MeitY Releases Draft Digital Personal Data Protection Rules, 2025 

Syllabus: GS2/Polity and Governance

Context

  • The government released the draft Digital Personal Data Protection Rules, 2025 for public consultation.
    • Once notified, the Rules will enable the effective implementation of the Digital Personal Data Protection Act, 2023 (DPDP Act).

Key Highlights of the Draft Rules

  • Data Fiduciaries: All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
  • Data Protection Officer: It is the person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise. “Data Principal” means the individual to whom the personal data relates.
    • The officer should be based in India.
    • The officer should be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary.
  • Transparency: Data Fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent. 
  • Restriction on flow of Data: The Union Government will specify the kind of personal data which can be processed by “significant data fiduciaries”.
    • It is subject to the restriction that such personal data is not transferred outside the territory of India.
  • Rights to Citizens: Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data.
  • For Children: It allows tech companies to implement a mechanism for collecting “verifiable” parental consent before processing personal data of children.
  • Data Protection Board: The Board will function as a digital office, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated.
  • Data Breach: In the event of a data breach, data fiduciaries will have to intimate impacted individuals without delay, including the measures implemented to mitigate risk.
    • The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

About Digital Personal Data Protection Act, 2023

  • Background: In 2017, the Ministry of Electronics and Information Technology (MeitY) established the Justice B.N. Srikrishna Committee to develop a data protection framework for India.
    • The first draft of the Data Protection Bill came out in 2018.
    • After various rounds of amendment in 2019 and 2021, the bill was replaced with the Digital Personal Data Protection Bill, 2022.
  • Scope: It applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It also applies to such processing outside India, if it is for offering goods or services in India.
  • Consent: Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
  • Obligations for Data Fiduciaries: To maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • Rights to Individuals: The right to obtain information, seek correction and erasure, and grievance redressal.
  • Exemptions: Government agencies can be exempted in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • Data Protection Board: To adjudicate on non-compliance with the provisions of the Act. The Data Protection Board (DPB) has civil court powers for personal data breach complaints.
    • Board members will be appointed for two years and will be eligible for re-appointment.
    • The central government will prescribe details such as the number of members of the Board and the selection process.

Challenges in Implementation 

  • Breach of Right to Privacy: Exemptions to data processing by the State on certain grounds may violate the fundamental right to privacy.
  • Lack of Regulation in Data Processing: It does not regulate risks of harms arising from processing of personal data.  
  • Transfer of Data Abroad: It allows transfer of personal data outside India, which may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
  • Short Tenure of Data Protection Board Members: The members of the Data Protection Board will be appointed for two years and will be eligible for re-appointment.
    • The short term with scope for re-appointment may affect the independent functioning of the Board.

Significance

  • Empowering Citizens: The rules empower citizens by giving them greater control over their data. 
  • Enhanced Trust in Digital Platforms: Provisions for informed consent, the right to erasure and grievance redressal enhance trust in digital platforms.
  • Maintain Fine Balance between Growth and Rights: Unlike restrictive global frameworks, these rules encourage economic growth while prioritizing citizen welfare.
  • Quick Grievance Redressal: The Data Protection Board’s digital office approach would ensure quick and transparent resolution of complaints. 

Source: IE