Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Comparision Draft and Final Rules

  • All Blogs
  • Digital Personal Data Act, 2023
  • Comparision Draft and Final Rules
  • 17 July 2026 by
    Comparision Draft and Final Rules
    CKonnect

    Rule Number / Heading

    Draft Rules Summary 

    Final Rules Summary

    Difference (Added / Removed / Revised / Clarified)

    Impact Area

    Rule 1. Short title and commencement

    Provides a simple two-part commencement. Rules 3-15, 21, and 22 would come into force at a future date, and all others on publication.

    Establishes a detailed, four-part staggered implementation timeline:


    • Immediate: Rules 1, 2, 17-21 (Board setup).


    • 1 Year: Rule 4 (Consent Manager).


    • 18 Months: Rules 3, 5-16, 22-23 (Core Fiduciary obligations)

     

    Revised (Major). The Final Rules provide a detailed, phased compliance roadmap, which was absent in the Draft. This is a fundamental policy shift.

    Timelines

    Rule 2. Definitions

    Stated that all expressions have the meaning assigned in the Act.

    Adds specific definitions for

    (a) "Act,"

    (b) "techno-legal measures," (c) "user account,"           and

     (d) "verifiable consent".

    Added. The Final Rules add four crucial definitions. "User account" is moved from Draft Rule 7. "Verifiable consent" is newly defined.

    Consent, Children, Rights

    Rule 3. Notice given by Data Fiduciary

    Notice must contain an "itemised description" of personal data and "the specified purpose of" processing.

    Notice must contain an "itemised description" of data and "the specified purpose or purposes of, and specific description of" processing.

    Revised (Clarified). Clarifies that a notice can cover multiple purposes, but each requires a specific description, reinforcing the bar against bundling.

    Consent, Rights

    Rule 4. Registration and obligations of Consent Manager

    Outlines the registration process, conditions (in First Schedule), and obligations (in First Schedule) for Consent Managers.

    Identical to the Draft. Outlines the registration process, conditions (in First Schedule), and obligations (in First Schedule) for Consent Managers.

    No Change. The framework for Consent Managers, including the high bar for registration, is unchanged.

    Consent Manager, Consent

    Rule 5. Processing... by State

    Specifies conditions for State processing of personal data for subsidies, benefits, etc., under Sec 7(b) of the Act. References standards in Second Schedule.

    Wording is slightly revised for clarity but the substance is identical. It removes the direct reference to Sec 7(b) from sub-rule (1), as it is implicit. References standards in Second Schedule.

    Revised (Minor Clarification). No substantive change.

    Government

    Rule 6. Reasonable security safeguards

    Mandates safeguards including encryption, obfuscation, masking, or virtual tokens. Requires log retention for one year.

    Mandates safeguards such as encryption, obfuscation, masking, or virtual tokens. Requires log retention for one year. Also adds "wherever applicable" to access control (1)(b) and processor contracts (1)(f).

    Revised (Clarified). The change from "through" to "such as" makes the list of security measures illustrative, not exhaustive.

    Breach, SDF

    Rule 7. Intimation of personal data breach

    Intimation to Data Principal must include "timing and location of its occurrence". Intimation to Board within 72 hours. Defines "user account" in sub-rule (3).

    Intimation to Data Principal must include "timing of its occurrence". Intimation to Board within 72 hours. Definition of "user account" is removed.

    Revised (Clarified).


    • Removed: The impractical requirement to state the "location" of the breach in the notice to the Data Principal is removed.


    • Moved: Definition of "user account" is moved to Rule 2(c).

     

    Breach

    Rule 8. Time period for specified purpose...

    Governs erasure of data per Third Schedule when purpose is served. Requires 48-hour notice before erasure.

    Governs erasure per sub-rules (1) and (2) (identical to Draft).


    Adds sub-rule (3): Mandates a minimum one-year retention of personal data, traffic data, and logs for purposes in Seventh Schedule, even after purpose is served

     

    Added (Major). The addition of sub-rule 8(3) creates a new, mandatory data retention obligation that conflicts with the erasure obligation in 8(1). This is a fundamental change.

    Timelines, Government, Breach

    Rule 9. Contact information of person...

    Data Fiduciary must publish contact info of DPO or other person to answer questions.

    Identical to the Draft

    No Change.

    Rights

    Rule 10 (Draft). Verifiable consent for... child or... person with disability

    Bundles consent for children (verifying parent is an "identifiable adult") and persons with disability (verifying guardian is "appointed by a court...") into one rule.

    This rule only addresses "verifiable consent for... child". It simplifies the verification method for parents compared to the Draft.

    Revised (Major). The rule is split. Draft Rule 10 is bifurcated into Final Rule 10 (Children) and Final Rule 11 (Persons with disability).

    Children, Consent

    Rule 11 (Final). Verifiable consent for... person with disability

    (This was part of Draft Rule 10(2)).

    This is a new, standalone rule extracted from the Draft. It details the requirement to verify a lawful guardian is "appointed by a court of law, a designated authority or by a local level committee".

    Added (Structural). This new rule gives separate, detailed focus to the high verification bar for guardians of persons with disabilities.

    Rights, Consent

    Rule 11 (Draft) / Rule 12 (Final). Exemptions... for... child

    Draft Rule 11) Provides exemptions from Sec 9(1) and 9(3) of the Act for classes of Fiduciaries and purposes in Fourth Schedule.

    (Final Rule 12) Identical in substance to Draft Rule 11.

    No Change (Re-numbered). Rule is re-numbered due to the insertion of Final Rule 11.

    Children, Consent

    Rule 12 (Draft) / Rule 13 (Final). Additional obligations of Significant Data Fiduciary

    (Draft Rule 12) Requires annual DPIA and audit. Requires due diligence on "algorithmic software".

    (Final Rule 13) Requires annual DPIA and audit. Expands due diligence to "technical measures including algorithmic software". Adds sub-rule (5) defining the "committee" for localization recommendations.

    Revised (Clarified/Added).


    • Scope of diligence is broadened.


    • Procedural detail is added for the localization committee.

     

    SDF, Government

    Rule 13 (Draft) / Rule 14 (Final). Rights of Data Principals

    (Draft Rule 13) Requires Fiduciaries to publish a "period" for grievance redressal. Defines "identifier" in sub-rule (5).

    (Final Rule 14) Mandates a grievance redressal period "not exceeding ninety days". Expands definition of "identifier" in sub-rule (5) to include "email address, mobile number".

    Revised (Major).


    • Added: A mandatory 90-day SLA for grievance redressal.


    • Revised: Definition of "identifier" is expanded, making it easier for users to make requests but harder for Fiduciaries to authenticate.

     

    Rights, Timelines

    Rule 14 (Draft) / Rule 15 (Final). Processing of personal data outside India

    (Draft Rule 14) States cross-border transfers are subject to restrictions specified by the Central Government on making data available to a foreign State or entity.

    (Final Rule 15) Title changed to "Transfer... outside... India." Wording is slightly clarified, but the substance is identical to the Draft.

    Revised (Minor Clarification). No substantive change. The "negative list" approach is maintained.

    Cross-Border

    Rule 15 (Draft) / Rule 16 (Final). Exemption for research...

    (Draft Rule 15) Exempts processing for research, archiving, or statistical purposes if done per standards in Second Schedule.

    (Final Rule 16) Identical to Draft Rule 15.

    No Change (Re-numbered).

    Government

    Rule 16 (Draft) / Rule 17 (Final). Appointment of Chairperson and other Members

    (Draft Rule 16) Details the composition of the Search-cum-Selection Committees for the Board.

    (Final Rule 17) Identical to Draft Rule 16.

    No Change (Re-numbered).

    Government

    Rule 17 (Draft) / Rule 18 (Final). Salary, allowances...

    (Draft Rule 17) Specifies terms and conditions of service for Board members per Fifth Schedule.

    (Final Rule 18) Identical to Draft Rule 17.

    No Change (Re-numbered).

    Government

    Rule 18 (Draft) / Rule 19 (Final). Procedure for meetings of Board...

    (Draft Rule 18) Details Board procedures (quorum, voting, etc.). Sets a 6-month inquiry timeline (extendable by 3 months).

    (Final Rule 19) Identical to Draft Rule 18.

    No Change (Re-numbered).

    Government, Timeline

    Rule 19 (Draft) / Rule 20 (Final). Functioning of Board as digital office

    (Draft Rule 19) States Board will function as a digital office and may adopt "techno-legal measures"

    (Final Rule 20) Identical to Draft Rule 19

    No Change (Re-numbered).

    Government

    Rule 20 (Draft) / Rule 21 (Final). Terms and conditions... of officers and employees of Board

    (Draft Rule 20) Specifies terms for Board staff per Sixth Schedule

    (Final Rule 21) Identical to Draft Rule 20, but removes the specific manner of appointment ("in such manner as the Central Government may... specify").

    Revised (Minor). Minor simplification of appointment language

    Government

     

     

     

                  

    Rule 21 (Draft) / Rule 22 (Final). Appeal to Appellate Tribunal

    (Draft Rule 21) Details procedure for appeal to TDSAT, including digital filing and fees. States Tribunal will function as a digital office with "techno-legal measures".

    (Final Rule 22) Identical to Draft Rule 21, but simplifies digital filing language and removes specification of payment systems ("UPI or such other...").

    Revised (Minor Clarification). No substantive change.

    Government

    Rule 22 (Draft) / Rule 23 (Final). Calling for information...

    (Draft Rule 22) Empowers Central Govt to call for info from Fiduciaries/intermediaries for purposes in Seventh Schedule, and to prohibit disclosure of such a request

    (Final Rule 23) Splits the Draft rule into two sub-rules for clarity: (1) power to call for info, and (2) power to prohibit disclosure (gag order). Substance is identical. Also adds definition of "intermediary" in sub-rule (3)

    Revised (Clarified). Better drafting for clarity. No substantive change to the government's power.

    Government

    First Schedule. Consent Manager

    (Parts A & B) Details conditions for registration (e.g., Rs. 2 Cr net worth) and obligations (e.g., data-blind, fiduciary capacity, conflict of interest).

    (Parts A & B) Identical to the Draft.

    No Change.

    Consent Manager

    Second Schedule. Standards for processing... by State

    Details standards for State processing (e.g., lawful, purpose limitation, accuracy, retention, security safeguards).

    Details standards for State processing. The only change is in point (d): Draft required "reasonable efforts to ensure the accuracy." Final requires "reasonable efforts to ensure the completeness, accuracy and consistency".

    Revised (Minor). Adds "completeness" and "consistency" to the data quality standard for State processing, slightly increasing the burden

    Government

    Third Schedule. Time period for erasure

    Lists classes of Fiduciaries (e-comm, gaming, social media) and mandates 3-year erasure period. Defines "social media intermediary" by reference to IT Act, 2000.

    Identical table and 3-year period. Note (c) is changed to define "social media intermediary" by reference to the IT (Intermediary Guidelines...) Rules, 2021.

    Revised (Clarified). The definition of "social media intermediary" is updated to harmonize with the IT Rules, 2021, providing greater legal certainty.

    SDF, Timelines

    Fourth Schedule. Exemptions for... child

    (Part A) Exempts certain Fiduciaries (e.g., clinical, educational) from parental consent. (Part B) Exempts certain purposes (e.g., state functions, email creation, blocking harmful information).

    (Part A) Identical to Draft. (Part B) Adds two new exemptions: 4. "For the determination of real-time location..." and 5. "For ensuring that any information, service or advertisement... is not accessible..."

    Added (Major). The Final Rules add significant new exemptions for processing children's data without parental consent, specifically for location tracking and blocking harmful ads/services.

    Children, Consent

    Fifth Schedule. Terms and conditions... of Board

    Details salary (Chairperson Rs. 4.5L, Member Rs. 4L), allowances, leave, etc., for Board members

    Identical to the Draft.

    No Change.

    Government

    Sixth Schedule. Terms and conditions... of Board staff

    Details terms for Board officers and employees (deputation, gratuity, leave, etc.).

    Identical to the Draft

    No Change.

    Government

    Seventh Schedule. Calling for information...

    Lists purposes for which Central Govt can call for info under Draft Rule 22 (e.g., security of State, SDF assessment)

    Lists identical purposes for Final Rule 23. Adds "and 8(3)" to the Schedule title, explicitly linking these government purposes to the new one-year retention mandate.

    Added (Major). The addition of the reference to Rule 8(3) is a critical change, providing the legal basis for the new retention mandate.

    Government, Breach, Timelines

     By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Children’s Data & Parental Consent Requirements
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies