Jakarta, INTI - India has taken a significant step towards securing digital data and ensuring privacy with the release of the draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. This initiative is part of the operationalization of the Digital Personal Data Protection Act, 2023, which seeks to give citizens more control over their personal data while imposing stringent guidelines on how organizations handle it.
In a statement released by India's Press Information Bureau (PIB), it was emphasized that the DPDP rules aim to ensure that data fiduciaries provide clear and accessible information to citizens about how their personal data is processed. This ensures that individuals can give informed consent, request data erasure, appoint digital nominees, and use user-friendly mechanisms to manage their data. The rules, which follow the passing of the DPDP Act in August 2023, will play a vital role in strengthening digital privacy protections in India.
Empowering Citizens and Holding Organizations Accountable
The DPDP Act's draft rules introduce a series of critical rights and responsibilities for citizens and organizations alike. These provisions empower citizens by giving them the right to:
- Request the erasure of personal data that is no longer necessary or relevant.
- Appoint a digital nominee to manage their data in specific circumstances.
- Access simple and accessible grievance redressal mechanisms in case their data is misused or breached.
On the other hand, organizations operating in India will be required to comply with a range of new obligations aimed at securing personal data. These include implementing robust security measures such as encryption, access controls, and data backups to safeguard the confidentiality, integrity, and availability of personal data.
One of the most notable aspects of the draft rules is the requirement for organizations to designate a Data Protection Officer (DPO). This individual will be responsible for addressing queries from users regarding how their personal data is processed. This is part of a broader strategy to ensure that organizations are held accountable for the management of personal data and that users have clear avenues to address their concerns.
Addressing Data Breaches and Accountability
A key feature of the DPDP rules is their provision for handling data breaches. In the event of a data breach, organizations will be required to report the incident to the Data Protection Board (DPB) within 72 hours, or longer if permitted. These reports must include detailed information on the events leading to the breach, the steps taken to mitigate the risk, and the identity of the individuals involved, where known.
Furthermore, organizations will be obliged to delete data that is no longer necessary after a three-year period and must notify the concerned individuals 48 hours prior to deleting such data. This provision aims to ensure that personal data is not kept indefinitely and is only retained for as long as necessary for legitimate business purposes.
Child and Disability Data Protection
In a bid to safeguard the personal data of children under the age of 18 and individuals with disabilities, the draft rules require organizations to obtain verifiable consent from parents or legal guardians before processing such sensitive data. However, exceptions are made for healthcare providers, educational institutions, and child care providers, who are permitted to process data for specific activities such as health services, educational activities, safety monitoring, and transportation tracking.
These provisions reflect a growing global consensus around the need to provide extra protections for vulnerable groups, particularly children and individuals with disabilities, in the context of digital data processing.
Risk Assessment and Annual Audits
Organizations deemed "significant" under the new rules will be required to conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit every year. The results of these audits must be reported to the Data Protection Board. This annual auditing process aims to ensure that organizations continuously assess and mitigate any potential risks to the personal data they process, keeping privacy at the forefront of their operations.
Moreover, the DPDP rules also set out provisions for cross-border data transfers. The Indian government is expected to specify which categories of personal data must remain within the country’s borders, and this will be determined by a specialized committee. These provisions aim to ensure that sensitive personal data is adequately protected when transferred outside India.
Cybersecurity Measures and Stricter Regulations
The DPDP Act comes in the wake of India's growing need for stronger cybersecurity measures. A few months earlier, the Department of Telecommunications (DoT) issued the Telecommunications (Telecom Cyber Security) Rules, 2024, which mandate that telecom operators report any security incidents affecting their networks or services to the federal government within six hours of detection. Telecom companies must also appoint a Chief Telecommunication Security Officer (CTSO), who must be an Indian citizen and a resident of India.
Telecommunication entities are also required to share traffic data, excluding message content, with the federal government in a specified format to ensure the protection of telecom networks and cybersecurity. However, there has been some controversy regarding the broad phrasing of these requirements, with the Internet Freedom Foundation (IFF) raising concerns that the removal of the definition of “traffic data” in the draft could lead to misuse of this data by the government.
Financial Penalties and Enforcement
Organizations that fail to protect individuals' digital data or that do not report security breaches to the DPB can face financial penalties of up to ₹250 crore (approximately $30 million). This represents a serious deterrent for organizations that might consider neglecting their responsibilities under the DPDP Act. The large monetary penalties reflect the government's commitment to enforcing the rules and ensuring that organizations take their data protection obligations seriously.
In addition to financial penalties, the draft rules require that all data processing by government agencies—whether at the federal or state level—be carried out in a manner that is lawful, transparent, and in accordance with legal and policy standards. This is particularly important given the potential for misuse of citizens' data by government entities.
Public Consultation and Future of Data Protection
The Ministry of Electronics and Information Technology (MeitY) has announced that it is seeking public feedback on the draft rules until February 18, 2025. The government has also assured that any submissions made during the consultation process will remain confidential. This public consultation is an important part of the process, ensuring that the rules are fine-tuned and take into account the concerns of various stakeholders, including civil society, tech companies, and privacy advocates.
The DPDP Act represents a significant milestone in India's data protection journey. It has been years in the making, with multiple drafts and revisions, and is finally expected to bring the country in line with global standards for data privacy. The Act’s introduction follows a landmark ruling by India’s Supreme Court in 2017, which affirmed the right to privacy as a fundamental right under the Constitution of India. This legal foundation has paved the way for stronger protections for citizens’ personal data in the digital age.
A New Chapter for Data Privacy in India
India’s draft rules on digital data protection represent a major step forward in securing personal data and strengthening the rights of citizens in the digital age. These regulations will hold organizations accountable for how they process and safeguard personal data, ensuring that privacy and security are prioritized in the digital ecosystem.
As the public consultation process moves forward, the rules are expected to evolve, with feedback from various sectors influencing the final version. With robust data protection laws now in place, India is poised to become a global leader in digital privacy and security, setting a new standard for how personal data is managed in the 21st century.