The Ministry of Electronics and IT has notified the long awaited data protection rules, moving India closer to a fully functional privacy law. This comes eight years after the Supreme Court recognised privacy as a fundamental right. The rules have been announced over two years after the Digital Personal Data Protection Act received the President’s assent in August 2023.
The law is now active, although only some sections are currently in force. Several key protections for citizens will take more time to be fully implemented. These include requirements for companies to seek informed consent from users before processing their personal data, to use personal data only for specified legitimate purposes, and to inform users about data breaches. These provisions will be enforced after eighteen months.
At present, the most significant element put into effect is the data protection board of India. It will act as the main adjudicatory body to ensure that organisations comply with the law. Another provisions now active is the amendment to the Right to Information Act, which will prevent the disclosure of personal information about public officials even when it serves a larger public interest.
The government has also announced that the data protection board will have four members and will be headquartered in New Delhi. A draft of the data protection rules was issued in January this year.
The Digital Personal Data Protection Rules 2025 state that the Central Government will identify the types of personal data that can be processed by significant data fiduciaries. This will only be allowed if such data and any related traffic data are not transferred outside India. A committee set up by the government will decide which data falls into this category.
An organisation will be classified as a significant data fiduciary depending on the volume and sensitivity of the personal data it handles, and the risks it may pose to the sovereignty and integrity of India, electoral democracy, security, and public order. Major global technology companies such as Meta, Google, Apple, Microsoft, and Amazon are expected to fall under this category.
The rules require technology companies to put in place a system for collecting verifiable parental consent before processing the personal data of children. The government has not proposed a specific method and has instead left it to companies to choose their own systems. This follows concerns raised by social media companies about the challenges in implementing such a provision.
In the case of a data breach, data fiduciaries will have to inform affected individuals without delay. They must share details of the breach including its nature, extent, timing, and location, along with the possible consequences for users and the steps taken to reduce risk. Penalties for failing to implement adequate safeguards could reach up to two hundred and fifty crore rupees.
The Data Protection Act has faced criticism for granting broad exemptions to the government while processing personal data on grounds such as national security, relations with other countries, and public order. It has also been questioned for allegedly weakening the RTI Act.
The rules require data fiduciaries to adopt reasonable security measures to protect personal data. These include encryption, access control, monitoring for unauthorised access, and maintaining data backups.
They must also provide clear and standalone notices to users before processing their data. These notices should include a list of the personal data being collected, a simple explanation of the purpose, and a clear description of the goods or services enabled by such data processing.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.
