The Indian government has released draft Digital Personal Data Protection (DPDP) Rules for public consultation. The rules aim to enhance the Digital Personal Data Protection Act, 2023, giving citizens greater control over their personal data. Under the proposed rules, data fiduciaries must provide clear information on how personal data is processed, enabling informed user consent.
Citizens have the right to demand data erasure, appoint digital nominees, and use user-friendly mechanisms to manage their data. Companies in India will need to implement strict security measures like encryption, access control, and data backups to protect personal data.
Key provisions of the DPDP Act include:
– Detecting and addressing breaches, maintaining logs
– Notifying the Data Protection Board (DPB) of data breaches within 72 hours
– Deleting personal data after three years, notifying individuals 48 hours prior
– Displaying contact details of a designated Data Protection Officer (DPO)
– Obtaining verifiable parental consent for processing data of children under 18 or persons with disabilities, with exemptions
– Conducting an annual Data Protection Impact Assessment (DPIA) and audit, reporting results to the DPB
– Following federal government requirements for cross-border data transfers
The draft rules also propose safeguards for citizens when government agencies process their data, ensuring lawful and transparent processing.
Organizations failing to safeguard digital data or notify the DPB of breaches could face penalties of up to ₹250 crore (nearly $30 million). The Ministry of Electronics and Information Technology (MeitY) is seeking public feedback on the draft regulations until February 18, 2025.
Submissions will remain confidential. The DPDP Act was enacted in August 2023 after several revisions since 2018. It follows a 2017 ruling by India’s top court reaffirming the right to privacy as a fundamental right.
The draft rules come after the Department of Telecommunications announced the Telecommunications (Telecom Cyber Security) Rules, 2024, to secure communication networks and impose strict data breach disclosure guidelines. Telecom companies must report security incidents to the government within six hours and share additional information within 24 hours. They must also appoint a Chief Telecommunication Security Officer (CTSO) who is an Indian citizen and resident.
However, the Internet Freedom Foundation (IFF) has criticized the “overbroad phrasing” of the rules and the removal of the “traffic data” definition, warning of potential misuse. Public consultation on these rules remains open, with the government urging stakeholders to participate to ensure robust data protection and cybersecurity frameworks for India.