
Decoding the Digital Personal Data Protection (DPDP) Act

The MeitY released draft regulations for the DPDP Act last week. We decode its key provisions, developments, differences from earlier drafts, implications for businesses, and challenges foreseen.

Shamita Islur

The Ministry of Electronics and Information Technology (MeitY) has released draft regulations for the Digital Personal Data Protection (DPDP) Act on January 3. The draft introduces provisions for data handling, urging e-commerce platforms, social media platforms, and online gaming companies to delete users' personal data within three years after it is no longer required.

This draft is open to a public consultation period until February 18, allowing stakeholders to provide feedback through the MyGov portal. The proposed rules highlight user rights, data fiduciaries’ obligations, and frameworks for safeguarding personal information, underscoring India’s commitment to a comprehensive data protection regime.

Key provisions

The draft categorises various data fiduciaries and stipulates precise timelines for data retention and erasure. The Act includes several provisions to enhance transparency and give users greater control over their data. Some of the key aspects include:

Clear and simple notices

Organisations collecting data are referred to as Data Fiduciaries. They must provide clear, standalone notices to individuals (Data Principals). These notices should:

  • Clearly list the personal data being collected.
  • Explain why the data is being collected and how it will be used.
  • Detail the goods or services enabled by the data processing.
  • Include links to the organisation’s website or app.
  • Provide instructions on how individuals can withdraw consent, exercise their rights or file complaints.

Withdrawing consent and data erasure

The Act makes it easier for individuals to withdraw consent or request data deletion. If a Data Fiduciary doesn’t engage with an individual over a specified period, it is required to delete the user’s personal data unless the data is needed for legal reasons.

Platforms must notify users 48 hours before data deletion and give them the opportunity to log in or request data retention. Accounts linked to a principal user, including profiles, email addresses or phone numbers, fall within the rules’ domain. For consumers, this could lead to fewer intrusive calls or communications from websites or apps.

Data Protection Board (DPB)

The Act mandates the creation of a Data Protection Board (DPB), an online regulatory body. The DPB will investigate data breaches, enforce penalties and hold remote hearings. It can impose fines of up to Rs. 250 crore and will oversee compliance.

Additionally, organisations will need explicit government permission to transfer personal data outside India and minors under 18 years of age will require parental consent to access social media platforms.

What is the DPDP Act and why was it introduced?

The DPDP Act, enacted in August 2024, represents India’s most ambitious legislative effort to regulate personal data usage. The Act was born out of increasing concerns about data misuse and the growing need for digital privacy. It is India’s response to global data protection laws such as the EU’s General Data Protection Regulation (GDPR) and establishes principles like data minimisation, purpose limitation and consent-based processing, aiming to empower users while holding data fiduciaries accountable.

While India’s digital economy has grown exponentially with a surge in social media usage, the Supreme Court’s landmark 2017 judgment in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors., declaring privacy a fundamental right, set the stage for the government to introduce comprehensive data protection legislation. The judgment declared that the right to privacy is part of the fundamental right to life in India and that the right to informational privacy is part of this right.

In 2019, the government introduced the Personal Data Protection (PDP) Bill, which underwent revisions and drafts. The bill was subjected to public consultation and debate and in 2023, a revised draft of the bill was integrated into the DPDP Act. This draft included significant provisions for data consent management, cross-border data transfers, data subject rights, and penalties for non-compliance.

The draft bill faced criticism for perceived ambiguities and lack of clarity on enforcement mechanisms. Many raised concerns about operational challenges, cross-border data transfers and compliance costs. Addressing these concerns, the MeitY refined the provisions and released the latest draft to bring greater clarity and precision to the Act’s implementation.

Key differences from the 2023 draft

Specific timelines for data erasure: Unlike the 2023 draft, the latest version specifies a three-year timeline for data deletion after its intended purpose is fulfilled.

Categorisation of Data Fiduciaries: The new draft distinguishes between different types of data fiduciaries, assigning tailored guidelines based on their operations.

Data Protection Board details: The current version elaborates on the establishment, appointment and functioning of the Data Protection Board.

Parental consent for minors: The new draft explicitly requires parental consent for minors, adding a layer of protection for children’s data.

The change in the guideline regarding parental consent likely came after the Australian government introduced a bill in Parliament to prohibit children under 16 from using social media platforms.

Implications for marketers and businesses

The new regulations will significantly impact marketers and data-driven industries. Marketers relying on consumer data for personalised campaigns will have to adapt to stricter data retention policies and ensure compliance with user consent requirements. Cross-border data transfers, essential for global marketing campaigns, will require government approval, which could potentially slow operations.

Businesses will need to invest in data management systems to meet their compliance requirements. This includes implementing mechanisms to notify users about data collection, managing consent, and erasing data within timelines.

Challenges 

While the draft rules provide clarity, they pose certain challenges in the long run. These include implementing mechanisms for timely data deletion and cross-border data transfer approvals, which might strain resources for smaller businesses. Additionally, verifying parental consent for minors could create hurdles for social media and gaming platforms. Ensuring data privacy while fostering innovation remains a significant challenge. Moreover, multinational companies could face hurdles in aligning the DPDP Act with other international data protection laws.

While the draft for DPDP rules marks a significant step toward protecting consumer data, it needs to ensure that there’s a balance between user privacy and business needs. As the public consultation unfolds, the final rules will need to address the practical challenges. With the globe moving towards stringent social media use and social media giants coming under the scanner, India's approach to data protection will play a crucial role in shaping how brands approach consumers. 

 
