Administrative Rules under the Digital Personal Data Protection (DPDP) Act
The government has notified the administrative rules under the DPDP Act, making India one of the countries with a federal digital personal data privacy regime.
Implementation Road Map
- Companies and stakeholders have up to 18 months to comply with the new guidelines.
- Consent managers have up to 12 months to register.
Consent and Data Processing
- Data fiduciaries must seek specific, informed consent in clear language.
- Consent must describe the personal data to be processed and its purpose.
Cross-Border Data Transfer
- Allowed, but transfers must comply with the requirements set by the central government.
- Contentious due to data localisation concerns from big tech firms.
User Rights and Data Fiduciary Obligations
- Users can withdraw consent and exercise rights under the Act.
- Data fiduciaries must notify users and the Data Protection Board (DPB) of breaches within 72 hours.
Data Protection and Breach Protocols
- Data must be protected with encryption, obfuscation, or similar methods.
- Logs and personal data must be retained for at least one year.
Inactive User Data Deletion
- E-commerce and social media intermediaries with over 20 million users must delete inactive user data after three years, after giving the user 48 hours' notice.
Significant Data Fiduciary Requirements
- Platforms with over 5 million users must conduct annual audits and Data Protection Impact Assessments.
Timeline of Developments
- 2011 - Expert group on digital privacy law formed.
- 2017 - IT ministry forms a panel.
- 2019 - Personal Data Protection Bill tabled.
- 2021 - Joint panel suggests 98 changes.
- 2022 - Bill withdrawn, fresh consultations proposed.
- 2023 - Digital Personal Data Protection Bill tabled, receives Parliament nod.