The ‘Principal’ Right Under Draft DPDP Rules 2025, Part 4

The Draft Digital Personal Data Protection Rules, 2025 (Draft Rules) under the Digital Personal Data Protection Act, 2023 (DPDPA) attempt to further the rights of Data Principals. A Data Principal is essentially a person whose personal data is being processed by a Data Fiduciary, which is the organization that collects the data.

The new rules provide a framework for this under Rule 13, impose additional obligations on Significant Data Fiduciaries in order to secure these rights from big corporations, and enforce restrictions on the international processing of data. A detailed analysis follows.

Rights of Data Principals

Sections 11 to 14 of the DPDPA provide for the rights of Data Principals with respect to their personal data, namely “the right to access information”, “the right to correction and erasure”, “the right of grievance redressal” and “the right to nominate”.

To enable the exercise of the rights of the Data Principal, Rule 13 of the Draft Rules mandates that the Consent Manager and the Data Fiduciary publish on their relevant platforms the manner in which a request for such exercise may be made, and the particulars required to confirm the identity of the Data Principal under its terms of service. The period under the system established for responding to the grievance must be provided as well, implementing appropriate organizational and technical measures.

The “right to nominate”, intended to secure the personal data of the Data Principal in the instance of a mishap, extends to the Data Principal nominating one or more nominees, whose details may be provided in accordance with the particulars published by the Data Fiduciary.

In order to secure “the right to correction and erasure” of the Data Principal, the Draft Rules provide that a request may be made to the Data Fiduciary to whom consent had previously been provided to process the data in question, by providing the details and using the means published by the Fiduciary in order to exercise such right. This provision eases matters for Data Principals by giving individuals control over their personal data, and sets out how Data Fiduciaries must act in order to be transparent and accountable. Rule 3 also states that the Data Principal must exercise their rights in a manner comparable to that in which they provided their consent, thus providing user-friendly mechanisms to facilitate these rights.

Significant Data Fiduciaries

In order to secure the rights of Data Principals from conglomerates, the Draft Rules provide stricter guidelines for entities classified as ‘Significant Data Fiduciaries’ as defined under Section 2(z) of the DPDPA read with Section 10. The DPDPA places onerous obligations on such Significant Data Fiduciaries as a result of the privacy risks associated with their extensive processing of sensitive personal data. Significant Data Fiduciaries have the responsibility of carrying out duties such as audits, impact assessments and any other measures as may be prescribed under law.

Under the Draft Rules, a Significant Data Fiduciary is mandated to conduct an audit and a “Data Protection Impact Assessment” every 12 (twelve) months from the date on which it is notified as such or the date of its inclusion in the class of Significant Data Fiduciaries. However, the time period for such regulatory audit or assessment under the Draft Rules might benefit from being reduced, in order to uncover irregularities and correct them within an appropriate timeframe. A report of the audit and assessment, with significant observations, is required to be furnished to the Data Protection Board by the person conducting such audit and assessment. This term, being vague, could create room for error or misuse of the provision to conceal concerning details.

The Draft Rules also require the Significant Data Fiduciary to undertake due diligence to verify that the algorithmic software adopted by it for the purposes of uploading, publishing, hosting, displaying, updating, storing, modifying, transmitting or sharing the data processed by it is not likely to pose a risk to the rights described in the initial section of this article. A committee shall be constituted to provide recommendations for the measures to be undertaken to ensure that the personal data is processed subject to the restriction that it is not transferred outside the country, unless the requirements as and when prescribed by the Central Government are met as under Rule 14.

The penalty for non-compliance by the Significant Data Fiduciary under Schedule I of the DPDPA may extend to INR 150,00,00,000/- (Indian Rupees One Hundred and Fifty Crore only). Therefore, the measures to be undertaken carry significant importance in protecting the Data Principals.

In summation, the rights provided to Data Principals under the Draft Rules, while intended to be protective, could be more comprehensively and definitely defined. While the fear of penalty remains, the open-ended provisions leave various loopholes that protect the Data Fiduciaries from liability.

 

 

Authors: Malaika Karia & Dev Agarwal