The Indian government has released draft Digital Personal Data Protection (DPDP) Rules for public consultation, marking a significant advancement in data privacy regulation. The rules, designed to implement the Digital Personal Data Protection Act of 2023, introduce comprehensive measures for personal data protection.
Key Provisions:
– Companies must provide clear information about data processing and obtain informed consent
– Citizens gain rights to data erasure and digital nominee appointment
– Mandatory security measures including encryption and access control
– 72-hour breach notification requirement to Data Protection Board
– Three-year data retention limit with 48-hour deletion notice
– Appointment of Data Protection Officers
– Parental consent requirement for processing minors’ data
– Annual Data Protection Impact Assessment for significant data fiduciaries
– Regulated cross-border data transfers
Government Agency Requirements:
– Transparent and lawful data processing
– Compliance with legal and policy standards
Penalties:
– Violations can result in fines up to ₹250 crore ($30 million)
Implementation Timeline:
– Public feedback period open until February 18, 2025
– Builds on the 2017 Supreme Court privacy ruling
Related Developments:
– New Telecommunications Cyber Security Rules mandate six-hour breach reporting
– Appointment of Chief Telecommunication Security Officers
– Requirements for sharing traffic data with government
The draft rules represent India’s most comprehensive data protection framework to date, balancing individual privacy rights with organizational responsibilities.