Draft Digital Personal Data Protection Rules, 2025

Context: The Ministry of Electronics and Information Technology published the Draft Digital Personal Data Protection Rules, 2025 on January 3, 2025 for public consultation. The Draft Rules have evoked a mixed response, with criticism that the rules might go against the concept of privacy.

Relevance of the Topic: Prelims: Right to Privacy; Digital Personal Data Protection Act, 2023; Draft Digital Personal Data Protection Rules, 2025. 

Right to Privacy in India

  • Justice K.S. Puttaswamy vs. Union of India Case, 2017: In this landmark case, the Supreme Court held that the Right to Privacy is a distinct and independent Fundamental Right under Article 21 of the Indian Constitution.
  • Privacy is essential to the dignity and autonomy of individuals; the Right ensures protection from state overreach.
  • The SC held that the Right to Privacy was not absolute in nature. It may be restricted, but such restrictions must meet the three-fold requirement, to ensure that the restrictions are not arbitrary or excessive.
    • Legality (Restrictions on privacy must be backed by an existing law. A mere Executive order or arbitrary action is insufficient).
    • Need (Restrictions must serve a legitimate purpose of the state).
    • Proportionality (Restrictions must not be excessive or disproportionate to the objective sought).

Digital Personal Data Protection Act, 2023

  • The Digital Personal Data Protection Act received Presidential assent in August 2023.
  • Need: Digitisation using the personal data of individuals has transformed the delivery of services, enhancing ease of living, but such data is also increasingly at risk of misuse. Therefore, it is imperative that digitised personal data be protected.
  • The DPDP Act, 2023 obligates data fiduciaries to protect personal data and makes them accountable.
    • Digital platforms can collect only the data required for their functioning and for providing the services that users have opted for.
    • E.g., users will not have to grant microphone or contact access to use a torch app on their mobile phone.
  • The Act has provisions to impose penalties of up to ₹250 crore on data fiduciaries. It provides for graded financial penalties in case of violation of the Act and the rules.

Key Terms:

  • Data Principal: The individual to whom the personal data belongs.
  • Data Fiduciary: Entities such as social media platforms, e-commerce companies and online gaming platforms, etc. that collect and process an individual's personal data. They can use such data only after the individual's consent for specified purposes.
  • Significant data fiduciaries: Digital platforms with a large number of users such as Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, etc.

Draft Digital Personal Data Protection Rules, 2025:

  • Aim: To operationalise the Digital Personal Data Protection Act, 2023 and ensure robust protection and privacy of personal data in the digital realm. 

Notable provisions of the Draft Rules are mentioned below:

1. Notice for Consent: 

  • To obtain informed consent from a Data Principal, a Data Fiduciary must provide the Data Principal with a clear and standalone notice outlining what data is to be collected, the purpose of the processing, and how consent can be withdrawn.

2. Consent Managers and Rights of Data Principals: 

  • Defined under the DPDP Act, a Consent Manager is registered with the Data Protection Board and serves as a single point of contact for Data Principals to give, manage, review, and withdraw consent through a transparent and secure platform.
  • Data Fiduciaries and Consent Managers must clearly publish on their website or app the process for Data Principals to exercise their rights under the Act, including the right to request access to or deletion of their personal data.

3. Security Safeguards: 

  • Data Fiduciaries must implement adequate security measures to protect personal data, such as encryption, access control, monitoring for unauthorised access, and data backups.
  • Contracts between Data Fiduciaries and Data Processors must also ensure that security measures are in place to prevent data breaches.

4. Data Breach Notification: 

  • In the event of a breach, Data Fiduciaries must promptly notify affected Data Principals, with an explanation of the nature, extent, and timing of the breach.
  • Within 72 hours, Data Fiduciaries must additionally notify the Data Protection Board of the breach.

5. Data Retention: 

  • Certain e-commerce entities, online gaming intermediaries, and social media platforms with a significant number of registered users in India must delete personal data within a specified period of time, unless the user actively maintains their account. 
  • Generally, these entities may only retain personal data for up to three years from the date of a user’s last interaction.

6. Processing Personal Data Of Children: 

  • A Data Fiduciary is required to adopt technical and organisational measures to ensure verifiable consent of parents is obtained for processing the personal data of a child.
  • Certain Data Fiduciaries, such as healthcare providers or educational institutions, may be exempt from specific obligations, under defined conditions.

7. Data Protection Impact Assessments (DPIAs): 

  • If the Central Government identifies an entity as a Significant Data Fiduciary based on certain enumerated factors (including volume and sensitivity of data), that entity must conduct annual DPIAs to assess risks associated with its data processing activities.

8. Cross-Border Data Transfers:

  • The rules provide for the transfer of personal data outside India, but only of certain as approved by the government from time to time.
  • The draft rules envisage a committee that may recommend restrictions on such transfer by a significant data fiduciary with respect to specified personal data.

9. Penalty provisions:

  • The draft rules do not elaborate on the penalty but spell out a mechanism to set up a Data Protection Board that will levy penalties based on the nature of the breach as listed in the DPDP Act 2023.

UPSC PYQ 2018

Q. Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement?

(a)    Article 14 and the provisions under the 42nd Amendment to the Constitution

(b)    Article 17 and the Directive Principles of State Policy in Part IV

(c)    Article 21 and the freedoms guaranteed in Part III

(d)    Article 24 and the provisions under the 44th Amendment to the Constitution

Answer: (c)
