Why in News
The Ministry of Electronics and IT has released the Draft Digital Personal Data Protection (DPDP) Rules, 2025, seeking public feedback to operationalize the DPDP Act, 2023. Final rules are expected soon.
Key Concepts and Definitions
Term | Definition |
---|---|
DPDP Act, 2023 | India’s first comprehensive law to safeguard digital personal data and individual privacy while enabling lawful data processing. |
Data Principal | The individual whose personal data is being processed. |
Data Fiduciary | Any entity that collects, stores, or processes personal data. |
Significant Data Fiduciary | A large data-handling entity, identified by the government, with additional obligations. |
Consent Manager | An Indian firm (worth ₹2 crore+) managing user consent across digital platforms. |
DPBI | Data Protection Board of India – body to enforce the Act and resolve disputes. |
What the News is About
India’s government has invited feedback on the 2025 Draft Rules under the DPDP Act, aiming to ensure effective implementation of digital privacy safeguards. The Act follows the landmark 2017 Supreme Court ruling recognizing privacy as a fundamental right and aligns with international norms like the EU’s GDPR.
Key Features of DPDP Act, 2023
Aspect | Details |
---|---|
Scope | Applies to digital personal data collected or processed in India and to foreign entities offering goods/services in India. |
Consent Mechanism | Must be free, informed, and revocable. Mandatory for children (below 18) through guardians. |
Rights of Individuals | Access, correction, deletion, grievance redressal, and post-death data nominee. |
Obligations of Fiduciaries | Ensure data accuracy, notify breaches, delete data after purpose ends. |
Significant Fiduciaries | Must appoint DPO, conduct audits and impact assessments. |
Exemptions | For national interest, legal proceedings, start-ups, research, etc. |
DPBI Role | Handle grievances, enforce rules, impose penalties. |
RTI Amendment | Section 44(3) removes the “larger public interest” test, limiting access to personal data under RTI. |
Highlights of the Draft DPDP Rules, 2025
Provision | Description |
---|---|
Cross-Border Data | Permitted based on government approval. |
Data Retention | Allowed for 3 years after last interaction; 48-hour notice before erasure. |
Digital-First Governance | Online consent and grievance systems for quicker redressal. |
Graded Compliance | Lighter compliance for startups/MSMEs; stricter norms for tech giants. |
Consent Managers | Centralized platforms to manage user consent securely. |
Key Concerns
Concern | Explanation |
---|---|
Broad State Exemptions | May override privacy rights under vague “national interest” claims. |
Missing Rights | No right to data portability or explicit protection from harm. |
Global Data Flow Risks | Lack of defined safeguards for international data sharing. |
Weak Enforcement of Harm Prevention | No direct redressal for misuse, fraud, or profiling. |
Way Forward
Recommended Step | Purpose |
---|---|
Clarify vague terms in exemption clauses | To prevent misuse and ensure transparency. |
Bilateral data-sharing treaties | For secure, accountable global data transfer. |
Regulatory adaptability | To evolve with AI, big data, and emerging threats. |
Global best practices | Align with GDPR and other modern standards. |
India’s Privacy Journey So Far
Milestone | Significance |
---|---|
AK Gopalan Case (1950) | Rejected privacy as a right. |
Kharak Singh Case (1962) | Early privacy relief without recognition. |
A.P. Shah Panel (2011) | Proposed unified privacy law. |
Srikrishna Committee (2017) | Suggested current privacy framework. |
Puttaswamy Judgment (2017) | Recognized privacy as a fundamental right. |
Global Comparison
Country/Region | Data Law Highlights |
---|---|
EU | GDPR ensures strong user rights and consent-based processing. |
China | DSL & PIPL restrict data exports, enhance state control. |
USA | Fragmented approach; sectoral regulations like HIPAA, COPPA. |
In a Nutshell
Mnemonic: P-R-I-V-A-C-Y
Protection of digital data
Rights for individuals
Impact assessments for big data handlers
Verifiable parental consent
Accountability via DPBI
Cross-border flow with conditions
Youth data safeguards (below 18)
Prelims Practice Questions
- Which of the following is not a right granted to Data Principals under the DPDP Act, 2023?
a) Right to correction
b) Right to data portability
c) Right to grievance redressal
d) Right to nominate in case of death
- Significant Data Fiduciaries are required to:
a) Publish personal data online
b) Conduct data impact assessments
c) Share data with foreign governments
d) Disclose real-time user activity
- Which of the following qualifies as exempt under the DPDP Act?
a) Private sector advertisement processing
b) Data used for research or archiving
c) Public sharing of health data
d) Personal data shared with media
Mains Practice Questions
- The DPDP Act, 2023 is a step towards data empowerment, but concerns over state overreach and limited user rights persist. Critically examine. (GS2 – Governance, 2023 PYQ on Right to Privacy)
- Compare the data protection frameworks of India, EU, and China. What lessons can India learn in striking a balance between data sovereignty and privacy? (GS2 – Comparative Policies)
Answers for Prelims
Q | Answer | Explanation |
---|---|---|
1 | b | Data portability is not included in the current Act. |
2 | b | SDFs must conduct periodic data protection impact assessments. |
3 | b | Research and archival purposes are exempt under the Act. |