Introduction
The introduction of the Draft Data Protection Rules 2025 (“Draft Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDPA”) marks a significant step in India’s data protection journey.
In the previous part of the article, we looked at the provisions and rules related to the protection of children's data, intimation of personal data breaches, the timelines for such intimation, the government's oversight, and the implementation challenges corresponding to them.
In this part, we discuss the data retention policies and the classes of data fiduciaries defined by the government, and elaborate on the exemptions and powers of the Government under the Rules.
Understanding the Data Retention Framework in the Draft Rules
The Draft Rules, as outlined in Rule 8, introduce precise timelines for retaining personal data. Social media intermediaries with over 20 million users and online gaming intermediaries with over 5 million users are required to erase personal data after three years of user inactivity. This obligation is complemented by Rule 8(2), which mandates a 48-hour advance notification to users, allowing them to act before their data is erased. These measures aim to operationalize the “data minimization” principle emphasized in Section 9 of the Data Protection Act 2023.
In comparison, the European Union’s GDPR focuses on retaining personal data only as long as necessary for the purposes for which it was collected. While this provides flexibility, it lacks a mandatory notification mechanism like that in the Draft Rules. The Indian approach, although more prescriptive, enhances transparency and user awareness. However, the operational burden placed on businesses, especially smaller fiduciaries, remains a significant challenge. This divergence highlights the need to balance user-centric policies with practical implementation.
Another key consideration is the exception for retaining data to meet legal obligations or ensure compliance. While this aligns with global norms, the notification requirement in India’s framework provides a unique safeguard for users, making data retention more participatory. The framework also explicitly addresses scenarios involving unused user accounts and inactive interactions, specifying processes for data erasure. Such explicit detailing, while commendable, could introduce administrative complexities, particularly for smaller entities or those handling diverse user bases.
Furthermore, the Draft Rules emphasize a structured process for data retention audits. Entities are expected to periodically review stored data to ensure that it is retained only for specified and lawful purposes. This periodic review not only aligns with global best practices but also reinforces accountability among data fiduciaries. Striking a balance between these safeguards and the administrative complexity they introduce will be essential for the Draft Rules' success.
Significant Data Fiduciaries: Accountability and Oversight
The concept of Significant Data Fiduciaries (SDFs), as defined in Rule 12, reflects the Draft Rules' emphasis on accountability for entities managing vast or sensitive personal data. SDFs are required to conduct annual Data Protection Impact Assessments (DPIAs) and audits, and to ensure, under Rule 12(3), that their algorithms do not infringe upon the rights of data principals. This proactive approach aims to mitigate risks associated with large-scale data processing and enhance trust among users.
Despite these measures, the absence of clear criteria for SDF classification creates ambiguity. Sections 2(z) and 10 of the Data Protection Act 2023 introduced the concept but left the specifics to subsequent rules, resulting in operational uncertainties. Singapore's Data Protection Act offers a useful comparison, categorizing organizations based on data processing volume and sensitivity. Adopting similar criteria could ensure that India's framework is both predictable and equitable.
The emphasis on algorithmic accountability marks a progressive step in recognizing the risks posed by automated decision-making systems. However, without detailed guidelines, businesses may struggle to assess compliance effectively. This could lead to uneven enforcement and potential litigation. Aligning the Draft Rules with global best practices by incorporating risk-based obligations would strengthen their effectiveness while maintaining proportionality.
The SDF framework is a recognition of the disproportionate influence large-scale data handlers wield in digital ecosystems. Entities processing large volumes of sensitive personal data inherently pose greater risks to data security and privacy, necessitating heightened oversight. The inclusion of obligations such as algorithmic audits reflects an understanding of the evolving risks posed by artificial intelligence and machine learning technologies. However, without defined thresholds for classification as an SDF, organizations may face uncertainty, leading to challenges in early compliance readiness. Addressing this gap through precise criteria and risk-based assessments could enhance the Draft Rules’ efficacy.
Government Powers: Balancing Sovereignty and Privacy
The Draft Rules, under Rule 5, empower the central government to access personal data for purposes such as national security, sovereignty, and legal compliance. Schedule II outlines safeguards for processing data in these contexts, emphasizing lawful and secure practices. However, these provisions operationalize the exemptions granted in Section 18 of the Data Protection Act 2023 without introducing robust oversight mechanisms.
Internationally, the GDPR permits restrictions on data processing for public security or defense but mandates that these measures be necessary and proportionate. India’s rules appear less stringent in enforcing proportionality, raising concerns about potential overreach. Establishing an independent oversight body, akin to the GDPR’s Data Protection Authorities, could address these concerns while ensuring transparency and accountability.
Moreover, the Draft Rules allow government agencies to process personal data to provide public benefits, such as subsidies and services. While this aligns with the intent of public welfare, it underscores the need for stringent checks to prevent misuse. Transparent reporting and periodic audits could mitigate risks and enhance public confidence in data governance.
Penalties and Enforcement Mechanisms under the Draft Rules and DPDPA
The Digital Personal Data Protection Act, 2023, along with the Draft Rules 2025, introduces a robust penalty framework to ensure compliance with data protection norms. Section 25 of the DPDPA sets out significant penalties for non-compliance, which are designed to act as both deterrents and corrective mechanisms. For instance, entities failing to prevent data breaches or meet data fiduciary obligations could face fines up to ₹250 crores, depending on the severity and impact of the violation.
An innovative aspect of the enforcement mechanism appears in the rules, especially in Rule 13 (Rights of Data Principal), which requires the inclusion of grievance redressal provisions, allowing data principals to approach data fiduciaries for unresolved issues. The rules also further enforce what is given in Section 27 of the Principal Act, under which a data principal can send a complaint directly to the Board for an effective resolution of issues related to personal data breaches. While the intent behind the mechanism is commendable, its implementation and its capacity to handle the volume and variety of complaints remain to be seen.
The Data Protection Board also has the authority to mandate rectifications, including re-audits and compliance reviews, to prevent future violations. This dual approach of punitive and corrective enforcement strengthens the regulatory regime and encourages fiduciaries to adopt proactive compliance measures.
Conclusion
The Draft Data Protection Rules 2025 build on the foundation of the DPDPA by introducing operational clarity and detailed compliance measures. By emphasizing data retention audits, heightened accountability for Significant Data Fiduciaries, and safeguards for government access, the rules reflect India’s commitment to robust data protection. However, further refinements, such as more stringent oversight and enhanced support for smaller entities, can ensure that the framework balances privacy with innovation and operational feasibility. Collaborative efforts and periodic reviews will be pivotal in making this regulatory regime a cornerstone of India’s digital economy.
(This post has been authored by Yash Bhatnagar, an Editor at The Contemporary Law Forum)
CITE AS: Yash Bhatnagar, ‘India’s Draft Data Protection Rules 2025: An analytical primer of what lies ahead in the Indian Privacy Paradigm: Part 11’ (The Contemporary Law Forum, 10 January 2025) <https://tclf.in/2025/01/10/indias-draft-data-protection-rules-2025-an-analytical-primer-of-what-lies-ahead-in-the-indian-privacy-paradigm-part-11/>date of access