India releases draft rules to implement the Digital Personal Data Protection Act, 2023, focusing on user consent, data security, and governance.
The Ministry of Electronics and Information Technology (MeitY) has unveiled the Draft Digital Personal Data Protection Rules, 2025, marking a significant step towards enforcing the Digital Personal Data Protection Act, 2023. These rules aim to establish a robust framework for processing digital personal data, balancing individual privacy rights with lawful data processing needs.
Key Provisions of the Draft Rules
- Data Fiduciary Obligations
Data Fiduciaries—entities responsible for processing personal data—are required to provide clear and concise notices to individuals (Data Principals) before collecting their data. These notices must detail the specific personal data being collected and the explicit purposes for processing, ensuring transparency and informed consent.
- Consent Management
The draft rules introduce the role of Consent Managers, who will be registered entities responsible for obtaining, managing, and withdrawing consent on behalf of Data Principals. This framework empowers individuals to have greater control over their personal data and its usage.
- Data Processing by the State
Provisions are included to allow the processing of personal data by the State for issuing subsidies, benefits, and services. This ensures that governmental functions can be performed efficiently while adhering to data protection standards.
- Security Safeguards and Breach Notifications
Data Fiduciaries must implement reasonable security measures to protect personal data. In the event of a data breach, they are obligated to inform affected individuals promptly, providing details about the breach and measures taken to mitigate risks.
- Rights of Individuals
The draft rules outline the rights of Data Principals, including access to their data, correction or erasure of inaccurate data, and the ability to withdraw consent. These provisions aim to empower individuals in managing their personal information.
- Special Provisions for Children and Persons with Disabilities
Additional safeguards are proposed for processing the personal data of children and individuals with disabilities, ensuring their data is handled with the utmost care and protection.
- Establishment of the Data Protection Board
The draft rules propose the creation of a Data Protection Board responsible for adjudicating disputes related to data protection. The Board will function as a digital office, streamlining processes and ensuring efficient governance.
Public Consultation and Feedback
MeitY has invited feedback from stakeholders on the draft rules until February 18, 2025. The draft rules and explanatory notes are available on the Ministry’s website, encouraging public participation in shaping the final regulations.
Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. This does not constitute a personal recommendation/investment advice. It does not aim to influence any individual or entity to make investment decisions. Recipients should conduct their own research and assessments to form an independent opinion about investment decisions.
Investments in the securities market are subject to market risks, read all the related documents carefully before investing.
