Context:
Recently, the Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection (DPDP) Rules, 2025, to enforce provisions of the Digital Personal Data Protection Act, 2023.
More on the News:
- The draft rules are open for public feedback until February 18, 2025. Submissions will be confidential and held by MeitY.
- These rules align with India’s commitment to creating a strong digital data protection framework, balancing regulation and innovation for inclusive benefits.
Key Highlights of the Rules:
Enhanced Control and Trust for Citizens:
- The rules place citizens at the heart of the data protection framework.
- Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.
- Parents and guardians are empowered to ensure online safety for children, with specific measures targeting children’s data protection.
Data Fiduciaries’ Responsibilities:
- Data Fiduciaries (organizations handling personal data) must provide clear and accessible information about how personal data is processed, allowing citizens to make informed consent decisions.
- Entities collecting and processing personal data are categorised as “Data Fiduciaries.” Examples: e-commerce, social media, and gaming platforms.
- Significant Data Fiduciaries (SDFs) are those processing high volumes or sensitive data, impacting national sovereignty, security, or public order.
- They are required to undergo annual Data Protection Impact Assessments (DPIA) and audits.
- Data Fiduciaries must store personal data only for the period during which consent is granted and must delete the data after that period.
- On becoming aware of any personal data breach, the Data Fiduciary must notify the affected individual (person or company) and the Data Protection Board.
Data Protection Officer (DPO):
- The DPO is the person appointed by the Data Fiduciary to handle communications from individuals (Data Principals) regarding their personal data.
- The DPO must be based in India and report to the Board of Directors or a similar governing body of the Significant Data Fiduciary.
Functioning of Data Protection Board:
- The Chairperson and members of the Board are appointed by the Central Government, following recommendations from a Search-cum-Selection Committee (Cabinet Secretary as the chairperson).
- The Board (vested with the powers of a civil court) will function as a digital office, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.
- The Data Protection Board’s digital office approach would ensure quick and transparent resolution of complaints.
- The Board is required to take into consideration factors such as the nature and gravity of default, efforts made to mitigate impact, etc., while imposing penalties for defaults.
- Data Fiduciaries may voluntarily give undertakings to the Board at any stage of proceedings; if the Board accepts an undertaking, the proceedings are dropped.
Consent Management by Designated Entities:
- Consent will be managed through “consent managers,” entities responsible for recording and managing individuals’ consent for data processing.
- A consent manager is a third-party entity that helps data principals (individuals) manage their consent.
- They operate interoperable platforms, ensuring transparency, security, and compliance, under the oversight of the Data Protection Board (DP Board).
- The draft rules outline a process for suspending or cancelling the registration of consent managers in cases of repeated violations.
- Data processing by digital platforms can only occur after obtaining explicit consent from individuals via these consent managers.
Balance Between Innovation and Regulation:
- The rules aim to strike a balance between fostering innovation and ensuring personal data protection, unlike restrictive global frameworks.
- The model encourages economic growth while prioritizing citizen welfare, seen as a new global template for data governance.
- A lesser compliance burden is placed on smaller businesses and startups, with adequate time provided for stakeholders to transition to compliance.
Digital Personal Data Protection Act, 2023
- It represents a significant step in protecting the fundamental right to informational privacy of Indians, a right upheld by the Supreme Court of India in the Justice K.S. Puttaswamy vs. Union of India (2017) case.
- In 2017, the Ministry of Electronics and Information Technology (MeitY) set up the Justice B.N. Srikrishna Committee to create a data protection framework for India.
- The Act applies to the processing of digital personal data within India, including data collected online or offline and then digitized.
- It also applies to data processing outside India if it involves offering goods or services to people in India.
- Personal data can only be processed for legitimate purposes with the individual’s consent unless it is voluntarily shared by the individual or when the government processes data for permits, licenses, or services.
- It grants individuals rights to access, correct, erase, and seek grievance redressal regarding their data.
- The central government may exempt government agencies from the act’s provisions for reasons related to state security, public order, or crime prevention.
- The act sets out obligations on Data Fiduciaries (those processing data) and outlines the rights and duties of Data Principals (individuals to whom the data pertains), including financial penalties for violations.
- The DPDP Act established the Data Protection Board of India (DPB), the country’s first regulatory authority dedicated to personal data privacy.