India Plans New Data Protection Act Policy for 2025: A Comprehensive Update



New Delhi, January 9, 2025 - The Indian government, through the Ministry of Electronics and Information Technology (MeitY), has released the draft Digital Personal Data Protection (DPDP) Rules, 2025, aiming to solidify the framework established by the Digital Personal Data Protection Act, 2023. This move marks a significant step towards implementing stringent data privacy regulations in India.



Key Highlights of the Draft DPDP Rules 2025:


- Notice and Consent: Data fiduciaries must provide clear notices regarding data collection and usage, ensuring individuals can give informed consent. There are strict guidelines on how consent should be managed, including the provision for data principals to withdraw consent as easily as they gave it.


- Security Safeguards: Emphasis on implementing robust security measures like encryption and pseudonymization to protect personal data. Data fiduciaries are required to report data breaches to the Data Protection Board of India (DPB) within 72 hours.


- Children's Data: Enhanced protections for children's data, mandating parental consent for processing data of individuals under 18, with mechanisms for age verification.


- Data Retention: A policy for data deletion after a defined period if no longer needed, with a notice period of 48 hours before erasure unless the individual opts out.


- Cross-Border Data Transfers: Restrictions on transferring personal data outside India, with exceptions based on government approval or compliance with specific conditions.


- Exemptions: The rules outline exemptions for data processing by government entities for security, law enforcement, and public interest, sparking debate over potential overreach.


- Penalties: While the DPDP Act had provisions for penalties, the draft rules are silent on this aspect, focusing instead on procedural compliance.


- Public Consultation: MeitY has opened the draft for public feedback until February 18, 2025, to refine the rules before they come into effect.


Reactions and Implications:


- Businesses: There is concern over compliance costs and the significant infrastructural changes needed to adhere to these rules. Significant data fiduciaries must conduct Data Protection Impact Assessments (DPIAs) annually.


- Privacy Advocates: The draft has been praised for enhancing individual privacy rights but criticized for vague definitions and governmental exemptions.


- Global Impact: The policy aims to align India's data protection regime with international standards, potentially affecting India's trade negotiations and digital economy.


- Public Sentiment: There's a mix of anticipation for better data protection and apprehension about the government's extensive control over personal data processing, especially with trends on X highlighting these concerns.


This draft represents India's latest attempt to balance privacy rights with the needs of a burgeoning digital economy, setting the stage for a nuanced debate on data governance in one of the world's largest democracies.