Shaping a Secure Digital Future: Analyzing India's DPDP Act 2023 Draft Rules

POSTED ON JANUARY 07, 2025 BY DATA SECURE

Introduction

On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), marking a significant step towards regulating the personal data of individuals. To operationalise the Act, the government released the DPDP Rules (Draft Rules) on January 3, 2025, for public consultation, with the deadline for feedback set for February 18, 2025. These Draft Rules offer a glimpse into the regulatory expectations for organisations and highlight several key features and challenges.

Read more about India DPDP Act 2023 Digital Personal Data Protection Act 2023 Bare Act (SECURED)

Breakdown of the Draft Rules

Phased Implementation: The Draft Rules propose a phased timeline for implementation. Provisions related to the Data Protection Board (DPB) will be activated upon official notification, while core operational requirements, such as consent mechanisms and security measures, will follow later. This staggered approach aims to provide businesses sufficient time to align their operations with the new framework, although clarity on specific timelines remains crucial.

Consent Mechanisms: Under Rule 3, businesses must issue standalone, clear notices detailing how personal data will be handled. These notices must specify the types of data collected, the purpose of processing, and the outcomes enabled. They should also include links to withdrawal mechanisms and grievance redressal procedures, ensuring transparency and user empowerment.

Consent Managers (CM): Rule 4 introduces Consent Managers, entities that enable users to give, review, and withdraw consent for data processing. These managers must operate independently and register with the DPB, adhering to strict conditions to avoid conflicts of interest.

Government Data Processing: Government organizations are allowed to process personal data for delivering subsidies, benefits, and services. Such processing must be lawful, necessary, and secure, with provisions to inform individuals about how their data is used. Consent or legal authorization is required to process such data.

Security Measures: Data fiduciaries (DFs) are required to adopt robust security safeguards, including encryption and access controls. These measures must be contractually reinforced with data processors, necessitating a review of existing agreements to clearly define roles and responsibilities.

Data Breach Reporting: Rule 7 mandates that DFs notify affected individuals and the DPB immediately upon becoming aware of a data breach. Within 72 hours, they must provide detailed reports on the breach’s extent, impact, and containment measures. However, this requirement may lead to over-reporting, overwhelming authorities and causing unnecessary panic among users.

Data Retention: Certain fiduciaries, such as social media and e-commerce platforms, must erase personal data after three years unless required for legal compliance. Users must be notified 48 hours before such erasures, ensuring transparency and adherence to purpose limitation.

Children’s Data Processing: To process children’s data, fiduciaries must verify parental consent using reliable mechanisms, including digital tokens. Exemptions exist for essential services like healthcare and education. However, concerns about broad-based age verification remain.

Significant Data Fiduciaries (SDF): SDFs face additional obligations, such as annual Data Protection Impact Assessments (DPIAs), audits, and algorithm verification to ensure rights protection. These requirements, while essential, may impose a heavy compliance burden, particularly on smaller organizations.

Cross-Border Data Transfers: While the DPDP Act allows data transfers to most countries, Rule 12(4) introduces the possibility of data localization for specific categories. This reopens debates about the practicality and cost of storing data exclusively in India.

The DPB and Appeals Process: The DPB will oversee compliance and grievance resolution. A digital-first approach ensures that complaints can be filed and resolved online. Aggrieved parties can appeal DPB decisions through an Appellate Tribunal, which operates under the principles of natural justice.

Government Oversight and Exemptions: The government retains the power to requisition information from fiduciaries for specified purposes. Additionally, exemptions exist for data processing related to research and public policy, provided standards for lawful use and data governance are met.

Balancing Regulation and Innovation

The Draft Rules reflect India’s ambition to create a global benchmark for data protection. They balance the need for regulation with the imperatives of fostering innovation. For instance, age tokens offer a privacy-preserving approach to age verification, showcasing a progressive model. The framework’s graded responsibilities cater to startups by reducing compliance burdens, while imposing stricter obligations on SDFs.

Moving Forward

Stakeholder engagement remains pivotal. Public consultation and feedback will help refine the rules, ensuring they address operational concerns while maintaining robust data protection standards. Awareness campaigns are planned to educate citizens about their rights and responsibilities, fostering a culture of data responsibility.

Through the DPDP Act and its accompanying Draft Rules, India is poised to establish a forward-looking data governance model. The framework’s digital-first approach underscores the nation’s commitment to protecting personal data while enabling economic growth in a rapidly digitizing world.

Read more about India Draft DPDP Act 2023 Rules: Draft Digital Personal Data Protection Rules, 2025 (English)

Read more about the Explanatory Note: Explanatory Note DPDP Rules 2025

We at Data Secure (www.datasecure.ind.in) can help you to understand EU GDPR and its ramifications and design a solution to meet compliance and the regulatory framework of EU GDPR and avoid potentially costly fines.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading the various Global Privacy Laws, kindly visit the Resources page on DPO India.