NEW DELHI: The Union government of India has released the draft rules for the Digital Personal Data Protection (DPDP) Act, 2023, marking a significant step in strengthening data privacy. The rules, unveiled on January 3, 2025, are designed to enforce provisions of the Act, which aims to protect users' personal data from misuse. While the DPDP Act was passed over a year ago, these rules, which will implement the Act's provisions, are now open for public consultation.
Stakeholders can submit their feedback on the draft rules until February 18, 2025. The Ministry of Electronics and Information Technology (MeitY) has invited feedback through the MyGov portal. The submissions will remain confidential and will be held in a fiduciary capacity.
The draft rules outline clear guidelines for data fiduciaries—entities that collect and handle personal data. These entities must inform users about the data they are collecting and the reasons for collecting it, and provide the details necessary for users to give informed consent. The rules also emphasize transparency and the need for data fiduciaries to ensure that users fully understand the implications of sharing their data.
One key provision in the draft is the registration of consent managers. These managers will facilitate the process of obtaining user consent for data collection in a structured format. The rules also allow government bodies and their agencies to collect data for specific purposes, such as distributing subsidies and benefits, as long as certain standards are met. Additionally, data collected for statistical purposes is exempt from some of the protections.
To protect users' personal data, the rules mandate that data fiduciaries take reasonable security measures to prevent breaches. If a data breach occurs, it must be reported to the Data Protection Board of India (DPBI) within 72 hours. The DPBI is expected to be established soon.
Moreover, the draft rules require that when users stop using services such as e-commerce platforms, social media, or online gaming for a prolonged period, their data should be deleted. Data fiduciaries must notify users 48 hours before data deletion, allowing users time to prevent it.
Data fiduciaries are also required to provide contact details for their data protection officer on their websites. Larger data fiduciaries must regularly conduct Data Protection Impact Assessments and audits to ensure compliance with the Act.
These new rules are a crucial step in enhancing digital privacy and securing personal data in India. As the consultation period continues, the government aims to refine these guidelines based on public input.