On January 3, 2025, India’s Ministry of Electronics and Information Technology ("MeitY") released the Draft Digital Personal Data Protection Rules, 2025 ("Draft Rules") for public comment. The primary aim of these Draft Rules is to operationalize the 2023 Digital Personal Data Protection Act (the "Act") and ensure robust protection and privacy of personal data in the digital realm. Below, we highlight the most notable provisions of the Draft Rules.
- Notice for Consent: To obtain informed consent from a Data Principal, a Data Fiduciary must provide the Data Principal with a clear and standalone notice outlining what data is to be collected, the purpose for the processing, and how consent can be withdrawn.
- Consent Managers and Rights of Data Principals: Defined under the DPDP Act, a Consent Manager is registered with the Data Protection Board and serves as a single point of contact for Data Principals to give, manage, review, and withdraw consent through a transparent and secure platform. Data Fiduciaries and Consent Managers must clearly publish on their website or app the process for Data Principals to exercise their rights under the Act, including the right to request access to or deletion of their personal data.
- Security Safeguards: Data Fiduciaries must implement adequate security measures to protect personal data, such as encryption, access control, monitoring for unauthorized access, and data backups. Contracts between Data Fiduciaries and Data Processors must also ensure that security measures are in place to prevent data breaches.
- Data Breach Notification: In the event of a breach, Data Fiduciaries must promptly notify affected Data Principals, including an explanation of the nature, extent, and timing of the breach. Within 72 hours, Data Fiduciaries must additionally notify the Data Protection Board of the breach, including the events that led to the breach, actions taken to mitigate risks, and the identity of the individual responsible, if known.
- Data Retention: Certain e-commerce entities, online gaming intermediaries, and social media platforms with a significant number of registered users in India must delete personal data within a specified period of time unless the user actively maintains their account. Generally, these entities may only retain personal data for up to three years from the date of a user’s last interaction.
- Processing Personal Data of Children: A Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable. Certain Data Fiduciaries, such as healthcare providers or educational institutions, may be exempt from specific obligations when processing children’s data, under defined conditions.
- Data Protection Impact Assessments (DPIAs): If the Central Government identifies an entity as a Significant Data Fiduciary based on certain enumerated factors, including the volume and sensitivity of the data it processes, that entity must conduct annual DPIAs to assess the risks associated with its data processing activities.
- Cross-Border Data Transfers: Data Fiduciaries processing data within India, or in connection with providing goods or services to Data Principals from outside India, must adhere to any requirements established by the Central Government regarding the transfer of personal data to foreign states or their entities.