The Ministry of Electronics and IT (MeitY) notified the Data Protection Rules, paving the way for India's first privacy law.
The notification comes over two years after the Digital Personal Data Protection Act (DPDP Act) received presidential assent in August 2023.
Key protections like informed consent and data breach notifications will be implemented in 12-18 months.
The Data Protection Board of India (DPB) is now operational, along with amendments to the Right to Information (RTI) Act.
Detailed Insights:
The DPDP Act aims to protect citizens' digital data and ensure responsible data processing by entities.
The DPB will act as the key body to ensure compliance with the law; its head office will be in New Delhi and will have four members.
Data localization requirements mandate that certain personal data processed by significant data fiduciaries remain within India.
Significant data fiduciaries will be determined based on data volume, sensitivity, and potential impact on national interests.
Tech companies must implement mechanisms for obtaining verifiable parental consent before processing children's personal data.
In case of a data breach, data fiduciaries must promptly inform affected individuals about the nature, extent, and consequences of the breach.
The Act has faced scrutiny for granting exemptions to the government and diluting the RTI Act.
Key Concepts Involved:
Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.
Data Principal: The individual to whom the personal data relates.
Data Localization: The practice of storing data on devices that are physically located within the borders of a specific country.
Right to Information (RTI) Act: An Act to provide for setting out the practical regime of right to information for citizens to secure access to information under the control of public authorities.