India is set to introduce updated regulations that will guide how businesses, both domestic and international, handle the personal data of Indian citizens. These rules follow the enactment of the Digital Personal Data Protection (DPDP) Act, which was passed in 2023, and are aimed at providing citizens with greater control over their data.
The DPDP Act defines key privacy rights for individuals, including the right to access, update, correct, challenge, port, and erase their data, along with specific safeguards for children’s data. The law also outlines the responsibilities of organizations in securing user data, maintaining its accuracy, and limiting its use. However, the full implementation of these provisions has been on hold pending the release of detailed implementation guidelines.
On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the draft of the DPDP Rules. These rules are designed to support the implementation of the DPDP Act by providing businesses with a clear framework for compliance. The draft rules contain 22 provisions and seven schedules that address data privacy obligations and the penalties for non-compliance.
Industry experts, such as Pankit Desai, CEO of Sequretek, have highlighted the significance of these new regulations, emphasizing that India’s rapidly growing digital infrastructure necessitated stronger privacy protections for citizens. The DPDP Act is seen as a critical step towards enhancing the digital safety of Indian citizens.
Historical Context of Privacy in India
India’s approach to privacy rights has evolved significantly over the years. In 1962, a landmark Supreme Court case involving surveillance led to the conclusion that privacy was not a fundamental right under the Indian Constitution. However, this position changed in 2017 when the Supreme Court ruled that privacy is indeed a fundamental right, following a challenge to the government’s Aadhaar project. This ruling laid the groundwork for subsequent data protection legislation.
In 2019, the Personal Data Protection Bill was introduced but later withdrawn due to concerns over its scope and the balance it struck between regulation and government authority. It was succeeded by the DPDP Act, which seeks to address these concerns while providing clearer guidelines for data protection.
Key Aspects of the DPDP Rules
The draft DPDP rules mirror common industry standards. They require companies to notify individuals about the data they collect and ensure data is encrypted both at rest and in transit. The rules also specify that data should be deleted after three years of inactivity.
One of the most notable aspects of the new rules is the enhanced control granted to individuals over their personal data. Citizens will have the authority to determine when, how, where, and for what purposes their data is used. Additionally, companies face substantial penalties for failing to meet these obligations, with fines reaching up to INR 200 crore (approximately $23 million) for violations such as failing to report data breaches or mishandling children’s data.
However, some provisions have raised concerns. The continued exemptions for government agencies from certain aspects of the rules have drawn criticism. Critics argue that this could undermine fairness and accountability, especially considering the government’s central role in India’s digital infrastructure.
Next Steps
The public consultation period for the draft DPDP Rules ends on February 18, 2025. Following this, MeitY has indicated that an adequate transition period will be provided to allow businesses of all sizes to comply with the new regulations. Once finalized, the rules will mark a significant milestone in India’s efforts to protect data privacy and ensure the security of its citizens’ personal information in the digital age.
Catch the latest in supply chain news on The Supply Chain Report. Visit ADAMftd.com for free international trade tools.
#IndiaDataPrivacy #DataPrivacyRules #DigitalPrivacy #TechRegulations #DataProtection #NationalPrivacyLaws #IndiaTechPolicy
