India seeks public feedback on digital data protection rules

Getting your Trinity Audio player ready...

India has invited feedback and comments on the draft ‘Digital Personal Data Protection Rules, 2025′ for consultation. Initiated under the Ministry of Electronics and Information Technology (MeitY), the Digital Personal Data Protection Act (DPDPA) aims to establish a comprehensive framework that allows its citizens greater control and privacy over their digital data while imposing stricter regulations on businesses that use it.

The draft rules are based on inputs gathered from various stakeholders and a study of global best practices. MeitY has invited feedback from the public and stakeholders until February 18, which is in sync with the government’s aim to adopt an inclusive approach to law-making.

“The draft Digital Personal Data Protection Rules aim to safeguard citizens’ rights for the protection of their personal data. These rules seek to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), in line with India’s commitment to create a robust framework for protecting digital personal data,” MeitY said in a statement.

The Digital Personal Data Protection Act was introduced in August 2023 as India’s first-ever dedicated legislation for digital privacy, but its rules have yet to be notified. The Act is expected to improve data privacy for Indians and significantly impact global companies in the way they process personal data in India and transfer data to and from other countries. 

“Draft DPDP rules are open for consultation. Seeking your views,” said Electronics and Information Technology Minister Ashwini Vaishnaw.

“These draft rules will be finalised only after extensive consultation. Please do share your views,” Vaishnaw added.

Vaishnaw reportedly stated that the government plans to give the industry a two-year timeline to transition to the new law and ensure their systems comply.

The rules aim to empower citizens in a swiftly expanding digital economy. They are designed to safeguard citizens’ rights in sync with the DPDP Act, striking a balance between regulation and innovation. This ensures that the advantages of India’s flourishing innovation ecosystem are accessible to all citizens and contribute to the growth of the country’s digital economy. Additionally, they tackle key issues such as unauthorized commercial use of data, digital harms, and personal data breaches.

Less compliance burden for startups, small businesses

Given India’s status as the world’s most populated country and an emerging technology powerhouse, most global tech companies will be impacted. 

However, “The framework envisages lesser compliance burden for smaller businesses and startups,” MeitY stated. 

“Graded responsibilities cater to startups and MSMEs (Micro, Small and Medium Enterprises) with lower compliance burden, while significant data fiduciaries have higher obligations,” the ministry stated.

A data fiduciary is any entity that determines how your data is used.

The draft Digital Personal Data Protection rules place citizens at the heart of the data protection framework. MeitY said that data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.

MeitY stated that the rules empower citizens by giving them greater control over their data. Provisions for informed consent, the right to erasure, and grievance redressal enhance trust on digital platforms. Parents and guardians are empowered to ensure online safety for their children.

“The DPDP Act represents a crucial step towards ensuring data protection and digital privacy in India. By empowering individuals with greater control over their personal information and holding organisations accountable for data management, the act strives to create a safer and more secure digital environment,” a PricewaterhouseCoopers (PwC) report said.

Organizations handling large volumes of personal data, such as in financial services, telecommunications, healthcare, and retail, will be most affected, according to the PwC report. E-commerce and service sectors will need to update processes, systems, and technologies for handling personal data. E-commerce platforms collect extensive customer data, including transaction details and session information, which are often used to generate insights for growth. 

“The (DPDP Act) aims to provide guardrails that foster trust and transparency within these processes by ensuring that personal information is collected for legitimate use or that consent is sought from data principals if used otherwise,” the PwC report stated.

Watch: Exploring use cases for blockchain in India