IT for Change’s Submission on the Draft Digital Personal Data Protection Rules, 2025

IT for Change submitted its feedback/comments on the draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) released by the Ministry of Electronics and Information Technology. The key points of our feedback are outlined below.

1. Notice given by Data Fiduciary to Data Principal:

  • To ensure that the principles of data minimization and purpose limitation in processing are adhered to, and to ensure free and fair consent for data processing, the notice given to the Data Principal should incorporate additional elements as detailed in our submission.
  • The time period within which notices are to be issued in cases where consent has been given prior to the commencement of the Digital Personal Data Protection Act, 2023 (Act) should be prescribed.

2. Consent Managers (CMs):

  • The Rules should ensure CMs act as responsible custodians by requiring them to demonstrate prior experience in data handling, undergo periodic security certifications, and prevent the harvesting of consent metadata for unintended purposes.
  • Clarity on the techno-design elements of the Consent Management Platform (CMP) is essential to ascertain the extent to which the existing technological architecture can be utilized, and to ensure platform readiness.

3. Reasonable security safeguards:

To ensure meaningful personal data protection, the security safeguards must be robust and not left to interpretation. Minimum standards as to what constitutes reasonable security safeguards should be prescribed to help guide compliance.

4. Intimation of personal data breach:

In order to ensure compliance, the time period for intimation should be expressly prescribed.

5. Verifiable consent for the processing of personal data of a child or of a person with a disability who has a lawful guardian:

  • An approach that underscores the decisional autonomy of persons with disabilities and equips them with the necessary support for informed decision-making should be adopted.
  • By treating all persons under 18 as a monolithic category, the Rules fail to recognize the rights and agency of persons younger than 18. A rights-based approach that ensures the child’s best interests should be adopted.

6. Additional obligations of Significant Data Fiduciary (SDF):

Rule 12(3) requires that the SDF shall observe “due diligence” that the algorithmic software deployed by it is “not likely to pose a risk to the rights of Data Principals”. The vagueness in the terminology used may lead to circumvention and lack of compliance. Elements of a risk-based approach should be incorporated under the Rules to ensure a future-ready data protection framework.

7. Rights of the Data Principal:

  • The manner in which data erasure requests may be made by the Data Principal should be prescribed.
  • With respect to grievance redressal, Rule 13(3) provides that every Data Fiduciary and Consent Manager shall “publish the period under its grievance redressal system for responding to Data Principals’ grievances.” The determination of the time period should not be left to discretion; instead, a reasonable time period should be prescribed to ensure effective realization of Data Principals’ rights.

8. Processing of personal data outside India:

Sufficient clarity is needed on the type of requirements that the Central Government may impose with respect to the transfer of personal data outside India.

9. Exemption from research, archiving, or statistical purposes:

Definition of the terms “research”, “archiving”, and “statistical” along with the eligibility criteria for such processing is required to avoid ambiguity about who can invoke this exemption.

10. Calling for information from a Data Fiduciary or intermediary:

The grounds for invocation should not be overly broad, and safeguards should be introduced incorporating, amongst others, data minimization requirements.

You can read the full submission here.
