The Ministry of Electronics and Information Technology (MeitY) released the draft rules today for the Digital Personal Data Protection (DPDP) Act, 2023, which was passed by Parliament last year. These draft rules, now open for public consultation until February 18, 2025, aim to provide a robust framework for data protection in India’s digital landscape.
Key Aspects of the Draft Rules
Applicability and Structure
The “Digital Personal Data Protection Rules, 2025” apply to all entities processing personal data within India and to those offering goods or services to individuals in India. The rules define the roles of data fiduciaries, data processors, and consent managers, laying out detailed accountability measures for each.
Responsibilities of Data Fiduciaries
Data fiduciaries must ensure transparency and accountability in their data processing activities. This includes providing individuals with clear notices about:
- The types of personal data being processed.
- The purposes for processing the data.
- How individuals can withdraw consent or exercise their rights.
Fiduciaries are also required to implement security measures, such as encryption, and conduct regular audits to prevent data breaches.
Consent and Consent Managers
Consent is a central theme in the draft rules. Certified consent managers are tasked with managing user consent. These entities must ensure that individuals can provide, review, and withdraw consent easily. They are also required to maintain records of consent in machine-readable formats and ensure data processing methods prevent unauthorized access.
Rights of Data Principals
Data principals (individuals) are granted several rights, including the right to:
- Access and correct their personal data.
- Request the erasure of their data under certain conditions.
- File grievances through specified channels.
The rules also mandate that individuals be informed of any data breaches within a set time frame.
Significant Data Fiduciaries
Entities classified as significant data fiduciaries face more stringent compliance requirements, such as conducting regular data protection impact assessments, audits, and algorithmic accountability checks. These entities must also ensure the hosting and transmission of sensitive data complies with Indian data sovereignty regulations.
Protection for Children and Disabled Persons
For processing children’s data, verifiable parental consent is required. The rules also include provisions for individuals with disabilities, allowing legal guardians to act on their behalf.
Cross-Border Data Transfers
The draft rules impose restrictions on the transfer of personal data outside India, allowing such transfers only to jurisdictions approved by the Central Government, in line with India’s push for data localization and sovereignty.
Grievance Redressal and Appeals
The draft outlines a clear framework for grievance redressal, with fiduciaries required to publicly list the contact details of their data protection officers. Individuals can file appeals with the Appellate Tribunal against decisions made by the Data Protection Board.
Sanctions and Compliance
Penalties apply for non-compliance, including failure to implement security measures or mishandling of data breaches. Data fiduciaries are also required to disclose details of their stakeholders, such as promoters and directors, on their websites.
Exemptions and Retention Period
Exemptions are provided for certain data processing activities, such as for research, archival, or statistical purposes, provided adequate safeguards are in place. The rules also define a retention period for personal data—three years from the last interaction with the data fiduciary or from the commencement of the DPDP rules.
Public Consultation Process
The draft rules are open for public consultation through the MyGov portal until February 18, 2025. MeitY has encouraged stakeholders to submit their suggestions publicly to ensure transparency. The final rules will be implemented in phases, with different sections taking effect at specified times.