India: Ministry of Electronics and Information Technology opened consultation on Digital Personal Data Protection Rules 2025 including data protection regulation

On 3 January 2025, the Ministry of Electronics and Information Technology opened a public consultation on the draft Digital Personal Data Protection Rules, 2025, until 5 March 2025. The rules implement the provisions under the Digital Personal Data Protection Act of 2023, focusing on establishing frameworks for the protection of personal data. It outlines the principles governing consent, data fiduciaries' responsibilities, and the security measures required to safeguard personal data. The measures include encryption, access control, and ensuring transparency in data collection. The rules contain provisions on the registration and obligations of consent managers. The rules also mandate that data principals have rights to access, correct, and erase their data, with some exceptions for research or statistical purposes. Additionally, data fiduciaries must erase personal data if no action is taken by the data principal within a specified period and ensure parental consent is obtained for children or individuals with disabilities. Furthermore, significant data fiduciaries are mandated to conduct regular Data Protection Impact Assessments and audits to mitigate risks to data privacy.