The Ministry of Electronics and Information Technology (MeitY) released the draft rules today for the Digital Personal Data Protection (DPDP) Act, 2023, which was passed by Parliament last year. These draft rules, now open for public consultation until February 18, 2025, aim to provide a robust framework for data protection in India’s digital landscape.
The “Digital Personal Data Protection Rules, 2025” apply to all entities processing personal data within India and to those offering goods or services to individuals in India. The rules define the roles of data fiduciaries, data processors, and consent managers, laying out detailed accountability measures for each.
Data fiduciaries must ensure transparency and accountability in their data processing activities. This includes providing individuals with clear notices about:
Fiduciaries are also required to implement security measures, such as encryption, and conduct regular audits to prevent data breaches.
Consent is a central theme in the draft rules. Certified consent managers are tasked with managing user consent. These entities must ensure that individuals can provide, review, and withdraw consent easily. They are also required to maintain records of consent in machine-readable formats and ensure data processing methods prevent unauthorized access.
Data principals (individuals) are granted several rights, including the right to:
The rules also mandate that individuals be informed of any data breaches within a set time frame.
Entities classified as significant data fiduciaries face more stringent compliance requirements, such as conducting regular data protection impact assessments, audits, and algorithmic accountability checks. These entities must also ensure the hosting and transmission of sensitive data complies with Indian data sovereignty regulations.
For processing children’s data, verifiable parental consent is required. The rules also include provisions for individuals with disabilities, allowing legal guardians to act on their behalf.
The draft rules impose restrictions on the transfer of personal data outside India, allowing such transfers only to jurisdictions approved by the Central Government, in line with India’s push for data localization and sovereignty.
The draft outlines a clear framework for grievance redressal, with fiduciaries required to publicly list the contact details of their data protection officers. Individuals can file appeals with the Appellate Tribunal against decisions made by the Data Protection Board.
Penalties for non-compliance include failure to implement security measures or mishandling data breaches. Data fiduciaries are also required to disclose details of their stakeholders, such as promoters and directors, on their websites.
Exemptions are provided for certain data processing activities, such as for research, archival, or statistical purposes, provided adequate safeguards are in place. The rules also define a retention period for personal data—three years from the last interaction with the data fiduciary or from the commencement of the DPDP rules.
The draft rules are open for public consultation through the MyGov portal until February 18, 2025. MeitY has encouraged stakeholders to submit their suggestions publicly to ensure transparency. The final rules will be implemented in phases, with different sections taking effect at specified times.
Frankie Remruatdika Zadeng, the first Gen Beta baby born in India, was born in Aizawl,…
OYO has introduced a new policy in Meerut, Uttar Pradesh, barring unmarried couples from checking…
Kristen Fischer, an Instagrammer from the US, shared her struggles adapting to India's unique dinner…
The Commission for Air Quality Management (CAQM) has de-notified Stage-III GRAP measures in the Delhi-NCR…
In a significant move aimed at reshaping its check-in protocols, OYO, the Indian hospitality giant,…
For the first time in 40 years, Tata Motors has finally dethroned Maruti Suzuki, with…