IT Ministry notifies draft rules on data protection law

Why in the NEWS?

• The IT Ministry of India has notified draft rules on the Digital Personal Data Protection Rules.

Key Points:

• IT Ministry has sought feedback on these rules by February 18, 2025.
• These rules clarify the tentative conditions for implementing the Digital Personal Data Protection Act (DPDP).
• The Act was passed by the Indian Parliament in 2023 and aims to protect personal data, especially on digital platforms, thereby safeguarding the privacy of citizens.
• The draft rules are open for public feedback until February 18.  
• “The submissions will be held in fiduciary capacity in MeitY and shall not be disclosed to any one at any stage,” the Ministry of Electronics and Information Technology said on the MyGov portal, where it is accepting submissions from stakeholders.

Key objectives of the Digital Personal Data Protection Act:

• Protection of personal data: 
  • To set rules and provisions for collecting, using and storing personal data of citizens.
• Consent and rights: 
  • To inform individuals about the collection and use of their data and obtain their consent.
• Reporting of data breach: 
  • If a data breach occurs, it will be reported to the government and affected individuals as soon as possible.
• Security measures: 
  • Companies and organizations will have to implement security measures to protect data.

Key points of the draft rules:

• Consent and rights:
  • It will be ensured that the data of individuals can be collected only with their consent.
  • Users will have the right to withdraw their consent and request deletion of their data at any time.
• Data processing:
  • Personal data will be processed only for the purpose approved by the individuals. 
  • Data will be used only for authorized purposes.
• Data security:
  • Companies will have to implement technical and organizational measures to protect personal data.
  • In case of a data breach, companies will be obliged to immediately notify affected individuals and the government.
• Responsibilities of Companies:
  • Companies must present their data security practices transparently and comply with data protection regulations.
  • They must ensure that they have adequate data security measures in place.
• Data encryption and security measures:
  • Companies will need to encrypt data so that even if the data gets hacked, it remains safe for users.
  • Ensuring that data can only be accessed by authorized persons.
• Sensitive Data:
  • Sensitive data (e.g., health, financial information) will be provided special protection.
  • This may require special permission.
• Data Protection Authority:
  • An independent Data Protection Authority will be established, whose job will be to monitor the rules and regulations and take action on data breaches.
  • This authority will investigate data processing activities to ensure data security.
• Regulation and Penalties:
  • If an organization violates the rules, it may face heavy fines and penalties. The penalty will depend on the severity and nature of the violation.
  • Companies may face a large amount of fines in case of a data breach.

Significance of Draft Rules

• Digital India Mission: 
  • This draft will help achieve the goals of the Digital India Mission, including boosting the digital economy and ensuring digital security of citizens.
• Building trust:
  • This draft will help in increasing trust in digital services among citizens.
• Conformity with International Standards: 
  • This draft is in line with international data security standards, which will help India become a significant player in the global digital economy.