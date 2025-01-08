The government floated draft Digital Personal Data Protection (DPDP) Rules 2025 last week for public consultation till February 18.

Here is an explainer of the draft DPDP Rules 2025:

What are the draft Digital Personal Data Protection Rules 2025?

The Digital Personal Data Protection (DPDP) Rules 2025 drafted by the government provides for the manner of implementation of the Digital Personal Data Protection Act, 2023. Rules are framed to operationalise Acts that have been passed by Parliament.

The draft rules are open for public comment for 45 days till February 18, 2025, and citizens can submit their comments on the MyGov website.

These rules have spelt out a framework for setting up the Data Protection Board (DPB) -- which will function in digital mode as per the DPDP Act 2023.

The rules have clarified the process to be undertaken for processing data of children where entities are required to adopt technical and organisational measures to ensure that verifiable consent of parents is obtained for processing the personal data of a child.

The rules provide for the transfer of personal data outside India, but only of certain as approved by the government from time to time.

The draft rules envisage a committee that may recommend restrictions on such transfer by a significant data fiduciary with respect to specified personal data.

What is the DPDP Act?

The Digital Personal Data Protection Bill 2023 was introduced in the Lok Sabha on August 3, 2023, and was passed in the Lower House on August 7, 2023.

Thereafter, it was introduced in the Rajya Sabha on August 9 and was passed on the same day. It became the Digital Personal Data Protection Act 2023 after the President's approval on August 11.

What is the need for the DPDP Act?

While digitisation using the personal data of individuals has transformed the delivery of services enhancing ease of living, it is also increasingly at risk of misuse. Therefore, it has become imperative that digitised personal data be protected.

The DPDP Act 2023, obligates data fiduciaries to protect personal data and makes them accountable. Digital platforms cannot collect only those data that are required for their functioning and providing services which users have opted for. For example, a user will not have to give a microphone or contact access to use a torch app on their mobile phone.

How will the DPDP Act 2023 help people?

The Act provides consent-based personal data processing by digital platforms.

This means digital platforms will have to inform and get consent from people in English or any of the 22 Indian languages listed in the Constitution, in the language of their choice.

They will also have to notify their users of the online links using which they may exercise their rights for withdrawing their consent, obtaining information regarding processing their data, updating and erasure of their data, grievance redressal, nomination and making a complaint to the DPB.

The digital platform may also collect consent through consent managers, an independent digital platform operated by a different entity.

Who are consent managers?

The Reserve Bank of India (RBI) has created an account aggregator framework under which apps like Finvu, OneMoney, CAMS Finserv, etc, share financial information based on consent and for specific purposes.

The National Health Authority of India has also set up a Health Information Exchange that empowers citizens to securely access and share their health records, ensuring that data exchange is driven by informed consent. Such platforms may work as consent managers if they are approved by the DPB.

Who are data fiduciaries?

Entities such as social media platforms, e-commerce companies and online gaming platforms, etc, that collect and process an individual's personal data are data fiduciaries. They can use such data only after the individual's consent for specified purposes.

Digital platforms with a large number of users such as Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, etc, will qualify as significant data fiduciaries.

Will the Act help in acting against spam calls?

Yes. While the Telecom Regulatory Authority of India (TRAI) has issued rules for action on spam or pesky calls, citizens can take recourse under the DPDP Act 2023 as well. The DPB can impose a monetary penalty on entities found processing personal data, without consent, in violation of the Act.

How can people file complaints?

The DPB will function as a digital office. It will operate through a digital platform and app to enable citizens to approach it digitally and have their complaints adjudicated without their physical presence.

The government has prepared the entire digital framework, the digital platform, and the entire processes for this.

What are the penalty provisions under the DPDP Act 2025?

The draft rules do not elaborate on the penalty but spell out a mechanism to set up a DPB that will levy penalties based on the nature of the breach as listed in the DPDP Act 2023.

The DPDP Act 2023 has provisions to impose penalties of up to Rs 250 crore on data fiduciaries. The Act provides for graded financial penalties in case of violation of the Act and the rules.

The quantum of penalty will depend on the nature, gravity, duration, type, repetitiveness, efforts made to prevent a breach, etc. Further, significant data fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for startups.

Moreover, the data fiduciary may at any stage in the proceedings voluntarily give an undertaking to the Data Protection Board, which, if accepted, would result in the dropping of proceedings.

When will the rules be rolled out?

The final rules will be placed before Parliament after the ongoing consultation process during the monsoon session. Thereafter, the government may take around two years to implement the DPDP Act 2023. All digital entities and consent managers will have time till then to check and put systems in place to comply with the Act.

What are the exemptions?

There are few exemptions from the provisions of the DPDP Act -- like performing judicial and regulatory functions under the law; enforcing legal rights and claims; preventing, detecting, investigating or prosecuting any offence; locating defaulters and their financial assets, etc.

There are some exemptions for certain data fiduciaries, including startups and performing research, etc.

Will the DPDP Act 2023 be of help to people who do not have access to digital technologies?

Yes. In case a person with no access to digital technology is impacted due to digital misuse of his personal data or details, the same recourse is available for that person as anyone who is digitally connected.

Under the DPDP Act 2023, the same recourse is available to both types of persons, irrespective of their access to digital technologies.

What is the timeline for filing a complaint?