
On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Digital Personal Data Protection (DPDP) Rules, 2025. This initiative invites public feedback until February 18, 2025, via the MyGov portal, aiming to refine the rules to balance data protection with the needs of various stakeholders.
Key Provisions of the Draft Rules
Transparent Notices: Data Fiduciaries must provide clear, standalone notices to Data Principals (individuals), detailing the personal data collected, its purpose, and the services enabled by such processing. These notices should also explain how to withdraw consent, exercise rights, and lodge complaints, ensuring transparency and informed consent.
Role of Consent Managers: Authorized entities, known as Consent Managers, will help Data Principals manage their consent through interoperable platforms. These entities must be incorporated in India with a net worth of at least ₹2 crore. They are responsible for maintaining consent records and ensuring data security while avoiding conflicts of interest. Any change in ownership may require prior approval from the Data Protection Board.
State Processing of Data: The State and its instrumentalities can process personal data to provide subsidies, benefits, services, certificates, or licenses, in compliance with legal or policy requirements.
Security Measures: Data Fiduciaries must adopt robust security measures, including encryption, access control, and regular monitoring, to safeguard personal data.
Breach Notification: In the event of a personal data breach, Data Fiduciaries must promptly notify affected individuals, providing details of the breach, its impact, and suggested mitigation steps. They must also inform the Data Protection Board within 72 hours of detecting the breach.
Data Deletion: Entities, including e-commerce platforms and social media intermediaries, must delete user data after three years of inactivity unless the user actively maintains their account.
Annual Assessments: Significant Data Fiduciaries must conduct annual Data Protection Impact Assessments (DPIAs) to evaluate and mitigate risks associated with data processing activities.
Children's Data: Processing personal data of children requires verifiable consent from parents or legal guardians. Data Fiduciaries must implement measures to ensure consent is obtained from authorized individuals, prioritizing children's privacy.
Data Protection Board: The rules propose establishing a Data Protection Board to oversee data protection governance. This digital-first body will manage appointments, service conditions, and enforcement of data protection standards.
Exemptions for Research: Personal data processing for research, archiving, or statistical purposes is exempted under specific safeguards.
Implications for India's Data Protection Landscape
The DPDP Rules, 2025, represent a significant step in strengthening India's data protection framework. By emphasizing transparency, user consent, and accountability, these rules aim to foster trust in digital ecosystems while ensuring robust data protection measures. Both businesses and individuals must stay informed and prepared to adapt to these changes, ensuring a safer digital future for all. For businesses, the draft rules would mean the following:
Enhanced Compliance Requirements: Businesses will need to ensure they comply with the new rules, which include providing clear notices to individuals about data collection and usage, obtaining explicit consent, and maintaining detailed records of data processing activities.
Increased Accountability: Organizations must demonstrate accountability by adopting robust security measures, conducting regular audits, and ensuring transparency in their data handling practices. This includes notifying individuals and the Data Protection Board in the event of a data breach.
Operational Adjustments: Companies, especially those classified as Significant Data Fiduciaries, will need to conduct annual Data Protection Impact Assessments (DPIAs) to identify and mitigate risks associated with their data processing activities.
Data Management Practices: Businesses must implement mechanisms to delete user data after three years of inactivity, unless the user actively maintains their account. This requires efficient data management systems to track and manage user activity.
Consent Management: Organizations will need to work with Consent Managers to facilitate the management of user consent through interoperable platforms. This involves ensuring that these entities are incorporated in India and meet the required net worth criteria.
Children's Data Protection: Companies processing personal data of children must obtain verifiable consent from parents or legal guardians and implement measures to prioritize children's privacy.
Cross-Border Data Transfers: Businesses involved in cross-border data transfers must ensure that the receiving country provides an adequate level of data protection or that specific contractual clauses are in place to safeguard the data.
Potential Costs: Implementing these new measures may involve additional costs for businesses, including investments in technology, training, and compliance management systems.
Overall, while the DPDP Rules, 2025, aim to enhance data protection and build trust in digital ecosystems, businesses will need to adapt their operations and practices to meet these new requirements. This proactive approach to data protection can ultimately benefit businesses by fostering greater consumer trust and confidence in their services.
Follow Global Lawyers Association for more news and updates from the international legal industry.