India’s New Data Privacy Law: Rights, Responsibilities, and Penalties Explained
New Delhi: The Union government on Friday (January 3, 2025) released the draft Digital Personal Data Protection (DPDP) Rules, 2025, aimed at enforcing the provisions of the Digital Personal Data Protection Act, 2023. Although the Act was passed over a year ago, the development of rules necessary for its implementation has been ongoing. These newly released draft rules are now open for public consultation. The DPDP Act establishes a legal framework for "data fiduciaries"—entities that collect personal data from "data principals" or users—ensuring that data is protected against misuse and that firms violating data protection principles are penalized.
Enacted by the Indian Parliament on August 11, 2023, the Digital Personal Data Protection Act, 2023 (No. 22 of 2023), provides a comprehensive legal structure for processing digital personal data in India. This legislation seeks to balance individuals' right to data privacy with the necessity for lawful data processing, marking a pivotal moment in India's digital governance.
Key Provisions of the Act
Consent-Based Data Processing
The Act mandates that consent must be "free, specific, informed, unconditional, and unambiguous," signaled through a clear affirmative action. Data principals (the individuals whose data is being processed) retain the right to withdraw consent at any time. Data fiduciaries must ensure compliance with this consent framework.
An example provided in the legislation illustrates this principle: if an individual consents to a telemedicine app processing personal data for services but also grants access to their phone contact list unnecessarily, the consent for accessing the contact list would be invalid.
Obligations of Data Fiduciaries
Data fiduciaries are required to ensure the accuracy of personal data, implement strong security measures to prevent breaches, and erase data when no longer needed. Section 8(5) of the Act emphasizes the obligation to protect personal data by employing reasonable safeguards.
Rights of Data Principals
The Act grants data principals (users) several key rights:
Right to Consent: Individuals have the right to grant or withdraw consent for their data's processing.
Right to Access: Data principals can access summaries of their personal data, details of its processing, and identities of entities with whom the data is shared.
Right to Correction and Erasure: They may correct inaccuracies or request the erasure of outdated or unnecessary data.
Right to Grievance Redressal: Mechanisms for filing complaints against data fiduciaries or Consent Managers are provided.
Right to Nominate: Data principals can appoint representatives to exercise these rights in cases of death or incapacity.
Governance and Compliance
The Data Protection Board of India is established under the Act as an independent regulatory body. It is tasked with monitoring compliance, investigating grievances, and imposing penalties for violations. For entities handling large volumes of sensitive data or with high potential impact, additional requirements—such as appointing a Data Protection Officer and conducting regular data audits—are imposed.
Exemptions and Legitimate Data Uses
The Act includes exemptions for processing related to legal claims, research, archiving, national security, and fulfilling legal obligations. Startups and select data fiduciaries may be exempt from certain provisions to support innovation and growth.
Legitimate data uses without explicit consent include responding to medical emergencies, providing government benefits, and complying with legal obligations.
Enforcement and Penalties
Non-compliance with the Act can result in penalties of up to ₹250 crore for significant breaches. Decisions by the Data Protection Board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal. Mediation is encouraged as an alternative dispute resolution mechanism.
Broader Implications
The Digital Personal Data Protection Act, 2023, is a landmark move in India's journey toward robust data privacy laws. By codifying individuals' rights and data fiduciaries' responsibilities, it aims to foster a secure and transparent digital ecosystem. The release of the draft DPDP Rules, 2025, brings the Act closer to implementation, with the potential to transform how data privacy is governed in India.
As public consultation on these rules begins, the effectiveness of this legal framework will depend on the rules' clarity and their enforcement by the Data Protection Board of India.