The Indian government has released a draft of the Digital Personal Data Protection (DPDP) Rules, 2023, inviting public consultation on a framework designed to safeguard citizens’ digital privacy and provide greater control over personal data. These draft rules aim to operationalize the DPDP Act, which was passed in August 2023, following years of deliberation and amendments.
Citizens Gain New Digital Rights
At the heart of the draft rules lies a commitment to empowering individuals with robust rights to manage their personal data. According to the Press Information Bureau (PIB), citizens can now demand data erasure, appoint digital nominees, and access tools to control how their data is used. These rights are anchored in the principles of informed consent and transparency.
Under the proposed framework, data fiduciaries—entities that collect and process personal data—must ensure that users understand how their data is processed. This includes providing clear, accessible information about data handling practices. Users can demand the deletion of data that is no longer needed, and they must be notified 48 hours in advance of any planned erasure.
One unique provision allows users to appoint “digital nominees,” who can oversee the management of their data in cases of incapacitation or death, ensuring continuity and protection of personal information.
Stricter Accountability for Companies
The draft rules impose significant obligations on companies operating in India to enhance data protection measures. Businesses must adopt comprehensive security protocols such as encryption, access controls, and data backups to safeguard personal information. They are also required to report data breaches promptly, providing detailed accounts of the incident to the Data Protection Board (DPB) within 72 hours.
Other key compliance measures include:
- Annual audits and Data Protection Impact Assessments (DPIAs) for “significant” data fiduciaries.
- Parental or guardian consent for processing the data of minors and individuals with disabilities, with specific exemptions for healthcare, education, and safety services.
- A three-year limit for retaining personal data, with provisions to notify users before deletion.
Additionally, companies must display the contact details of their designated Data Protection Officer (DPO) prominently on their platforms, making it easier for users to address concerns or queries about data handling.
Cross-Border Data and Government Safeguards
Cross-border data transfers—a contentious issue in previous iterations of the Act—will be subject to new federal regulations. The government plans to define the categories of data that must remain within India’s borders, ensuring compliance with national security and economic considerations.
For federal and state government agencies, the draft rules introduce safeguards requiring transparent and lawful data processing aligned with policy standards. These provisions aim to balance citizen privacy with the government’s need for data in policy implementation and governance.
Penalties and Enforcement
Organizations that violate the proposed regulations face severe financial repercussions, with penalties reaching up to ₹250 crore (approximately $30 million) for failing to safeguard user data or notify the DPB of a breach. These stringent measures reflect the government’s resolve to establish accountability in data protection practices.
Telecom Cybersecurity Rules Raise Concerns
The draft DPDP rules arrive on the heels of new cybersecurity guidelines under the Telecommunications Act, 2023. These regulations mandate that telecom providers report security incidents within six hours and appoint an Indian Chief Telecommunication Security Officer (CTSO). However, privacy advocates have raised concerns about the vague language around “traffic data,” warning of potential misuse.
The Internet Freedom Foundation (IFF) has called for greater clarity, arguing that the lack of a clear definition could lead to excessive surveillance. Critics emphasize the need for safeguards to ensure the rules are not exploited to infringe on individual privacy rights.
Public Consultation Open Until February 2025
The Ministry of Electronics and Information Technology (MeitY) has opened the draft rules for public feedback until February 18, 2025. Submissions will remain confidential, encouraging citizens and stakeholders to provide candid input.
This public consultation marks a crucial phase in India’s journey toward establishing a comprehensive digital data protection framework. With the DPDP Act and related rules, the government seeks to build a regulatory environment that balances individual privacy with the economic and technological needs of the nation.