DIGITAL PERSONAL DATA PROTECTION RULES, 2025

The government has released the draft Digital Personal Data Protection Rules, 2025 for public consultation. Once notified, the Rules will enable the effective implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).

Key Highlights of the Draft Rules

  • Significant Data Fiduciaries: Major tech firms like Meta, Google, Apple, Microsoft, and Amazon will be classified as significant data fiduciaries.
  • Data Protection Officer: Must be based in India, report to the Board, and handle communications from individuals regarding their data.
  • Transparency: Data Fiduciaries must ensure clear, accessible information and informed consent for data processing.
  • Data Transfer Restrictions: Personal data specified by the government cannot be transferred outside India.
  • Citizen Rights: Includes data erasure requests, digital nominees, and user-friendly data management.
  • Children’s Data: Requires verifiable parental consent for processing children’s data.
  • Data Protection Board: Operates digitally to resolve complaints efficiently.
  • Data Breach: Mandatory notification to affected individuals; penalties up to ₹250 crore for inadequate safeguards.

About Digital Personal Data Protection Act, 2023

  • Background:
    • Initiated in 2017 by the Justice B.N. Srikrishna Committee; evolved from the 2018 Data Protection Bill to the 2022 Digital Personal Data Protection Bill.
  • Scope:
    • Covers processing of digital personal data collected online or digitized offline, within or outside India, if related to offering goods/services in India.
  • Consent:
    • Data processing requires individual consent, except for specified legitimate uses like voluntary sharing or state purposes (e.g., permits, licenses, benefits).
  • Data Fiduciary Obligations:
    • Ensure data accuracy, security, and deletion after its purpose is served.
  • Individual Rights:
    • Includes access to information, correction, erasure, and grievance redressal.
  • Exemptions:
    • Government agencies can be exempted for reasons like state security, public order, or crime prevention.
  • Data Protection Board (DPB):
    • Adjudicates non-compliance and data breach complaints with civil court powers.
    • Members serve two-year terms, eligible for re-appointment.
    • The central government defines Board composition and selection.

Challenges in Implementation

  • Privacy Concerns: State exemptions in data processing may breach the fundamental right to privacy.
  • Regulation Gaps: Lacks provisions to address risks from personal data processing.
  • Data Transfer: Permits transfer abroad without stringent evaluation of protection standards.
  • Board Tenure: Short two-year term with re-appointment scope may compromise the Board’s independence.

Significance

  • Citizen Empowerment: Grants individuals greater control over their data.
  • Enhanced Trust: Informed consent, data erasure rights, and grievance mechanisms build trust.
  • Balanced Approach: Promotes growth while safeguarding citizen rights.
  • Efficient Redressal: Digital-first approach ensures quick and transparent complaint resolution.
