India Publishes Draft Digital Personal Data Protection Rules For Public Feedback

The DPDP Act was enacted in August 2023 after years of deliberation and revisions, following a landmark 2017 ruling by India’s Supreme Court that recognised privacy as a fundamental right under the Constitution

The Indian government has released a draft version of the Digital Personal Data Protection (DPDP) Rules, inviting public consultation until February 18, 2025. These rules aim to operationalise the Digital Personal Data Protection Act, 2023, providing citizens with enhanced rights over their personal data and setting stringent compliance requirements for organisations operating in India.

According to a statement by the Press Information Bureau (PIB) on Sunday, the rules emphasise the importance of clear communication and consent. “Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent,” the statement read. The rules also empower individuals to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their personal information.

Key Provisions for Citizen Rights & Corporate Responsibilities

The DPDP Rules propose significant measures to give citizens greater control over their personal data. These include options to provide informed consent for data processing, the right to request data deletion, and mechanisms to address grievances related to data misuse. Companies are required to adopt robust security measures, such as encryption, access controls, and regular data backups, to ensure data confidentiality and integrity.

The rules also mandate organisations to:

Report data breaches to the Data Protection Board (DPB) within 72 hours, detailing the events, mitigation actions, and, if possible, the identity of the individuals responsible.

Delete personal data that is no longer needed after three years, with prior notification to users 48 hours before the erasure.

Display contact details of a designated Data Protection Officer (DPO) on their websites or applications.

Obtain verifiable parental or guardian consent for processing personal data of minors or persons with disabilities, with exemptions for healthcare, education, safety, and transportation services.

Additionally, organisations deemed “significant data fiduciaries” must conduct annual Data Protection Impact Assessments (DPIAs) and audits, reporting the findings to the DPB.

For cross-border data transfers, the draft rules stipulate that specific categories of personal data must remain within India, with further details to be outlined by a specialised committee.

Safeguards & Penalties

The draft regulations propose safeguards for data processed by government agencies, requiring that such processing adhere to legal and policy standards while maintaining transparency.

Organisations that fail to safeguard personal data or notify the DPB of security breaches could face monetary penalties of up to ₹250 crore (USD 30 million).

Background & Recent Developments

The DPDP Act was enacted in August 2023 after years of deliberation and revisions, following a landmark 2017 ruling by India’s Supreme Court that recognised privacy as a fundamental right under the Constitution. The Act forms part of a broader effort to enhance digital governance and data security in the country.

This development comes just weeks after the Department of Telecommunications introduced the Telecommunications (Telecom Cyber Security) Rules, 2024. These regulations require telecom companies to report security incidents within six hours of detection and appoint a Chief Telecommunication Security Officer (CTSO), who must be an Indian citizen and resident.

However, concerns have been raised about potential overreach. The Internet Freedom Foundation (IFF) has criticised the removal of a clear definition for “traffic data” in the telecom rules, warning that the vague phrasing could lead to misuse.

Public Consultation

The Ministry of Electronics and Information Technology (MeitY) has called for public feedback on the draft DPDP Rules, assuring that submissions will remain confidential. This consultation process aims to refine the regulations to balance the interests of citizens, businesses, and government agencies, ensuring the effective protection of personal data while fostering a secure digital environment.