The Union government has released the draft Digital Personal Data Protection (DPDP) Rules, 2025, last week, which will enforce provisions of the Digital Personal Data Protection Act, 2023. Here is a full explainer of the draft DPDP rules 2025:
What Is The Draft Digital Personal Data Protection Rules 2025?
The Digital Personal Data Protection (DPDP) Rules 2025 drafted by the government outlines the manner of implementation of Digital Personal Data Protection Act of 2023. Rules are established to operationalize Acts that have been passed by the parliament.
The draft rules are open for public feedback for 45 days until 18 February, 2025, and citizens can submit their comments on the MyGov website.
The rules specify the nature of the notice that data fiduciaries must provide users when collecting their data: what data they’re collecting, why they’re collecting it, and “a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of the personal data”.
The draft rules have clarified the process to be undertaken for processing data of children where entities are required to adopt technical and organizational measures to ensure that verifiable consent of parents is obtained for processing the personal data for child.
What Is The Digital Personal Data Protection Act?
The Lower House passed the Digital Personal Data Protection Bill 2023 on August 7, 2023, after it was introduced in the Lok Sabha on August 3, 2023.
Thereafter, on August 9, it was presented to the Rajya Sabha and approved on the same day. On August 11 it was approved by the President and became the Digital Personal Data Protection Act 2023.
Need For The DPDP Act
Although digitization using individual’s personal data has revolutionized service delivery and improved living standards, it is also becoming more and more vulnerable to abuse. As a result, protecting digital personal data has become essential.
Data fiduciaries are held accountable and required to protect personal data by the DPDP Act 2023. Digital platforms are unable to gather only information necessary to operate and deliver services that consumers have chosen. For instance, a person can utilize a torch app on their phone without granting access to a microphone or contact.
In What Ways Would The DPDP Act 2023 Benefit Individuals?
The Act permits digital platforms to process personal data with consent.
This implies that digital platforms must notify users and obtain their agreement in either English or any of the 22 languages specified in the Constitution, depending on the user’s preferred language.
Additionally, they must inform their users of the web connections that allow them to exercise their rights to withdraw consent, seek information about how their data is processed, update and erase their data, file a grievance, nominate someone, and file a complaint with the DPB.
Consent managers, a separate digital platform run by a different organization, may also be used by the digital platform to gather consent.
Who Are Consent Managers?
The Reserve Bank of India (RBI) has established an account aggregator architecture that allows apps such as Finvu, OneMoney, CAMS Finserv, and others to communicate financial data with one other with permission and for designated uses.
A Health Information Exchange has also been established by the National Health Authority of India, enabling citizens to safely access and exchange their medical records while guaranteeing that informed consent drives data interchange. These sites could serve as consent managers if the DPB gives their approval.
Who Are Data Fiduciaries?
Data fiduciaries are organizations that gather and handle a person’s personal information, such as social media sites, online retailers, gaming platforms, etc. They can only use such data for specific reasons with the individual’s agreement.
Large-scale digital platforms like Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, and others will be considered important data custodians.
Children’s Data
Prior to processing any child’s personal data, the regulations provide that “appropriate technical and organizational measures [must be adopted] to ensure that verifiable consent of the parent is obtained.”
Will The Act Aid In Combating Unsolicited Calls?
Indeed. Citizens may also take action under the DPDP Act 2023, even though the Telecom Regulatory Authority of India (TRAI) has issued regulations for dealing with spam or annoying calls. Entities found to be processing personal data without authorization in breach of the Act may be subject to a financial penalty from the DPB.
How Can People File Complaints?
The DPB will operate as an online office. It will function via an app and digital platform, allowing residents to contact it virtually and have their grievances resolved without having to be there in person.
For this, the government has set up the complete digital platform, the full digital framework, and all of the procedures.
What Are The DPDP Act 2025’s Punishment Provisions?
The draft regulations provide a procedure for establishing a DPB that will impose fines in accordance with the type of violation specified in the DPDP Act 2023, but they do not go into detail on the penalty.
Data fiduciaries may face fines of up to Rs 250 crore under the DPDP Act 2023. Graded financial penalties are provided under the Act in the event that the regulations and the Act are broken.
The type, severity, length, repetition, efforts to prevent a breach, and other factors will determine the amount of the penalty. Furthermore, the Act and its regulations impose greater requirements on big data fiduciaries, whereas startups are expected to face less of a compliance burden.
Additionally, the data fiduciary may voluntarily submit an undertaking to the Data Protection Board at any point during the proceedings; if approved, this would lead to the proceedings being dropped.
When Will The Regulations Go Into Effect?
Following the current consultation process during the monsoon session, the final rules will be presented to Parliament. The government may then take about two years to put the DPDP Act 2023 into effect. Until then, all consent managers and digital businesses will have time to review and implement mechanisms that comply with the Act.
What Are The Exemptions?
The DPDP Act’s requirements are subject to a few exceptions, such as carrying out legal judicial and regulatory duties, enforcing legal rights and claims, preventing, discovering, investigating, or prosecuting any offenses, identifying defaulters and their financial assets, etc.
Some data fiduciaries, such as startups and research projects, are excluded from this rule.
Will Those Without Access To Digital Technology Benefit From The DPDP Act 2023?
Indeed. If someone without access to digital technology is affected by the misuse of his personal information, they have the same options as everyone else with digital connections.
Regardless of whether they have access to digital technology or not, both categories of people have the same recourse under the DPDP Act 2023.
How Long Does It Take To File A Complaint?
As of right now, the DPDP Act 2023 has no deadline for complaints.
Read Also: India To Mandate Parents’ Consent For Children Below 18 Joining Social Media: Draft Rules