In an era defined by rapid technological advancement and data-driven decision-making, governments worldwide are revisiting their data protection frameworks to address emerging challenges. India, recognizing the importance of personal data protection, enacted the Digital Personal Data Protection Act (DPDP Act) in 2023. The subsequent release of the Draft DPDP Rules last week provides a roadmap for operationalizing the Act, setting the stage for transformative regulatory changes in 2025.
This article explores the nuances of the new Data Rules, focusing on their implications for businesses, individuals, and governance structures.
The Draft Rules outline a phased approach to implementation. The provisions relating to the Data Protection Board (DPB), Rules 16 to 20, come into effect immediately upon notification, while the key operational requirements under Rules 3 to 15, 21 and 22 will follow on a date yet to be notified, with no fixed timeline. This staggered approach allows organizations to adapt gradually, although clarity on specific deadlines remains crucial for compliance planning.
A cornerstone of the DPDP Act and Rules is their emphasis on consent and transparency. Under Rule 3, businesses are required to issue clear, standalone notices detailing the types of personal data collected, the purpose of collection, and the related processing. These notices must provide:
• Information on how consent can be withdrawn.
• Links to grievance redressal mechanisms.
• Instructions for lodging complaints with the DPB.
Achieving the balance between transparency and operational efficiency will be key for businesses.
Consent Managers (CMs), governed by Rule 4 and the First Schedule, are introduced to streamline consent management. Acting as intermediaries between Data Fiduciaries (DFs) and individuals, CMs ensure that consent is given, managed, and withdrawn in a secure and transparent manner. To operate, CMs must register with the DPB and adhere to stringent operational guidelines that require independence and the avoidance of conflicts of interest.
Rule 5 and the Second Schedule also address how government bodies may process personal data. Such processing is limited to providing subsidies, benefits, services, certificates, licences or permits, and must be lawful and necessary for that purpose. The individual's prior consent to receive the benefit or service is the basis on which this processing rests, which is why it becomes so important. Key safeguards to be followed by government bodies include:
• Limited data retention.
• Robust security measures.
• Transparency regarding data usage.
Data security is a pivotal component of the Draft Rules. Organizations must implement reasonable security safeguards such as encryption, virtual token mapping (replacing personal data with tokens that map back to it), and access controls. These obligations flow down to data processors through contractual agreements, underscoring the importance of defining roles and responsibilities clearly.
Timely reporting of data breaches is mandated under Rule 7. DFs must notify both the affected individuals and the DPB without delay upon discovering a breach, followed by a detailed report to the DPB within 72 hours. The report should include:
• Date and time of the breach.
• Scope and potential impact.
• Containment measures.
The absence of a graded system for breach severity raises concerns about over-reporting and administrative burden.
Under Rule 8 and the Third Schedule, the specified classes of Data Fiduciaries are required to erase personal data once three years have passed since the individual last engaged with them, except for data needed to maintain access to user accounts or to operate virtual tokens. Businesses must notify individuals at least 48 hours before the erasure deadline, and may retain data beyond it only where the law requires. This necessitates robust data management systems to track retention timelines and act on them.
To ensure verifiable parental consent, DFs must establish reliable systems to verify the identity of parents or guardians. They are granted flexibility in choosing their verification method, whether by leveraging existing information already in their possession or by utilizing government-authorized digital tokens. While this approach allows businesses to tailor verification processes to their needs, it raises concerns about the broader implications of age verification. Additionally, certain entities, such as healthcare providers, educational institutions (broadly defined, so potentially including edtech platforms), and essential service providers, are exempt from both the requirement to obtain parental consent and the restrictions on tracking and behavioural monitoring of children. However, this exemption may not serve as a universal safeguard. Businesses operating in these sectors are advised to adopt a risk-based approach to age verification, tracking, and behavioural monitoring to minimize potential harm, as set out in Rules 10 and 11 and the Fourth Schedule.
Significant Data Fiduciaries (SDFs) face additional compliance requirements under Rule 12, including annual Data Protection Impact Assessments (DPIAs) and audits. SDFs must also verify that their algorithmic systems do not pose risks to individuals' rights. While these measures enhance accountability, they also pose implementation challenges.
The Draft Rules revisit the contentious issue of data localization. A government committee will determine which data must remain within India in accordance with Rule 12(4), while specific requirements will regulate cross-border data sharing as per Rule 14. This marks a shift from the DPDP Act’s broader allowance for international data transfers.
Individuals, termed Data Principals, can exercise rights to access, correct, or erase their personal data through clearly outlined mechanisms. Under Rule 13, DFs and CMs are obliged to publish transparent, accessible processes for doing so, reinforcing user empowerment.
The DPB's governance structure, set out in Rules 16 to 20, involves specialized search and selection committees to appoint members. Members are expected to possess expertise in data governance, law, or technology, ensuring informed decision-making.
Aggrieved parties may appeal DPB decisions to the Appellate Tribunal, which functions as a digital office. Guided by principles of natural justice, the tribunal has flexibility in its procedures, including summoning individuals and waiving fees.
Certain data processing activities, such as those for research, archiving, or statistical purposes, are exempt under Rule 15. These exemptions require adherence to lawful and responsible data governance standards, ensuring ethical data usage.
The new Data Rules of 2025 signal a pivotal shift in India's data protection landscape. By establishing robust frameworks for consent, security, and accountability, they aim to balance innovation with privacy. However, the path to implementation is fraught with challenges, from operationalizing consent mechanisms to navigating cross-border data transfer requirements. As businesses and stakeholders prepare for these changes, active engagement with regulatory consultations and investment in compliance infrastructure will be crucial. The DPDP Rules provide an opportunity to set new benchmarks in data governance, fostering trust and resilience in the digital economy.
The Delhi High Court has issued an injunction prohibiting any unauthorized use, disclosure, or publication of sensitive and confidential data belonging to Niva Bupa Health Insurance Company Limited by an unidentified data thief. The court's directives aim to safeguard the privacy rights of customers and prevent misuse of their personal data following a ransomware attack on the company.
Senior Advocate Mr. Pradeep K. Bakshi, along with the team from White & Brief Advocates & Solicitors, represented Niva Bupa. During the course of arguments, Mr. Bakshi informed the court that the company's robust security systems had been compromised in a targeted ransomware attack aimed at extortion. He further submitted that the data breached included personal details such as names, identity proofs, addresses, policy details, and mobile numbers—information collected as part of regulatory compliance.
The Plaintiff established a strong prima facie case for interim relief, arguing that the breach had the potential to cause significant damage to both the company and its customers.
While passing the injunction Order, Justice Manmeet Pritam Singh Arora emphasised the potential risks arising from unauthorized access to sensitive data, such as identity theft, financial fraud, privacy violations, and unauthorized transactions. Recognizing the severity of the breach, the court underlined the critical need to protect personal information and issued an order for the immediate removal of any leaked data by intermediaries and platforms within 24 hours of notification by the Plaintiff.
To mitigate the potential harm, the court issued a series of directives, including:
1. Restraining Order: The "John Doe" defendant is strictly prohibited from using, copying, publishing, or disclosing Niva Bupa's confidential information on any platform.
2. Action by ISPs and Platforms: Internet service providers and intermediaries have been directed to block and remove all unauthorized content, accounts, and domains associated with the misuse of the Plaintiff's trademarks and data.
3. Investigation Support: Defendants Nos. 1 to 6 have been instructed to provide all available information regarding Defendant No. 7, including digital footprints, to aid the ongoing investigation.
The team from White & Brief Advocates & Solicitors comprised Partner Mr. Mohit Bakshi and Associate Mr. Akshaja Singh.
This order reaffirms the importance of customer data privacy in the digital age and serves as a crucial step in combating the misuse of breached data and ransomware-driven extortion.
The influence of technology and the internet on our daily lives is greater than ever, and it is set to grow manifold with the advent of AI. Over the course of our lives, we share personal information online through social media and other online platforms to connect personally and professionally. The price we pay for these digital services is our personal information, which raises valid concerns about data privacy and protection.
Right to Privacy allows you to keep your personal information confidential. Data protection refers to the measures and practices that ensure your personal data is safeguarded against data theft and misuse.
Your personal information includes details like your name, address, phone number, financial data, and health records. This data can be misused by cyber criminals for identity theft and financial scams. With the introduction of AI, new categories of crime have emerged, such as fraud using deepfake technology. Hence, protecting your data has become more important than it ever was. Privacy laws and data security regulations give you control over your personal information and restrict its unauthorized use.
There have been various instances in which an individual's personal data was put to malicious use by private entities, sometimes without the owner's consent. The Cambridge Analytica scandal in 2018 brought widespread attention to the issue of data privacy and misuse. It exposed that the personal information of Facebook users had been collected without their consent for political advertising. In a similar incident in 2021, the Pegasus spyware case came to light, in which it was alleged that Pegasus spyware was used for illegal surveillance of journalists, activists, and politicians. This incident again highlighted the importance of data privacy.
The courts have in various instances come to the rescue of people who were victims at the hands of private entities. Their personal data was either taken without their consent or through convoluted interfaces in which users did not even understand that they had given consent, or for what purpose. This left data subjects in a vulnerable position without any recourse. In such situations, judicial intervention provided an appropriate remedy to the data subjects. It also ensured that entities using personal data could not take advantage of the data subject's innocence or lack of technical knowledge.
In the case of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. AIR 2017 SC 4161, Supreme Court confirmed that privacy is a fundamental right under the Indian Constitution, paving the way for stronger regulations to safeguard personal information.
In another notable case, WhatsApp LLC & Anr. v Competition Commission of India, LPA 163/2021, the Delhi High Court upheld the Competition Commission of India's decision to investigate WhatsApp's updated 2021 privacy policy, which made the sharing of user data with Facebook a condition of continued use of the service. This case highlighted the importance of transparent and responsible data management practices, and of not forcing consent on users.
The Information Technology Act, 2000: The Information Technology Act of 2000 sets out rules for electronic governance and oversees how personal data is handled. It also includes penalties for cybercrimes such as hacking and data theft.
The Digital Personal Data Protection Act, 2023: The Digital Personal Data Protection Act of 2023 established a dedicated data protection law in India. It outlines individual rights regarding personal data, creates the Data Protection Board of India, and places responsibilities on data fiduciaries. The 2023 Act permits personal data to be processed for any lawful purpose, with the individual's consent or for certain legitimate uses. Entities that determine the purpose and means of processing digital personal data ('Data Fiduciaries') have specific responsibilities, including:
(a) maintaining reasonable security safeguards;
(b) ensuring accuracy and completeness of personal data;
(c) reporting data breaches to the Data Protection Board of India (DPB) in a prescribed manner;
(d) deleting data upon consent withdrawal or when the specified purpose expires;
(e) appointing a data protection officer (mandatory for Significant Data Fiduciaries) and establishing grievance redress systems; and
(f) obtaining parental/guardian consent for children/minors under eighteen years of age.
The Aadhaar Act, 2016: The Aadhaar Act, 2016 dictates how the Aadhaar unique identification system is used and lays down guidelines for gathering, storing, and using biometric data. The Supreme Court in the Aadhaar judgement found that the Aadhaar Act was constitutional to the extent of using Aadhaar to verify an individual's identity for receiving government-funded benefits like subsidies. However, private entities cannot use Aadhaar data without an individual's consent for any other purpose.
Consent: When it comes to your personal data, companies and organizations are required to ask for your clear permission before they gather and handle it.
Purpose Limitation: Your data can only be used for the specific reason it was collected for or permitted for, and not for anything else.
Data Minimization: Additionally, only the necessary amount of data should be collected, and once the purpose is met, it should be removed.
Access and Correction: You also have the right to see, and to correct any inaccuracies in, the personal data that an organization holds about you.
Data Portability: Furthermore, you can move your personal data from one service provider to another in a standard format.
Right to Be Forgotten: You have the right to get your personal data removed or deleted from an organization's records under certain circumstances.
Be Cautious with Personal Information: When sharing personal information online, be cautious and think carefully about what you disclose, especially on social media platforms.
Use Strong Passwords: To protect your accounts, create strong, unique passwords for each account, especially those holding banking and investment information, and enable two-factor authentication wherever it is offered.
Keep Software Updated: Keep your operating systems, applications, and antivirus software up to date to prevent data security breaches.
Be Vigilant Against Phishing Attempts: Do not reply or provide personal information to unsolicited emails, messages, or calls requesting personal information.
Privacy and data protection are fundamental rights in the digital age. In a country like India, where the majority of the population may not be technically informed, protecting personal information is even harder. Many people may not be aware enough to recognize that their personal data is being used for unintended purposes. With internet access and mobile usage now reaching all parts of the country, the issue of personal data protection has become more crucial than before. By understanding your rights and the laws that protect them, you can take steps to safeguard your personal information and maintain control over your data.