=”inherit” row_position_phone=”inherit” overflow=”visible” pointer_events=”all”][vc_column_inner column_padding=”padding-3-percent” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”right” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”5/6″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid” column_padding_type=”default” gradient_type=”default”][vc_column_text]Data Fiduciaries are also obligated to provide Data Principals with a readily accessible communication link (e.g., a hyperlink on a website or an in-application feature) through which they can withdraw their consent and exercise their other rights as enshrined under the Act.

6. Provisions for the Processing of Personal Information by the State:Section 5 of the DPDP Act grants the State and its instrumentalities the authority to process the personal information of Data Principals for specific governmental functions. This includes the provision of subsidies, benefits, services, certificates, licenses, or permits. This provision acknowledges the legitimate imperative for governmental entities to process personal data for the efficient delivery of public services and welfare programs.

Next steps

If you are interested in the questions of how Data and Privacy are shaping business in India and others markets, join the Identity & Data Interest Group at MEF.[/vc_column_text][/vc_column_inner][vc_column_inner column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”left” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” overflow=”visible” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/6″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][vc_text_separator title=”Dario Betti” title_align=”separator_align_left” color=”blue”][image_with_animation image_url=”72123″ image_size=”full” animation_type=”entrance” animation=”Fade In” animation_easing=”default” animation_movement_type=”transform_y” hover_animation=”none” alignment=”” border_radius=”none” box_shadow=”none” image_loading=”default” max_width=”100%” max_width_mobile=”default”][vc_column_text]

MEF CEO

[icon color=”Accent-Color” animation_speed=”Slow” size=”regular” icon_size=”” animation_delay=”” image=”fa-linkedin-square”] [icon color=”Accent-Color” animation_speed=”Slow” size=”regular” icon_size=”” animation_delay=”” image=”fa-envelope-square”] [icon color=”Accent-Color” animation_speed=”Slow” size=”regular” icon_size=”” animation_delay=”” image=”fa-share-square”][/vc_column_text][/vc_column_inner][/vc_row_inner][/vc_column][/vc_row][vc_row type=”full_width_background” full_screen_row_position=”middle” column_margin=”default” column_direction=”default” column_direction_tablet=”default” column_direction_phone=”default” bg_color=”#1074b1″ scene_position=”center” top_padding=”3″ text_color=”dark” text_align=”left” row_border_radius=”none” row_border_radius_applies=”bg” overflow=”visible” overlay_strength=”0.3″ gradient_direction=”left_to_right” shape_divider_position=”bottom” bg_image_animation=”none”][vc_column column_padding=”no-extra-padding” column_padding_tablet=”inherit” column_padding_phone=”inherit” column_padding_position=”all” column_element_direction_desktop=”default” column_element_spacing=”default” desktop_text_alignment=”default” tablet_text_alignment=”default” phone_text_alignment=”default” background_color_opacity=”1″ background_hover_color_opacity=”1″ column_backdrop_filter=”none” column_shadow=”none” column_border_radius=”none” column_link_target=”_self” column_position=”default” gradient_direction=”left_to_right” overlay_strength=”0.3″ width=”1/1″ tablet_width_inherit=”default” animation_type=”default” bg_image_animation=”none” border_type=”simple” column_border_width=”none” column_border_style=”solid”][/vc_column][/vc_row]