Draft Digital Personal Data Protection Rules, 2025 | 09 Jan 2025

Source: PIB 

Why in News? 

Recently, the Ministry of Electronics & IT has released draft Digital Personal Data Protection (DPDP) Rules, 2025 intended to safeguard citizens' right to protect their personal data. 

What are the Key Points about the Draft DPDP Rules, 2025? 

  • About: It is a set of rules that operationalize the Digital Personal Data Protection Act (DPDP Act), 2023, to protect citizens' digital personal data while fostering India’s digital economy and innovation. 
  • Data Transfer: The rules allow the transfer of certain personal data outside India, as approved by the government. 
  • Citizens at the Core: Citizens are granted rights to demand data erasure, appoint digital nominees, and have user-friendly mechanisms to manage their data by Data Fiduciaries. 
    • Entities such as social media platforms, e-commerce companies and online gaming platforms, etc, that collect and process an individual's personal data are data fiduciaries. 
  • Data Erasure: Data retention is allowed for up to three years from the last interaction with the Data Principal (Users) or the effective date of the rules, whichever is later. 
    • The Data Fiduciary must notify the Data Principal at least 48 hours before erasure. 
  • Digital-First Approach: The rules also prescribe a "digital by design" Data Protection Board of India (DPBI) for consent mechanisms and grievance redressal, for faster resolution of complaints and grievances online.  
  • Graded Responsibilities: Graded responsibilities cater to startups and MSMEs with lower compliance burden, while Significant Data Fiduciaries have higher obligations.  
    • Digital platforms with a large number of users such as Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, etc, will qualify as significant data fiduciaries. 
  • Consent Managers: The digital platform may also collect consent through consent managers. 
    • A Consent Manager handles the collection, storage, and use of user consent, mainly for data privacy and digital interactions. 
    • Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees.   
  • DPBI: Draft rules have spelt out a framework for setting up the DPBI that will have civil court powers for personal data breach complaints.

Note: In 2011, the Justice AP Shah Committee recommended privacy legislation, and in 2017, the Supreme Court, in the case of Justice KS Puttaswamy (Retd) vs Union of India, recognized privacy as a fundamental right. 

What are the Salient Features of the DPDP Act, 2023? 

  • Right to Data Protection: Empowers individuals to control their personal data, including rights to access, correction, and erasure. 
  • Data Processing and Consent: Requires explicit consent for data processing, with clear consent forms. 
  • Data Localisation: Sensitive data must be stored and processed within India for security and enforcement. 
  • Regulatory Authority: Establishes the DPBI for compliance and grievance handling. 
  • Data Breach Notification: Organisations must notify individuals and the DPBI of data breaches. 
  • Fines and Penalties: Strict penalties for non-compliance to enforce data protection standards. 

UPSC Civil Services Examination, Previous Year Question (PYQ) 

Prelims

Q. ‘Right to Privacy’ is protected under which Article of the Constitution of India? 

(a) Article 15 

(b) Article 19 

(c) Article 21 

(d) Article 29 

Ans: (c) 

Q. Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement? (2018)

(a) Article 14 and the provisions under the 42ndAmendment to the Constitution. 

(b) Article 17 and the Directive Principles of State Policy in Part IV. 

(c) Article 21 and the freedoms guaranteed in Part III. 

(d) Article 24 and the provisions under the 44thAmendment to the Constitution. 

Ans: (c)