DRAFT DIGITAL PERSONAL DATA PROTECTION RULES 2025

The Union government has released the Draft Digital Personal Data Protection (DPDP) Rules 2025, focusing on data privacy, compliance, and processing mechanisms. The rules cover parental consent, the responsibilities of data fiduciaries, robust consent management, data localisation, breach reporting, and safeguards for government data processing. Challenges include platform redesign and an overhaul of data collection, storage, and lifecycle practices.

Last Updated on 7th January, 2025

Context:

The Union government has released the draft Digital Personal Data Protection (DPDP) Rules 2025 to enforce the Digital Personal Data Protection Act 2023, focusing on data privacy, compliance, and mechanisms for processing personal data.

Key Highlights of provisions of the draft Digital Personal Data Protection Rules 2025

Parental consent for children's data: Platforms must obtain verifiable parental consent before children create accounts. Parents' age and identity must be validated through government-issued identity proof. However, health, education, and daycare institutions are exempt from this requirement.

Role and responsibilities of data fiduciaries: Entities collecting and processing personal data are termed "Data Fiduciaries." Significant Data Fiduciaries (SDFs) are those processing large volumes or sensitive data affecting national security, sovereignty, or public order. They must ensure encryption, access control, and monitoring of data, and retain data only for the duration of consent.

Consent management: Entities must manage consent records robustly. Data fiduciaries must provide grievance redressal mechanisms and allow users to withdraw consent.

Data localisation: The rules require the localisation of certain personal and traffic data, limiting its transfer outside India. A government committee will oversee which data is restricted from cross-border transfer.

Data breach reporting: Data fiduciaries must report breaches promptly to users and the Data Protection Board, including details like the nature of the breach and mitigation measures. All breaches, minor or major, must be reported.

Safeguards for government data processing: Government agencies must process citizen data lawfully, with specific safeguards for national security and public order exemptions.

What are the challenges and reactions from the industry and experts?

The requirement for robust consent records and mechanisms for users to opt out might require businesses to redesign platforms and systems.

Organizations may need to maintain data collection, storage, and lifecycle practices to comply with the new rules.

Experts have raised concerns about the lack of clear security guidelines, which could lead to inconsistent interpretations and practices.

Global tech companies like Meta and Google have expressed worries about the implications of data localisation, arguing it could affect service delivery.

What penalties and enforcement measures are included in the rules?

Data fiduciaries who fail to prevent data breaches or violate safeguards can face fines of up to Rs 250 crore.

Consent managers who frequently violate rules may face suspension/cancellation of their registration.

Way Forward

The draft Digital Personal Data Protection Rules 2025 aim to strengthen the data privacy framework by managing the growing challenges related to data protection. The reintroduction of data localisation and the focus on consent management are significant; however, clarity on implementation and compliance mechanisms will be important for businesses and individuals to adapt effectively.


Source: The Hindu

PRACTICE QUESTION

Q. Critically analyze the need to balance national security and individual privacy in government surveillance programs. (150 words)
