Why in the News?

The Centre has notified major provisions of the Digital Personal Data Protection (DPDP) Act, 2023 under the DPDP Rules, 2025, operationalising India’s first comprehensive digital privacy law. The notification is a major shift from years of unregulated data collection where companies faced minimal obligations for consent, breach reporting, or user rights.

Key Features of the DPDP Rules, 2025:

• Phased Compliance: All entities receive 18 months; full compliance by May 2027 for large entities and SDFs.
• Consent Management: Consent must be explicit, purpose-specific, and revocable, managed through licensed Consent Managers (Indian-registered entities).
• Protection for Children & Persons with Disabilities: Requires verifiable parental consent for minors and lawful guardian consent for persons unable to provide consent.
• Transparency Obligations: Data Fiduciaries must publish Data Protection Officer (DPO) details and respond to access/deletion requests within 90 days.
• DPBI: Fully digital grievance-redressal and enforcement body monitoring compliance and imposing penalties.
• Enhanced Oversight for SDFs: Includes regular audits, data protection impact assessments, and appointment of independent DPOs.
• Exemptions: For activities related to national security, judiciary, law enforcement, and academic/statistical research.
• Cross-Border Transfers: Allowed under approved conditions; data localisation can be required for national interest.

What Counts as Personal Data and Who Can Process It

1. Digital Personal Data: Covers only digital data, including digitised versions of non-digital inputs.
2. Specified Categories: Government will determine kinds of data that can be processed by “significant data fiduciaries”, entities requiring higher safeguards due to volume/sensitivity.
3. Cross-border Transfer Rules: Transfers to certain jurisdictions may be restricted, with details notified separately.

Breach Reporting, Accountability and Penalties

1. Breach Notification Requirement: Mandatory reporting of personal data breaches to individuals and the Data Protection Board of India (DPBI).
2. Penalty Regime: Fines can go as high as ₹250 crore for inadequate safeguards, making the Act one of the strongest deterrent frameworks in India
3. Government Exemptions: Certain exemptions apply to government agencies processing data for national security or other notified purposes.
4. Past Controversies: Previous allegations involving the National Health Authority triggered scrutiny over exemptions, highlighting need for strong safeguards.

Key Concerns and Regulatory Gaps

1. Narrow scope (digital-only coverage): Limits protection by excluding non-digital personal data.
2. Broad government exemptions: Allows wide-ranging State access without strong necessity-proportionality safeguards.
3. Lack of independent regulator: Data Protection Board remains executive-controlled, reducing autonomy and accountability.
4. Vague “legitimate use” clauses: Enables processing without consent under broadly defined categories.
5. Weak child data safeguards: No explicit bar on profiling or behavioural targeting despite mandatory parental consent.
6. Uniform obligations for all fiduciaries: Absence of sensitive data classification under-protects high-risk sectors.
7. Unclear cross-border data transfer norms: Pending notifications create uncertainty for global data operations.
8. Delayed enforcement timeline: 12-18 month rollout slows effective protection and compliance.

Way Forward

1. Independent oversight mechanism: Reform Board appointments to ensure autonomy similar to global regulators.
2. Narrower exemptions with safeguards: Introduce necessity, proportionality, and audit requirements for government agencies.
3. Clearer child protection standards: Explicitly prohibit profiling, targeted ads, and manipulative algorithms for minors.
4. Higher safeguards for sensitive data: Introduce tiered protection for health, biometric, and financial data.
5. Transparent cross-border criteria: Notify clear principles for permitted and restricted jurisdictions.
6. Privacy-by-design compliance: Mandate encryption, data minimisation, and privacy impact assessments.
7. Capacity-building and templates: Provide model compliance tools, especially for MSMEs and public agencies.
8. Digital literacy and awareness: Enhance user understanding of consent rights and grievance mechanisms.

What is the Digital Personal Data Protection (DPDP) Act, 2023?

• Overview: India’s first comprehensive digital data protection law, enacted on 11 August 2023, governing how personal data is collected, processed, and stored.
• Seven Core Principles:

1. 1. Lawful Consent
   2. Purpose Limitation
   3. Data Minimisation
   4. Accuracy
   5. Storage Limitation
   6. Security Safeguards
   7. Accountability

• Applicability: Applies to all digital personal data processed in India, and to processors abroad if they offer goods/services to people in India.
• Rights of Data Principals (Individuals): Right to access, correct, update, erase, obtain grievance redressal, and nominate a representative for incapacity or death.
• Obligations of Data Fiduciaries: Must ensure accuracy, prevent misuse, report breaches, erase data after purpose is fulfilled, and maintain security safeguards.
• Significant Data Fiduciaries (SDFs): Must appoint a Data Protection Officer (DPO), conduct independent audits, and prepare Data Protection Impact Assessments (DPIAs).
• Exemptions: For functions involving sovereignty, security of the state, public order, judicial activities, and statistical/research purposes.
• Penalties: Fines up to ₹250 crore for major violations such as breach, unlawful processing, or failure to protect personal data.
• Global Alignment: Creates an Indian framework aligned with global standards such as the European Union General Data Protection Regulation (EU-GDPR), while remaining simpler and business-friendly.

Get an IAS/IPS ranker as your 1: 1 personal mentor for UPSC 2024

Attend Now