India’s Draft Data Protection Rules: Key Developments

Syllabus:

GS-2:

Government Policies & Interventions

GS-3:

E-Governance, IT & Computers

Focus:

India’s Ministry of Electronics and Information Technology (MeitY) released the much-awaited Draft Digital Personal Data Protection (DPDP) Rules on January 3, 2025. This follows the passage of the DPDP Act, 2023, moving India closer to safeguarding digital personal data while balancing business needs and privacy concerns.

Key Points about the Draft DPDP Rules, 2025:

  • Operationalizing the DPDP Act, 2023: Aims to protect citizens’ digital data while supporting India’s digital economy.
  • Data Transfer: Allows certain personal data transfers outside India with government approval.
  • Citizens’ Rights: Grants citizens the right to data erasure, nomination, and easy management of their data.
  • Data Erasure: Retention allowed up to three years; data fiduciaries must notify users 48 hours before erasure.
  • Digital-First Approach: Establishes the Data Protection Board of India (DPBI) for online grievances and consent mechanisms.
  • Graded Responsibilities: MSMEs have lower compliance burdens; significant data fiduciaries have higher obligations.
  • Consent Managers: Manage user consent for data privacy, with strict financial requirements.
  • DPBI: A regulatory body with civil court powers to address data breaches.

Salient Features of the DPDP Act, 2023:

  • Right to Data Protection: Empowers individuals to control their personal data, with rights to access, correction, and erasure.
  • Data Processing and Consent: Explicit consent is required for data processing.
  • Data Localisation: Sensitive data must be stored and processed within India.
  • Regulatory Authority: Establishes the DPBI to handle compliance and grievances.
  • Data Breach Notification: Organizations must notify individuals and the DPBI of data breaches.
  • Fines and Penalties: Imposes strict penalties for non-compliance.

Introduction: India’s Digital Personal Data Protection (DPDP) Rules

  • Draft DPDP Rules released by the Ministry of Electronics and Information Technology (MeitY) on January 3, 2025.
  • This marks a key step in India’s regulation of digital personal data, following the passage of the DPDP Act, 2023.
  • A departure from the earlier Personal Data Protection Bill, which faced criticism for being overly restrictive and hostile to industry interests.
  • Principles-based approach of the draft rules received a positive response from businesses and media.

Key Strengths of the DPDP Rules

Pragmatism and Flexibility

  • The draft rules provide a principles-based framework for notice and consent, as opposed to the cumbersome requirements of the GDPR (General Data Protection Regulation).
  • Focus on simplicity and clarity, helping to reduce issues like consent fatigue.
  • Unlike the GDPR, India’s rules avoid dictating specific processes for businesses and allow business autonomy in how they design apps and websites.

Empowering Users Without Burdensome Complexity

  • Outcomes-focused rather than prescriptive, empowering users without drowning businesses in complexity.
  • GDPR mandates strict guidelines for how entities should provide information, while India’s rules only require the publication of relevant information on apps and websites.

Handling Children’s Data

  • Stricter protection for children’s personal data.
  • Exceptions for educational institutions, mental health establishments, and child-care centres in certain cases like behavioral monitoring and tracking for tailored interventions.

Challenges and Concerns:

Data Localization and Cross-Border Data Flow

  • The draft rules introduce restrictions on cross-border data flows, adding complexity and ambiguity.
  • Data localization provisions could affect large enterprises, with potential localization mandates that exceed the original scope of the legislation.
  • Risk of regulatory arbitrage if smaller entities exploit relaxed rules.
  • Narrower sectoral approaches, like the Reserve Bank of India’s 2018 mandate for financial data localization, could prove more effective.

Ambiguities Around Business Data and User Requests

  • The rules neither address scenarios where businesses receive excessive information requests nor provide clarity on reasonable fees for these requests.
  • Government access to sensitive business data raises concerns about trade secrets and protection from competitors.

Gaps and Areas Needing Further Clarity

  • The DPDP rules lack clarity regarding user verification for data processing requests and the potential access of sensitive business data by the government.
  • Data protection compliance is essential to avoid data breaches, which cost Indian businesses an average of ₹19.5 crore ($2.35 million) in 2024.
  • Procedural integrity in safeguarding trade secrets and sensitive information is not fully addressed.

Future Considerations and Improvements:

Moving Beyond Notice-and-Consent Models

  • The notice-and-consent framework, originating from the medical profession, is increasingly ineffective in environments like malls, airports, and beaches where individuals have little opportunity to provide consent.
  • Internet of Things (IoT), 5G, and artificial intelligence (AI) are facilitating unprecedented data collection and raise new privacy concerns.

Flexibility in Future Laws

  • India must design privacy frameworks that do not solely depend on consent but also consider new mechanisms for privacy protection.
  • Public consultations should refine the draft rules, focusing on maintaining flexibility and industry-specific accommodations to ensure a balance between innovation, economic growth, and individual rights.

Conclusion

  • India’s DPDP rules mark significant progress but need fine-tuning to address gaps in data localization, business data protection, and cross-border data flow.
  • As data breaches continue to escalate, ensuring strong compliance will safeguard business reputation and continuity.

Source: The Hindu

Mains Practice Question:

Critically examine the Draft Digital Personal Data Protection (DPDP) Rules released by India. How do they differ from the European Union’s GDPR, and what are their strengths and weaknesses in protecting citizens’ privacy while ensuring business continuity? Discuss the implications for cross-border data flows and localization.

Associated Article:

https://universalinstitutions.com/draft-digital-personal-data-protection-rules-2025-unveiled