Introduction
The draft Digital Personal Data Protection Rules aim to safeguard citizens’ rights for the protection of their personal data. These rules seek to operationalize the Digital Personal Data Protection Act, 2023 (DPDP Act), in line with India’s commitment to create a robust framework for protecting digital personal data.
Framed with simplicity and clarity, the rules are designed to empower citizens in a rapidly growing digital economy. They seek to protect citizens’ rights in accordance with the DPDP Act, while achieving the right balance between regulation and innovation, so that the benefits of India’s growing innovation ecosystem are available to all citizens and India’s digital economy. They also address specific challenges like unauthorised commercial use of data, digital harms and personal data breaches.ey features
Key features
The rules place citizens at the heart of the data protection framework. Data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.
The rules empower citizens by giving them greater control over their data. Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms. Parents and guardians are empowered to ensure online safety for their children.Balance between innovation and regulation
Balance between innovation and regulation
India’s model strikes a unique balance between fostering innovation and regulation to protect personal data. Unlike restrictive global frameworks, these rules encourage economic growth while prioritizing citizen welfare. Stakeholders view this as a new global template for data governance.
The framework envisages lesser compliance burden for smaller businesses and startups. An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law.Digital-first approach
Digital-first approach
The rules embrace a “digital by design” philosophy. Consent mechanisms, grievance redressal and the functioning of the Data Protection Board are all envisaged as “born digital”, to ensure Ease of Living and Ease of Doing Business. The Board will function as a digital office, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.
From processing complaints to interacting with Data Fiduciaries, workflows are optimised to ensure speed and transparency. This reflects India’s forward-looking approach to governance and builds trust between citizens and Data Fiduciaries.
Addressing stakeholder concerns
Businesses benefit from a pragmatic framework. Graded responsibilities cater to startups and MSMEs with lower compliance burden, while Significant Data Fiduciaries have higher obligations. Sector-specific data protection measures can complement the core personal data protection framework created by the Act and the rules.
The Data Protection Board’s digital office approach would ensure quick and transparent resolution of complaints. The Board is required to take into consideration factors such as the nature and gravity of default, efforts made to mitigate impact, etc., while imposing penalties for defaults. Further, Data Fiduciaries may voluntarily give undertakings at any stage of proceedings, which if accepted by the Board would result in dropping of the same. This balances the need to protect the rights of citizens, while providing a fair adjudicatory framework for those processing personal data.
Provisions for annual data protection impact assessments and audits for Significant Data Fiduciaries ensure effective arrangements to secure compliance.
Inclusive approach
The draft rules are based on wide ranging inputs gathered from various stakeholders and study of global best practices. They are grounded in the principles enshrined in the DPDP Act. The Ministry of Electronics and Information Technology has invited feedback/comments from the public and stakeholders till 18.02.2025 through MyGov platform, in line with the Government’s commitment to adopt an inclusive approach to law-making.
Awareness initiatives
Recognizing the importance of citizen engagement, the government plans a comprehensive awareness campaign. These initiatives will educate citizens about their rights and responsibilities under the new framework, fostering a culture of data responsibility.
Through these rules, India demonstrates leadership in shaping an equitable digital future. The draft rules are a testament to India’s commitment to ensuring protection of digital personal data of citizens while securing innovation-driven and inclusive growth.
Important Links
DT/KS
