The government floated draft Digital Personal Data Protection (DPDP) Rules 2025 last week for public consultation till February 18. Here is an explainer of the draft DPDP Rules 2025:
What are the draft Digital Personal Data Protection Rules 2025?
The Digital Personal Data Protection (DPDP) Rules 2025, drafted by the government, provide for the manner of implementation of the Digital Personal Data Protection Act, 2023. Rules are framed to operationalise Acts passed by Parliament.
The draft rules are open for public comment for 45 days till February 18, 2025, and citizens can submit their comments on the MyGov website.
These rules have spelt out a framework for setting up the Data Protection Board (DPB) — which will function in digital mode as per the DPDP Act 2023.
The rules have clarified the process for processing children’s data. Entities are required to adopt technical and organisational measures to ensure that the verifiable consent of parents is obtained for processing a child’s personal data.
The rules provide for transferring personal data outside India, but only for certain data, as approved by the government from time to time.
The draft rules envisage a committee that may recommend restrictions on the transfer of specified personal data by a significant data fiduciary.
What is the DPDP Act?
The Digital Personal Data Protection Bill 2023 was introduced in the Lok Sabha on August 3, 2023, and was passed in the Lower House on August 7, 2023.
The bill was introduced in the Rajya Sabha on August 9 and passed on the same day. After the President’s approval on August 11, it became the Digital Personal Data Protection Act 2023.
What is the need for the DPDP Act?
While digitisation using individuals’ personal data has transformed the delivery of services, enhancing ease of living, it is also increasingly at risk of misuse. Therefore, it has become imperative that digitised personal data be protected.
The DPDP Act 2023 obligates data fiduciaries to protect personal data and holds them accountable. Digital platforms can collect only the data required for their functioning and for providing the services that users have opted for. For example, a user will not have to give microphone or contacts access to use a torch app on their mobile phone.
How will the DPDP Act 2023 help people?
The Act provides for consent-based personal data processing by digital platforms.
This means digital platforms will have to inform and get consent from people in English or any of the 22 Indian languages listed in the Constitution, in the language of their choice.
They will also have to notify their users of the online links through which they may exercise their rights to withdraw their consent, obtain information regarding the processing of their data, update and erase their data, seek grievance redressal, make a nomination, and complain to the DPB.
The digital platform may also collect consent through consent managers, which are independent digital platforms operated by a different entity.
Who are consent managers?
The Reserve Bank of India (RBI) has created an account aggregator framework under which apps like Finvu, OneMoney, CAMS Finserv, etc, share financial information based on consent and for specific purposes.
The National Health Authority of India has also set up a Health Information Exchange that empowers citizens to securely access and share their health records, ensuring that data exchange is driven by informed consent. If approved by the DPB, such platforms may work as consent managers.
Who are data fiduciaries?
Entities such as social media platforms, e-commerce companies, online gaming platforms, etc., that collect and process an individual’s personal data are data fiduciaries. They can use such data only after the individual’s consent for specified purposes.
Digital platforms with many users, such as Facebook, Instagram, YouTube, Amazon, Flipkart, and Netflix, will qualify as significant data fiduciaries.
Will the Act help in acting against spam calls?
Yes. While the Telecom Regulatory Authority of India (TRAI) has issued rules for dealing with spam or pesky calls, citizens can also seek recourse under the DPDP Act 2023. The DPB can impose a monetary penalty on entities found processing personal data without consent in violation of the Act.
How can people file complaints?
The DPB will function as a digital office. It will operate through a digital platform and app to enable citizens to approach it digitally and adjudicate their complaints without their physical presence.
The government has prepared the entire digital framework, platform, and processes for this.
What are the penalty provisions under the DPDP Act 2025?
The draft rules do not elaborate on the penalty but spell out a mechanism to set up a DPB that will levy penalties based on the nature of the breach, as listed in the DPDP Act 2023.
The DPDP Act 2023 has provisions to impose penalties of up to ₹250 crore on data fiduciaries. The Act provides for graded financial penalties in case of violation of the Act and the rules.
The quantum of penalty will depend on the nature, gravity, duration, type, repetitiveness, efforts made to prevent a breach, etc. Further, significant data fiduciaries have higher obligations under the Act and rules, while startups are envisaged to have a lower compliance burden.
Moreover, the data fiduciary may voluntarily give an undertaking to the Data Protection Board at any stage in the proceedings, which, if accepted, would result in the dropping of proceedings.
When will the rules be rolled out?
After the ongoing consultation process, the final rules will be placed before Parliament during the monsoon session. Thereafter, the government may take around two years to implement the DPDP Act 2023. All digital entities and consent managers will have time till then to check and put systems in place to comply with the Act.
What are the exemptions?
There are few exemptions from the provisions of the DPDP Act — like performing judicial and regulatory functions under the law; enforcing legal rights and claims; preventing, detecting, investigating or prosecuting any offence; locating defaulters and their financial assets, etc.
There are some exemptions for certain data fiduciaries, including startups and those performing research, etc.
Will the DPDP Act 2023 be of help to people who do not have access to digital technologies?
Yes. If a person without access to digital technology is impacted by digital misuse of his personal data or details, the same recourse is available for that person as for anyone who is digitally connected.
Under the DPDP Act 2023, the same recourse is available to both types of persons, irrespective of their access to digital technologies.
What is the timeline for filing a complaint?
There is no time limit for filing complaints under the DPDP Act 2023 as of now.