Meity has drafted the Digital Personal Data Protection Rules, 2025 to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act). It aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework. Stakeholder are invited to share feedback/comments on the draft Rules.
Please Click here to view Draft Digital Personal Data Protection Rules, 2025 and Click here to view Explanatory Note on Draft Digital Personal Data Protection Rules, 2025
In line with the SARAL framework, certain principles like simple language, unnecessary cross referencing, contextual definition, and illustrations etc. have been used while drafting the rules. The text of the Rules along with the simplified explanatory notes to enhance accessibility and understanding of the draft Rules is available on the Ministry’s website at https://www.meity.gov.in/data-protection-framework
The DPDP Act Does Not Prevent Spam Calls
In an interview with DD India, Ashwini Vaishnaw gave the example of insurance companies that share data with third parties, leading to citizens receiving unsolicited phone calls. He stated that the legal framework provides citizens with the right to protect their personal data.
It is important to note here that the DPDP Act does not require companies to inform users about third parties that they will be sharing the data with while obtaining consent. Further, the definition of processing also includes “sharing, disclosure by transmission, dissemination or otherwise making available.” This means that the legal framework proposed by the government does not necessarily prohibit data sharing with third parties.
Since companies don’t need to mention the third parties they share personal data with, there is no way for citizens to prevent companies from sharing their data with telemarketers while providing consent.
The DPDP Act does require Data Fiduciaries to share these details if a Data Principal requests it, after which they can identify the party responsible for unsolicited phone calls. However, citizens wouldn’t be able to prevent companies from sharing their data with telemarketers or even spammers, and may not file such requests until after they have already started receiving unsolicited phone calls.
Consent Notices in All Scheduled Languages:
Ashwini Vaishnaw stated in multiple interviews that companies would have to provide consent notices for data processing to users in all 22 languages mentioned in the Indian constitution. This attempt at inclusivity is commendable, as the 22 languages are spoken as a mother tongue 1.17 billion Indians. While this does leave out 230 million people, it is understandably impractical for consent notices to be provided in every Indian language. However, this attempt at inclusivity could introduce linguistic ambiguities as legal and technical terminologies may not translate perfectly, leading to misinterpretations.
The DPDP Act in Comparison With the GDPR:
In an interview with CNBC TV-18, the minister stated that he heard from international counterparts that the compliance burden of the General Data Protection Regulation (GDPR) killed the innovation ecosystem in Europe. “That will not happen, our innovation ecosystem will continue to grow with the proper framework,” he said.
Many people have argued that the GDPR places unreasonable compliance burdens on companies in the European Union (EU). The Center for Economic and Policy Research (CEPR) conducted a study and found out that companies saw an 8% reduction in profits and a 2% decrease in sales, following the GDPR.
These damages were predominantly borne by small and medium enterprises, with no evidence that tech giants like Facebook or Google saw any impact.
However, unlike the GDPR, the DPDPA does not allow for the use of publicly available personal data.
Parental Consent Under The DPDPA:
The Minister stated in an interview with NDTV that the platforms would have to seek consent from parents before processing the data of minors. For this, they would have to verify the age of the parent as well, which could be done with verified data points or virtual tokens of existing data on platforms like banks and schools.