The government floated the draft Digital Personal Data Protection (DPDP) Rules 2025 last week for public consultation until 18 February.
What are the draft Digital Personal Data Protection Rules 2025?
The Digital Personal Data Protection (DPDP) Rules 2025, drafted by the government, outline the implementation of the Digital Personal Data Protection Act, 2023. These rules are designed to operationalise the Act passed by Parliament.
The draft rules are open for public comments for 45 days until 18 February 2025, and citizens can submit their inputs via the MyGov website. The rules establish a framework for the Data Protection Board (DPB), which will operate digitally as mandated by the DPDP Act 2023.
Additionally, the draft rules define the process for handling children’s data, requiring entities to adopt technical and organisational measures to ensure the verifiable consent of parents before processing a child’s personal data.
The draft also allows for the transfer of personal data outside India, subject to government approval. A committee may be formed to recommend restrictions on such transfers by significant data fiduciaries for specified personal data.
What is the DPDP Act?
The Digital Personal Data Protection Bill 2023 was introduced in the Lok Sabha on 3 August 2023 and passed by the Lower House on 7 August 2023. It was introduced in the Rajya Sabha on 9 August and passed the same day. The Bill became the Digital Personal Data Protection Act 2023 after receiving the President’s assent on 11 August.
Why is the DPDP Act necessary?
While the digitisation of personal data has improved service delivery and eased daily life, it is increasingly at risk of misuse. Protecting digitised personal data has thus become essential.
The DPDP Act 2023 obligates data fiduciaries to safeguard personal data and ensures accountability. Digital platforms may collect only the data required to perform their functions and deliver services opted for by users. For instance, a torch app cannot request access to a microphone or contacts.
How will the DPDP Act 2023 benefit people?
The Act ensures consent-based processing of personal data. Digital platforms must inform users and obtain their consent in English or any of the 22 Indian languages recognised by the Constitution. Users can withdraw consent, access information on data processing, request data updates or erasure, and address grievances via provided online links.
Digital platforms may also use consent managers, independent entities operating digital platforms approved by the DPB.
Who are consent managers?
Consent managers are platforms authorised to manage users’ consent. For example, the Reserve Bank of India (RBI) has established an account aggregator framework where apps like Finvu and CAMS Finserv share financial information based on consent. Similarly, the National Health Authority of India has created a Health Information Exchange to enable secure access and sharing of health records.
Who are data fiduciaries?
Data fiduciaries include entities like social media platforms, e-commerce websites, and online gaming companies that collect and process personal data. These platforms can process data only with users’ consent for specific purposes.
Platforms with a significant user base, such as Facebook, Amazon, and Netflix, are categorised as significant data fiduciaries and have greater obligations.
Will the Act address spam calls?
Yes, citizens can take action against spam calls under the DPDP Act 2023. The DPB can impose penalties on entities processing personal data without consent or in violation of the Act.
How can people file complaints?
The DPB will function entirely digitally. Citizens can file complaints and have them resolved online without needing to be physically present.
What are the penalties under the DPDP Act 2025?
The draft rules outline a mechanism for the DPB to levy penalties based on the DPDP Act 2023. The Act allows fines of up to ₹250 crore for breaches, with penalties determined by factors such as the severity and duration of the breach and the efforts made to prevent it.
Startups and small entities face lower compliance burdens, while significant data fiduciaries are subject to stricter requirements. Data fiduciaries can voluntarily provide undertakings to the DPB, potentially halting proceedings.
When will the rules be implemented?
The final rules will be presented to Parliament after the public consultation process, likely during the monsoon session. The government may take up to two years to implement the DPDP Act 2023, giving digital entities time to comply.
Are there any exemptions?
Exemptions include activities such as performing judicial and regulatory functions, enforcing legal rights, preventing or prosecuting offences, and conducting research. Startups and entities involved in research may also receive exemptions.
Will the Act assist non-digital individuals?
Yes, individuals without access to digital technology will have the same recourse as digitally connected individuals for issues involving personal data misuse.
Is there a timeline for filing complaints?
Currently, there is no time limit for filing complaints under the DPDP Act 2023.
Follow us
