The Indian government has submitted a draft of the Digital Personal Data Protection (DPDP) Rules, with the aim of bolstering data privacy and security throughout the country. These rules are aimed at enforcing the Digital Personal Data Protection Act, 2023, which was enacted on November 18, 2022, and gives citizens greater authority over their data. Key provisions include the right to request data erasure, to access certain data held by others, and to control data consent using user-friendly tools.
The new guidelines will place an obligation on companies in India to secure personal data through appropriate measures. This involves using encryption, implementing access controls, performing data saving activities on a regular basis, and retaining data. Further, businesses are required to set up centralized mechanisms for breach detection and to send a detailed report to the DPB within 72 hours of a breach. Non-compliance with these requirements would attract severe penalties, including the possibility of a fine of ₹250 crore (about $30 million) or $250 million.
Furthermore, the DPDP Rules will set conditions for the transfer of personal data outside India. A specialized committee would then determine those conditions and the types of data that must remain in India.
The same set of rules sets forth safeguards for data collection by government agencies, requiring that such processes be lawful and transparent. Data processing by Indian government agencies will additionally have to comply with the standards and policies established by law.
Penalties and Accountability
For the misuse of personal data or the failure to meet data protection and breach reporting requirements, organizations will face hefty financial penalties. The draft rules state that penalties for failure will reach as high as ₹250 crore. Companies would also be required to display the contact information of a Data Protection Officer (DPO) on their platforms.
Public Consultation and Feedback
The Ministry of Electronics and Information Technology (MeitY) invites views from the public on the draft up to February 18, 2025. The public consultation is intended to make the draft comprehensive and effective in securing citizens’ privacy and data. The feedback collected at this stage will be evaluated before the final regulations come into effect.
Completion of Previous Initiatives
The introduction of the DPDP Rules also coincides with the very recent announcement of the Telecommunications (Telecom Cyber Security) Rules, 2024, which give effect to the Telecommunications Act, 2023, and are meant to secure communication networks and institute stringent data breach reporting protocols. Under those regulations, telecommunications companies will have to report any security incident affecting their network within six hours and submit further details within 24 hours of reporting that incident. Telecom companies are also obliged to appoint a Chief Telecommunication Security Officer (CTSO), who has to be an Indian citizen and resident, to oversee the network security of their services.
These rules have drawn a lot of applause for comprehensively addressing pressing issues within the ambit of cybersecurity legislation, but they have also drawn sharp criticism. The Internet Freedom Foundation (IFF) raised concern over the very broad language used in some provisions of the draft; in particular, the definition of “traffic data” was excluded, leaving it liable to misuse.
Conclusion
The DPDP Rules are indeed one of the most historic milestones on India’s path toward digital privacy protection and toward addressing concerns about the misuse and security of data. The government has deliberately framed rules on transparency and user rights, along with stringent security requirements, with the ultimate aim of developing an increasingly safe digital environment for every citizen. As consultation progresses, bilateral agreements are likely to carry distinct consequences for businesses operating in India, especially those working with highly sensitive personal data.