India Publishes Draft Digital Personal Data Protection Rules for Public Feedback

<p>The Indian government has released a draft of the Digital Personal Data Protection &lpar;DPDP&rpar; Rules&comma; 2023&comma; inviting public consultation on a framework designed to safeguard citizens’ digital privacy and provide greater control over personal data&period; These draft rules aim to operationalize the DPDP Act&comma; which was passed in August 2023&comma; following years of deliberation and amendments&period;<&sol;p>&NewLine;<h2>Citizens Gain New Digital Rights<&sol;h2>&NewLine;<p>At the heart of the draft rules lies a commitment to empowering individuals with robust rights to manage their personal data&period; According to the Press Information Bureau &lpar;PIB&rpar;&comma; citizens can now demand data erasure&comma; appoint digital nominees&comma; and access tools to control how their data is used&period; These rights are anchored in the principles of informed consent and transparency&period;<&sol;p>&NewLine;<p>Under the proposed framework&comma; data fiduciaries—entities that collect and process personal data—must ensure that users understand how their data is processed&period; This includes providing clear&comma; accessible information about data handling practices&period; Users can demand the deletion of data that is no longer needed and must be notified 48 hours in advance of any planned erasure&period;<&sol;p>&NewLine;<p>One unique provision allows users to appoint &&num;8220&semi;digital nominees&comma;&&num;8221&semi; who can oversee the management of their data in cases of incapacitation or death&comma; ensuring continuity and protection of personal information&period;<&sol;p>&NewLine;<p><a href&equals;"https&colon;&sol;&sol;www&period;theibulletin&period;com&sol;wp-content&sol;uploads&sol;2025&sol;01&sol;India-Digital-Privacy-Data-Protection-Act&period;jpg"><img class&equals;"aligncenter size-full wp-image-56291" src&equals;"https&colon;&sol;&sol;www&period;theibulletin&period;com&sol;wp-content&sol;uploads&sol;2025&sol;01&sol;India-Digital-Privacy-Data-Protection-Act&period;jpg" alt&equals;"India Digital Privacy Data Protection Act" width&equals;"1159" height&equals;"746" &sol;><&sol;a><&sol;p>&NewLine;<h2>Stricter Accountability for Companies<&sol;h2>&NewLine;<p>The draft rules impose significant obligations on companies operating in India to enhance data protection measures&period; Businesses must adopt comprehensive security protocols such as encryption&comma; access controls&comma; and data backups to safeguard personal information&period; They are also required to report data breaches promptly&comma; providing detailed accounts of the incident to the Data Protection Board &lpar;DPB&rpar; within 72 hours&period;<&sol;p>&NewLine;<p>Other key compliance measures include&colon;<&sol;p>&NewLine;<ul>&NewLine;<li>Annual audits and Data Protection Impact Assessments &lpar;DPIAs&rpar; for &&num;8220&semi;significant&&num;8221&semi; data fiduciaries&period;<&sol;li>&NewLine;<li>Parental or guardian consent for processing the data of minors and individuals with disabilities&comma; with specific exemptions for healthcare&comma; education&comma; and safety services&period;<&sol;li>&NewLine;<li>A three-year limit for retaining personal data&comma; with provisions to notify users before deletion&period;<&sol;li>&NewLine;<&sol;ul>&NewLine;<p>Additionally&comma; companies must display the contact details of their designated Data Protection Officer &lpar;DPO&rpar; prominently on their platforms&comma; making it easier for users to address concerns or queries about data handling&period;<&sol;p>&NewLine;<h2>Cross-Border Data and Government Safeguards<&sol;h2>&NewLine;<p>Cross-border data transfers—a contentious issue in previous iterations of the Act—will be subject to new federal regulations&period; The government plans to define the categories of data that must remain within India’s borders&comma; ensuring compliance with national security and economic considerations&period;<&sol;p>&NewLine;<p>For federal and state government agencies&comma; the draft rules introduce safeguards requiring transparent and lawful data processing aligned with policy standards&period; These provisions aim to balance citizen privacy with the government’s need for data in policy implementation and governance&period;<&sol;p>&NewLine;<h2>Penalties and Enforcement<&sol;h2>&NewLine;<p>Organizations that violate the proposed regulations face severe financial repercussions&comma; with penalties reaching up to ₹250 crore &lpar;approximately &dollar;30 million&rpar; for failing to safeguard user data or notify the DPB of a breach&period; These stringent measures reflect the government’s resolve to establish accountability in data protection practices&period;<&sol;p>&NewLine;<h2>Telecom Cybersecurity Rules Raise Concerns<&sol;h2>&NewLine;<p>The draft DPDP rules arrive on the heels of new cybersecurity guidelines under the Telecommunications Act&comma; 2023&period; These regulations mandate that telecom providers report security incidents within six hours and appoint an Indian Chief Telecommunication Security Officer &lpar;CTSO&rpar;&period; However&comma; privacy advocates have raised concerns about the vague language around &&num;8220&semi;traffic data&comma;&&num;8221&semi; warning of potential misuse&period;<&sol;p>&NewLine;<p>The Internet Freedom Foundation &lpar;IFF&rpar; has called for greater clarity&comma; arguing that the lack of a clear definition could lead to excessive surveillance&period; Critics emphasize the need for safeguards to ensure the rules are not exploited to infringe on individual privacy rights&period;<&sol;p>&NewLine;<h2>Public Consultation Open Until February 2025<&sol;h2>&NewLine;<p>The Ministry of Electronics and Information Technology &lpar;MeitY&rpar; has opened the draft rules for public feedback until February 18&comma; 2025&period; Submissions will remain confidential&comma; encouraging citizens and stakeholders to provide candid input&period;<&sol;p>&NewLine;<p>This public consultation marks a crucial phase in India’s journey toward establishing a comprehensive digital data protection framework&period; With the DPDP Act and related rules&comma; the government seeks to build a regulatory environment that balances individual privacy with the economic and technological needs of the nation&period;<&sol;p>&NewLine;