Source: X
New Year, New Rules! No prizes for guessing what we’re talking about. If you've been following us, you already know we’ve been sprinkling memes here and there in earlier editions about how eagerly we have been waiting for *drumroll* the draft Digital Personal Data Protection Rules, 2025 (Rules). And just like that, with the New Year (and a slightly late Xmas gift from the IT Ministry), we’re now setting sail towards the world of data protection compliance.
It’s been a rollercoaster, and with our tech policy friends and fam, we’re all on this ride together. So, after quickly exchanging a flurry of ‘sad-happy weekend to us!’ messages, followed by a collective sigh (yep, we’ve all been there), we put on our analysis hats and got to work. You can read our preliminary analysis here. Our partners Nehaa and Sreenidhi also spent some time unpacking and talking about the rules – specifically how they impact B2C businesses – and that recording is here.
Amidst the flood of information that has been doing the rounds, we’ve got your back by adding another one to the pile. And so, this edition is laser-focused on the Rules.
We start by going back in time and refreshing the story surrounding the origins of the Rules — from the passing of the Act to the numerous events that delayed their launch over the past year. Then, we get into the weeds: spotlighting hot-cake issues, capturing some of the reactions and ‘wait, what?’ moments. We round up with some in-house expert takes on questions that we and the broader ecosystem have been grappling with. In case you have any specific queries for our team, shoot away! You can reach out to us at data@ikigailaw.com.
Even though this newsletter is all. about. data. — we will indulge in a minor deviation to discuss a couple of important updates on AI and content moderation.
Let’s rewind it a bit
Back in 2012, the visionary Justice A.P. Shah presented a report calling for better protection of individuals’ privacy in India. But it took over a decade — after a Supreme Court ruling recognizing the right to privacy; the Srikrishna committee report exploring potential regulatory approaches; and not one, but several draft bills — for the Digital Personal Data Protection Act, 2023 (DPDP Act) to come to life in August 2023.
And we were told the rules to operationalize this Act would be rolled out immediately after. But then, something hit the brakes. The hold-up? Reportedly, there were industry concerns regarding how to technically operationalize verifiable parental consent. Oh, and the Ministry of Home Affairs had to give its stamp of approval as well. The result? Businesses found themselves stuck and restless — in a waiting game worse than Bengaluru’s traffic.
Finally, after what seemed like an eternity (at least to us), the IT Ministry, doing its best rendition of ‘thank god it’s Friday’, released the Draft Rules for public consultation on January 3, 2025. The deadline for submitting comments on the draft is February 18, 2025; so, if you want to get your two cents in, now's the time! (Psst: some have sought an extension of this deadline, which reportedly might just be granted.)
Hot-cake issues
- The phased roll-out: The DPDP Rules will be enforced in phases. Upon coming into force, the rules relating to the details of the Data Protection Board (Rules 16-20) will take effect immediately. The rest of the rules (Rules 3-15 and 21-22) will follow a more staggered timeline. Basically, there’s room to breathe — but only for a little while. Minister Vaishnaw has already shared that there will be a two-year transition period to help everyone shift to the new regime. Translation? You’ve got time, but you need to start working now. He also shared that the goal is to have the final rules in place by mid-2025 (in time for the monsoon session), so mark your calendars.
- Notice and consent: The Act and the Rules pretty much go hand-in-hand when it comes to these provisions. Privacy notices and consent requests must be available not only in English, but in any of the 22 scheduled languages of India. The notice must also include: what personal data you’re collecting, why you’re collecting it, how consumers can exercise their rights, how to revoke consent, and how to file complaints with the Data Protection Board. On top of this, data fiduciaries (DFs), i.e. those who determine how and why personal data is being processed, must ensure that the notice meets the other requirements of being crystal clear, easy to digest, and, of course, totally unambiguous. In 22 languages. Good luck y’all.
- Extra love and care for children’s data?: The DPDP Act requires organizations to obtain parental consent before processing a child’s data. Here’s where it gets interesting: instead of forcing everyone into a one-size-fits-all box, the Rules seemingly take a more flexible approach, clarifying that DFs can adopt ‘appropriate technical and organisational standards’ to obtain this consent (Rule 10). While this will generally depend on the nature of the business and the content accessible on a website or application, there are open questions over what counts as ‘appropriate’. The IT Minister said that the Rules will evolve based on learnings from their implementation, and accordingly these provisions may be refined even after implementation. Others have raised concerns that this potentially means age-gating the entire internet. There are also exemptions offered to healthcare and educational institutions, and for purposes like opening a user account, among others.