The government of India has released a draft to tighten the country's data protection laws. The draft Digital Personal Data Protection Rules (DPDP Rules), 2025, framed under the Digital Personal Data Protection Act, 2023, outline the new guidelines and will be open for public review until 18th February.
The draft DPDP Rules, 2025, contain 22 provisions and 7 schedules, aligned with the 44 sections of the DPDP Act. The draft covers key areas such as consent management, notice requirements, security safeguards, the handling of personal data breaches, and considerations for data relating to children and individuals with disabilities.
Here are a few key features of the proposed draft:
- Notice requirements for data fiduciaries: Data fiduciaries, i.e., the entities collecting the data, must provide clear, standalone notices to data principals, i.e., the individuals whose data is being collected. The notice should state the purpose of collecting the agreed data, what data is being collected, and the steps to manage or withdraw consent. The entity must ensure that its communication with the data owner is simple and transparent.
- Consent managers: A consent manager (a third-party entity or platform that helps data principals manage their consent) must be an entity registered in India with a minimum net worth of INR 20 million. The draft also sets out guidelines on approval of ownership or control transfers, high security and transparency standards, and the use of an interoperable platform for managing consent.
- Data processing by the state: The rights of the state and of the data owner are clearly separated: the state may use personal data to provide subsidies, benefits, services, certificates, licenses, or permits as defined by law or funded through public resources, but such usage must comply with the standards outlined in Schedule II of the act, ensuring it is lawful, transparent, and secure.
- Data breach notification: In the event of a data breach, the data fiduciary must notify the DP Board within 72 hours of detection (or within a longer period, if approved), sharing comprehensive information about the incident. Impacted individuals must also be notified promptly, with details of the breach, its impact, and the measures taken to mitigate it.
- Accountability and compliance: Data fiduciaries must process personal data lawfully, limit its use, and retain it only for as long as required or agreed. They must also publish grievance redressal mechanisms on their platforms.
- Data protection impact assessments (DPIAs): Significant data fiduciaries must carry out annual Data Protection Impact Assessments (DPIAs) to identify and mitigate the risks associated with their data processing activities. These assessments must also confirm that the algorithms they use respect the rights of data principals.
- Data retention policies: Collected data may only be held for a finite period. The draft lays out that digital entities such as e-commerce platforms with over 20 million users, online gaming intermediaries with over 5 million users, and social media platforms with over 20 million users must delete user data after three years of user inactivity.
- Processing personal data outside India: Data fiduciaries handling data within India or providing goods or services to data principals outside India must adhere to the central government’s requirements for sharing such data with a foreign state or its entities.
- Exemptions for research and statistics: The draft provides an exemption for personal data used for research, archiving, or statistical purposes, as long as it adheres to the safeguards outlined in Schedule II. This allows essential data usage for academic and policy research while upholding protection standards.
The guidelines are much needed, as there were previously no clear rules on how entities may collect and use individuals' data. Many applications exploited this gap by asking for more data than they actually need; once the data protection guidelines are enforced, such practices would be curbed and data misuse reduced. Although some businesses may see these guidelines as a limitation, on a larger scale the draft would act as a safeguard for individuals.