The Digital Personal Data Protection (DPDP) Rules, 2025 were notified this week, initiating the Data Protection Board of India (DPBI) formation and a legal framework for online data protection.
The DPDP Act, 2023, passed in August 2023, establishes guidelines for companies ("data fiduciaries") on handling user data ("data principals") in India.
The Act mandates informed consent, user rights to erase or modify data, and data deletion after inactivity, with fines for non-compliance ranging from ₹10,000 to ₹250 crore.
An amendment to the Right to Information Act, 2005, now in force, has sparked controversy for potentially limiting access to public information in the public interest.
Detailed Insights:
The DPDP Act, 2023 is modeled after data protection regimes like Europe’s GDPR and Singapore’s Personal Data Protection Act, 2012, setting baselines for data handling, including access control, encryption, and security audits.
Data fiduciaries must obtain informed consent from users, providing a summary of collected data and its intended use, while users gain rights to modify or delete their data.
The framework includes a "Consent Manager" to enable users to manage their data across multiple platforms, similar to smartphone permission settings, enhancing user control.
While the Act was notified over two years ago, the MeitY is allowing firms up to 18 months for compliance, with some requirements like appointing a Data Protection Officer (DPO) taking effect in one year.
The DPBI, a subordinate office of MeitY with four members, will oversee the Act's implementation, while the amendment to the Right to Information Act, 2005 is now in effect.
The amendment to Section 8(1)(j) of the Right to Information Act, 2005 removes the public interest carve-out, potentially restricting citizens' access to public records and hindering social audits.
Key Concepts Involved:
Data Fiduciary: An entity that processes personal data.
Data Principal: The individual to whom the personal data relates.
Informed Consent: Agreement given by a user after understanding how their data will be used.
Data Protection Officer (DPO): An individual responsible for overseeing data protection compliance within an organization.