The Indian government has proposed the rules regarding the Digital Personal Data Protection Act of 2023 and the public has been invited to give inputs till February 18, 2025. These rules are expected to put into practice the Digital Personal Data Protection Act of 2023 provisions in the country. To to regulate the protection of personal data in a digital format by being more accountable and transparent to data fiduciaries including social media and e-commerce companies.
Data Protection Board (DPB):
The Data Protection Board (DPB) shall work digitally to respond to complaints/remain compliant.
For violations, it can impose penalties of up to ₹250 crore.
Children’s Data Protection:
Organizations must be required to take parents' concerns before processing the data of their children.
Data Transfers Outside India:
The draft allows the transfer of personal data to certain countries that the government can identify.
Consent Management:
Thus, consent to the usage of data must also be gained in as simple language as possible, in any of the 22 communicating languages that are recognized in India.
The consent managers, and third-party services authorized by the DPB, will enable this process.
Penalties:
Information regarding fines that depend on the level of transgression and recursion is provided in the DPDP Act 2023 for students.
Spam Calls and Data Misuse:
The DPDP Act also allows citizens to get remedies for data misuse, such as spam calls.
People can also choose not to allow their data to be processed by any organization and in addition to that, no data of a person should be processed without his or her permission. It should also be formal, informed, and unilateral.
Appropriate security to the Data Privacy Act personal information are encryption, storage, and control access requirements to avoid infringements on personal data ownership.
It becomes mandatory for organizations to give information about how the data has been collected, and processed and further how it will be utilized in easy format.
The data collected about data subjects have rights which include the right of access, right to rectification, right to erasure, and right to restriction of processing respectively.
Other countries like the EU in its Data Protection Regulation Act or the USA under its California Consumer Privacy Act have even set high bars on data protection. They also required similar laws to cover their privacy and security just as the Indian counterpart did.
Non-compliance will be addressed by the Data Protection Board of India The Data Protection Board of India has been raised A of its independence.
The Bill concerns personal data processed about an organization’s functioning, through the internet or other computer media, processed whether the data was originally collected online or on paper where data on paper is transferred to electronic media and data processed in any country that targets consumers in India.
It makes data fiduciaries use reasonable security measures for data, for the accuracy of data for the purpose it served.
However consent is a key idea, and exemptions for government data processing may be adverse to privacy.
The exemptions in national security may increase the number of data collected from the public and thus a violation of privacy.
Still, the Bill doesn’t contain regulations on data portability, as well as the right to be forgotten.
Cross-border transfers of personal data require enhanced protection measures for satisfactory privacy-protecting mechanisms.
India is still far behind in the enforcement of specific legal data protection standards that meet international standards.
The currently implemented Information Technology Act, of 2000 has inadequate provisions for and implementation of the newer issues related to IT like e-commerce, cyber defamation, online scams, etc.
Cases like Shreya Singhal v/s Union of India (2015) and Justice K.S. Puttaswamy (retired) v/s Union of India (2017), the Courts have further strengthened the constitutional right to privacy.
The Act aims to regulate the protection of personal data in a digital format by being more accountable and transparent to data fiduciaries including social media and E-commerce companies. It requires the platform to collect minimal data and grants an individual the right to give ‘consent’ or ‘withdraw’ consent, or ‘port’ data.
After public participation and stakeholder approval, the above draft rules will be presented to Parliament as a paper. The enactment will now take two years before it is fully implemented to allow the entities to come to terms with the provisions of the Act. These rules go hand in hand with the principles formulated by the government to protect personal data, gain digital trust, and provide digital services to the citizens in a digital world.
The implementation of the Digital Personal Data Protection Act 2025 is expected to reshape data governance in India, ensuring more transparency, accountability, and protection of personal data in the digital era.