Recently, the draft of Digital Personal Data Protection Rules 2025 has been drafted in order to provide necessary details and implementation framework of the Digital Personal Data Protection Act, 2023 (DPDP Act) 2023. The DPDP Act, 2023 (DPDP Act) had received the assent of the Hon’ble President on 11th August 2023.
Features of the Digital Personal Data Protection Act, 2023 1. Fairness- Organizations must use personal data in a way that is fair and transparent to the individuals involved. 2. Consent- Personal data can only be processed for a lawful purpose after the individual’s consent is obtained. 3. Data protection- Individuals have the right to obtain information about how their data is processed, and request corrections or erasure. |
Framework/Components of Digital Data Protection
1. Data principal- The individual whose personal data is being handled. For children, their parents or legal guardians are the data principals. For people with disabilities, their legal guardians are the data principals.
2. Data fiduciaries- The entity that determines how and why personal data is processed. It is also responsible for ensuring the data is accurate, secure, and is erased when it is no longer needed.
3. Data Protection Board (Board)- It functions as a digital office to oversee compliance and address grievances. The Act empowers Chairperson and Members to act on matters, with decisions made by majority vote.
Read More- Digital Personal Data Protection Bill, 2023: Explained, pointwise |
What are the salient features of Draft Digital Personal Data Protection Rules 2025?
Notice to be given by Data Fiduciary to Data Principal | Data Fiduciaries must provide Data Principals with clear and understandable notices for informed consent. The Notices must include- a description of personal data being processed, the purpose and services associated with the processing, and details for withdrawing consent, exercising rights, or filing complaints. |
Consent Management | Consent Requirements- Data processing requires prior, clear, and informed consent from Data Principals, which may be withdrawn at any time. Consent Manager Role- Consent Managers to facilitate granting, tracking, and withdrawal of consent. |
Obligations of Data Fiduciaries | Significant Data Fiduciaries (SDF): Additional obligations include- a. Annual Data Protection Impact Assessments and audits. b. Ensuring algorithms do not harm Data Principals’ rights. c. Restricting specific personal data transfers outside India. General Obligations: Maintain transparency in processing activities. Publish terms of service and grievance redressal mechanisms. |
Rights of Data Principals | Access and Erasure: Right to access personal data or request its erasure via mechanisms published by Data Fiduciaries. Grievance Redressal: Data Fiduciaries must respond to grievances within specified timeframes. Nomination: Data Principals can nominate individuals for exercising their rights in case of incapacity or death. Transparency: Fiduciaries must provide clear information about data collection, processing, and sharing practices. |
Processing of Personal Data Outside India | Condition for Transfer a. Transfers to foreign entities are subject to government-specified requirements. b. Restrictions apply to data critical for national interests, as determined by the government. |
Processing by State for Subsidies and Benefits | The State may process personal data under specific conditions for issuing subsidies, benefits, or services and must be linked to laws, policies, or public funds. |
Reasonable Security Safeguards | Data Fiduciaries must take adequate security measures, including: a. Encryption, obfuscation, and access control. b. Logs and monitoring to detect unauthorized access. c. Retention of logs and personal data for at least one year unless otherwise specified by law. d. Contractual safeguards when engaging Data Processors. |
Personal Data Breach Intimation | Data Fiduciaries must promptly inform affected Data Principals of breaches, detailing: a. The nature, extent, and consequences of the breach. b. Steps taken to mitigate risks. c. Contact information for queries. Breaches must also be reported to the Board within 72 hours or a longer period allowed. |
Erasure of Personal Data | a. Data Fiduciaries must erase personal data if the specified purpose is deemed no longer valid. b. Principals must be notified 48 hours before such erasure, allowing them to log in or otherwise interact to retain the data. |
Consent for Data of Children or Persons with Disabilities | a. Fiduciaries must obtain verifiable consent from parents or lawful guardians before processing a child’s data. b. Verification may involve identity checks through reliable details or tokens issued by authorized entities like Digital Locker service providers. |
Government Powers | a. Information Requests- The government may request data from Fiduciaries for purposes listed in the Seventh Schedule. b. Restrictions on Disclosure- Fiduciaries must seek prior written approval before disclosing sensitive data in cases affecting sovereignty, security, or public order. |
What are the advantages of the Digital Personal Data Protection Rules 2025?
The Digital Personal Data Protection Rules 2025 provide for a “LIGHT BUT TIGHT” framework.
L: Legal Certainty- Provides clear legal guidelines for businesses and individuals, reducing ambiguity and legal risks.
I: Increased Trust and Consumer Confidence- Builds trust between individuals and organizations by demonstrating a commitment to data privacy and security.
G: Global Competitiveness- Aligns with international data protection standards, facilitating cross-border data flows and fostering a competitive digital economy.
H: Harmonized Approach- Promotes consistency and predictability in data protection practices across different sectors and jurisdictions.
T: Technological Innovation- Drives innovation in privacy-enhancing technologies, such as data anonymization, differential privacy, and secure multi-party computation.
B: Business Benefits- Improves organizational security, reduces the risk of data breaches and their associated costs, and enhances brand reputation.
U: User Empowerment- Empowers individuals with control over their personal data, fostering a sense of agency and trust in the digital world.
T: Trustworthy Data Ecosystems- Fosters the development of trustworthy data ecosystems where data can be used responsibly and ethically for innovation and societal benefit.
T: Technological Advancement- Encourages the development of privacy-preserving technologies that enable innovation while respecting individual rights.
I: Improved International Relations- Facilitates smoother data flows and cooperation on data protection issues between countries.
G: Greater Global Interoperability- Enables seamless data flows across borders while ensuring adequate protection for individuals.
H: Harmonized Global Standards- Contributes to the development of harmonized global standards for data protection, reducing complexity for businesses operating internationally.
T: Thriving Digital Economy- Creates a level playing field for businesses, fostering innovation and competition in a data-driven economy.
What are the Challenges associated with this framework?
The rules does not provide for a “NOT SO LIGHT” framework.
N: New Technologies
a. Emergence of AI, IoT, and other disruptive technologies- These technologies present unique challenges for data protection, such as algorithmic bias, lack of transparency, and the potential for misuse.
b. Difficulty in keeping up with rapid technological advancements and agile and adaptable legal and regulatory framework.
T: Technological Limitations
a. Limitations of existing technologies- Challenges in implementing robust security measures to protect data from cyber threats like hacking, ransomware, and data breaches.
b. Difficulty in ensuring data privacy in decentralized environments like blockchain.
S: Social Impact
a. Digital Divide- Exacerbation of existing digital divides, impacting marginalized communities and limiting their access to digital services and opportunities.
b. Social Surveillance- Potential for misuse of data for mass surveillance and social control.
c. Impact on Human Rights- Potential for data protection measures to inadvertently restrict freedom of expression, association, and other fundamental rights.
O: Operational Challenges
a. Difficulties in implementing and enforcing data protection regulations within organizations.
b. Lack of awareness and training among employees on data protection best practices.
c. Challenges in identifying and mitigating data breaches effectively.
T: Transparency and Accountability
a. Lack of transparency in data processing practices, making it difficult for individuals to understand how their data is being used.
b. Difficulty in holding organizations accountable for data breaches and other violations of data protection laws.
I: International Cooperation
a. Challenges in coordinating data protection policies and enforcement across borders.
b. Navigating the complexities of international data transfers and compliance with foreign data protection laws.
G: Global Trends
a. Keeping pace with evolving global trends in data protection and adapting to international best practices.
b. Addressing the challenges posed by the increasing globalization of data flows.
H: Human Rights Considerations
Ensuring that data protection measures respect and protect fundamental human rights, including privacy, freedom of expression, and equality.
T: Trust and Confidence
Building and maintaining public trust in the data protection framework and the institutions responsible for its enforcement.
What Should be the Way Forward?
1. Awareness & Education- Continuously educate the public, businesses, and government officials on data protection rights, responsibilities, and best practices.
2. Data Protection Impact Assessments (DPIAs)- Promote the proactive use of DPIAs by organizations to identify and mitigate potential risks to privacy and data security.
3. Enforcement & Compliance- Robust enforcement mechanisms to ensure compliance with the DPDP Act. Strengthen the investigative and enforcement powers of the Data Protection Board, including the ability to impose meaningful penalties.
4. Quality Assurance- Ensure the quality and effectiveness of data protection measures through regular audits, inspections, and certifications. Develop and implement robust certification schemes for organizations that demonstrate compliance with data protection standards.
5. User-Centric Approach- Prioritize the needs and interests of individuals by empowering them with control over their personal data.
6. Adaptive Framework- The framework should be flexible and adaptable to the rapidly evolving digital landscape. Regularly review and update the DPDP Act and its implementing rules to address emerging challenges and technologies.
7. Technological Advancements- Leverage technology to enhance data protection, such as through the use of privacy-enhancing technologies like differential privacy and federated learning.
8. Evaluation & Continuous Improvement- Regularly evaluate the effectiveness of the DPDP Act and its implementation.
Read More- The Hindu UPSC Syllabus- GS 2- Governance |
Discover more from Free UPSC IAS Preparation Syllabus and Materials For Aspirants
Subscribe to get the latest posts sent to your email.