In a major development to strengthen digital privacy, India has released draft data protection rules under the Digital Personal Data Protection Act, 2023, for public consultation. Open until February 18, these rules aim to establish clear and enforceable guidelines for handling personal data by entities operating within the country.
The release of these draft rules marks a significant milestone in India’s decade-long journey toward comprehensive data protection legislation. The groundwork for these regulations was laid in 2011 when an expert committee, chaired by former Delhi High Court Chief Justice A.P. Shah, recommended the introduction of a privacy law. Following years of revisions and debates, the legislation took shape as the Digital Personal Data Protection (DPDP) Act, 2023, and is now moving toward practical implementation.
The draft proposes a phased rollout. Rules governing the Data Protection Board—including its composition and responsibilities (Rules 16-20)—will take effect immediately. Other provisions, such as those detailing notice requirements, consent management, and government access to data, are scheduled for later enforcement.
Also read: India’s States Collaborate on Digital Growth and Cybersecurity at MeitY Summit
Key Takeaways from India’s Draft Data Protection Rules
The ministry of electronics and information technology (MeITY) on Friday evening released the draft of Digital Personal Data Protection Rules after sixteen months since the law was first notified in August 2023. Overall there are 22 points mentioned in the draft data protection rules but here are the top mandates in it:
- Data Fiduciary Obligations:
- Data fiduciaries (entities processing personal data) must ensure transparency in data collection and usage.
- Notices must be clear, simple, and separate from other content, enabling users to understand data usage and give informed consent.
- Consent Withdrawal and Rights Management:
- Mechanisms for users to withdraw consent must be as accessible as those for giving it.
- Data fiduciaries must facilitate the exercise of user rights under the Act, including access, correction, and data erasure.
- Security and Safeguards:
- Adequate technical measures such as encryption, pseudonymization, and masking must be employed to protect personal data.
- Logs must be maintained to track access to personal data, ensuring unauthorized access is swiftly identified and addressed.
- Data Breach Notifications:
- In the event of a data breach, fiduciaries must notify affected individuals promptly.
- Authorities must be informed within 72 hours of the breach being discovered.
- Processing Data of Minors:
- Data fiduciaries must verify parental consent for processing data of children under 18 years.
- Mechanisms must ensure the parental identity and consent are valid and verifiable.
- Exemptions for Research and Statistical Purposes:
- Certain provisions do not apply to personal data processing for research, archiving, or statistical analysis if done according to prescribed standards.
- Cross-Border Data Transfers:
- Cross-border data transfers will require compliance with government-specified conditions to protect the sovereignty and security of Indian citizens.
- Data Protection by Design:
- Fiduciaries must incorporate data protection principles in their systems and operations, ensuring user rights are upheld from the outset.
- Significant Data Fiduciaries:
- Identified based on volume and sensitivity of data processed, these fiduciaries face stricter requirements, including mandatory audits and impact assessments.
Public Participation Encouraged
The Ministry of Electronics and Information Technology (MeitY) has invited feedback from citizens, industry stakeholders, and civil society through the MyGov platform. This move shows the government’s commitment to a transparent rule-making process and aims to ensure that the new regulations address diverse perspectives.
The draft acknowledges emerging challenges in managing personal data, especially in light of global debates on AI-driven data processing, cross-border data flows, and surveillance concerns.
International and Domestic Implications
With the rise of digital services and an interconnected global economy, India’s data protection regime is expected to impact international businesses. Companies handling Indian residents’ data will need to comply with the local framework, ensuring their practices align with India’s stringent standards.
These rules also coincide with global trends. Nations worldwide are tightening data privacy regulations, reflecting increased awareness about the implications of unchecked data usage.
