Digital Personal Data Protection Rules – What Are They?
The Digital Personal Data Protection Rules are the subordinate legislation framed by the Central Government under the DPDP Act, 2023.
These rules provide detailed procedures for:
- How personal data is collected, processed, stored, and deleted
- Duties of Data Fiduciaries (companies/government departments)
- Rights of Data Principals (individuals)
- Establishment and functioning of the Data Protection Board of India (DPBI)
- Grievance-redressal timelines
- Penalties and adjudication procedures
In short:
👉 The Act gives the framework,
👉 The Rules explain HOW it will be implemented.
Key Features of the Digital Personal Data Protection (DPDP) Act, 2023
1. Applicability
- Applies to personal data collected in digital form or digitised later.
- Applies to government and private entities, including foreign companies handling Indian data.
- Does not apply to offline personal data unless digitised.
2. Definitions
- Data Principal – the person whose data is collected.
- Data Fiduciary – the entity collecting/processing data (govt/company).
- Significant Data Fiduciary – large entities with high volume/sensitive data risk.
3. Lawful Purpose & Consent
Personal data can be processed only when:
- Clear consent is taken (free, specific, informed).
- Notice must state: purpose, storage, rights, grievance officer.
- Consent must be as easy to withdraw as it is to give.
4. Processing for ‘Legitimate Uses’
Some situations don’t require explicit consent, such as:
- Government benefits/subsidies
- Medical emergencies
- Court orders
- Public interest functions
5. Rights of Data Principal
- Right to Access (what data is collected & why)
- Right to Correction & Erasure
- Right to Grievance Redressal
- Right to Nominate a person in case of death/incapacity
- Right to Withdraw Consent
6. Duties of Data Principal
- Not to file false complaints
- Not to impersonate others
- Provide accurate information when required
7. Obligations of Data Fiduciaries
- Ensure data security, encryption, safeguards
- Maintain accuracy of data
- Delete data when purpose ends
- Appoint Data Protection Officer (for Significant Data Fiduciaries)
- Conduct Data Protection Impact Assessments
8. Data Transfers
- Cross-border transfers allowed except to blacklisted countries (to be notified).
9. Penalties
Up to ₹250 crore per violation for breaches like:
- Failing to prevent data leak
- Failing to erase or protect data
- Not informing users about breaches
10. Data Protection Board of India (DPBI)
- An independent adjudicatory body
- Handles complaints, breaches, penalties
- Acts like a “digital regulator”
Relation to the Right to Information (RTI) Act, 2005
The DPDP Act impacts RTI in the following ways:
1. Strengthening Privacy under Section 8(1)(j) of RTI
RTI Act already avoids disclosure of:
“Personal information which has no relationship to public activity or interest.”
DPDP further reinforces privacy protection, making disclosure of personal data even more restricted.
2. Potential Conflict
- RTI promotes transparency
- DPDP promotes privacy
This leads to tension:
- Public officials’ personal data (e.g., salary, posting, leave details) may be harder to obtain.
- Activists fear misuse to deny information under the name of “privacy”.
3. Harmonisation Expected
Government must balance both Acts by issuing:
- Clear Rules on what counts as public interest disclosure
- Exceptions for corruption-related information
Challenges in the Implementation of the DPDP Act
1. Ambiguity in Definitions
Terms like “legitimate use”, “public interest”, “harm” need clarity.
2. Over-dependence on government notifications
Several provisions depend on future rules → may delay enforcement.
3. Compliance burden on small businesses
Startups may face high cost for data security audits & record-keeping.
4. Government exemptions
Government can exempt departments, raising concerns about privacy dilution.
5. Low awareness among citizens
India lacks widespread digital literacy → users may not understand rights.
6. Cross-border data transfer risks
Blacklisting countries may affect global IT operations.
7. Enforcement capacity
DPBI must handle large volume of complaints and audits efficiently.
Conclusion
The DPDP Act is a major step toward protecting personal data in India’s growing digital economy. It creates a legal structure for consent, data rights, obligations of companies, and penalties for breaches.
However, its success depends on:
- Clear rules
- Strong enforcement
- Balancing transparency (RTI) and privacy
- Capacity building for small enterprises and citizens
India now moves closer to international standards like GDPR, but must carefully implement the Act to protect both individual rights and digital innovation.
Exam Questions
A. MCQs (Objective)
- DPDP Act applies to which type of data?
  a) All offline data
  b) Digital personal data
  c) Non-personal data
  d) Only government data
  Answer: b)
- The regulatory body under DPDP Act is:
  a) TRAI
  b) Data Protection Board of India
  c) NPCI
  d) CERT-In
  Answer: b)
- Which right is not given to Data Principals?
  a) Right to Correction
  b) Right to Erasure
  c) Right to Withdraw Consent
  d) Right to Monetary Compensation
  Answer: d)
- The DPDP Act affects disclosure under which section of the RTI Act?
  a) 8(1)(j)
  b) 4(1)(b)
  c) 22
  d) 24
  Answer: a)
B. Mains Questions (5–10 Marks)
- Discuss the key features of the Digital Personal Data Protection Act, 2023.
- Examine the relationship between the DPDP Act and the RTI Act, 2005.
- What are the major challenges in implementing the DPDP Act? Suggest measures to overcome them.
- Explain the role and powers of the Data Protection Board of India (DPBI).






