India’s New Digital Privacy Law: Billion-Dollar Fines and Strict Data Protection Rules Unveiled

India Unveils Draft Digital Personal Data Protection Rules: A Major Step Towards Data Privacy

The Indian government has released draft Digital Personal Data Protection (DPDP) Rules for public consultation, marking a significant advancement in data privacy regulation. The rules, designed to implement the Digital Personal Data Protection Act of 2023, introduce comprehensive measures for personal data protection.

Key Provisions:
– Companies must provide clear information about data processing and obtain informed consent
– Citizens gain rights to data erasure and digital nominee appointment
– Mandatory security measures including encryption and access control
– 72-hour breach notification requirement to the Data Protection Board
– Three-year data retention limit with 48-hour deletion notice
– Appointment of Data Protection Officers
– Parental consent requirement for processing minors’ data
– Annual Data Protection Impact Assessment for significant data fiduciaries
– Regulated cross-border data transfers

Government Agency Requirements:
– Transparent and lawful data processing
– Compliance with legal and policy standards

Penalties:
– Violations can result in fines up to ₹250 crore ($30 million)

Implementation Timeline:
– Public feedback period open until February 18, 2025
– Builds on the 2017 Supreme Court privacy ruling

Related Developments:
– New Telecommunications Cyber Security Rules mandate six-hour breach reporting
– Appointment of Chief Telecommunication Security Officers
– Requirements for sharing traffic data with the government

The draft rules represent India’s most comprehensive data protection framework to date, balancing individual privacy rights with organizational responsibilities.
