The Union government has released the draft Digital Personal Data Protection (DPDP) Rules, 2025 for public consultation until February 18.
- The rules are notified by the Ministry of Electronics and Information Technology and will enforce the provisions of the Digital Personal Data Protection Act, 2023.
Features of the Digital Personal Data Protection Draft Rules
- Informed Consent: The rules specify what data fiduciaries must disclose about the personal data they collect from users, i.e. the kind of data they’re collecting, the reason for collecting it and how the data will be processed.
- Digital by Design: A Data Protection Board for consent mechanisms and grievance redressal, enabling faster online resolution of complaints and grievances.
- Exemption: The government and its agencies are exempted from certain compliances related to data for the purpose of providing subsidies and benefits. Data collected for “statistical” purposes is also exempt.
- Data Protection: A data fiduciary shall protect personal data in its possession by providing for technical and operational safeguards; for example, within 72 hours of a data breach, the data fiduciary should inform the Data Protection Board of India (DPBI).
- Deletion: The user data of an inactive account should be deleted by an e-commerce provider, social media platform, or online gaming service after providing 48 hours of advance notice and time to stop deletion.
- Assessment and Audit: Significant data fiduciaries must periodically conduct a “Data Protection Impact Assessment” and an audit to ensure effective observance of the provisions of this Act
- Verifiable Parental Consent: Appropriate technical and organisational measures shall be adopted to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child
- Data Fiduciaries need to rely on voluntarily provided details of identity and age, or a virtual token mapped to the same, which is issued by an entity entrusted by law.
- Consent Managers: Entities responsible for managing user consent must ensure accurate verification and provide users with a mechanism to withdraw consent. They must also maintain detailed records of all users who have given or withdrawn consent.
- Data Localization: As per this provision, certain personal data must be stored within India and cannot be transferred abroad. A government committee will determine which categories of data (e.g., health or financial data) cannot be transferred outside the country.
- Penalties and Enforcement: Non-compliance with the data protection rules can lead to penalties of up to ₹250 crore with repeat offenders facing suspension or cancellation of their licenses.
Inactive Social Media Accounts:
- Rule 8(1) of DPDP 2025: A Data Fiduciary shall erase inactive accounts if the Data Principal neither approaches such Data Fiduciary nor exercises her rights in relation to such processing, unless its retention is necessary for compliance with any law.
- Profiles of deceased persons may be deleted after prolonged inactivity under the Digital Personal Data Protection Rules, 2025.
- Nomination: A Data Principal shall have the right to nominate any other individual, who shall, in the event of their death or incapacity exercise the rights of the Data Principal on the account.
Existing Practices of Social Media Platforms:
- Meta’s Account Memorialisation Policy: Meta has a policy to memorialise the account of a deceased person if a valid request is received in accordance with the wishes of relatives.
- The policy is clearly mentioned on the help page for Facebook.
- Legacy Contact: Meta also allows a user to add a Legacy Contact while they are alive in order to pass on control in the event of their demise.
- Google’s Policy on Inactive Account:
- It allows users to designate who should have access to their information and whether their account should be deleted, through:
- Setting up a timeout period for their account to become inactive
- Choosing up to 10 trusted contacts to notify if their account becomes inactive
- Deciding to share data with trusted contacts, including Google photos, Google Drive files, and Gmail
Concerns Regarding the DPDP Rules 2025
- Discretionary Powers: The Union Government and Data Fiduciaries are granted certain discretionary powers, such as for determining exemptions, processing standards, data retention, data localisation etc., giving the Government excessive power without clear criteria.
- Oversight and Accountability: The DPDP Rules do not establish strong enforcement or oversight mechanisms as there is no explicit provision for independent audits or compliance monitoring.
- There is also a failure to create a regulatory framework through an independent Data Protection Authority.
- Exemptions for State Processing: The State and its agencies are allowed to process personal data for broad purposes, such as issuing subsidies, benefits, or services, under laws, policies, or public funds. However, the scope and limits of such processing have not been specified, creating room for potential misuse.
- Universal Mandatory Registration: The Government asks for age verification to check the minor status of a person and may in future require every online user to verify their age through Government credentials, resulting in potential mass surveillance with Government IDs linked to every user’s online credentials.
About The Digital Personal Data Protection Act 2023
- Background: The Supreme Court recognized the right to privacy as a fundamental right under the Indian Constitution in the landmark case of Justice K.S. Puttaswamy vs. Union of India (2017).
- Digital Personal Data Protection Act: In 2023, India enacted the Digital Personal Data Protection Act to safeguard personal data.
Features of Digital Personal Data Protection Act 2023
- Applicability: The Act applies to the processing of digital personal data within India, covering data collected in both digital and non-digital forms, or data that is digitized subsequently.
- The Act also applies to the processing of personal data outside India if it involves offering goods or services within India.
- Informed Consent: Personal data may only be processed for lawful purposes with the consent of the Data Principal, who can withdraw consent at any time.
- Data Protection Board of India (DPBI): The Central government establishes the DPBI with key functions including monitoring compliance, imposing penalties, directing data fiduciaries in case of data breaches, and hearing grievances.
- Rights and Duties of Data Principal: Data principals have the right to obtain information about processing, seek correction and erasure of personal data, grievance redressal, and the right to nominate a person to exercise rights in case of death or incapacity.
- Obligations of Data Fiduciaries: Data fiduciaries must ensure accuracy and completeness of data, implement reasonable security safeguards, inform DPBI and affected persons in case of a breach, and erase personal data when the purpose is met and retention is not necessary for legal purposes.
- Significant Data Fiduciaries (SDF): The Central Government may notify any data fiduciary as SDF based on factors like volume and sensitivity of data processed, risk to the rights of the data principal, potential impact on India’s sovereignty and integrity, security of the State, risk to electoral democracy, and public order.
- SDFs have additional obligations, including appointing a data protection officer and an independent data auditor, and undertaking impact assessments.