India has taken a significant step towards strengthening digital privacy by releasing the draft rules under the Digital Personal Data Protection (DPDP) Act, 2023. The draft rules, open for public consultation until February 18, 2025, aim to establish clear guidelines for handling personal data by entities operating within the country. This marks a milestone in India’s decade-long journey to introduce comprehensive data protection legislation, which began in 2011 with recommendations for a privacy law by an expert committee chaired by former Delhi High Court Chief Justice A.P. Shah.
One of the key provisions in the draft is the requirement for data fiduciaries, or entities that process personal data, to ensure transparency in their data collection and usage practices. Notices regarding data collection must be clear and separate from other content, empowering users to make informed decisions regarding their data. Furthermore, data fiduciaries will be obligated to provide accessible mechanisms for users to withdraw consent, as well as facilities to manage data access, correction, and deletion rights.
In addition to these transparency and consent management requirements, the draft rules also emphasize robust data security measures. These include mandates for encryption, pseudonymization, and masking of personal data, as well as maintaining logs to track access to ensure swift identification and prevention of unauthorized access. In the event of a data breach, fiduciaries must notify affected individuals promptly, and authorities must be informed within 72 hours of the breach’s discovery, enhancing accountability.
The draft rules also address cross-border data transfers, requiring compliance with conditions that protect Indian citizens’ sovereignty and security. Data processing for minors will require parental consent, and data fiduciaries must ensure that this consent is valid and verifiable. Additionally, the rules outline exemptions for research and statistical purposes, providing flexibility while ensuring adequate safeguards. The Ministry of Electronics and Information Technology (MeitY) has called for public feedback via the MyGov platform, demonstrating the government’s commitment to an inclusive and transparent rule-making process.
