15 November, 2025
Digital Personal Data Protection (DPDP) Rules, 2025
Mon 17 Nov, 2025
Context:
- The Ministry of Electronics and Information Technology (MeitY) has notified the Digital Personal Data Protection (DPDP) Rules, 2025.
Key Points:
- Notified by: Ministry of Electronics and Information Technology (MeitY)
- Basis: These rules provide the framework required to effectively implement the Digital Personal Data Protection Act, 2023.
- Objective: To ensure the protection of digital personal data of Indian citizens and to establish accountability for data-handling entities (Data Fiduciaries).
- Consent & Transparency: Processing of personal data must be based on clear and informed consent.
- Accountability: Data Fiduciaries will be responsible for ensuring data protection.
Key Parties:
- Data Principal: The individual whose personal data is being processed (i.e., user/citizen).
- Data Fiduciary: The entity (company or government body) that determines the purpose and means of processing personal data.
- Data Protection Board of India (DPBI): An independent regulatory and adjudicatory body established under this Act.
Major Provisions of the DPDP Rules, 2025
Consent and Notice:
- Clear Consent Notice: The Data Fiduciary must issue a clear, concise, and understandable notice informing the Data Principal about what personal data is being collected, for what purpose, and how consent may be withdrawn.
- Registration of Consent Managers: These will be Indian companies helping Data Principals manage their permissions. Registration with DPBI will be mandatory.
Protection of Children’s Data:
Special focus has been given to the processing of children's data (under 18 years):
- Verifiable Consent: Before processing a child’s personal data, the Data Fiduciary must obtain verifiable consent from a parent or lawful guardian.
- Prohibited Activities: Children’s data cannot be used for harmful purposes such as behavioural tracking or targeted advertising.
- Limited Exemptions: Exemptions are allowed for essential purposes such as health, education, and real-time safety.
Data Breach Notification:
- Immediate Notification: On becoming aware of a data breach, the Data Fiduciary must immediately inform affected individuals.
- Report to DPB: A detailed report containing the nature of the breach, its potential consequences, and actions taken for mitigation must be submitted to the Data Protection Board within 72 hours.
Rights of Data Principals & Duties of Data Fiduciaries:
- Right to Erasure and Correction: Data Principals may request correction or erasure of their personal data.
- Storage Limitation: Data Fiduciaries must delete personal data once the purpose for which it was collected has been fulfilled (unless retention is required by another law).
– If no activity occurs for three years, the data must be erased, with notice given 48 hours before erasure.
- Grievance Redressal Mechanism: Every Data Fiduciary must publish clear contact details of a designated officer or Data Protection Officer (DPO) for user grievances.
Additional Obligations for Significant Data Fiduciaries (SDFs):
Entities processing large volumes of data must comply with stricter norms:
- Data Protection Impact Assessment (DPIA): Mandatory for SDFs at regular intervals.
- Independent Audit: They must undergo independent audits of their data protection systems.
- Appointment of DPO: A dedicated Data Protection Officer must be appointed.
Formation of the Data Protection Board (DPB):
- Digital Operations: The DPB will function as a fully digital office.
- Online Complaints: Citizens can file complaints and track them via a dedicated digital platform and mobile app, ensuring transparency and efficiency.
Implementation Timeline:
- Immediate Effect: Rules related to the formation of DPB and the appeals process come into effect immediately.
- After 12 months (November 2026):
– Registration and obligations of Consent Managers will apply.
- After 18 months (May 2027):
– Provisions related to consent, notice, data breach reporting, and other core obligations will take effect.
DPDP Act, 2023: Key Highlights
Key Points:
- Passed: By Parliament on 11 August 2023.
- Objective: To create a comprehensive framework for protection of digital personal data in India.
- Basis: In line with the Puttaswamy judgment, which recognised privacy as a fundamental right.
Penalties under the DPDP Act, 2023:
- The Act imposes heavy monetary penalties for non-compliance by a Data Fiduciary.
- Failure to implement reasonable security safeguards may attract penalties up to ₹250 crore.
- Failure to report personal data breaches to the Board or affected individuals, and violations related to children’s data, may attract penalties up to ₹200 crore each.
- Any other violation of the Act or Rules by a Data Fiduciary may result in a penalty up to ₹50 crore.









