India Publishes Draft DPDP Rules for Consultation
India’s Ministry of Electronics and Information Technology released draft Digital Personal Data Protection Rules on 7 March 2024, outlining consent, notice, and cross-border transfer obligations ahead of the DPDP Act’s staged enforcement.
Fact-checked and reviewed — Kodi C.
On 7 March 2024 the Ministry of Electronics and Information Technology (MeitY) opened consultation on the Digital Personal Data Protection Rules, 2024. The draft subordinate legislation operationalizes India's Digital Personal Data Protection Act, 2023 by detailing consent notices, data principal rights workflows, Significant Data Fiduciary designations, and restrictions on cross-border transfers. Comments are due by 15 March 2024, after which MeitY will finalize the Rules. The draft represents India's most comprehensive approach to personal data protection to date, establishing a framework expected to affect every organization that processes the personal data of India's more than 1.4 billion citizens and residents.
Legislative Context and Background
The Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent on 11 August 2023, culminating a multi-year legislative effort that began with the Justice B.N. Srikrishna Committee report in 2018.
The Act establishes India's first comprehensive personal data protection framework, replacing the fragmented approach under the Information Technology Act, 2000 and various sectoral regulations. The DPDP Rules operationalize the Act's principles by specifying the detailed procedural requirements, timelines, and formats that data fiduciaries must follow. Unlike the European GDPR's directly applicable regulation model, India chose an Act plus Rules structure that gives MeitY the flexibility to adjust operational requirements without a parliamentary amendment.
Consent Notice Requirements
Draft Rule 3 requires clear, itemised notices in English and at least one regional language that explain processing purposes, rights, and withdrawal mechanisms. Consent requests must be presented in standalone form, separate from other terms and conditions, and must identify each specific purpose for which consent is sought.
Data fiduciaries must provide granular options allowing data principals to consent to some purposes while declining others. The notice must describe categories of personal data to be collected, identify any third parties with whom data may be shared, explain data retention periods, and provide contact information for the organization's grievance redressal mechanisms. Withdrawal of consent must be as easy as providing consent, with fiduciaries implementing one-click withdrawal mechanisms where technically feasible.
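The granular-consent and withdrawal requirements above boil down to one enforcement point: processing for a purpose is allowed only while the data principal's consent for that specific purpose is current, and a withdrawal must take effect immediately without erasing the audit trail. The following Python is an added illustration of that enforcement point; it is not code from MeitY, the draft Rules, or any consent management product. The purpose labels, the principal identifier and the timestamps are constructed for the example.

```python
"""Per-purpose consent ledger with withdrawal and a processing gate.

Added example for the granular-consent and withdrawal requirements
described above; this is not code from MeitY or the draft Rules.
The purpose labels, the data principal identifier and the timestamps
are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    """Consent state for one data principal, keyed by processing purpose.

    Every grant and withdrawal is kept as its own record so the history an
    auditor needs (who consented to what, and when it was withdrawn) is
    appended to, never overwritten.
    """
    principal_id: str
    records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def grant(self, purposes: Iterable[str], now: Optional[datetime] = None) -> None:
        """Record consent only for the purposes the principal actually ticked.

        Purposes the principal declined are simply absent from the ledger,
        which is what makes is_permitted() fail closed for them.
        """
        now = now or _now()
        for purpose in purposes:
            self.records.setdefault(purpose, []).append(ConsentRecord(purpose, now))

    def withdraw(self, purpose: str, now: Optional[datetime] = None) -> bool:
        """Withdraw consent for one purpose; returns False if none was active."""
        current = self._latest(purpose)
        if current is None or not current.active:
            return False
        current.withdrawn_at = now or _now()
        return True

    def is_permitted(self, purpose: str) -> bool:
        """True only if the most recent record for this purpose is still active."""
        current = self._latest(purpose)
        return current is not None and current.active

    def history(self, purpose: str) -> List[ConsentRecord]:
        """All grant/withdrawal records for a purpose, oldest first."""
        return list(self.records.get(purpose, []))

    def _latest(self, purpose: str) -> Optional[ConsentRecord]:
        records = self.records.get(purpose)
        return records[-1] if records else None


def process_for_purpose(ledger: ConsentLedger, purpose: str) -> str:
    """Gate a processing operation on current consent for that specific purpose."""
    if not ledger.is_permitted(purpose):
        raise PermissionError(f"{ledger.principal_id}: no active consent for {purpose!r}")
    return f"processed {ledger.principal_id} for {purpose}"


if __name__ == "__main__":
    # Constructed walkthrough: the principal ticks order fulfilment and declines marketing.
    ledger = ConsentLedger("dp-0001")
    ledger.grant(["order_fulfilment"])
    print(process_for_purpose(ledger, "order_fulfilment"))
    ledger.withdraw("order_fulfilment")
    try:
        process_for_purpose(ledger, "marketing")
    except PermissionError as exc:
        print("refused:", exc)
```

The design choice worth noting is that a withdrawal is a single state change on the latest record, so "as easy as providing consent" holds at the data layer regardless of how the front end presents it, and a later re-grant appends a new record rather than reopening the withdrawn one.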
Significant Data Fiduciary Obligations
Draft Rule 7 empowers MeitY to designate entities as Significant Data Fiduciaries based on the volume of data processed, the sensitivity of the data categories involved, and the potential risk to data principal rights. Designated organizations face enhanced obligations: mandatory appointment of a Data Protection Officer, who must be a senior management employee resident in India; annual data protection audits by independent auditors, with publication of the findings; and comprehensive Data Protection Impact Assessments for high-risk processing activities.
The DPIA requirements extend to algorithmic systems that profile data principals or make automated decisions affecting their rights. Significant Data Fiduciaries must also establish internal grievance redressal mechanisms with specified response timelines and escalation procedures.
Cross-Border Transfer Restrictions
Draft Rule 8 restricts personal data exports to whitelisted jurisdictions that provide adequate protection and obliges data fiduciaries to maintain transfer registers. MeitY will publish a positive list of countries and territories to which transfers are permitted without additional safeguards.
Transfers to jurisdictions not on the approved list require contractual mechanisms ensuring equivalent protection, though the Rules do not specify approved contract clauses comparable to the EU's standard contractual clauses. Jurisdictions to which transfers are prohibited entirely may be designated on national security, law enforcement cooperation, and human rights grounds. Organizations must maintain complete records of all cross-border transfers, including recipient identities, jurisdictions, purposes, and the safeguards applied.
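Read as an engineering control, the transfer regime above is a three-way decision (positive list, prohibited list, otherwise contractual safeguards or refusal) plus a register that must capture every export, including the ones that were refused. The Python below is an added example of that gate; it is not code from MeitY or the draft Rules. The two-letter codes in the allow and block lists, the recipient names and the safeguard references are constructed placeholders, not the lists MeitY will publish.

```python
"""Cross-border transfer gate that records every export decision in a register.

Added example for the allow-list / prohibited-list / contractual-safeguard
logic described above; this is not code from MeitY or the draft Rules.
The jurisdiction codes, recipients and safeguard references are constructed
placeholders, not the lists MeitY will publish.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

DOMESTIC = "IN"            # a transfer that stays in India is not an export at all
ALLOW_LIST = {"AA", "BB"}  # constructed stand-in for MeitY's positive list
BLOCK_LIST = {"ZZ"}        # constructed stand-in for prohibited jurisdictions


@dataclass(frozen=True)
class TransferRequest:
    recipient: str
    jurisdiction: str
    purpose: str
    contractual_safeguard: Optional[str] = None  # reference to the signed clauses, if any


@dataclass(frozen=True)
class RegisterEntry:
    timestamp: str
    recipient: str
    jurisdiction: str
    purpose: str
    decision: str
    safeguard: str


class TransferGate:
    def __init__(self, allow: Iterable[str] = ALLOW_LIST, block: Iterable[str] = BLOCK_LIST):
        self.allow = {code.upper() for code in allow}
        self.block = {code.upper() for code in block}
        self.register: List[RegisterEntry] = []

    def decide(self, req: TransferRequest) -> str:
        """Return the decision label; prohibition wins if a code appears on both lists."""
        code = req.jurisdiction.strip().upper()
        if code == DOMESTIC:
            return "domestic"
        if code in self.block:
            return "prohibited"
        if code in self.allow:
            return "permitted-positive-list"
        if req.contractual_safeguard:
            return "permitted-contractual"
        return "refused-no-safeguard"  # fail closed: unlisted jurisdiction, no clauses

    def transfer(self, req: TransferRequest, now: Optional[datetime] = None) -> bool:
        """Apply the decision and append every export attempt, allowed or not, to the register."""
        decision = self.decide(req)
        if decision != "domestic":
            stamp = (now or datetime.now(timezone.utc)).isoformat()
            self.register.append(RegisterEntry(
                stamp, req.recipient, req.jurisdiction.strip().upper(),
                req.purpose, decision, req.contractual_safeguard or "none",
            ))
        return decision == "domestic" or decision.startswith("permitted")

    def refused_attempts(self) -> List[RegisterEntry]:
        """Entries an auditor will ask about first: exports the gate did not allow."""
        return [entry for entry in self.register if not entry.decision.startswith("permitted")]


if __name__ == "__main__":
    # Constructed sample transfers exercising each branch of the decision.
    gate = TransferGate()
    gate.transfer(TransferRequest("analytics-vendor", "aa", "analytics"))
    gate.transfer(TransferRequest("cloud-host", "ZZ", "backup", "clauses-2024-01"))
    gate.transfer(TransferRequest("support-bpo", "CC", "support"))
    gate.transfer(TransferRequest("support-bpo", "CC", "support", "clauses-2024-07"))
    for entry in gate.register:
        print(entry.jurisdiction, entry.decision, entry.safeguard)
```

Two choices here matter more than the list lookups: the gate fails closed for a jurisdiction on neither list when no contractual safeguard is referenced, and refused attempts are written to the same register as successful exports, so the record the Rules require also doubles as evidence that the control actually blocked something.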
Children and Vulnerable Persons
Draft Rule 5 mandates verifiable parental consent flows for processing children's personal data and accessibility accommodations so that persons with disabilities can use rights portals. Data fiduciaries must implement age verification before processing the data of persons under 18 years, with enhanced requirements for children below certain age thresholds.
Verifiable parental consent must be obtained through mechanisms that reasonably confirm the consenting parent or guardian's identity. The Rules prohibit processing children's data for behavioral monitoring, targeted advertising, or any processing that could cause harm to the child's wellbeing. Accommodations for persons with disabilities must include accessible formats, alternative communication channels, and reasonable adjustments to consent and rights exercise mechanisms.
Data Principal Rights Implementation
The Rules specify procedures and timelines for data fiduciaries to respond to data principal rights requests. Fiduciaries must acknowledge requests within 48 hours and complete responses within the timeframe specified for each right. The right to access includes providing data in commonly used machine-readable formats. Correction requests must be processed promptly, with notification to any third parties to whom the incorrect data was disclosed. Erasure requests trigger requirements to delete or anonymize the data and to notify downstream processors. The Rules also establish a central consent management framework through which data principals can view and manage the consent they have given to various fiduciaries.
Compliance Timeline and Transition
MeitY will finalize the Rules after the consultation period, with phased implementation based on organization size and processing complexity. Large enterprises processing significant data volumes face earlier compliance deadlines, while small businesses receive extended timelines and potential exemptions. Affected organizations should begin gap assessments against the draft requirements, implement consent management platforms, establish data principal rights fulfilment workflows, and prepare cross-border transfer impact assessments pending publication of the final Rules.