Data Rules set to be rolled out by mid-2025

Context: The Government of India released the draft Digital Personal Data
Protection Rules, 2025, under the Digital Data Protection Act, 2023, outlining
provisions for data privacy, compliance, and processing mechanisms. The Bill
seeks to provide for the protection of personal data and the privacy of
individuals. The Members of Parliament from opposition parties objected to the
introduction of the proposed law and called for it to be referred to a
Parliamentary committee.

Key points

·       Overview: The Union
government is aiming at finalising and notifying the Digital Personal Data
Protection Rules, currently in a draft state, by the middle of the year.

·       Parental
consent for children's data: Verification required - social media
and online platforms must obtain verifiable parental consent before children
create accounts.

Identity
validation - Parents' age and identity must be validated through government-issued
identity proof.

·       Role
and responsibilities of data fiduciaries: Entities collecting and
processing personal data are categorised as "Data Fiduciaries." Significant
Data Fiduciaries (SDFs) are those processing high volumes or sensitive data,
impacting national sovereignty, security, or public order.

Ø  Data retention - Data can only
be retained for the duration of consent and must be deleted afterward.

Ø  Security
measures - Fiduciaries must ensure encryption, access control, and monitoring for
unauthorised access.

·       Data
localisation: Reintroduction - Localisation mandates
restrict transferring certain personal and traffic data outside India.

Oversight - A
government-formed committee will determine the categories of data restricted
from cross-border transfer.

·       Safeguards
for government data processing: Government agencies must
process citizen data lawfully, with specific safeguards outlined to address
concerns over exemptions for national security and public order.

·       Industry
and Expert Reactions: Ambiguity in security standards - Experts
have raised concerns about the lack of detailed guidance on security practices,
potentially leading to varied interpretations.

Data
localisation controversy - Global tech giants like Meta and Google have
expressed concerns over the implications of data localisation on service
delivery.

·       Penalties
and Enforcement: Fines - Non-compliance with safeguards or
failure to prevent data breaches can attract penalties of up to Rs 250 crore.

Consent manager
violations - Repeat violations by consent managers may lead to suspension or
cancellation of their registration.

·       Conclusion: The draft
Digital Personal Data Protection Rules, 2025, aim to strengthen India’s data
privacy framework while addressing challenges for businesses and individuals. The
reintroduction of data localisation and emphasis on consent management mark
significant developments, but clarity on implementation and compliance
mechanisms remains crucial.