Privacy & Information Security Law Blog

Earlier this month, the Centre for Information Policy Leadership at Hunton submitted a response (the “Response”) to India’s Ministry of Electronics and Information Technology (“MeitY”) regarding the Draft Digital Personal Data Protection Rules 2025 (the “Draft Rules”), which were published on January 3, 2025. The Draft Rules provide greater detail on a number of statutory provisions of India’s Digital Personal Data Protection Act 2023 (the “Act”).

As detailed further in the Response, it is CIPL’s view that given the complexities involved for certain operational and technical requirements of the Draft Rules, MeitY should consider a staggered or phased implementation period, particularly with respect to Rule 10 (which addresses verifiable consent) and Rule 13 (which addresses consent managers).

CIPL included the following comments in its Response, among others:

• Rule 3 (notice): the notice requirements as drafted could be interpreted as requiring unwieldy and long notices that do not benefit the relevant individuals.
• Rule 4 (consent managers): the rule fails to address the interoperability of platforms maintained by different consent managers and to what extent such platforms must be interoperable with systems used by data fiduciaries.
• Rule 6 (security): the rule should be amended to provide organizations with a degree of flexibility to employ context-specific security safeguards, as opposed to setting a “minimum” requirement.
• Rule 7 (incident notification): the rule should require notification of a personal data breach only where the breach is material, i.e., where it is likely to result in significant harm to individuals.
• Rule 8 (retention and deletion): the rule should adopt accountability-based safeguards for data fiduciaries, such as risk assessments and privacy enhancing measures, to determine appropriate retention and deletion practices based on context.
• Rule 10 (verifiable consent): the rule requires further clarification on key terms, such as “identity” and “age,” and whether data fiduciaries may meet their compliance obligations based on self-declarations and supporting documents provided by individuals claiming guardianship.
• Rule 11 (children’s data exemptions): exemptions for processing children’s data should be broadened to include the personalization of services that do not otherwise have detrimental effects on children.
• Rule 12 (significant data fiduciary): MeitY should provide guidance establishing a clear threshold for an entity’s designation as a “Significant Data Fiduciary,” and modify the rule to either delete the reference to algorithmic software, or limit its coverage to address situations that pose significant risk.
• Rule 14 (international transfers): the rule should be amended to explicitly recognize lawful data transfer mechanisms that align with global standards—such as standard data protection clauses, binding corporate rules, certification mechanisms, or binding schemes such as Global Cross Border Privacy Rules—thereby ensuring that personal data remains protected while enabling India to remain an active participant in the global digital economy.

View CIPL’s full comments.