How The Draft DPDP Rules 2025 Aim To Protect The Data Of Citizens | Explained

Here is an explainer of the draft DPDP 🌳Rules 2025:

What are the draft Digital Personal Data Protection Rules 2025?

The Digital Personal Data Protection (DPDP) Rules 2025 drafted by the government provides for the manner ofꦫ implementation of the Digital Personal Data Protection Act, 2023. Rules are framed to operationalise A꧙cts that have been passed by Parliament.

The draft rules are open for ꧂public comment for 45 🦩days till February 18, 2025, and citizens can submit their comments on the MyGov website.

These rules have spelt out a framework for setting up the Data Protection Board (DPB) -- which will function in digital mode as per th🧜e DPDP🐼 Act 2023.

The rules have clarified the process to be undertaken for processing data of children where entities are required to adopt technical and organisational measures to ensure that verifiable consent of parents is obtained for processing the personal d🍬ata of a child.

The rules provide for the transfer of personal data outside India, but only of certain as approved by the government from 🥀time to time.

The draft rules envisage a committee that may recommend restrictions on such trans🍸fer by a sig☂nificant data fiduciary with respect to specified personal data.

What is the DPDP Act?

The Digital Personal Data Protection Bill 2023 was introduced in the Lok Sabha on August 3, 2023🍌, and was passed in the Lower House on August 7, 2023.

Thereafter, it was introduced in the Rajya Sabha on August 9 and was passed on the same day. It became th꧒e Digital Personal Data Protection Act 2023 after the President's approval on August 11.

What is the need for the DPDP Act?

While digitisation using the personal data of individuals has transformed the delivery of services enhancing ♏ease of living, it is also increasingly at risk of misuse. Therefore, it has become imperative that digitised personal data be protected.

The DPDP Act 2023, obligates data fiduciaries to protect personal data and makes them accountable. Digital platforms cannot collect only those data that are required for theiꦡr functioning and providing services which users have opted for. For example, a user will not have to give a microphone or contact access to use a torch app on their mobile phone.

How will the DPDP Act 2023 help people?

The Act provid⛦es consent-based personal data procꦺessing by digital platforms.

This means digital platforms will have to inform and get consent from people in English or any of the 22 Indian languages listed in the Constitution, in the language of 👍their choice.

They will also have to notify their users of the online links using which they may exercise their rights for withdraw💧ing their consent, obtaining information regarding processing their data, updating and erasure of their data, grievance redressal, nomination and making a complaint to the DPB.

The digital platform may also colle🦄ct consent through consent managers, an independent digital platform oper𒐪ated by a different entity.

Who are consent managers?

The Reserve Bank of India (RBI) has created an account𒀰 aggregator framework under which apps like Finvu, OneMoney, CAMS Finserv, etc, share financial information based on consent and for specific purposes.

The National Health Authority of India has also set up a Health Information Exchange that empowers citizens to securely access and share their health records, ensuring that data exchange is driven 𒆙by informed consent. Such platforms may work as consent managers if they are approved by the DPB.

Who are data fiduciaries?

Entities such as social media platforms, e-commerce companies and online gaming platforms, etc, that collect and process an individual's personal data are data fiduciaries. They can use such data only aft🀅er the individual's consent for specified purposes.

Digital platforms with a large number of users such as Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, etc, will qu💜alify as significant data fiduciaries.

Will the Act help in acting against spam calls?

Yes. While the Telecom Regulatory Authority of India (TRAI) has issued rules for action on spam or pesky calls, citizens can take recourse under the DPDP Act 2023 as well. The DPB can impose a monetary penalty on entities found processing personal data, wiꦉthout consent, in viola🧔tion of the Act.

How can people file complaints?

The DPB will function as a digital office. It will operate through a digital platform and app to enable citizens to approach it digitally and have their complaints adjudicated wꩲithout their physical presence.

The govern🏅ment has prep🤪ared the entire digital framework, the digital platform, and the entire processes for this.

What are the penalty provisions under the DPDP Act 2025?

The draft ruleܫs do not elaborate on the penalty but spell out a mechanism to set up a🤪 DPB that will levy penalties based on the nature of the breach as listed in the DPDP Act 2023.

The DPDP Act 2023 has provisions to impose penalties of up to Rs 250 crore on ܫdata fiduciaries. The Act provides for graded financial penalties in case of violation of the Act and the rules.

The quantum of penalty will depend on the nature, gravity, duration, type, repetitivenes😼s, efforts made to prevent a breach, etc. Further, significant data fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for startups.

Moreover, the data fiduciary may at any st♏age in the proceedings voluntarily give an undertaking to the Data Protection Board, which, if accepted, would result in the dro꧑pping of proceedings.

When will the rules be rolled out?

The final rules will be placed before Parliament after the ongoing consultation process during the monsoon session. Thereafter, the government may take arou♚nd two years to implement the DPDP Act 2023. All digital entities and consent managers will have time till then to check and put systems in place to comply with the Act.

What are the exemptions?

There are few exemptions from the provisions of the DPDP Act -- like performing judicial and regulatory functions under the law; e🐷💟nforcing legal rights and claims; preventing, detecting, investigating or prosecuting any offence; locating defaulters and their financial assets, etc.

There are some exemptions for certain data fiduciaries, including startups andꦰ performing resear♚ch, etc.

Will the DPDP Act 2023 be of help to people who ▨do not have access to di🅰gital technologies?

Yes. In case a persꦇon with no access to digital technology is impacted due🐷 to digital misuse of his personal data or details, the same recourse is available for that person as anyone who is digitally connected.

Under the DPDP Act 2023, the same rဣe🦩course is available to both types of persons, irrespective of their access to digital technologies.

What is the timeline for filing a complaint?

There is no time limit for filing complaints under the DPDP Act 2023 as 🌞of now.