New Delhi: The Ministry of Electronics and Information Technology (MeitY) published, on 3 January, the draft rules under the Digital Personal Data Protection (DPDP) Act, 2023, which was passed by Parliament last year.
The long-awaited DPDP rules are now open for public consultation until February 18. They aim to operationalise the Act’s provisions and ensure robust data protection mechanisms across India’s digital ecosystem.
Key Highlights of the Draft Rules
Applicability and Structure
The draft, titled “Digital Personal Data Protection Rules, 2025,” applies to personal data processing within India and to entities offering goods or services to individuals in India. The rules encompass data fiduciaries, data processors, and consent managers, establishing detailed accountability measures.
Obligations of Data Fiduciaries
Under the draft rules, data fiduciaries are required to ensure transparency in their operations by providing concise and comprehensible notices to data principals (individuals). These notices must include:
- Categories of personal data being processed.
- Purpose of processing.
- Mechanisms for withdrawing consent and exercising rights under the Act.
Data fiduciaries must implement appropriate security measures, such as encryption and masking, to safeguard data. Regular audits and technical controls are mandated to prevent data breaches.
Consent and Consent Managers
Consent plays a central role in the draft rules for the DPDP Act. Consent managers, certified entities tasked with managing user consent, are obligated to:
- Enable individuals to provide, review, and withdraw consent for data processing.
- Maintain records of all consents in machine-readable formats.
- Ensure data processing methods do not allow unauthorized access to personal data.
The draft rules stipulate detailed eligibility and operational requirements for consent managers, including technical and financial capabilities.
Rights of Data Principals
Data principals are granted comprehensive rights, including:
- The right to access and correct their personal data.
- The right to erasure, subject to certain conditions.
- The right to grievance redressal through specified channels on fiduciaries’ websites or apps.
The DPDP rules also state that data principals must be informed about any data breaches within a specified timeframe.
Obligations for Significant Data Fiduciaries
Entities classified as significant data fiduciaries are subject to heightened compliance requirements. These include conducting periodic data protection impact assessments, audits, and algorithmic accountability checks. Hosting and transmission of sensitive personal data are restricted to ensure data sovereignty.
Provisions for Children and Persons with Disabilities
For processing children’s data, the draft rules require verifiable parental consent. The rules also specify measures for individuals with disabilities, including provisions for legal guardians to act on their behalf.
Cross-Border Data Transfers
The draft imposes restrictions on transferring personal data outside India, except to trusted jurisdictions approved by the Central Government. This measure aligns with India’s emphasis on data localization and sovereignty.
Grievance Redressal and Appeals
The DPDP draft rules outline a clear framework for grievance redressal. Fiduciaries are required to publish the contact details of data protection officers prominently. Appeals against orders of the Data Protection Board can be filed digitally with the Appellate Tribunal.
Sanctions and Compliance
The draft includes stringent penalties for non-compliance, such as failure to implement security measures, improper handling of data breaches, and violation of data principal rights. Fiduciaries must also ensure transparency by disclosing stakeholders, including promoters and directors, on their websites.
Exemptions and Specific Use Cases
Specific exemptions are detailed for processing data for research, archival, or statistical purposes, provided appropriate safeguards are maintained. Public sector entities offering government services may process personal data in accordance with predefined standards.
Retention Period for Personal Data
The draft DPDP Act rules specify a clear timeline for retaining personal data under the Third Schedule. Data fiduciaries are required to retain personal data for three years from the date on which the Data Principal last interacted with the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or from the commencement of the DPDP rules, whichever is later.
Public Consultation Process
The draft is open for feedback through the MyGov portal until February 18, 2025. MeitY has clarified that all objections and suggestions must be submitted publicly to ensure transparency. Suggestions sent privately will not be considered.
Once finalized, the rules will come into effect on dates specified for different sections. This phased implementation ensures sufficient time for entities to comply with the comprehensive framework.
The draft DPDP rules signify a significant step towards enhancing digital trust and data protection in India. Stakeholders across industries are expected to carefully evaluate these provisions and contribute to the consultation process.