Digital Personal Data Protection (DPDP) Rules 2025 and the DPDP Act 2023
Context
The government floated the draft Digital Personal Data Protection (DPDP) Rules 2025 for public consultation.
What is the DPDP Act 2023?
The Digital Personal Data Protection (DPDP) Act 2023 is a law passed by the Indian government to regulate how the personal data of individuals is collected, processed, and protected in the digital world.
The law mandates that companies and organizations (referred to as data fiduciaries) must obtain consent from individuals before collecting their data.
The Act aims to protect citizens' personal data from misuse, ensuring transparency and accountability for organizations handling this data.
Why is the DPDP Act Necessary?
As more services shift online, personal data is being increasingly digitized. While this offers convenience, it also exposes people to the risk of misuse, such as unauthorized data sharing or cybercrimes.
The DPDP Act addresses these issues by enforcing stricter rules on how digital platforms collect, store, and use people's data.
What are the DPDP Rules 2025?
The DPDP Rules 2025 are the set of regulations developed to help implement the DPDP Act 2023.
These rules provide the detailed processes and mechanisms for ensuring the Act’s provisions are properly followed.
Key Features of the Draft DPDP Rules 2025:
Data Protection Board (DPB): The draft rules outline the framework for setting up the Data Protection Board (DPB). The DPB will be responsible for adjudicating complaints and enforcing penalties related to violations of data protection rules. The DPB will operate digitally, making it easier for people to file complaints and track cases.
Consent Management for Children's Data: The rules focus on the protection of children's data, requiring entities to obtain verifiable parental consent before processing a child's personal data. This will be enforced through technical and organizational measures.
Cross-border Data Transfer: The draft rules allow for the transfer of personal data outside India, but only in specific cases approved by the government. The government will decide which data can be transferred and under what circumstances.
Rights of Individuals: The rules ensure that individuals have control over their personal data. They can withdraw consent, update, or delete their data, and file complaints against entities that misuse their data.
Data Fiduciaries and Consent Managers: Organizations that collect and process personal data, like social media platforms, e-commerce websites, and online gaming services, are called data fiduciaries. They are required to seek explicit consent from individuals before using their data.
Consent managers (third-party platforms that help collect and manage consent on behalf of users) are also part of the framework. For instance, platforms that manage financial data and health records may act as consent managers.
Penalties for Violations: The DPDP Act 2023 provides a penalty mechanism for data fiduciaries who fail to comply with the law. Penalties can be as high as Rs 250 crore for serious violations. The severity of the penalty will depend on factors such as the nature of the violation, efforts made to prevent it, and the duration of the breach.
Exemptions: Some exemptions apply under the DPDP Act. These include cases related to law enforcement activities, judicial functions, or regulatory functions that require the processing of personal data. Startups or entities engaged in research may also be granted certain relaxations.
Filing Complaints: Citizens who believe their data rights have been violated can file complaints with the Data Protection Board (DPB), which will function digitally. Individuals will be able to file complaints online, and the Board will handle these cases remotely.
Timeline for Implementation: While the DPDP Act 2023 was passed in August 2023, the rules are still under consultation. After the finalization of the rules, the government will take approximately two years to fully implement the Act, giving companies and organizations time to align their systems and processes with the new data protection requirements.
Impact of the DPDP Act:
The DPDP Act is aimed at improving transparency and accountability for digital platforms. It also gives individuals more control over their data, allowing them to make informed choices about how their personal information is used.
The law will help safeguard citizens against the misuse of their personal data, whether through cybercrimes, unauthorized sharing, or breaches of privacy.