The Draft DPDP Act Rules Released – What It Means for Users and Tech Companies?

Highlights

  • Social media platforms must obtain verifiable parental consent before allowing users under 18 to create accounts.
  • Big Tech companies need to ensure user rights are respected by their algorithms.
  • Certain personal data must remain within India without transfer abroad.
  • Penalties for violations are based on severity and company size aiming to protect small businesses.
  • Larger corporations must meet requirements for algorithmic transparency and data protection assessments.

The draft rules for the Digital Personal Data Protection (DPDP) Act have been released.

The government has unveiled the draft rules for the Digital Personal Data Protection (DPDP) Act and is seeking public feedback until February 18.

These rules, expected to be tabled in Parliament during the monsoon session, are set to impact both users and tech companies operating in India.

IT Minister Ashwini Vaishnaw explained the purpose of the draft rules and said, “Rules have to be within four walls of the Act. It is within the ambit of the Act passed by Parliament. These rules have been framed to ensure a balance between regulation and innovation while completely safeguarding the rights of citizens.”

Vaishnaw emphasised that the rules focus on protecting user privacy especially for children while also fostering innovation in the digital space.

Jaspreet Singh, Partner, Grant Thornton Bharat, says that by introducing stringent regulations for data collection, processing, and storage, the DPDPA Rules 2025 aim to strike a balance between technological progress and the right to privacy. “The act mandates transparency from data handlers, enforces consent-driven data usage, and imposes substantial penalties for data breaches and non-compliance. With its emphasis on accountability and user empowerment, the DPDPA Rules 2025 reaffirms the importance of data privacy as a fundamental right.”

“We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms. Further, organisations will need to invest in both technical infrastructure and processes to meet these requirements effectively. This includes relooking into data collection practices, implementing consent management systems, establishing clear data lifecycle protocols and percolating down these practices at an implementation level,” says Mayuran Palanisamy, Partner, Deloitte India.

“While the Act largely permits such transfers, apart from blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight. A proposed committee may recommend that certain personal data be restricted from being transferred outside India, which adds a new dimension to the regulatory landscape that will be important for stakeholders to consider,” says Shreya Suri, Partner, IndusLaw.

The classification of data fiduciaries in the draft rules, which focuses on defining retention periods for data, seems to currently apply only to three categories of fiduciaries. “However, there are concerns among various stakeholders regarding the need for additional use cases, which have yet to be addressed. This leaves some important questions about data retention practices for certain types of data fiduciaries still unanswered.”

“These rules were highly anticipated, with the expectation that they would address implementation challenges, procedural gaps, and areas where the Act required further clarity. While the draft does attempt to cover some of these aspects, there is still significant ground to cover. I anticipate rigorous public consultations to gather comprehensive feedback, ensuring that the final version reflects the needs and perspectives of all stakeholders. Continued input and guidance from the government will be essential to drive effective implementation.”

“In the absence of further clarity, much of this is likely to be left to market practice and stakeholder discretion.”

“While the rules outline certain considerations for reasonable security practices, the lack of detailed guidance leaves room for varied interpretations. Stakeholders will likely adopt practices aligned with the nature and scale of their data processing, but further guidance from the government would be crucial to ensure consistency and compliance across the industry.”

“It seems the approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults. This could potentially lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection.”

Supratim Chakraborty, Partner, Khaitan & Co, added that by requiring verifiable parental consent before processing such data, the Act and the draft rules aim to establish a higher standard of accountability for businesses. “This new legal mandate will require significant overhaul of existing data handling practices, including the integration of identity verification systems to authenticate the identity and age of parents or lawful guardians providing consent. Ensuring that the consenting individual is a legally identifiable adult adds a critical layer of accountability, reflecting the government’s commitment to safeguard the vulnerable groups.”

This shift will also demand investments in technology, operational diligence, and collaboration with trusted verification entities like Digital Locker service providers, says Chakraborty.

Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co. said, “We welcome the release of the draft rules for public consultation, marking a significant step toward implementing the much-anticipated Digital Personal Data Protection (DPDP) Act. This initiative reflects the government’s commitment to fostering a robust framework for data protection in India. While the draft rules are a positive move, we believe there is an opportunity to further enhance operational clarity in certain areas, and we are confident that these discussions will lead to a balanced and practical regulatory framework.”

Key Highlights of the Draft Rules

Enhanced Child Protection Online

The draft rules require social media platforms like Facebook and Instagram to obtain verifiable parental consent before allowing users under 18 to create accounts. Platforms must validate both the parent’s identity and age to comply.

Data Localisation Requirements

Big Tech companies such as Google, Apple, Meta, Amazon and Microsoft must ensure their algorithms respect user rights. Additionally, the government can identify specific types of personal data that cannot be transferred outside India.

Key provisions include:

Rule 12 (3) – “A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.”

Rule 12(4) – “A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.”

Graded Penalties for Breaches

The draft proposes penalties based on the severity of violations and the size of the company. This approach aims to safeguard small businesses while holding larger corporations accountable.

“We have also kept graded punishments to protect the interests of micro, small and medium enterprises. It is to save businesses that may be running their business using a single computer. However, Big Techs have higher obligations under the rules. Minor breaches will attract small penalties and big breaches will lead to higher penalties,” Vaishnaw stated.

Large tech companies will need to ensure algorithmic transparency and submit data protection impact assessments and audit reports to the Data Protection Board.

These draft rules aim to balance privacy protections for users with the need to encourage digital innovation, shaping the future of India’s tech ecosystem. Feedback from the public will play a crucial role in refining these rules before their implementation.

FAQs

Q1. What measures are being proposed to protect children online?

Answer. The draft rules require social media platforms like Facebook and Instagram to obtain verifiable parental consent before allowing users under 18 to create accounts. Platforms must validate both the parent’s identity and age to comply.

Q2. What are the data localisation requirements for Big Tech companies?

Answer. Big Tech companies such as Google, Apple, Meta, Amazon and Microsoft must ensure their algorithms respect user rights. Additionally, the government can identify specific types of personal data that cannot be transferred outside India.

Q3. How will penalties for data breaches be determined?

Answer. The draft proposes penalties based on the severity of violations and the size of the company. This approach aims to safeguard small businesses while holding larger corporations accountable. Large tech companies need to ensure algorithmic transparency and submit data protection impact assessments and audit reports to the Data Protection Board.
