The Ministry of Electronics and Information Technology (MeitY) has released the much-anticipated draft rules for the Digital Personal Data Protection (DPDP) Act, 2023. Passed by Parliament in August last year, the Act is a landmark step toward safeguarding personal data in India. The draft rules, unveiled on 3 January, are open for public consultation until 18 February 2025 via the MyGov portal.
The DPDP Act, designed to provide robust safeguards against misuse of personal data, has been eagerly awaited by the industry for clarity on compliance and operational responsibilities. The draft rules outline key provisions, including mechanisms for data protection, user rights, and the establishment of a regulatory framework.
What Does This Mean for India?
The draft rules move India closer to joining the global league of nations with comprehensive data protection frameworks. They mandate explicit consent for data processing, set conditions for cross-border data transfers, and require stringent measures for handling breaches.
Provisions for minors’ data and guidelines for the Data Protection Board (DPB) highlight the government's intent to balance user privacy with operational flexibility for businesses.
The regulations address crucial aspects such as data collection notifications, a consent management framework, and safeguards for processing children's personal information.
What Do The Draft Rules Say?
The draft rules provide comprehensive guidelines to strengthen data protection in India. They focus on enhancing user consent mechanisms, safeguarding children's data, establishing a regulatory body for oversight, and setting clear protocols for data breaches and cross-border data transfers.
The draft rules state that a data fiduciary must employ measures to verify a parent's consent to process the personal data of children or persons with disabilities who have lawful guardians.
“A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with a disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship,” it stated.
Data Protection Board (DPB): A regulatory authority proposed to operate as a digital office, the DPB will conduct remote hearings and hold powers to investigate breaches and impose penalties. It will oversee the implementation of data protection measures and clarify the roles and service conditions for the chairperson and board members.
User rights: Individuals, termed Data Principals, can request access to or erasure of their personal data. Companies, referred to as Data Fiduciaries, must comply with strict timelines for addressing user requests and resolving grievances.
Consent management: The draft outlines a robust consent framework. Consent managers responsible for facilitating and managing user permissions must register with the DPB and meet a minimum net worth requirement of Rs 12 crore.
Children’s data: Special provisions ensure parental consent verification for processing children’s data, utilising government-issued IDs or digital tokens linked to identity services like DigiLocker. Exemptions are provided for educational and child welfare organisations under specific conditions.
Data breaches and notifications: Data Fiduciaries are required to notify affected users of breaches and implement mitigation measures. These measures aim to enhance transparency and trust between users and organisations.
Retention and erasure: Clear timelines have been established for the retention and erasure of personal data, particularly when user consent is withdrawn or the purpose of processing is fulfilled.
For cross-border data transfers, the draft rules mandate that significant data fiduciaries implement measures to ensure that personal data, specified by the Central Government based on a committee's recommendations, is processed with the restriction that neither the personal data nor the associated traffic data are transferred outside India.
Industry experts view the draft rules as a significant step toward aligning India’s data protection framework with global standards. With detailed guidelines on operationalising the DPDP Act, the government seeks to balance user privacy rights with the digital economy's growth.
For stakeholders, the release offers an opportunity to influence the implementation of a critical law that will shape India's data governance landscape. However, according to MeitY, individual submissions will be kept confidential, and the department will only publish a summary of inputs after finalising the process.