|
Rule Number / Heading |
Draft Rules Summary |
Final Rules Summary |
Difference (Added / Removed / Revised / Clarified) |
Impact Area |
|
Rule 1. Short title and commencement |
Provides a simple two-part commencement. Rules 3-15, 21, and 22 would come into force at a future date, and all others on publication. |
Establishes a detailed, four-part staggered implementation timeline:
• Immediate: Rules 1, 2, 17-21 (Board setup).
• 1 Year: Rule 4 (Consent Manager).
• 18 Months: Rules 3, 5-16, 22-23 (Core Fiduciary obligations)
|
Revised (Major). The Final Rules provide a detailed, phased compliance roadmap, which was absent in the Draft. This is a fundamental policy shift. |
Timelines |
|
Rule 2. Definitions |
Stated that all expressions have the meaning assigned in the Act. |
Adds specific definitions for (a) "Act," (b) "techno-legal measures," (c) "user account," and (d) "verifiable consent". |
Added. The Final Rules add four crucial definitions. "User account" is moved from Draft Rule 7. "Verifiable consent" is newly defined. |
Consent, Children, Rights |
|
Rule 3. Notice given by Data Fiduciary |
Notice must contain an "itemised description" of personal data and "the specified purpose of" processing. |
Notice must contain an "itemised description" of data and "the specified purpose or purposes of, and specific description of" processing. |
Revised (Clarified). Clarifies that a notice can cover multiple purposes, but each requires a specific description, reinforcing the bar against bundling. |
Consent, Rights |
|
Rule 4. Registration and obligations of Consent Manager |
Outlines the registration process, conditions (in First Schedule), and obligations (in First Schedule) for Consent Managers. |
Identical to the Draft. Outlines the registration process, conditions (in First Schedule), and obligations (in First Schedule) for Consent Managers. |
No Change. The framework for Consent Managers, including the high bar for registration, is unchanged. |
Consent Manager, Consent |
|
Rule 5. Processing... by State |
Specifies conditions for State processing of personal data for subsidies, benefits, etc., under Sec 7(b) of the Act. References standards in Second Schedule. |
Wording is slightly revised for clarity but the substance is identical. It removes the direct reference to Sec 7(b) from sub-rule (1), as it is implicit. References standards in Second Schedule. |
Revised (Minor Clarification). No substantive change. |
Government |
|
Rule 6. Reasonable security safeguards |
Mandates safeguards including encryption, obfuscation, masking, or virtual tokens. Requires log retention for one year. |
Mandates safeguards such as encryption, obfuscation, masking, or virtual tokens. Requires log retention for one year. Also adds "wherever applicable" to access control (1)(b) and processor contracts (1)(f). |
Revised (Clarified). The change from "through" to "such as" makes the list of security measures illustrative, not exhaustive. |
Breach, SDF |
|
Rule 7. Intimation of personal data breach |
Intimation to Data Principal must include "timing and location of its occurrence". Intimation to Board within 72 hours. Defines "user account" in sub-rule (3). |
Intimation to Data Principal must include "timing of its occurrence". Intimation to Board within 72 hours. Definition of "user account" is removed. |
Revised (Clarified).
• Removed: The impractical requirement to state the "location" of the breach in the notice to the Data Principal is removed.
• Moved: Definition of "user account" is moved to Rule 2(c).
|
Breach |
|
Rule 8. Time period for specified purpose... |
Governs erasure of data per Third Schedule when purpose is served. Requires 48-hour notice before erasure. |
Governs erasure per sub-rules (1) and (2) (identical to Draft).
Adds sub-rule (3): Mandates a minimum one-year retention of personal data, traffic data, and logs for purposes in Seventh Schedule, even after purpose is served
|
Added (Major). The addition of sub-rule 8(3) creates a new, mandatory data retention obligation that conflicts with the erasure obligation in 8(1). This is a fundamental change. |
Timelines, Government, Breach |
|
Rule 9. Contact information of person... |
Data Fiduciary must publish contact info of DPO or other person to answer questions. |
Identical to the Draft |
No Change. |
Rights |
|
Rule 10 (Draft). Verifiable consent for... child or... person with disability |
Bundles consent for children (verifying parent is an "identifiable adult") and persons with disability (verifying guardian is "appointed by a court...") into one rule. |
This rule only addresses "verifiable consent for... child". It simplifies the verification method for parents compared to the Draft. |
Revised (Major). The rule is split. Draft Rule 10 is bifurcated into Final Rule 10 (Children) and Final Rule 11 (Persons with disability). |
Children, Consent |
|
Rule 11 (Final). Verifiable consent for... person with disability |
(This was part of Draft Rule 10(2)). |
This is a new, standalone rule extracted from the Draft. It details the requirement to verify a lawful guardian is "appointed by a court of law, a designated authority or by a local level committee". |
Added (Structural). This new rule gives separate, detailed focus to the high verification bar for guardians of persons with disabilities. |
Rights, Consent |
|
Rule 11 (Draft) / Rule 12 (Final). Exemptions... for... child |
Draft Rule 11) Provides exemptions from Sec 9(1) and 9(3) of the Act for classes of Fiduciaries and purposes in Fourth Schedule. |
(Final Rule 12) Identical in substance to Draft Rule 11. |
No Change (Re-numbered). Rule is re-numbered due to the insertion of Final Rule 11. |
Children, Consent |
|
Rule 12 (Draft) / Rule 13 (Final). Additional obligations of Significant Data Fiduciary |
(Draft Rule 12) Requires annual DPIA and audit. Requires due diligence on "algorithmic software". |
(Final Rule 13) Requires annual DPIA and audit. Expands due diligence to "technical measures including algorithmic software". Adds sub-rule (5) defining the "committee" for localization recommendations. |
Revised (Clarified/Added).
• Scope of diligence is broadened.
• Procedural detail is added for the localization committee.
|
SDF, Government |
|
Rule 13 (Draft) / Rule 14 (Final). Rights of Data Principals |
(Draft Rule 13) Requires Fiduciaries to publish a "period" for grievance redressal. Defines "identifier" in sub-rule (5). |
(Final Rule 14) Mandates a grievance redressal period "not exceeding ninety days". Expands definition of "identifier" in sub-rule (5) to include "email address, mobile number". |
Revised (Major).
• Added: A mandatory 90-day SLA for grievance redressal.
• Revised: Definition of "identifier" is expanded, making it easier for users to make requests but harder for Fiduciaries to authenticate.
|
Rights, Timelines |
|
Rule 14 (Draft) / Rule 15 (Final). Processing of personal data outside India |
(Draft Rule 14) States cross-border transfers are subject to restrictions specified by the Central Government on making data available to a foreign State or entity. |
(Final Rule 15) Title changed to "Transfer... outside... India." Wording is slightly clarified, but the substance is identical to the Draft. |
Revised (Minor Clarification). No substantive change. The "negative list" approach is maintained. |
Cross-Border |
|
Rule 15 (Draft) / Rule 16 (Final). Exemption for research... |
(Draft Rule 15) Exempts processing for research, archiving, or statistical purposes if done per standards in Second Schedule. |
(Final Rule 16) Identical to Draft Rule 15. |
No Change (Re-numbered). |
Government |
|
Rule 16 (Draft) / Rule 17 (Final). Appointment of Chairperson and other Members |
(Draft Rule 16) Details the composition of the Search-cum-Selection Committees for the Board. |
(Final Rule 17) Identical to Draft Rule 16. |
No Change (Re-numbered). |
Government |
|
Rule 17 (Draft) / Rule 18 (Final). Salary, allowances... |
(Draft Rule 17) Specifies terms and conditions of service for Board members per Fifth Schedule. |
(Final Rule 18) Identical to Draft Rule 17. |
No Change (Re-numbered). |
Government |
|
Rule 18 (Draft) / Rule 19 (Final). Procedure for meetings of Board... |
(Draft Rule 18) Details Board procedures (quorum, voting, etc.). Sets a 6-month inquiry timeline (extendable by 3 months). |
(Final Rule 19) Identical to Draft Rule 18. |
No Change (Re-numbered). |
Government, Timeline |
|
Rule 19 (Draft) / Rule 20 (Final). Functioning of Board as digital office |
(Draft Rule 19) States Board will function as a digital office and may adopt "techno-legal measures" |
(Final Rule 20) Identical to Draft Rule 19 |
No Change (Re-numbered). |
Government |
|
Rule 20 (Draft) / Rule 21 (Final). Terms and conditions... of officers and employees of Board |
(Draft Rule 20) Specifies terms for Board staff per Sixth Schedule |
(Final Rule 21) Identical to Draft Rule 20, but removes the specific manner of appointment ("in such manner as the Central Government may... specify"). |
Revised (Minor). Minor simplification of appointment language |
Government
|
|
Rule 21 (Draft) / Rule 22 (Final). Appeal to Appellate Tribunal |
(Draft Rule 21) Details procedure for appeal to TDSAT, including digital filing and fees. States Tribunal will function as a digital office with "techno-legal measures". |
(Final Rule 22) Identical to Draft Rule 21, but simplifies digital filing language and removes specification of payment systems ("UPI or such other..."). |
Revised (Minor Clarification). No substantive change. |
Government |
|
Rule 22 (Draft) / Rule 23 (Final). Calling for information... |
(Draft Rule 22) Empowers Central Govt to call for info from Fiduciaries/intermediaries for purposes in Seventh Schedule, and to prohibit disclosure of such a request |
(Final Rule 23) Splits the Draft rule into two sub-rules for clarity: (1) power to call for info, and (2) power to prohibit disclosure (gag order). Substance is identical. Also adds definition of "intermediary" in sub-rule (3) |
Revised (Clarified). Better drafting for clarity. No substantive change to the government's power. |
Government |
|
First Schedule. Consent Manager |
(Parts A & B) Details conditions for registration (e.g., Rs. 2 Cr net worth) and obligations (e.g., data-blind, fiduciary capacity, conflict of interest). |
(Parts A & B) Identical to the Draft. |
No Change. |
Consent Manager |
|
Second Schedule. Standards for processing... by State |
Details standards for State processing (e.g., lawful, purpose limitation, accuracy, retention, security safeguards). |
Details standards for State processing. The only change is in point (d): Draft required "reasonable efforts to ensure the accuracy." Final requires "reasonable efforts to ensure the completeness, accuracy and consistency". |
Revised (Minor). Adds "completeness" and "consistency" to the data quality standard for State processing, slightly increasing the burden |
Government |
|
Third Schedule. Time period for erasure |
Lists classes of Fiduciaries (e-comm, gaming, social media) and mandates 3-year erasure period. Defines "social media intermediary" by reference to IT Act, 2000. |
Identical table and 3-year period. Note (c) is changed to define "social media intermediary" by reference to the IT (Intermediary Guidelines...) Rules, 2021. |
Revised (Clarified). The definition of "social media intermediary" is updated to harmonize with the IT Rules, 2021, providing greater legal certainty. |
SDF, Timelines |
|
Fourth Schedule. Exemptions for... child |
(Part A) Exempts certain Fiduciaries (e.g., clinical, educational) from parental consent. (Part B) Exempts certain purposes (e.g., state functions, email creation, blocking harmful information). |
(Part A) Identical to Draft. (Part B) Adds two new exemptions: 4. "For the determination of real-time location..." and 5. "For ensuring that any information, service or advertisement... is not accessible..." |
Added (Major). The Final Rules add significant new exemptions for processing children's data without parental consent, specifically for location tracking and blocking harmful ads/services. |
Children, Consent |
|
Fifth Schedule. Terms and conditions... of Board |
Details salary (Chairperson Rs. 4.5L, Member Rs. 4L), allowances, leave, etc., for Board members |
Identical to the Draft. |
No Change. |
Government |
|
Sixth Schedule. Terms and conditions... of Board staff |
Details terms for Board officers and employees (deputation, gratuity, leave, etc.). |
Identical to the Draft |
No Change. |
Government |
|
Seventh Schedule. Calling for information... |
Lists purposes for which Central Govt can call for info under Draft Rule 22 (e.g., security of State, SDF assessment) |
Lists identical purposes for Final Rule 23. Adds "and 8(3)" to the Schedule title, explicitly linking these government purposes to the new one-year retention mandate. |
Added (Major). The addition of the reference to Rule 8(3) is a critical change, providing the legal basis for the new retention mandate. |
Government, Breach, Timelines |
17 July 2026
by
CKonnect