Context:
-
The Ministry of Electronics and Information Technology (MeitY) has notified the Data Protection Rules, operationalising the Digital Personal Data Protection Act, 2023 (DPDP Act).
-
This marks a decisive step towards India’s first comprehensive privacy law, nearly two years after the Act received Presidential assent in August 2023.
Key Highlights:
Legal & Governance Framework
-
Notification enables phased implementation of the DPDP Act.
-
Core safeguards like informed consent and mandatory data breach notification to be enforced within 12–18 months.
-
Amendments to the Right to Information (RTI) Act notified alongside the rules.
Institutional Mechanism
-
Data Protection Board of India (DPB) is now operational.
-
Head office in New Delhi
-
Comprises one Chairperson and four members
-
-
DPB will act as the primary enforcement and adjudicatory authority.
Data Localization & Compliance Requirements
-
Data localization norms mandate that certain categories of personal data be processed and stored within India.
-
Significant Data Fiduciaries (SDFs) to be notified based on:
-
Volume of data processed
-
Sensitivity of personal data
-
Potential impact on national interest and sovereignty
-
Children’s Data Protection
-
Mandatory verifiable parental consent before processing children’s personal data.
-
Higher compliance burden on digital platforms catering to minors.
Data Breach Obligations
-
In the event of a breach, data fiduciaries must:
-
Promptly inform affected individuals
-
Disclose nature, extent, and potential consequences of the breach
-
Concerns & Criticism
-
Act criticised for:
-
Granting broad exemptions to the government
-
Potential dilution of RTI Act transparency provisions
-
Relevant Prelims Points:
-
Issue: Absence of a comprehensive statutory framework for data privacy in India.
-
Causes:
-
Rapid digitisation
-
Rising data breaches and misuse of personal data
-
-
Government Initiative:
-
Digital Personal Data Protection Act, 2023
-
Notification of Data Protection Rules
-
-
Key Provisions:
-
Consent-based data processing
-
Data localization
-
Breach notification norms
-
-
Benefits:
-
Enhanced privacy protection
-
Greater accountability of tech companies
-
-
Challenges:
-
Government exemptions
-
Compliance costs for businesses
-
-
Impact:
-
Strengthens India’s digital governance architecture
-
Relevant Mains Points:
-
Key Definitions & Concepts:
-
Data Fiduciary: Entity determining purpose and means of data processing
-
Data Principal: Individual whose data is processed
-
Data Localization: Storage of data within national borders
-
-
Governance & Polity Dimensions:
-
Balances privacy as a fundamental right (Puttaswamy judgment) with state interests
-
Raises concerns about executive discretion and transparency
-
-
Science & Technology Aspect:
-
Regulates Big Tech and digital platforms
-
Impacts cross-border data flows and innovation
-
-
Way Forward:
-
Ensure independent functioning of DPB
-
Narrow government exemptions through safeguards
-
Harmonise RTI transparency with data protection goals
-
Build institutional capacity for effective enforcement
-
UPSC Relevance (GS-wise):
-
GS 2: Polity, Governance, Rights-based legislation
-
GS 3: Science & Technology, Digital Economy
-
Prelims: DPDP Act, Data Fiduciary, Data Localization, RTI