Draft Digital Personal Data Protection Rules
The Ministry of Electronics and IT has introduced the draft Digital Personal Data Protection (DPDP) Rules, 2025, aimed at safeguarding citizens' personal data and promoting India’s digital economy.
Key Features of the Draft DPDP Rules, 2025:
- Objective: These rules operationalize the DPDP Act, 2023, ensuring personal data protection and fostering innovation in the digital ecosystem.
- Cross-Border Data Transfer: Approved personal data transfers to specific countries will be allowed.
- Citizen Empowerment: Users (Data Principals) can request data erasure, appoint digital nominees, and manage their data through user-friendly mechanisms.
- Data Fiduciaries: Entities like social media, e-commerce, and gaming platforms are obligated to handle user data responsibly. Retention is limited to three years from the last user interaction or rule enforcement.
- Notification: Data Fiduciaries must notify users 48 hours before data erasure.
- Digital Protection Board of India (DPBI): A "digital-first" board will address grievances and oversee consent mechanisms online for faster dispute resolution.
- Graded Responsibilities: Startups and MSMEs have lighter compliance requirements, while large platforms (e.g., Facebook, Amazon) classified as Significant Data Fiduciaries face stricter obligations.
- Consent Managers: Platforms can use India-incorporated consent managers to manage user permissions. These entities must have a minimum net worth of ₹2 crores.
- DPBI’s Powers: The DPBI will act as a regulatory body with civil court powers to handle data breach complaints.
- Privacy Rights: Individuals can control their data with access, correction, and deletion rights.
- Consent-Based Processing: Explicit user consent is required for data usage, supported by clear consent forms.
- Data Localization: Sensitive data must remain stored and processed within India.
- Regulatory Oversight: The DPBI ensures compliance and grievance redressal.
- Data Breach Notifications: Breaches must be promptly reported to affected individuals and the DPBI.
- Penalties: Non-compliance attracts stringent penalties to enforce data protection standards.