The Digital Personal Data Protection Rules, 2025, are a set of regulations formulated to implement the provisions of the Digital Personal Data Protection Act, 2023. These rules aim to provide a robust framework for safeguarding personal data in the digital age, ensuring that the processing of personal data is done with respect to the rights and privacy of individuals.
The draft, open for public feedback until February 18, 2025, outlines strict guidelines for data retention and user privacy.
Advertisements
Key Roles
- Data Fiduciaries:
- Entities or individuals that determine the purpose and means of processing personal data. They are responsible for ensuring data protection and compliance with the regulations.
- Data Principals:
- Individuals whose personal data is being processed. They have the right to access, correct, and delete their data and provide informed consent for its processing.
- Data Protection Board:
- A regulatory authority responsible for overseeing the implementation of the DPDP Act and adjudicating grievances related to data protection.
- Digital Nominees:
- Individuals designated by Data Principals to manage their personal data in the event of death or incapacitation.
Key Provisions
- Data Erasure:
- Inactive Accounts: Companies must delete accounts that are inactive for a certain period. This ensures that old data, which may be vulnerable to breaches, is not retained unnecessarily.
- Deceased Individuals: Companies must also delete accounts of deceased individuals unless a nominee is designated to manage such data.
- Informed Consent:
- Transparency: Data Fiduciaries (entities processing personal data) must provide clear and accessible information about their data processing activities. This enables individuals to make informed decisions about sharing their personal data.
- Consent Management: Consent must be obtained in a manner that is easy to understand, with the option for individuals to withdraw consent at any time.
- Data Localisation:
- Storage within India: Certain categories of personal data, particularly sensitive and critical personal data, must be stored within India. This ensures better control and security over such data, preventing it from being easily accessed by foreign entities.
- Digital Nominees:
- Data Management: Individuals can appoint digital nominees who will have the authority to manage their personal data in the event of their death or incapacitation. This provision ensures continuity and proper handling of personal data posthumously.
- Grievance Redressal:
- Data Protection Board: A dedicated body, the Data Protection Board, will be established to handle grievances related to data protection. This board will operate digitally, allowing citizens to file and resolve complaints online, thereby making the process more efficient and accessible.
Advertisements
Impact Analysis
- Enhanced Privacy:
- The rules significantly enhance the privacy of individuals by ensuring that their personal data is handled with utmost care and only for legitimate purposes. By mandating informed consent and providing individuals with greater control over their data, these rules strengthen the protection of personal privacy.
- Improved Data Security:
- The requirement for data localisation ensures that sensitive and critical personal data is stored within India, thereby enhancing data security. This reduces the risk of data breaches and ensures that data is subject to Indian laws and regulations.
- Accountability and Compliance:
- Data Fiduciaries are held accountable for their data processing activities. They must implement robust data protection measures and comply with the rules to avoid penalties. This promotes a culture of accountability and compliance within organizations.
- Empowerment of Individuals:
- By allowing individuals to appoint digital nominees and providing a transparent grievance redressal mechanism, the rules empower individuals to take control of their personal data and seek redressal in case of any violations.
Conclusion
The Digital Personal Data Protection Rules, 2025, under the DPDP Act, 2023, are a comprehensive set of regulations aimed at protecting the privacy and personal data of individuals in the digital era. By enforcing stringent data protection measures and ensuring transparency and accountability, these rules pave the way for a safer and more secure digital environment.
