Syllabus: Government policies and interventions for development in various sectors and issues arising out of their design and implementation.
Context: Central government notified major provisions of Digital Personal Data Protection Act 2023 and DPDP Rules 2025, addressing data privacy protection with compliance deadlines until 2027.
Digital Personal Data Protection (DPDP) Act, 2023
About the Act
- The Act creates a comprehensive framework for protection and processing of digital personal data.
- It regulates obligations of Data Fiduciaries and rights of Data Principals.
- Introduces Consent Managers registered with the Data Protection Board of India (DPBI).
- Enables a transparent platform for giving, reviewing, and withdrawing consent.
- Provides financial penalties for violating duties or obligations.
Applicability
- Applies to processing of digital personal data collected in digital or digitised form within India.
- Covers data processed abroad if linked to goods or services offered in India.
- Not applicable to personal or publicly available data.
Consent Framework
- Data processing requires lawful purpose and valid consent, with withdrawal rights.
- Consent is not required for legitimate uses, including government services or medical emergencies.
- For minors and disabled persons, consent must come from parents or guardians.
Data Protection Board of India
- DPBI is established by the Centre to monitor compliance and impose penalties.
- Handles complaints, directs corrective action, and functions with two-year renewable terms.
- Appeals lie with TDSAT.
Rights and Duties of Data Principals
- Rights include information access, correction, erasure, grievance redress, and nomination.
- Prohibits false complaints, with penalties up to ₹10,000.
Obligations of Data Fiduciaries
- Must ensure data accuracy, maintain security, and report breaches.
- Erasure is mandatory when the purpose is fulfilled.
Significant Data Fiduciaries
- Government may notify SDFs based on data volume, sensitivity, sovereignty risks, and public order.
- SDFs must appoint Data Protection Officers, auditors, and conduct impact assessments.
Parental Consent & Restrictions
- Requires verifiable parental consent for children’s data.
- Prohibits harmful processing and targeted advertising for children under 18.
Exemptions
- Exemptions apply for security, sovereignty, public order, research, judicial functions, and start-ups.
- Certain State agencies may be exempt except for data security obligations.
Issues
- Broad State exemptions may violate privacy rights.
- Missing rights: data portability and right to be forgotten.
- Unrestricted cross-border transfers raise oversight concerns.
- Limited definition of harms such as identity theft or discrimination.
- DPBI’s short tenure raises concerns about independence.
Way Forward
- Adopt global best practices for cross-border data governance.
- Enable bilateral data-transfer agreements.
- Establish AI-privacy task force for adaptive regulation.
- Clearly define terms like sovereignty and specify the exemption procedure.
DPDP Rules 2025
- Phased Compliance Timeline: Data Fiduciaries are given time till November 2026 to meet core obligations such as appointing a Data Protection Officer and setting up data-governance systems.
- Consent Manager Activation: The framework enabling Consent Managers to process correction, erasure, and withdrawal requests on behalf of users becomes operational from November 2026.
- Operationalisation of DPBI: Rules formalise the four-member Data Protection Board of India, empowered to conduct inquiries, issue directions, and impose penalties.
- SDF Compliance by 2027: Large tech firms designated as Significant Data Fiduciaries must meet enhanced requirements — audits, DPO appointment, and impact assessments — by May 2027.
- Stricter Parental Consent: Rules tighten mechanisms for verifiable parental consent for processing children’s data, raising industry concerns.
- Tighter Breach Deadlines: Rules mandate short response and disclosure timelines for data breaches.
- Cross-Border Data Transfer Framework: Rules highlight the need for future mechanisms to enable global data transfers, emphasising interoperability.
Q- “Consent and purpose limitation are the twin pillars of the DPDP framework.” Elaborate. (10 Marks)