Digital Personal Data Protection Act (DPDP) 2023 and Rules 2025

The DPDP Act, 2023 is India's legal framework for data protection, akin to Europe's GDPR and other international data protection laws. It aims to safeguard the online data of Indian citizens by establishing guidelines for data handling by companies, known as "data fiduciaries."

Key Provisions

• Data Handling Requirements:
  • Access control and encryption are mandatory.
  • Security audits are required for large firms labeled as "significant data fiduciaries."
• Consent Management:
  • Data principals must provide "informed" consent, detailing what data is collected and its use.
  • Users can erase, modify, or delete their data, and inactive data must be deleted after a certain period.
• Data Protection Officer: Large firms must appoint an officer to oversee compliance.
• Targeted Advertising: Restrictions are placed on advertising and data collection, especially concerning children, with exemptions for parental location tracking.
• Consent Manager: A framework is provided for users to manage data across multiple platforms.
• Data Breach Reporting: Breaches must be reported promptly.

Enforcement and Compliance

• Fines range from ₹10,000 to ₹250 crore for non-compliance.
• Firms are given up to 18 months to comply with the Act's requirements.
• Some provisions, like appointing a Data Protection Officer (DPO), will be mandatory after one year.

Data Protection Board of India (DPBI)

• The DPBI will oversee the implementation of the Act and function as a subordinate office of the Ministry of Electronics and Information Technology (MeitY).
• The board will consist of four members.

Amendments and Controversies

• Right to Information Act, 2005:
  • The DPDP Act amends Section 8(1)(j), removing the public interest clause for disclosing personal information, allowing more discretion for government entities.
  • Activists have resisted this change, arguing it limits transparency and could protect misconduct.
• Information Technology Act, 2000: An amendment is proposed but not yet enforced, raising concerns about potential misuse to hide official misconduct.