India’s government has released the draft rules for its new Digital Personal Data Protection (DPDP) Act, a major step towards defining data privacy for over a billion people. Published on January 3 by the Ministry of Electronics and Information Technology (MeitY), these rules explain how the law will work in practice. Now, companies in India and abroad must get ready to follow this new legal framework, which will change how they handle personal information.
A Long Journey to Data Privacy
The path to India’s data privacy law was not a short one. The conversation started long ago, even before “data privacy” was a common term. It began with a 1962 court case where Kharak Singh challenged police surveillance, but the Supreme Court ruled that privacy was not a fundamental right.
The situation changed dramatically in 2017. Following public concern over the Aadhaar identification system, a nine-judge Supreme Court bench made a historic decision. It declared that privacy is a fundamental right under India’s Constitution. This ruling was the catalyst for creating a formal data protection law.
An earlier attempt, the Personal Data Protection Bill of 2019, was criticized for its strict rules and broad government exemptions. It was withdrawn in 2022, leading to the more balanced DPDP Act we have today.
What the New DPDP Rules Mean for You
The new rules create a clear system for protecting personal data and making businesses responsible for how they use it. They cover everything from how data is collected to when it must be deleted, giving individuals more power over their own information.
Some of the most important rules include:
- Clear Notification: Companies must tell you exactly what data they are collecting and why they need it.
- Stronger Security: All personal data must be encrypted when it is stored or sent.
- Deletion Policy: Your data must be erased after three years if your account is inactive.
- Individual Control: You have the right to ask for your data to be corrected or deleted and to challenge how it is being used.
Failure to follow these rules can lead to serious consequences. Companies could face fines of up to INR 200 crore ($23 million) for data breaches, especially if they do not inform users about them promptly.
The Controversy Around Government Exemptions
While the rules aim to protect citizens, one part has sparked debate. The draft rules give broad exemptions to government agencies, meaning they do not have to follow the same obligations as private companies. This has raised concerns about fairness and the potential for misuse of data.
Pankit Desai, CEO of Sequretek, pointed out the issue, stating, “Given the government’s significant role as a service provider in India’s digital ecosystem, this exemption creates a potential imbalance.”
Unlike in many Western countries, the Indian government is a massive player in the country’s digital infrastructure. This makes the exemptions a major point of criticism for those who want equal rules for everyone.
How Businesses Must Prepare for the Changes
For businesses, these new rules are a double-edged sword. On one hand, complying with the law can help build trust with customers. On the other hand, it presents a significant challenge, especially for companies that are not used to strict data protection standards.
Rama Krishna Gudipati of CloudSEK noted that the penalties are a crucial part of the act. He said, “The penalties add teeth to the law, ensuring that companies treat user data with the seriousness it deserves.”
Companies will need to make big changes. This could involve updating their systems, training staff on the new rules, and rethinking how they collect and use customer data. Small and medium-sized businesses may find this transition particularly difficult due to limited resources.
What Happens Next?
The Ministry of Electronics and Information Technology (MeitY) is currently asking for public feedback on the draft rules until February 18. After this period, the final rules will be published, and businesses will be given a transition period to comply.
This grace period will be essential for companies to align their operations with the new law. As businesses adapt, Indian citizens can look forward to having more control over their personal information, marking a new chapter for privacy in the digital age.
Frequently Asked Questions about India’s DPDP Act
What is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act is India’s new law designed to protect the personal data of its citizens. It sets rules for how businesses and other organizations can collect, store, and use personal information.
When do the new data privacy rules come into effect?
The rules are currently in a draft stage, and the government has invited public feedback until February 18. After this, a transition period will be provided for businesses to become compliant before the law is fully enforced.
What are the main rights given to individuals under the DPDP rules?
Individuals have the right to be informed about data collection, request correction or deletion of their data, and control how it is used. They also have the right to be notified in case of a data breach.
What is the penalty for not complying with the DPDP Act?
Companies can face severe penalties for violations, including fines of up to INR 200 crore (approximately $23 million). Fines are particularly high for failing to protect user data or not reporting breaches.
Are government agencies exempt from the DPDP rules?
Yes, the draft rules grant certain exemptions to government agencies, which means they do not have to follow all the same obligations as private companies. This has become a point of major debate and concern among privacy advocates.