India has finally outlined how its groundbreaking Digital Personal Data Protection (DPDP) Act will operate, setting the stage for a new era of data privacy for its citizens. The draft rules, released on January 3 by the Ministry of Electronics and Information Technology (MeitY), aim to enforce the rights and responsibilities defined in the DPDP Act. Businesses, both domestic and international, must now prepare to align their practices with this legal framework.
A History Marked by Privacy Battles
The road to India’s data privacy law has been long and marked by pivotal moments. Decades before terms like “data privacy” became part of the global lexicon, the issue of personal privacy surfaced in a court case involving Kharak Singh, a resident of Uttar Pradesh. In 1962, Singh challenged the police’s intrusive surveillance practices, arguing they infringed upon his constitutional rights.
However, India’s Supreme Court ruled that privacy was not a fundamental right. It wasn’t until 2017, when debates over the Aadhaar identification program sparked public outcry, that the tide shifted. A landmark ruling by a nine-judge Supreme Court bench declared privacy a fundamental right under India’s Constitution. This judgment paved the way for legislative action on data protection.
Following this, the Personal Data Protection Bill of 2019 emerged as India’s first attempt at comprehensive privacy legislation. However, its stringent restrictions and controversial provisions—such as limiting the export of sensitive personal data and broad exemptions for government use—drew criticism. The bill was eventually scrapped in 2022, leading to the more balanced DPDP Act.
Core Provisions of the DPDP Rules
The newly proposed DPDP rules introduce a framework aimed at safeguarding personal data while holding businesses accountable. They outline 22 provisions and seven schedules, covering everything from data collection to retention policies.
Key highlights of the DPDP rules include:
- Customer notification: Organizations must clearly inform individuals about the data being collected and its purpose.
- Data security: Encryption during storage and transmission is mandatory.
- Data retention limits: Personal data must be deleted after three years of inactivity.
- Data breach penalties: Companies could face fines of up to INR 200 crore ($23 million) for violations, including failing to notify users of breaches.
- Control for individuals: Individuals can dictate how their data is used, request its correction or deletion, and even challenge its use.
While these measures align with global best practices, some provisions have raised eyebrows.
The Debate Over Government Exemptions
One contentious aspect of the DPDP rules is the broad exemptions granted to government agencies. These agencies are not bound by several obligations imposed on private companies, raising concerns about accountability and fairness.
Pankit Desai, CEO of Sequretek, argues that this discrepancy warrants scrutiny. “Given the government’s significant role as a service provider in India’s digital ecosystem, this exemption creates a potential imbalance,” he notes.
India’s government, unlike those in Western nations where private enterprises dominate, is deeply intertwined with the country’s digital infrastructure. This unique dynamic amplifies the impact of government exemptions, making the issue a focal point for critics of the draft rules.
Challenges and Opportunities for Businesses
For businesses, the DPDP rules are both an opportunity to gain consumer trust and a compliance challenge. The law is explicit about penalties for non-compliance, with severe fines for breaches, particularly those involving children’s data.
Rama Krishna Gudipati of CloudSEK highlights the act’s emphasis on accountability. “The penalties add teeth to the law, ensuring that companies treat user data with the seriousness it deserves,” he says.
However, implementing these rules will require substantial changes for companies, particularly those unaccustomed to robust data protection frameworks. This could mean overhauling existing systems, training personnel, and possibly reevaluating business models.
Timeline and Next Steps
MeitY has invited feedback on the draft rules until February 18. Afterward, stakeholders will have a transition period to align their operations with the new law. This grace period is crucial for small and medium enterprises, which may lack the resources to adapt quickly.
While businesses prepare to adapt, citizens can look forward to greater control over their personal data. The DPDP Act and its accompanying rules signal a new chapter in India’s digital landscape, one that promises to balance innovation with individual rights.